I have an ossec server with several agents. I forward the alerts over
level 7 to a logstash instance listening on port 1515 on another
server:
<syslog_output>
<server>x.x.x.x</server>
<level>7</level>
<port>1515</port>
</syslog_output>
On this server I filter the alert with a logstash instance and forward
it via GELF to a graylog2 interface. But I have one problem. The
alerts that the daemon "ossec-csyslogd" forwards to the logstash server
look like this:
Alert Level: 10; Rule: 5712 - SSHD brute force trying to get access to
the system.; Location: (xxxx) 82.x.x.x->/var/log/auth.log; srcip:
188.x.x.x; Mar 20 14:30:53 xx sshd[3182]: Failed password for invalid
user alias from 188.x.x.x port 44222 ssh2
At the same time I receive the same alert via e-mail with the following output:
OSSEC HIDS Notification.
2012 Mar 20 14:30:55
Received From: (xxxx) 82.x.x.x->/var/log/auth.log
Rule: 5712 fired (level 10) -> "SSHD brute force trying to get access
to the system."
Portion of the log(s):
Mar 20 14:30:53 xxxx sshd[3182]: Failed password for invalid user
alias from 188.x.x.x port 44222 ssh2
Mar 20 14:30:51 xxxx sshd[3182]: Invalid user alias from 188.x.x.x
Mar 20 14:30:50 xxxx sshd[3135]: Failed password for invalid user
recruit from 188.x.x.x port 44141 ssh2
Mar 20 14:30:49 xxxx sshd[3135]: Invalid user recruit from 188.x.x.x
Mar 20 14:30:48 xxxx sshd[3086]: Failed password for invalid user
sales from 188.x.x.x port 44027 ssh2
Mar 20 14:30:45 xxxx sshd[3086]: Invalid user sales from 188.x.x.x
Mar 20 14:30:45 xxxx sshd[3048]: Failed password for invalid user
staff from 188.x.x.x port 43907 ssh2
Mar 20 14:30:42 xxxx sshd[3048]: Invalid user staff from 188.x.x.x
--END OF NOTIFICATION
I want ossec to forward all this information via syslog too, not
only via e-mail. It's as if the daemon "ossec-csyslogd" had a
limit on the number of characters.
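To make the difference between the two outputs measurable before building the Logstash filter, here is an added example (not code from the post or from OSSEC) that parses both formats shown above into the same field names and lists the log lines the syslog alert lacks. The field layout is reconstructed from the two samples in the post; the samples themselves are constructed copies of them with the agent hostname normalised to "xxxx" in both so the lines can be compared exactly.

```python
import re

# Constructed sample of the single-line alert ossec-csyslogd forwards
# (layout copied from the post; hosts and addresses masked the same way,
# with the agent hostname normalised to "xxxx" in both samples).
SYSLOG_ALERT = (
    "Alert Level: 10; Rule: 5712 - SSHD brute force trying to get access to "
    "the system.; Location: (xxxx) 82.x.x.x->/var/log/auth.log; srcip: "
    "188.x.x.x; Mar 20 14:30:53 xxxx sshd[3182]: Failed password for invalid "
    "user alias from 188.x.x.x port 44222 ssh2"
)

# Constructed sample of the e-mail notification for the same event.
EMAIL_ALERT = """OSSEC HIDS Notification.
2012 Mar 20 14:30:55
Received From: (xxxx) 82.x.x.x->/var/log/auth.log
Rule: 5712 fired (level 10) -> "SSHD brute force trying to get access to the system."
Portion of the log(s):
Mar 20 14:30:53 xxxx sshd[3182]: Failed password for invalid user alias from 188.x.x.x port 44222 ssh2
Mar 20 14:30:51 xxxx sshd[3182]: Invalid user alias from 188.x.x.x
Mar 20 14:30:50 xxxx sshd[3135]: Failed password for invalid user recruit from 188.x.x.x port 44141 ssh2
Mar 20 14:30:49 xxxx sshd[3135]: Invalid user recruit from 188.x.x.x
Mar 20 14:30:48 xxxx sshd[3086]: Failed password for invalid user sales from 188.x.x.x port 44027 ssh2
Mar 20 14:30:45 xxxx sshd[3086]: Invalid user sales from 188.x.x.x
Mar 20 14:30:45 xxxx sshd[3048]: Failed password for invalid user staff from 188.x.x.x port 43907 ssh2
Mar 20 14:30:42 xxxx sshd[3048]: Invalid user staff from 188.x.x.x
--END OF NOTIFICATION
"""

# "srcip" is optional because not every rule extracts a source address.
SYSLOG_RE = re.compile(
    r"^Alert Level: (?P<level>\d+); "
    r"Rule: (?P<rule_id>\d+) - (?P<description>.*?); "
    r"Location: (?P<location>.*?); "
    r"(?:srcip: (?P<srcip>[^;]+); )?"
    r"(?P<log>.*)$",
    re.DOTALL,
)

EMAIL_RULE_RE = re.compile(
    r'^Rule: (?P<rule_id>\d+) fired \(level (?P<level>\d+)\) -> "(?P<description>.*)"$'
)


def parse_csyslogd_alert(line):
    """Split one ossec-csyslogd alert into its fields; the log part becomes a list."""
    m = SYSLOG_RE.match(line.strip())
    if not m:
        raise ValueError("line is not in ossec-csyslogd alert format")
    return {
        "level": int(m["level"]),
        "rule_id": int(m["rule_id"]),
        "description": m["description"],
        "location": m["location"],
        "srcip": m["srcip"],  # None when the rule extracted no source IP
        "log": [l for l in m["log"].splitlines() if l.strip()],
    }


def parse_email_notification(text):
    """Parse the multi-line e-mail notification into the same field names."""
    lines = [l.strip() for l in text.splitlines() if l.strip()]
    if not lines or lines[0] != "OSSEC HIDS Notification.":
        raise ValueError("text is not an OSSEC e-mail notification")
    alert = {"timestamp": lines[1], "srcip": None, "log": []}
    in_log = False
    for line in lines[2:]:
        if line == "--END OF NOTIFICATION":
            break
        if in_log:
            alert["log"].append(line)
        elif line.startswith("Received From: "):
            alert["location"] = line[len("Received From: "):]
        elif line.startswith("Rule: "):
            m = EMAIL_RULE_RE.match(line)
            if not m:
                raise ValueError("unrecognised Rule line: %r" % line)
            alert["rule_id"] = int(m["rule_id"])
            alert["level"] = int(m["level"])
            alert["description"] = m["description"]
        elif line == "Portion of the log(s):":
            in_log = True
    return alert


def missing_log_lines(syslog_line, email_text):
    """Return the log lines the e-mail carries but the syslog alert does not.

    Both inputs must describe the same rule and location; comparing two
    different alerts would be meaningless, so that case raises.
    """
    s = parse_csyslogd_alert(syslog_line)
    e = parse_email_notification(email_text)
    if (s["rule_id"], s["location"]) != (e["rule_id"], e["location"]):
        raise ValueError("syslog and e-mail alerts describe different events")
    present = set(s["log"])
    return [l for l in e["log"] if l not in present]


if __name__ == "__main__":
    for l in missing_log_lines(SYSLOG_ALERT, EMAIL_ALERT):
        print("only in e-mail:", l)
```

Run against the two samples, `missing_log_lines` returns the seven earlier sshd lines that the e-mail includes and the syslog alert drops, which is exactly the correlation context (the repeated "Invalid user" attempts that made rule 5712 fire) a downstream Logstash or Graylog rule would otherwise have to do without.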