2012/3/20 Félix Barbeira <[email protected]>:
> I have a ossec server with several agents. I forward the alerts over
> level 7 to a logstash instance listening on the port 1515 in another
> server:
>
> <syslog_output>
>   <server>x.x.x.x</server>
>   <level>7</level>
>   <port>1515</port>
>  </syslog_output>
>
>
> In this server I filter the alert with a logstash instance and forward
> it via GELF to a graylog2 interface. But I have one problem. The
> alerts that the daemon "ossec-csyslogd" forwards to the logstash server
> look like this:
>
>
> Alert Level: 10; Rule: 5712 - SSHD brute force trying to get access to
> the system.; Location: (xxxx) 82.x.x.x->/var/log/auth.log; srcip:
> 188.x.x.x; Mar 20 14:30:53 xx sshd[3182]: Failed password for invalid
> user alias from 188.x.x.x port 44222 ssh2
>
>
> At the same time I receive the same alert via e-mail with the
> following output:
>
>
> OSSEC HIDS Notification.
> 2012 Mar 20 14:30:55
>
> Received From: (xxxx) 82.x.x.x->/var/log/auth.log
> Rule: 5712 fired (level 10) -> "SSHD brute force trying to get access
> to the system."
> Portion of the log(s):
>
> Mar 20 14:30:53 xxxx sshd[3182]: Failed password for invalid user
> alias from 188.x.x.x port 44222 ssh2
> Mar 20 14:30:51 xxxx sshd[3182]: Invalid user alias from 188.x.x.x
> Mar 20 14:30:50 xxxx sshd[3135]: Failed password for invalid user
> recruit from 188.x.x.x port 44141 ssh2
> Mar 20 14:30:49 xxxx sshd[3135]: Invalid user recruit from 188.x.x.x
> Mar 20 14:30:48 xxxx sshd[3086]: Failed password for invalid user
> sales from 188.x.x.x port 44027 ssh2
> Mar 20 14:30:45 xxxx sshd[3086]: Invalid user sales from 188.x.x.x
> Mar 20 14:30:45 xxxx sshd[3048]: Failed password for invalid user
> staff from 188.x.x.x port 43907 ssh2
> Mar 20 14:30:42 xxxx sshd[3048]: Invalid user staff from 188.x.x.x
>
> --END OF NOTIFICATION
>
>
> I want ossec to forward all this information via syslog too, not
> only via e-mail. It's like the daemon "ossec-csyslogd" has a
> limitation in characters.

There's no option to change this.

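For anyone consuming the one-line ossec-csyslogd output on the logstash side, the fields it does carry (level, rule id, rule description, location, optional srcip, and the single log line) are easy to pull apart before shipping to graylog2. The parser and GELF mapping below are an added example, not code from the thread or from OSSEC/logstash. The "Alert Level: ...; Rule: ...; Location: ...;" layout and the srcip field are taken from the line quoted above; the optional dstip and user fields, the possibility of a syslog header in front of the payload, the second sample line, and the OSSEC-level-to-syslog-severity mapping are assumptions made for the example.

```python
import re
from typing import Optional

# Payload layout as seen in the csyslogd line quoted in the thread. The
# dstip/user fields are assumed to use the same "key: value; " pattern and are
# only parsed when present; everything after the last such field is the log line.
_ALERT_RE = re.compile(
    r"^Alert Level: (?P<level>\d+); "
    r"Rule: (?P<rule_id>\d+) - (?P<rule_desc>.*?); "
    r"Location: (?P<location>.*?); "
    r"(?:srcip: (?P<srcip>\S+); )?"
    r"(?:dstip: (?P<dstip>\S+); )?"
    r"(?:user: (?P<user>\S+); )?"
    r"(?P<log>.*)$"
)

# Location is "(agent) agent_ip->/path/to/log" for an agent (as in the thread);
# for the OSSEC server's own logs it is assumed to be "hostname->/path/to/log".
_LOCATION_RE = re.compile(
    r"^(?:\((?P<agent>[^)]*)\) )?(?P<host>[^>]+?)->(?P<source>.*)$"
)


def parse_alert(line: str) -> Optional[dict]:
    """Parse one csyslogd alert line into a dict, or return None if it does not match."""
    # A syslog header ("<132>Mar 20 ... ossec: ") may precede the payload
    # depending on how it was received; skip anything before "Alert Level:".
    idx = line.find("Alert Level: ")
    if idx == -1:
        return None
    m = _ALERT_RE.match(line[idx:].rstrip("\r\n"))
    if not m:
        return None
    alert = m.groupdict()
    alert["level"] = int(alert["level"])
    alert["rule_id"] = int(alert["rule_id"])
    loc = _LOCATION_RE.match(alert["location"])
    # Keep the raw location too, so nothing is lost if the sub-pattern fails.
    alert["agent"] = loc.group("agent") if loc else None
    alert["agent_ip"] = loc.group("host") if loc else None
    alert["source"] = loc.group("source") if loc else None
    return alert


def to_gelf(alert: dict, host: str = "ossec-server") -> dict:
    """Build a GELF 1.1 message dict from a parsed alert (custom fields are '_'-prefixed)."""
    # GELF "level" is a syslog severity (0-7) while OSSEC levels run 0-15;
    # this mapping is an assumption for the example, not OSSEC's or Graylog's.
    level = alert["level"]
    severity = 2 if level >= 10 else 4 if level >= 7 else 6
    return {
        "version": "1.1",
        "host": host,
        "short_message": f"Rule {alert['rule_id']}: {alert['rule_desc']}",
        "full_message": alert["log"],
        "level": severity,
        "_ossec_level": level,
        "_rule_id": alert["rule_id"],
        "_agent": alert["agent"],
        "_agent_ip": alert["agent_ip"],
        "_source": alert["source"],
        "_srcip": alert["srcip"],
    }


# Constructed samples: the first is the line quoted in the thread (joined onto
# one line); the second is a made-up server-local alert with no srcip and a
# syslog header in front of the payload.
SAMPLE_LINES = [
    "Alert Level: 10; Rule: 5712 - SSHD brute force trying to get access to the system.; "
    "Location: (xxxx) 82.x.x.x->/var/log/auth.log; srcip: 188.x.x.x; "
    "Mar 20 14:30:53 xx sshd[3182]: Failed password for invalid user alias from 188.x.x.x port 44222 ssh2",
    "<132>Mar 20 14:31:00 ossec-server ossec: Alert Level: 3; Rule: 5501 - Login session opened.; "
    "Location: ossec-server->/var/log/auth.log; "
    "Mar 20 14:31:00 ossec-server sshd[3200]: pam_unix(sshd:session): session opened for user admin by (uid=0)",
]


def parse_all(lines):
    """Parse every line, dropping the ones that are not csyslogd alerts."""
    return [a for a in (parse_alert(l) for l in lines) if a is not None]


if __name__ == "__main__":
    for alert in parse_all(SAMPLE_LINES):
        print(to_gelf(alert))
```

Note that the syslog path only ever carries the single log line that fired the rule; the e-mail notification in the thread shows the whole group of lines behind a frequency rule such as 5712, and that extra context is not present in the csyslogd output for the parser to recover.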