2012/3/20 Félix Barbeira <[email protected]>:
> I have an OSSEC server with several agents. I forward the alerts over
> level 7 to a logstash instance listening on port 1515 in another
> server:
>
> <syslog_output>
> <server>x.x.x.x</server>
> <level>7</level>
> <port>1515</port>
> </syslog_output>
>
> In this server I filter the alert with a logstash instance and forward
> it via GELF to a graylog2 interface. But I have one problem. The
> alerts that the daemon "ossec-csyslogd" forwards to the logstash server
> look like this:
>
> Alert Level: 10; Rule: 5712 - SSHD brute force trying to get access to the system.; Location: (xxxx) 82.x.x.x->/var/log/auth.log; srcip: 188.x.x.x; Mar 20 14:30:53 xx sshd[3182]: Failed password for invalid user alias from 188.x.x.x port 44222 ssh2
>
> At the same time I receive the same alert via e-mail with the
> following output:
>
> OSSEC HIDS Notification.
> 2012 Mar 20 14:30:55
>
> Received From: (xxxx) 82.x.x.x->/var/log/auth.log
> Rule: 5712 fired (level 10) -> "SSHD brute force trying to get access to the system."
> Portion of the log(s):
>
> Mar 20 14:30:53 xxxx sshd[3182]: Failed password for invalid user alias from 188.x.x.x port 44222 ssh2
> Mar 20 14:30:51 xxxx sshd[3182]: Invalid user alias from 188.x.x.x
> Mar 20 14:30:50 xxxx sshd[3135]: Failed password for invalid user recruit from 188.x.x.x port 44141 ssh2
> Mar 20 14:30:49 xxxx sshd[3135]: Invalid user recruit from 188.x.x.x
> Mar 20 14:30:48 xxxx sshd[3086]: Failed password for invalid user sales from 188.x.x.x port 44027 ssh2
> Mar 20 14:30:45 xxxx sshd[3086]: Invalid user sales from 188.x.x.x
> Mar 20 14:30:45 xxxx sshd[3048]: Failed password for invalid user staff from 188.x.x.x port 43907 ssh2
> Mar 20 14:30:42 xxxx sshd[3048]: Invalid user staff from 188.x.x.x
>
> --END OF NOTIFICATION
>
> I want OSSEC to forward all this information via syslog too, not
> only via e-mail. It's like the daemon "ossec-csyslogd" had a
> limitation in characters.
There's no option to change this.
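Since the syslog line cannot be made to carry the full "Portion of the log(s)", the useful thing on the receiving side is to parse the fields it does carry into structured data before shipping it on (what a logstash grok filter would do). The following is an added example, not code from the thread or from the OSSEC or logstash projects. It parses the ossec-csyslogd text format shown above: the fixed "Alert Level / Rule / Location" fields, then the single log line. It assumes (from the OSSEC source, not stated in the thread) that "srcip:" and "user:" are optional fields emitted only when the alert has them, in that order, and it splits the "(agent) ip->file" location into its parts. The second sample alert is constructed to exercise the no-srcip case.

```python
import re
from typing import Optional

# Pattern for the ossec-csyslogd default text format seen in the thread.
# Assumption (not from the thread): "srcip:" and "user:" are optional and
# appear in that order; everything after the last ";" is the one log line
# that csyslogd forwards (the e-mail's extra log lines are never present).
ALERT_RE = re.compile(
    r"^Alert Level: (?P<level>\d+); "
    r"Rule: (?P<rule_id>\d+) - (?P<description>.*?); "
    r"Location: (?P<location>.*?);"
    r"(?: srcip: (?P<srcip>\S+);)?"
    r"(?: user: (?P<user>\S+);)?"
    r" (?P<log>.*)$"
)

# "(agent_name) agent_ip->log_source" as shown in the Location field.
LOCATION_RE = re.compile(r"^\((?P<agent>[^)]*)\) (?P<agent_ip>\S+)->(?P<source>.*)$")

# Constructed samples: the first is the line quoted in the thread (with its
# x.x.x placeholders), the second is made up to cover an alert without srcip.
SAMPLE_ALERTS = [
    "Alert Level: 10; Rule: 5712 - SSHD brute force trying to get access to the system.; "
    "Location: (xxxx) 82.x.x.x->/var/log/auth.log; srcip: 188.x.x.x; "
    "Mar 20 14:30:53 xx sshd[3182]: Failed password for invalid user alias from 188.x.x.x port 44222 ssh2",
    "Alert Level: 3; Rule: 5501 - Login session opened.; "
    "Location: (web01) 10.0.0.5->/var/log/auth.log; user: root; "
    "Mar 20 14:40:00 web01 sshd[4001]: pam_unix(sshd:session): session opened for user root by (uid=0)",
]


def parse_csyslogd_alert(line: str) -> Optional[dict]:
    """Turn one csyslogd alert line into a dict of fields, or None if it
    does not match the format (so callers can route unparsed lines aside)."""
    m = ALERT_RE.match(line.strip())
    if not m:
        return None
    fields = m.groupdict()
    fields["level"] = int(fields["level"])
    fields["rule_id"] = int(fields["rule_id"])
    loc = LOCATION_RE.match(fields["location"])
    if loc:
        fields.update(loc.groupdict())
    return fields


def alerts_by_srcip(lines, min_level: int = 7) -> dict:
    """Count parsed alerts at or above min_level per source IP; alerts with
    no srcip are grouped under the key None. Useful as a quick sanity check
    that the forwarded stream still carries the attacker address."""
    counts: dict = {}
    for line in lines:
        parsed = parse_csyslogd_alert(line)
        if parsed is None or parsed["level"] < min_level:
            continue
        counts[parsed["srcip"]] = counts.get(parsed["srcip"], 0) + 1
    return counts


if __name__ == "__main__":
    for sample in SAMPLE_ALERTS:
        print(parse_csyslogd_alert(sample))
    print(alerts_by_srcip(SAMPLE_ALERTS))
```

Lines that do not match return None rather than raising, so a forwarder can tag and keep them instead of dropping them silently; the description field is matched lazily up to "; Location:" so a rule description containing a semicolon still parses.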
