On Fri, May 25, 2012 at 4:58 PM, Peter M Abraham <[email protected]> wrote:
> Good day everyone:
>
> Is there a way to modify rule 519 in ossec_rules.xml so that the
> description auto fills the agent name?
>

Modify the analysisd(?) source.

> Current output of the rule:
>
> 2012 May 25 14:50:39 (agent_name_goes_here) agent_ip_goes_here->rootcheck
> Rule: 519 (level 7) -> 'System Audit: Vulnerable web application
> found.'
> System Audit: Web vulnerability - Outdated WordPress installation.
> File: /fullpath_goes_here/wp-includes/version.php. Reference:
> http://sucuri.net/latest-versions .
>
> I would like it if the "System Audit: Web vulnerability" included the
> agent name.
>
> Here is why:
>
> I would love to be able to send a report of vulnerable applications by
> agent to the party responsible for managing the agent.
>
> If I do the following:
>
> grep 'Web vulnerability' /var/ossec/logs/alerts.log
>
> I only get the System Audit line which, while it has the full path,
> doesn't have the agent name.
>
> Can a rule include an agent name variable that will later be filled in
> when the alert is triggered?
>
> If yes, what does that look like?
>
> Thank you.
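
An added example (not part of the original thread and not OSSEC's own code): the per-agent report can be built without touching the rule, by pairing each alert's header line, which already carries the agent name, with its System Audit line. Assumptions: alerts are separated by blank lines and alerts raised on the manager itself have no "(agent)" part; the function name and sample data are invented for illustration.

```python
import re
from collections import defaultdict

# Alert header as shown in the post: "<date> (agent_name) agent_ip->rootcheck".
# Assumption: alerts raised on the manager itself have no "(agent)" part,
# so the host before "->" is used as the name.
HEADER = re.compile(r"^\d{4} \w{3} +\d{1,2} \d{2}:\d{2}:\d{2} "
                    r"(?:\((?P<agent>[^)]+)\) )?(?P<src>\S+?)->")
RULE = re.compile(r"^Rule: (?P<id>\d+) \(level \d+\)")
FINDING = re.compile(r"^System Audit: Web vulnerability - (?P<what>.+?) "
                     r"File: (?P<path>.+?)\.(?: Reference:|\s*$)")

def web_vulns_by_agent(lines, rule_id="519"):
    """Return {agent: sorted [(path, finding), ...]} for alerts of rule_id."""
    report = defaultdict(set)           # set: repeated scans report the same file
    agent = rule = None
    for raw in lines:
        line = raw.rstrip("\n")
        if not line.strip():            # blank line: end of the current alert
            agent = rule = None
        elif (m := HEADER.match(line)):
            agent, rule = m.group("agent") or m.group("src"), None
        elif (m := RULE.match(line)):
            rule = m.group("id")
        elif agent and rule == rule_id and (m := FINDING.match(line)):
            report[agent].add((m.group("path"), m.group("what")))
    return {a: sorted(f) for a, f in report.items()}

# Constructed sample in the layout quoted above (names, IPs, paths invented).
SAMPLE = """\
2012 May 25 14:50:39 (web01) 192.0.2.10->rootcheck
Rule: 519 (level 7) -> 'System Audit: Vulnerable web application found.'
System Audit: Web vulnerability - Outdated WordPress installation. File: /var/www/blog/wp-includes/version.php. Reference: http://sucuri.net/latest-versions .

2012 May 25 14:52:10 (web02) 192.0.2.11->rootcheck
Rule: 519 (level 7) -> 'System Audit: Vulnerable web application found.'
System Audit: Web vulnerability - Outdated WordPress installation. File: /srv/site/wp-includes/version.php. Reference: http://sucuri.net/latest-versions .

2012 May 25 15:01:44 (web01) 192.0.2.10->rootcheck
Rule: 519 (level 7) -> 'System Audit: Vulnerable web application found.'
System Audit: Web vulnerability - Outdated WordPress installation. File: /var/www/blog/wp-includes/version.php. Reference: http://sucuri.net/latest-versions .
""".splitlines()

if __name__ == "__main__":
    for agent, findings in sorted(web_vulns_by_agent(SAMPLE).items()):
        for path, what in findings:
            print(f"{agent}\t{path}\t{what}")
```

On a live manager, pass the open `/var/ossec/logs/alerts.log` file object to `web_vulns_by_agent` instead of `SAMPLE`.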
