Unfortunately I don't need srcip, I need the hostname that was generated in the log file. Is there any possibility to parse it? At the moment I can't regex the whole log file, only starting from "[Wed Sep".
On Monday, September 17, 2012, 17:07:23 UTC+4, dan (ddpbsd) wrote:
>
> On Mon, Sep 17, 2012 at 4:52 AM, kay kay <[email protected]> wrote:
> > I need to pass hostname to the active-response script. Here is the log test:
> >
> > **Phase 1: Completed pre-decoding.
> > full event: 'Sep 17 12:24:57 someservername.local [Wed Sep 5 10:31:37 2012] "Failed to send <8937140> messages to remote log server <192.168.0.1:3621> "'
> > hostname: 'someservername.local'
> > program_name: '(null)'
> > log: '[Wed Sep 5 10:31:37 2012] "Failed to send <8937140> messages to remote log server <192.168.0.1:3621> "'
> >
> > I tried to use the following construction:
> >
> > <command>
> > <name>log_error</name>
> > <executable>test.sh</executable>
> > <timeout_allowed>no</timeout_allowed>
> > <expect>hostname</expect>
> > </command>
> >
> > But ossec doesn't pass the hostname to the script.
> > /var/ossec/logs/active-responses.log:
> > the ip address is /var/ossec/active-response/bin/test.sh add - - 1347870299.890849 100018 /var/log/remote.log
> >
> > P.S. Here is the original text message in /var/log/remote.log:
> >
> > Sep 17 12:24:57 someservername.local [Wed Sep 5 10:31:37 2012] "Failed to send <8937140> messages to remote log server <192.168.0.1:3621> "
>
> The only things you can really send to AR are srcip and user. Also, hostname doesn't show up in the log message, only the pre-decoded bits at the beginning.
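Two things in the thread are worth seeing in running code: where the hostname actually lives after OSSEC's syslog pre-decoding (in the header, not in the "log" field the rule regex runs over), and what an active-response script receives on its command line when the rule cannot supply srcip or user. The script below is an added example written for this page, not OSSEC's own decoder or any code from the thread. It assumes a classic syslog line ("Mon DD HH:MM:SS host rest"), approximates the program_name rule as "rest starts with name: or name[pid]:", and takes the argument order of an active-response script (action, user, srcip, alert id, rule id, log file) from the active-responses.log line quoted above; the sample lines are constructed from that message.

```shell
#!/bin/sh
# Added example, not OSSEC's code. Mirrors the "Phase 1: Completed pre-decoding"
# output quoted in the thread and the argument list an active-response script sees.

# Constructed sample: the line from /var/log/remote.log quoted in the message.
SAMPLE='Sep 17 12:24:57 someservername.local [Wed Sep 5 10:31:37 2012] "Failed to send <8937140> messages to remote log server <192.168.0.1:3621> "'

# predecode LINE FIELD  -> prints one of: hostname | program_name | log
# Approximation of the syslog pre-decoder: strip "Mon DD HH:MM:SS ", take the
# next token as hostname, then treat "name:" / "name[pid]:" as program_name.
# For the sample the text after the host starts with "[Wed", so program_name
# stays "(null)" and the whole remainder is the log field, as in ossec-logtest.
predecode() {
    line=$1
    field=$2
    # Day of month may be space-padded ("Sep  5"), hence " +".
    rest=$(printf '%s\n' "$line" | sed -E 's/^[A-Z][a-z]{2} +[0-9]{1,2} [0-9]{2}:[0-9]{2}:[0-9]{2} //')
    host=${rest%% *}
    rest=${rest#* }
    first=${rest%% *}
    case $first in
        *:)
            prog=${first%:}        # "sshd[123]:" -> "sshd[123]"
            prog=${prog%%\[*}      # "sshd[123]"  -> "sshd"
            rest=${rest#* }        # log field excludes the program name
            ;;
        *)
            prog='(null)'
            ;;
    esac
    case $field in
        hostname)     printf '%s\n' "$host" ;;
        program_name) printf '%s\n' "$prog" ;;
        log)          printf '%s\n' "$rest" ;;
    esac
}

# ar_check ACTION USER SRCIP ALERT_ID RULE_ID LOGFILE
# Argument order assumed from the logged invocation
# "test.sh add - - 1347870299.890849 100018 /var/log/remote.log".
# Returns 1 when both user and srcip arrived as "-", i.e. the rule produced
# neither value, which is what <expect>hostname</expect> yields.
ar_check() {
    user=$2
    srcip=$3
    if [ "$user" = "-" ] && [ "$srcip" = "-" ]; then
        return 1
    fi
    return 0
}

# Usage: show where the hostname sits, then check a pair of AR argument lists.
predecode "$SAMPLE" hostname
predecode "$SAMPLE" program_name
ar_check add - - 1347870299.890849 100018 /var/log/remote.log \
    || echo "no user/srcip for this event: the rule supplied neither"
```

Running the pre-decoder on the sample shows the hostname only in the header field and the log field beginning at "[Wed Sep", which is the part of the event a rule regex can match; ar_check shows the "- -" an AR script gets for the quoted configuration, so a script should test for "-" before acting on those positions.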
