On Mon, Sep 17, 2012 at 9:14 AM, kay kay <[email protected]> wrote:
> Unfortunately I don't need srcip, I need the hostname which was generated in the log
> file. Is there any possibility to parse it? At the moment I can't regexp the
> whole log file but only starting from "[Wed Sep"
>

The only way will be to modify the source.

> On Monday, September 17, 2012 17:07:23 UTC+4, dan (ddpbsd) wrote:
>>
>> On Mon, Sep 17, 2012 at 4:52 AM, kay kay <[email protected]> wrote:
>> > I need to pass the hostname to the active-response script. Here is the log
>> > test:
>> >
>> > **Phase 1: Completed pre-decoding.
>> > full event: 'Sep 17 12:24:57 someservername.local [Wed Sep 5 10:31:37 2012] "Failed to send <8937140> messages to remote log server <192.168.0.1:3621> "'
>> > hostname: 'someservername.local'
>> > program_name: '(null)'
>> > log: '[Wed Sep 5 10:31:37 2012] "Failed to send <8937140> messages to remote log server <192.168.0.1:3621> "'
>> >
>> > I tried to use the following construction:
>> >
>> > <command>
>> >   <name>log_error</name>
>> >   <executable>test.sh</executable>
>> >   <timeout_allowed>no</timeout_allowed>
>> >   <expect>hostname</expect>
>> > </command>
>> >
>> > But ossec doesn't pass the hostname to the script.
>> > /var/ossec/logs/active-responses.log:
>> > the ip address is /var/ossec/active-response/bin/test.sh add - - 1347870299.890849 100018 /var/log/remote.log
>> >
>> > P.S. Here is the original text message in /var/log/remote.log:
>> >
>> > Sep 17 12:24:57 someservername.local [Wed Sep 5 10:31:37 2012] "Failed to send <8937140> messages to remote log server <192.168.0.1:3621> "
>>
>> The only things you can really send to AR are srcip and user. Also,
>> hostname doesn't show up in the log message, only the pre-decoded bits
>> at the beginning.
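The argument contract dan describes, shown as an added example that is not part of the thread and not OSSEC's own code: a minimal POSIX sh active-response script that reads the positional arguments OSSEC hands to test.sh and refuses to act when the srcip slot holds the "-" placeholder instead of an address. The field names (action, user, srcip, alert id, rule id, filename) are my reading of the logged invocation quoted above, `test.sh add - - 1347870299.890849 100018 /var/log/remote.log`, and are an assumption; the invocation used in the comments is constructed from that log line.

```shell
#!/bin/sh
# Added example, not from the thread and not OSSEC's own script.
# OSSEC invokes an active-response executable with positional arguments;
# the order assumed here (an assumption, read off the thread's log line
#   test.sh add - - 1347870299.890849 100018 /var/log/remote.log)
# is: action user srcip alert_id rule_id filename.
# A "-" means the decoder never produced that field, which is exactly what
# happens for srcip and user when the rule only matched a hostname.

# ar_field NAME VALUE -> prints NAME=VALUE, or NAME=<unavailable> for "-"/empty.
ar_field() {
    if [ "$2" = "-" ] || [ -z "$2" ]; then
        printf '%s=<unavailable>\n' "$1"
    else
        printf '%s=%s\n' "$1" "$2"
    fi
}

# is_ipv4 VALUE -> returns 0 only for a dotted-quad IPv4 address with each
# octet in 0..255; anything else (including the "-" placeholder) returns 1.
is_ipv4() {
    addr=$1
    case "$addr" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    oldifs=$IFS
    IFS=.
    set -- $addr
    IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# ar_decide ACTION USER SRCIP ALERT_ID RULE_ID FILENAME
# Prints every parsed field, then returns 0 only when srcip is a real
# address the response could act on; otherwise reports why and returns 1.
ar_decide() {
    ar_field action   "$1"
    ar_field user     "$2"
    ar_field srcip    "$3"
    ar_field alert_id "$4"
    ar_field rule_id  "$5"
    ar_field filename "$6"
    if ! is_ipv4 "$3"; then
        echo "srcip was not decoded (got '$3'); nothing to act on" >&2
        return 1
    fi
    return 0
}

# When run directly as an AR script, decide on whatever OSSEC passed in.
# Constructed invocation matching the thread's log entry:
#   sh test.sh add - - 1347870299.890849 100018 /var/log/remote.log
if [ "$#" -gt 0 ]; then
    ar_decide "$@"
fi
```

With the thread's arguments the script prints `srcip=<unavailable>` and exits non-zero without doing anything, which is the safe behaviour when `<expect>` names a field the decoder did not fill; the hostname kay wants is only in the pre-decoded output and never reaches these arguments.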
