I have found a solution. We can build a psql query in the active-response script and get the full log message from the PostgreSQL database:
# $ALERTID is spliced straight into the SQL text here, and at the point where it is
# expanded it sits outside the double quotes, so the shell also word-splits it.
SQL_COMMAND="SELECT alertid,full_log FROM alert,data WHERE alertid = '"$ALERTID"' AND data.id = alert.id AND data.server_id = alert.server_id"
ALERTTEXT=$(/usr/bin/psql -h 127.0.0.1 -U ossec_user -d ossecdb -c "$SQL_COMMAND")

But sometimes the active response is faster than the DB transaction, and there may be no data yet.

On Monday, September 17, 2012, 19:03:20 UTC+4, dan (ddpbsd) wrote:
>
> On Mon, Sep 17, 2012 at 10:55 AM, kay kay <[email protected]> wrote:
> > Well. Is it possible to run the ossec decoder with active-response on the remote
> > ossec-client directly? In that case I don't need to use the syslog-ng collector
> > and the "hostname" variable.
> >
>
> I don't understand the question. You can run a standalone instance of
> OSSEC. Either way, you don't _need_ syslog-ng.
>
> Part of the problem might be that you haven't told us your goal, or
> your setup. I'm getting an idea of what's going on here, but I could
> be way off. (I'm hoping I'm way off)
>
> > Where should I put the rules? On the ossec-server, and the rules should be
> > automatically deployed on each remote client? Or should I configure each
> > client to use these rules?
> >
>
> Agents do not get rules, only the server and standalone instances. The
> agents send the log messages to the server, which then checks them.
>
> > On Monday, September 17, 2012, 17:20:14 UTC+4, dan (ddpbsd) wrote:
> >>
> >> On Mon, Sep 17, 2012 at 9:14 AM, kay kay <[email protected]> wrote:
> >> > Unfortunately I don't need srcip, I need the hostname which was generated in
> >> > the log file. Is there any possibility to parse it? At the moment I can't regexp
> >> > the whole log file but only starting from "[Wed Sep"
> >> >
> >>
> >> The only way will be to modify the source.
> >>
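As an added example that is not part of the original post and not OSSEC's own code: an active-response script that does the same lookup, but hands the alert id to psql as a variable (quoted by psql itself via :'alertid' instead of being pasted into the SQL text by the shell), refuses any id that does not have the epoch.counter shape OSSEC alert ids have, and polls a few times to cover the case where the script runs before the insert for the alert has committed. Assumed rather than taken from the thread: that ossec-execd passes the alert id as the fourth argument (action, user, srcip, alertid, ...), the same ossec_user/ossecdb/127.0.0.1 connection and alert/data tables the post uses, and a psql that interpolates :'var' for queries read from stdin (which is why the SQL is fed through a heredoc rather than -c). PSQL, DBHOST and the other settings can be overridden from the environment.

```shell
#!/bin/sh
# Added example, not from the original thread or from OSSEC: look up the
# full_log for one alert in ossecdb from an active-response script.
# Assumptions (not stated on the page): ossec-execd passes
#   action user srcip alertid ...   so the alert id is $4;
# the database and tables are the ones the poster used; psql interpolates
# :'var' for queries read from stdin (so the SQL goes in via a heredoc,
# not -c). Override PSQL/DBHOST/DBUSER/DBNAME from the environment if needed.

PSQL="${PSQL:-/usr/bin/psql}"
DBHOST="${DBHOST:-127.0.0.1}"
DBUSER="${DBUSER:-ossec_user}"
DBNAME="${DBNAME:-ossecdb}"
MAX_TRIES="${MAX_TRIES:-5}"      # how many times to poll for the row
RETRY_SLEEP="${RETRY_SLEEP:-1}"  # seconds between polls

# OSSEC alert ids have the shape "1347890600.12345" (epoch.counter).
# Anything else is refused before it gets near the database: this is the
# only externally supplied value the script puts into a query.
valid_alertid() {
    case "$1" in
        ""|*[!0-9.]*|.*|*.|*.*.*) return 1 ;;   # empty, junk chars, bad dots
        *.*) return 0 ;;                        # digits.digits
        *) return 1 ;;                          # no dot at all
    esac
}

# One lookup. Prints "alertid|full_log" (unaligned, no header, psqlrc
# ignored) or nothing if the row has not been inserted yet. The id is
# passed with -v and quoted by psql itself via :'alertid'; the shell
# never splices it into the SQL text.
query_once() {
    "$PSQL" -X -q -A -t -v ON_ERROR_STOP=1 -v alertid="$1" \
        -h "$DBHOST" -U "$DBUSER" -d "$DBNAME" <<'EOF'
SELECT alert.alertid, data.full_log
  FROM alert, data
 WHERE alert.alertid = :'alertid'
   AND data.id = alert.id
   AND data.server_id = alert.server_id;
EOF
}

# The race the poster hit: the active response can run before the
# insert for this alert has committed, so a single query may be empty.
# Poll up to MAX_TRIES times. Exit status: 0 found, 1 never appeared,
# 2 malformed id, 3 psql/connection error.
fetch_full_log() {
    alertid="$1"
    valid_alertid "$alertid" || { echo "bad alert id: $alertid" >&2; return 2; }
    tries=0
    while [ "$tries" -lt "$MAX_TRIES" ]; do
        row=$(query_once "$alertid") || return 3
        if [ -n "$row" ]; then
            printf '%s\n' "$row"
            return 0
        fi
        tries=$((tries + 1))
        sleep "$RETRY_SLEEP"
    done
    return 1
}

# Entry point when ossec-execd runs the script (assumed argument layout).
if [ "$#" -ge 4 ]; then
    if full=$(fetch_full_log "$4"); then
        printf 'alert %s full_log: %s\n' "$4" "${full#*|}"
    else
        echo "alert $4: no full_log after $MAX_TRIES tries" >&2
        exit 1
    fi
fi
```

The polling loop only papers over the race; if the row still has to be there on the first try, the cleaner fix is to make the decision in the script from the data the database already holds rather than from the alert id alone, or to raise MAX_TRIES and RETRY_SLEEP to match how long ossec-dbd takes to commit on your server.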
