Thanks to Ryan Schulze's contribution, also Darius Jahandarie, ddpbsd, and Vic Hargrave.
I started integrating several WUI patches into a BitBucket repository: https://bitbucket.org/jbcheng/ossec-wui/.

(1) Updated logo, removed PayPal button, wider display format, easier-to-read events output.
(2) Updated broken rule ID link, fixed "Src IP:" error, and added "User:" if available.
(3) Fixed integrity check file regexes to allow a period in agent names, and 'any' for the IP address.
(4) Fixed fseek() error.

It is still a work in progress. You are welcome to download the tip from BitBucket and try it.

On Saturday, February 2, 2013 3:01:00 PM UTC-8, Ryan Schulze wrote:
> Hi Vilius,
>
> If you are using the OSSEC Web UI 0.3 download from ossec.net you may want to have a look at some of the patches here on the list, e.g. http://osdir.com/ml/ossec-list/2012-06/msg00161.html
>
> The log format changed with version OSSEC 2.6 and broke some of the functionality of the Web UI. I don't use it any more, so I can't say if the changes still work with 2.7, but as long as the log formatting is the same, it should.
>
> On 2/2/2013 1:23 PM, Vilius Benetis wrote:
> > Hey,
> >
> > I try to understand where exactly ossec-wui is parsing srcip, as I often have bad parsing, for example:
> >
> > 2013 Feb 02 10:48:42 Rule Id: 2901 <http://www.ossec.net/wiki/index.php/Rule:2901> level: 3
> > Location: ubuntu->/var/log/dpkg.log
> > Src IP: 02 10:48:41 install libapr1 <none> 1.4.6-1
> > New dpkg (Debian Package) requested to install.
> >
> > ** Alert 1359830922.3553: - syslog,dpkg,
> > 2013 Feb 02 10:48:42 ubuntu->/var/log/dpkg.log
> > Rule: 2901 (level 3) -> 'New dpkg (Debian Package) requested to install.'
> > 2013-02-02 10:48:41 install libaprutil1 <none> 1.3.12+dfsg-3
> >
> > 2013 Feb 02 10:48:32 Rule Id: 5501 <http://www.ossec.net/wiki/index.php/Rule:5501> level: 3
> > Location: ubuntu->/var/log/auth.log
> > Src IP: 0:48:32 ubuntu sudo: pam_unix(sudo:session): session opened for user root by user(uid=1000)
> > Login session opened.
> >
> > ** Alert 1359830922.3117: - syslog,dpkg,
> > 2013 Feb 02 10:48:42 ubuntu->/var/log/dpkg.log
> > Rule: 2901 (level 3) -> 'New dpkg (Debian Package) requested to install.'
> > 2013-02-02 10:48:41 install libcap2 <none> 1:2.22-1ubuntu3
> >
> > This comes from the local agent, but equally strange results sometimes come from remotes as well.
> >
> > I believe that sometimes the IP address cannot be extracted, but then most probably there should be nothing in this field, right?
> >
> > My programming/debugging skills are very rusty, but if it is not too tricky, I could try to adjust the regexp not to fire such results, which messes up statistics and filtering.
> >
> > --
> > /Vilius
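The parsing problem Vilius describes (a date fragment or a chunk of the raw log line landing in "Src IP:") comes from matching the field loosely somewhere inside the alert text. The following is an added example written for this thread, not the ossec-wui code: the WUI's own regex is not shown above and is not reproduced here, and the example is in Python rather than the WUI's PHP. It reads alerts.log blocks in the layout quoted in the thread, takes "Src IP:" and "User:" only from their own anchored lines between the rule line and the raw log, validates the value as an IP address so the field stays empty when no address is present, and handles the location line for remote agents, whose name may contain periods and whose IP may be the literal 'any' (the cases the integrity-check regex fix above addresses). The sample alerts are constructed: the dpkg block copies the layout quoted in the thread, the sshd and syscheck blocks are invented for the example.

```python
# Added example for the ossec-list thread; not ossec-wui code.  Sample data is
# constructed (dpkg block copies the thread's layout, the others are invented).
import ipaddress
import re
from collections import Counter
from dataclasses import dataclass, field
from typing import List, Optional

SAMPLE_ALERTS = """\
** Alert 1359830922.3553: - syslog,dpkg,
2013 Feb 02 10:48:42 ubuntu->/var/log/dpkg.log
Rule: 2901 (level 3) -> 'New dpkg (Debian Package) requested to install.'
2013-02-02 10:48:41 install libaprutil1 <none> 1.3.12+dfsg-3

** Alert 1359830999.4000: - syslog,sshd,authentication_failed,
2013 Feb 02 10:50:01 (web01.example.com) 192.0.2.10->/var/log/auth.log
Rule: 5716 (level 5) -> 'SSHD authentication failed.'
Src IP: 198.51.100.7
User: root
Feb  2 10:50:01 web01 sshd[2211]: Failed password for root from 198.51.100.7 port 4242 ssh2

** Alert 1359831000.5000: - ossec,syscheck,
2013 Feb 02 10:50:10 (web01.example.com) any->syscheck
Rule: 550 (level 7) -> 'Integrity checksum changed.'
Integrity checksum changed for: '/etc/passwd'
"""

# Every field is matched against a whole, anchored line, so nothing inside the
# raw log line (dates, package versions, syslog text) can become a field value.
HEADER_RE = re.compile(r"^\*\* Alert (?P<id>\d+\.\d+):.*?- (?P<groups>.*)$")
# "(agent.name) ip->location" for remote agents, "host->location" locally; the
# agent name may contain periods and the agent IP may be the literal 'any'.
LOCATION_RE = re.compile(
    r"^(?P<ts>\d{4} \w{3} \d{2} \d{2}:\d{2}:\d{2}) "
    r"(?:\((?P<agent>[^)]+)\) (?P<agent_ip>\S+)|(?P<host>\S+))->(?P<location>.*)$"
)
RULE_RE = re.compile(r"^Rule: (?P<rule>\d+) \(level (?P<level>\d+)\) -> '(?P<desc>.*)'$")
SRC_IP_RE = re.compile(r"^Src IP: (?P<ip>\S+)$")
USER_RE = re.compile(r"^User: (?P<user>.+)$")


@dataclass
class Alert:
    alert_id: str
    groups: List[str]
    timestamp: str
    agent: str                      # agent name, or the local hostname
    agent_ip: Optional[str]         # None locally; may be the literal 'any'
    location: str
    rule_id: int
    level: int
    description: str
    src_ip: Optional[str] = None    # only ever set from an explicit "Src IP:" line
    user: Optional[str] = None
    log_lines: List[str] = field(default_factory=list)


def valid_ip(value: Optional[str], allow_any: bool = False) -> Optional[str]:
    """Normalised IPv4/IPv6 address, 'any' when allowed, otherwise None (never free text)."""
    if value is None or (allow_any and value == "any"):
        return value
    try:
        return str(ipaddress.ip_address(value))
    except ValueError:
        return None


def parse_alerts(text: str) -> List[Alert]:
    alerts: List[Alert] = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = block.splitlines()
        hdr = HEADER_RE.match(lines[0]) if len(lines) > 2 else None
        loc = LOCATION_RE.match(lines[1]) if hdr else None
        rule = RULE_RE.match(lines[2]) if loc else None
        if not rule:
            continue  # unrecognised block: skip it rather than guess at fields
        alert = Alert(
            alert_id=hdr.group("id"),
            groups=[g for g in hdr.group("groups").split(",") if g],
            timestamp=loc.group("ts"),
            agent=loc.group("agent") or loc.group("host"),
            agent_ip=valid_ip(loc.group("agent_ip"), allow_any=True),
            location=loc.group("location"),
            rule_id=int(rule.group("rule")),
            level=int(rule.group("level")),
            description=rule.group("desc"),
        )
        # "Src IP:" / "User:" sit between the rule line and the raw log; once the
        # log starts, no later line is treated as metadata.
        in_metadata = True
        for line in lines[3:]:
            src = SRC_IP_RE.match(line) if in_metadata else None
            usr = USER_RE.match(line) if in_metadata else None
            if src:
                alert.src_ip = valid_ip(src.group("ip"))
            elif usr:
                alert.user = usr.group("user")
            else:
                in_metadata = False
                alert.log_lines.append(line)
        alerts.append(alert)
    return alerts


def src_ip_counts(alerts: List[Alert]) -> Counter:
    """Per-source-IP statistics; alerts without a Src IP are simply not counted."""
    return Counter(a.src_ip for a in alerts if a.src_ip)


if __name__ == "__main__":
    for a in parse_alerts(SAMPLE_ALERTS):
        print(f"{a.alert_id} rule={a.rule_id} agent={a.agent} agent_ip={a.agent_ip} src_ip={a.src_ip} user={a.user}")
    print(src_ip_counts(parse_alerts(SAMPLE_ALERTS)))
```

Run as a script it prints one line per alert; the dpkg alert has src_ip=None rather than a date fragment, and the statistics counter only ever sees real addresses. The same idea carries over to the WUI's PHP: anchor each field regex to its own line with ^ and $ and validate the captured value before using it in filters or counts.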
