Hello, I am working on generating a summarized report for auditing purposes. Currently ossec-reportd has some pretty good options, but they all require additional work as far as seeing the top alerts and then digging deeper into the raw logs to see the username or additional information. Currently I am using this command.
sudo cat /var/ossec/logs/alerts/alerts.log | sudo /var/ossec/bin/ossec-reportd -n "Level 10+ Alerts" -f level 10 -r rule location -r location user

The related searches give me the following summarized sections.

Related entries for 'Location':
------------------------------------------------
server1->/logs/test.log |20 |
    user: 'root'
    user: 'admin'
    user: 'joe.bob'
server8->/logs/test.log |15 |
    user: 'root'

Related entries for 'Rule':
------------------------------------------------
5720 - Multiple SSHD authentication failures. |25 |
    location: 'server1->/logs/test.log'
    location: 'server8->/logs/test.log'
40112 - Multiple authentication failures fol.. |10 |
    location: 'server1->/logs/test.log'
    location: 'server8->/logs/test.log'

Is there any way I can combine these into 1 section? I'd like to see related entries for rule and then have it break down per location and per username. I just want 1 section to look at and not have to ping-pong back and forth between other raw logs or summarized sections.

Thanks,
Eric
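An added example, not from the post or from the OSSEC project, of a small Python script that builds the one nested section Eric asks for directly from alerts.log: alerts at level 10 or above are grouped by rule, then by location, then by user. The sample records are constructed in the standard alerts.log layout (a "** Alert" header, a timestamp plus location line, a "Rule:" line and an optional "User:" line); the script assumes that layout and nothing else.

```python
import re
from collections import defaultdict
# Constructed sample in the layout ossec-analysisd writes to alerts.log (not a real capture).
SAMPLE_ALERTS = """\
** Alert 1386348628.1234: - syslog,sshd,authentication_failures,
2013 Dec 06 10:30:28 server1->/logs/test.log
Rule: 5720 (level 10) -> 'Multiple SSHD authentication failures.'
User: root
** Alert 1386348640.1300: - syslog,sshd,authentication_failures,
2013 Dec 06 10:30:40 server1->/logs/test.log
Rule: 5720 (level 10) -> 'Multiple SSHD authentication failures.'
User: admin
** Alert 1386348655.1400: - syslog,sshd,authentication_failures,
2013 Dec 06 10:30:55 server8->/logs/test.log
Rule: 5720 (level 10) -> 'Multiple SSHD authentication failures.'
User: root
** Alert 1386348660.1500: - syslog,sshd,authentication_success,
2013 Dec 06 10:31:00 server1->/logs/test.log
Rule: 5715 (level 3) -> 'SSHD authentication success.'
User: joe.bob
"""

# Location is everything after the timestamp, so "(agent) ip->file" forms also parse.
LOCATION_RE = re.compile(r"^\d{4} \w{3} \d{2} \d{2}:\d{2}:\d{2} (.+)$", re.M)
RULE_RE = re.compile(r"^Rule: (\d+) \(level (\d+)\) -> '([^']*)'$", re.M)
USER_RE = re.compile(r"^User: (\S+)$", re.M)

def parse_alerts(text):  # yields (rule_id, desc, level, location, user) per alert block
    for block in text.split("** Alert")[1:]:
        loc, rule = LOCATION_RE.search(block), RULE_RE.search(block)
        if not loc or not rule:
            continue  # malformed block: skip it rather than miscount
        user = USER_RE.search(block)
        yield int(rule[1]), rule[3], int(rule[2]), loc[1], user[1] if user else "(none)"

def summarize(text, min_level=10):  # rule -> location -> user -> count
    tree = defaultdict(lambda: defaultdict(lambda: defaultdict(int)))
    for rule_id, desc, level, location, user in parse_alerts(text):
        if level >= min_level:  # same cut as "-f level 10"
            tree[f"{rule_id} - {desc}"][location][user] += 1
    return tree

def render(tree):  # one section per rule, broken down by location, then by user
    out = []
    for rule, locs in sorted(tree.items()):
        out.append(f"{rule} |{sum(sum(u.values()) for u in locs.values())}|")
        for loc, users in sorted(locs.items()):
            out.append(f"  {loc} |{sum(users.values())}|")
            out += [f"    user: '{u}' |{n}|" for u, n in sorted(users.items())]
    return "\n".join(out)
```

Calling `render(summarize(open("/var/ossec/logs/alerts/alerts.log").read()))` produces the combined section for a real file.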
