I guess I need to start a new branch and work on a way to do this :-)

On Tuesday, June 17, 2014 2:57:34 PM UTC-7, Michael Starks wrote:
>
> On 2014-06-17 16:31, Janelle wrote:
> > Trying to send "archives" to a syslog server for archival, and it
> > can't handle all the extraneous code.
>
> Ah, yes. I have done this as well and had this problem with keepalives
> and such. Another issue is that the ossec log format isn't syslog. It
> looks like syslog but it's not. Then there's this:
>
> Agentless:
> yyyy mmm dd hh:mm:ss (script_name) username->agentless ossec: agentless:
> Change detected
>
> Command output:
> yyyy mmm dd hh:mm:ss agentname->command
>
> Syscheck:
> yyyy mmm dd hh:mm:ss (agent_name) agent_ip->syscheck
>
> Windows:
> yyyy mmm dd hh:mm:ss (agent_name) agent_ip->log_name log_name_again
>
> Agent IP could be the IP or it could be "any."
>
> What I wish was that:
>
> 1. This was syslog formatted (or something else nice like JSON)
> 2. In the syslog header, the hostname could be either the agent name or
> the actual hostname
> 3. Newlines were removed or otherwise handled gracefully
>
> And/or that raw logs could be sent over to a syslog server like alerts
> are now, in addition to being analyzed. You could even strip off the
> ossec header at that point and the syslog server wouldn't know the
> difference.
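The archive header shapes Michael lists above, split into fields and re-emitted as the JSON or plain syslog lines his wish list asks for, as an added example that is not part of this thread or of OSSEC's own code. The regex, the field names and the sample records are constructed from the shapes quoted in the message and are an assumption, not OSSEC's actual grammar; "any" is treated as an unknown address and embedded newlines are escaped rather than passed through.

```python
import json
import re

# Header shapes quoted in the thread (constructed approximation, "loc" is
# whatever follows "->"):
#   yyyy mmm dd hh:mm:ss (agent_name) agent_ip->loc rest-of-record
#   yyyy mmm dd hh:mm:ss agentname->loc rest-of-record
# For agentless records the field after the parenthesised name is a
# username rather than an IP, so it is kept raw under "source".
HEADER_RE = re.compile(
    r"^(?P<ts>\d{4} [A-Za-z]{3} \d{2} \d{2}:\d{2}:\d{2}) "
    r"(?:\((?P<agent>[^)]+)\) (?P<source>\S+)|(?P<local>\S+))"
    r"->(?P<loc>\S+)(?: (?P<msg>.*))?$",
    re.DOTALL,  # the payload may span embedded newlines
)


def parse_archive_record(record):
    """Split one OSSEC archive record into fields; None if no header matches."""
    m = HEADER_RE.match(record.rstrip("\n"))
    if m is None:
        return None
    source = m.group("source")
    return {
        "timestamp": m.group("ts"),
        "agent": m.group("agent") or m.group("local"),
        # "any" is not an address (per the thread), so report it as unknown
        "source": None if source == "any" else source,
        "location": m.group("loc"),
        # newline handling: escape so the payload cannot split a syslog line
        "message": (m.group("msg") or "").replace("\n", "\\n"),
    }


def to_json(record):
    """One JSON object per record, for a collector that prefers JSON."""
    fields = parse_archive_record(record)
    return None if fields is None else json.dumps(fields, sort_keys=True)


def to_syslog(record, facility=1, severity=6):
    """BSD-style (RFC 3164) line: agent name as hostname, OSSEC header
    stripped. The year is dropped because the BSD timestamp carries none."""
    f = parse_archive_record(record)
    if f is None:
        return None
    pri = facility * 8 + severity
    return "<%d>%s %s ossec[%s]: %s" % (
        pri, f["timestamp"][5:], f["agent"], f["location"], f["message"])
```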
