We would very much welcome it. Some suggestions, but nothing more for the 
branch :). 

Agent -> master: 

JSON, and use the first character '{' to pick the new code path for processing the messages. 
This will allow the master to work with legacy agents and new agents cleanly.  

Master->agent: 

This is harder, but it is something I am working on now as part of the work on active 
response. The reason it is harder is that unless we change the method of 
encryption/communication at the same time, we have no concept of agent version, 
so no idea what formats of messages are acceptable.  I still don't know the 
best method for dealing with this and would love ideas.  

Logall: 

Side note: this log-all feature comes up all the time, and I think it is confusing 
and maybe something we should solve better.  But I am worried about turning 
ossec from a security tool into a log daemon, as other tools have solved that problem.  


> On Jun 18, 2014, at 12:30 AM, "Janelle" <[email protected]> wrote:
> 
> I guess I need to start a new branch and work on a way to do this :-)
> 
>> On Tuesday, June 17, 2014 2:57:34 PM UTC-7, Michael Starks wrote:
>> On 2014-06-17 16:31, Janelle wrote: 
>> > Trying to send "archives" to a syslog server for archival, and it 
>> > can't handle all the extraneous code. 
>> 
>> Ah, yes. I have done this as well and had this problem with keepalives 
>> and such. Another issue is that the ossec log format isn't syslog. It 
>> looks like syslog but it's not. Then there's this: 
>> 
>> Agentless: 
>> yyyy mmm dd hh:mm:ss (script_name) username->agentless ossec: agentless: 
>> Change detected 
>> 
>> Command output: 
>> yyyy mmm dd hh:mm:ss agentname->command 
>> 
>> Syscheck: 
>> yyyy mmm dd hh:mm:ss (agent_name) agent_ip->syscheck 
>> 
>> Windows: 
>> yyyy mmm dd hh:mm:ss (agent_name) agent_ip->log_name log_name_again 
>> 
>> Agent IP could be the IP or it could be "any." 
>> 
>> What I wish was that: 
>> 
>> 1. This was syslog formatted (or something else nice like JSON) 
>> 2. In the syslog header, the hostname could be either the agent name or 
>> the actual hostname 
>> 3. Newlines were removed or otherwise handled gracefully 
>> 
>> And/or that raw logs could be sent over to a syslog server like alerts 
>> are now, in addition to being analyzed. You could even strip off the 
>> ossec header at that point and the syslog server wouldn't know the 
>> difference.
> 
> -- 
> 
> --- 
> You received this message because you are subscribed to the Google Groups 
> "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an 
> email to [email protected].
> For more options, visit https://groups.google.com/d/optout.

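Two points in the thread above lend themselves to a worked example: the first-character '{' dispatch between JSON and legacy agent messages, and the archive-line shapes Michael lists together with the wish that they were syslog-formatted, carried a sensible hostname, and handled embedded newlines. The Python below is an added example, not code from OSSEC or from anyone in the thread. The sample lines are constructed in the shapes described above, and the JSON branch's key names (timestamp, agent, agent_ip, location, full_log) are an assumption for this example, not an OSSEC schema.

```python
import json
import re
from typing import Dict, List

# Constructed sample archive lines in the shapes listed in the thread; the
# names, IPs and payloads are made up for this example.
SAMPLE_LINES: List[str] = [
    "2014 Jun 17 16:31:02 (webserver01) 10.0.0.5->syscheck Integrity checksum changed for: '/etc/hosts'",
    "2014 Jun 17 16:31:03 (router-check) ossec->agentless ossec: agentless: Change detected",
    "2014 Jun 17 16:31:04 manager->command Filesystem  Use%\n/dev/sda1  91%",
    "2014 Jun 17 16:31:05 (winbox) any->WinEvtLog WinEvtLog: Security: AUDIT_SUCCESS(4624)",
    # Hypothetical JSON-format line; the key names are an assumption for this example.
    '{"timestamp": "2014 Jun 17 16:31:06", "agent": "newagent", "agent_ip": "10.0.0.9", '
    '"location": "syscheck", "full_log": "File added"}',
]

# Legacy archive header: "yyyy mmm dd hh:mm:ss [(agent_name) ]source->location rest".
# DOTALL lets the message part span embedded newlines (command output does that).
LEGACY_RE = re.compile(
    r"^(?P<ts>\d{4} [A-Za-z]{3} \d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?:\((?P<agent>[^)]+)\) )?"
    r"(?P<source>\S+?)->(?P<location>\S+)"
    r"(?: (?P<msg>.*))?$",
    re.DOTALL,
)


def parse_archive_line(line: str) -> Dict[str, str]:
    """Dispatch on the first character: '{' selects the JSON path, anything
    else the legacy text path. Both return the same flat key set so the
    output side does not care which agent generation produced the line."""
    line = line.rstrip("\r\n")
    if line.lstrip().startswith("{"):
        obj = json.loads(line)
        return {
            "ts": str(obj.get("timestamp", "")),
            "agent": str(obj.get("agent", "")),
            "source": str(obj.get("agent_ip", "")),
            "location": str(obj.get("location", "")),
            "msg": str(obj.get("full_log", "")),
            "format": "json",
        }
    m = LEGACY_RE.match(line)
    if m is None:
        # Refuse rather than guess: a line that is neither JSON nor a legacy
        # header should be visible as a parse failure, not silently forwarded.
        raise ValueError(f"unrecognised archive line: {line[:40]!r}")
    d = m.groupdict()
    return {
        "ts": d["ts"],
        "agent": d["agent"] or "",
        "source": d["source"],
        "location": d["location"],
        "msg": d["msg"] or "",
        "format": "legacy",
    }


def syslog_hostname(rec: Dict[str, str]) -> str:
    """Prefer the agent name; fall back to the source field, and to 'ossec'
    when the source is only the placeholder 'any' (wish #2 in the thread)."""
    if rec["agent"]:
        return rec["agent"]
    if rec["source"] and rec["source"] != "any":
        return rec["source"]
    return "ossec"


def to_syslog(rec: Dict[str, str], facility: int = 1, severity: int = 6) -> str:
    """Render one record as a single RFC 3164-style line:
    <PRI>Mmm dd hh:mm:ss hostname ossec[location]: message
    Embedded CR/LF are escaped so one event stays one line (wish #3)."""
    pri = facility * 8 + severity
    try:
        # OSSEC's "yyyy mmm dd hh:mm:ss" -> syslog's "mmm dd hh:mm:ss" (day space-padded)
        _year, mon, day, clock = rec["ts"].split(" ")
        ts = f"{mon} {day.rjust(2)} {clock}"
    except ValueError:
        ts = rec["ts"]  # unexpected timestamp shape: pass it through untouched
    msg = rec["msg"].replace("\r", "\\r").replace("\n", "\\n")
    return f"<{pri}>{ts} {syslog_hostname(rec)} ossec[{rec['location']}]: {msg}"


def convert_all(lines: List[str]) -> List[str]:
    """Normalise a batch of archive lines (legacy or JSON) to syslog lines."""
    return [to_syslog(parse_archive_line(line)) for line in lines]


if __name__ == "__main__":
    for out in convert_all(SAMPLE_LINES):
        print(out)
```

The '{' dispatch is unambiguous here only because a legacy header always starts with a digit (the year); a legacy message whose body happens to start with '{' still goes down the legacy path, since the check is on the first byte of the whole line. Unparseable input raises instead of being forwarded, which is the behaviour you want when the downstream consumer is a syslog archive that will never be looked at until an investigation.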
