On Thu, Nov 6, 2014 at 11:36 AM, Mario d'Aniello <[email protected]> wrote:
> I've read here (http://ossec-docs.readthedocs.org/en/latest/formats/json.html) in the documentation that we have a JSON format for alerts.
> But what does it refer to?
>
> Can we have standard alerts (in /var/ossec/logs/alert/alert.log) in JSON format, or does it refer to the system via syslog?
>
I'm not sure really. You cannot configure OSSEC to log in JSON format to alerts.log. It is probably a reference to the zeromq output (http://ossec-docs.readthedocs.org/en/latest/syntax/head_ossec_config.global.html#element-zeromq_output), which definitely uses JSON, and to csyslogd (http://ossec-docs.readthedocs.org/en/latest/syntax/head_ossec_config.syslog_output.html#element-format), which can use JSON.

> I have this doubt because when I match the JSON format in the documentation against the one in my syslog system output, they differ.
> Indeed I have this kind of format (grabbed from a UDP socket):
>
> 192.168.150.3:39957 - <132>Nov 6 17:11:11 linux-ji1g ossec: {"crit":3,"id":5501,"component":"linux-ji1g->/var/log/messages","classification":" pam,syslog,authentication_success,","description":"Login session opened.","message":"2014-11-06T17:11:10.674152+01:00 linux-ji1g su: pam_unix(su:session): session opened for user root by suseserver(uid=0)"}
>
> And the fields are different from what the documentation says.
> I don't have any clues on this, probably outdated documentation.
> Thx for any clarification.
>
> --
>
> ---
> You received this message because you are subscribed to the Google Groups "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
> For more options, visit https://groups.google.com/d/optout.
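A parser for the csyslogd line quoted above, added here as an example and not code from the thread or from the OSSEC project. It assumes the capture prefix "ip:port - " seen in the quoted UDP dump, a BSD syslog header, and the field names as they appear in the quoted output (crit, id, component, classification, description, message) rather than the ones on the documentation page; the sample line is reconstructed from the message.

```python
import json
import re
from typing import Any

# Constructed sample, rebuilt as one line from the UDP capture quoted in the thread.
SAMPLE = (
    '192.168.150.3:39957 - <132>Nov 6 17:11:11 linux-ji1g ossec: '
    '{"crit":3,"id":5501,"component":"linux-ji1g->/var/log/messages",'
    '"classification":" pam,syslog,authentication_success,",'
    '"description":"Login session opened.",'
    '"message":"2014-11-06T17:11:10.674152+01:00 linux-ji1g su: '
    'pam_unix(su:session): session opened for user root by suseserver(uid=0)"}'
)

# Optional "ip:port - " capture prefix (assumed to come from the capture tool, not OSSEC),
# then the BSD syslog header <PRI>Mon D HH:MM:SS host, the "ossec: " tag, and the JSON body.
_LINE_RE = re.compile(
    r'^(?:(?P<src>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d+) - )?'
    r'<(?P<pri>\d{1,3})>'
    r'(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) '
    r'(?P<host>\S+) ossec: (?P<json>\{.*\})$'
)


def parse_ossec_syslog_json(line: str) -> dict[str, Any]:
    """Split a csyslogd JSON alert into syslog envelope fields and normalised alert fields."""
    m = _LINE_RE.match(line.strip())
    if not m:
        raise ValueError("not an OSSEC csyslogd JSON line")
    pri = int(m.group("pri"))
    alert = json.loads(m.group("json"))
    # The rule groups arrive as one comma-terminated string (with a stray leading space
    # in the quoted capture); turn them into a clean list so they can be matched on.
    groups = [g.strip() for g in alert.get("classification", "").split(",") if g.strip()]
    return {
        "source": m.group("src"),
        "facility": pri >> 3,          # PRI = facility * 8 + severity
        "severity": pri & 7,
        "syslog_host": m.group("host"),
        "rule_id": int(alert["id"]),
        "level": int(alert["crit"]),
        "location": alert["component"],
        "groups": groups,
        "description": alert["description"],
        "full_log": alert["message"],
    }


def select_by_group(lines: list[str], group: str) -> list[dict[str, Any]]:
    """Return the parsed alerts whose rule groups include the given group name."""
    return [a for a in map(parse_ossec_syslog_json, lines) if group in a["groups"]]
```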
