It's surely a reference to ZeroMQ, while syslog has another type of format. But that was confusing me :)
Thx for the answer as always.

2014-11-06 17:48 GMT+01:00 dan (ddp) <[email protected]>:
> On Thu, Nov 6, 2014 at 11:36 AM, Mario d'Aniello <[email protected]> wrote:
> > I've read here (http://ossec-docs.readthedocs.org/en/latest/formats/json.html) in the documentation that we have a JSON format for alerts.
> > But what does it refer to?
> >
> > We can have standard alerts (in /var/ossec/logs/alert/alert.log) in JSON format, or does it refer to the system via syslog?
> >
>
> I'm not sure really. You cannot configure OSSEC to log in json format to alerts.log.
> It is probably a reference to the zeromq output
> (http://ossec-docs.readthedocs.org/en/latest/syntax/head_ossec_config.global.html#element-zeromq_output)
> which definitely uses json, and the csyslogd
> (http://ossec-docs.readthedocs.org/en/latest/syntax/head_ossec_config.syslog_output.html#element-format)
> which can use json.
>
> > I have this doubt because when I match the JSON format in the documentation against the one in my syslog system output they differ.
> > Indeed I have this kind of format (grabbed from a UDP socket):
> >
> > 192.168.150.3:39957 - <132>Nov 6 17:11:11 linux-ji1g ossec: {"crit":3,"id":5501,"component":"linux-ji1g->/var/log/messages","classification":" pam,syslog,authentication_success,","description":"Login session opened.","message":"2014-11-06T17:11:10.674152+01:00 linux-ji1g su: pam_unix(su:session): session opened for user root by suseserver(uid=0)"}
> >
> > And the fields are different from what the documentation says.
> >
> > I don't have any clues on this, probably outdated documentation.
> >
> > Thx for any clarification.
> >
> > --
> >
> > ---
> > You received this message because you are subscribed to the Google Groups "ossec-list" group.
> > To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
> > For more options, visit https://groups.google.com/d/optout.
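For anyone consuming the csyslogd JSON output discussed in this thread, the following is an added example (not code from the thread or from the OSSEC project) of parsing the datagram Mario captured: it splits the RFC 3164 `<PRI>` header from the JSON body, decodes the PRI into facility and severity, and normalises the OSSEC fields (`component` into agent and location, `classification` into a clean list of groups) before filtering on level or group. The first sample is the exact datagram from the post; the `192.168.150.3:39957 - ` prefix is assumed to come from the capture tool rather than from OSSEC and is not included. The second sample alert is constructed for the example and is not from the list post.

```python
import json
import re
from dataclasses import dataclass
from typing import List, Optional

# Sample datagrams. The first is the alert quoted in the thread; the second is a
# constructed alert in the same csyslogd JSON shape (values are hypothetical).
SAMPLE_DATAGRAMS = [
    '<132>Nov  6 17:11:11 linux-ji1g ossec: {"crit":3,"id":5501,'
    '"component":"linux-ji1g->/var/log/messages",'
    '"classification":" pam,syslog,authentication_success,",'
    '"description":"Login session opened.",'
    '"message":"2014-11-06T17:11:10.674152+01:00 linux-ji1g su: '
    'pam_unix(su:session): session opened for user root by suseserver(uid=0)"}',
    '<132>Nov  6 17:12:02 linux-ji1g ossec: {"crit":10,"id":5712,'
    '"component":"linux-ji1g->/var/log/messages",'
    '"classification":" syslog,sshd,authentication_failures,",'
    '"description":"SSHD brute force trying to get access to the system.",'
    '"message":"Nov  6 17:12:01 linux-ji1g sshd[2112]: Failed password for '
    'invalid user admin from 10.0.0.7 port 51022 ssh2"}',
]

# RFC 3164 header as csyslogd emits it: <PRI>, timestamp, hostname, "ossec: ", body.
# The day may be padded with a second space ("Nov  6"), hence \s+.
SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) "
    r"ossec: "
    r"(?P<body>.*)$",
    re.DOTALL,
)


@dataclass
class OssecAlert:
    facility: int
    severity: int
    timestamp: str
    host: str
    level: int        # OSSEC "crit"
    rule_id: int      # OSSEC "id"
    agent: str        # left half of "component"
    location: str     # right half of "component"
    groups: List[str] # "classification", split and cleaned
    description: str
    message: str      # raw log line; untrusted, attacker-influenced text


def parse_csyslogd_json(datagram: str) -> OssecAlert:
    """Parse one OSSEC csyslogd datagram that uses <format>json</format>."""
    m = SYSLOG_RE.match(datagram)
    if not m:
        raise ValueError("not an OSSEC syslog datagram")
    body = m.group("body")
    # The default csyslogd format is plain text; only the json format starts with '{'.
    if not body.startswith("{"):
        raise ValueError("body is not JSON; csyslogd <format> is probably not json")
    # Use a real JSON parser: the "message" field carries raw log text that an
    # attacker can shape, so never pick fields out with ad-hoc regexes.
    fields = json.loads(body)
    pri = int(m.group("pri"))
    agent, sep, location = fields["component"].partition("->")
    if not sep:                       # no agent prefix: whole value is the location
        agent, location = "", agent
    # classification looks like " pam,syslog,authentication_success," with
    # leading blank and trailing comma; drop the empty pieces.
    groups = [g for g in (x.strip() for x in fields["classification"].split(",")) if g]
    return OssecAlert(
        facility=pri >> 3,
        severity=pri & 7,
        timestamp=m.group("ts"),
        host=m.group("host"),
        level=int(fields["crit"]),
        rule_id=int(fields["id"]),
        agent=agent,
        location=location,
        groups=groups,
        description=fields["description"],
        message=fields["message"],
    )


def select_alerts(datagrams: List[str], min_level: int = 0,
                  group: Optional[str] = None) -> List[OssecAlert]:
    """Return parsed alerts at or above min_level and, if given, in the named group."""
    hits = []
    for d in datagrams:
        try:
            alert = parse_csyslogd_json(d)
        except ValueError:
            continue  # non-JSON or malformed datagram; skip rather than crash the consumer
        if alert.level >= min_level and (group is None or group in alert.groups):
            hits.append(alert)
    return hits


if __name__ == "__main__":
    for a in select_alerts(SAMPLE_DATAGRAMS, min_level=5):
        print(a.rule_id, a.level, a.agent, a.groups, a.description)
```

The PRI of 132 decodes to facility 16 (local0) and severity 4, which is what the syslog side of this setup sees regardless of the OSSEC level inside the JSON, so filter on the parsed `level` rather than on the syslog severity.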
