It appears to be a JSON-encoded message within the syslog stream.
I successfully forward JSON-formatted alerts to logstash, where the fields
are decoded.
<syslog_output>
<server>logstash-server</server>
<port>logstash-udp-listener</port>
<format>json</format>
<level>2</level>
</syslog_output>
logstash snippet....
filter {
  # decode the JSON payload that OSSEC's syslog_output put after "ossec:"
  json {
    source => "syslog_message"
    add_tag => "ossec-json"
  }
}
Ash
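As an added example (not Ash's logstash configuration and not code from OSSEC or logstash), here is the same decoding step written in Python: split the syslog header from the JSON payload, check the payload actually is a JSON object before tagging it, and keep the lines that fail instead of dropping them. The sample line is constructed from the one Mario quotes further down the thread; the header regex (HEADER_RE), parse_ossec_syslog and decode_stream are my own names and assume the BSD-syslog layout visible in that line.

```python
import json
import re

# Sample line constructed from the one quoted later in this thread
# (PRI, BSD-syslog timestamp, host, "ossec:" tag, then the JSON alert).
SAMPLE_LINE = (
    '<132>Nov 6 17:11:11 linux-ji1g ossec: '
    '{"crit":3,"id":5501,"component":"linux-ji1g->/var/log/messages",'
    '"classification":"pam,syslog,authentication_success,",'
    '"description":"Login session opened.",'
    '"message":"2014-11-06T17:11:10.674152+01:00 linux-ji1g su: '
    'pam_unix(su:session): session opened for user root by '
    'suseserver(uid=0)"}'
)

# Assumed header layout, matching the quoted line:
# <PRI>Mon DD HH:MM:SS host tag: payload
HEADER_RE = re.compile(
    r'^<(?P<pri>\d{1,3})>'
    r'(?P<timestamp>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) '
    r'(?P<host>\S+) '
    r'(?P<tag>[^\s:]+): '
    r'(?P<payload>.*)$'
)


def parse_ossec_syslog(line):
    """Decode one OSSEC syslog_output line sent with <format>json</format>.

    Returns the syslog header fields plus the decoded alert, or raises
    ValueError so a malformed line can be routed aside rather than being
    tagged as a valid alert.
    """
    m = HEADER_RE.match(line)
    if m is None:
        raise ValueError("no syslog header: %r" % line[:40])
    pri = int(m.group("pri"))
    if pri > 191:  # facility 0-23, severity 0-7
        raise ValueError("PRI out of range: %d" % pri)
    try:
        alert = json.loads(m.group("payload"))
    except ValueError as exc:
        raise ValueError("payload is not JSON: %s" % exc)
    if not isinstance(alert, dict):
        raise ValueError("JSON payload is not an object")
    # The rule groups arrive as one comma-joined string with a trailing
    # comma; split it into a real list so it can be searched on.
    groups = [g for g in alert.get("classification", "").split(",") if g]
    return {
        "facility": pri // 8,
        "severity": pri % 8,
        "timestamp": m.group("timestamp"),
        "host": m.group("host"),
        "tag": m.group("tag"),
        "groups": groups,
        "alert": alert,
    }


def decode_stream(lines):
    """Equivalent of running the json filter over a stream: each decoded
    line gets the ossec-json tag; lines that fail are collected separately
    instead of being silently dropped."""
    decoded, rejected = [], []
    for line in lines:
        try:
            event = parse_ossec_syslog(line)
        except ValueError as exc:
            rejected.append((line, str(exc)))
            continue
        event["tags"] = ["ossec-json"]
        decoded.append(event)
    return decoded, rejected


if __name__ == "__main__":
    good, bad = decode_stream([
        SAMPLE_LINE,
        "<13>Nov 6 17:12:00 linux-ji1g sshd: not json at all",  # constructed
    ])
    for ev in good:
        print(ev["host"], ev["alert"]["id"], ev["groups"], ev["alert"]["description"])
    for line, why in bad:
        print("rejected:", why)
```

The PRI value 132 decodes to facility 16 (local0) and severity 4 (warning), which is what the OSSEC <level> mapping produced for this alert; checking the payload is a JSON object before tagging keeps an ordinary syslog line from the same host from being indexed as an OSSEC alert.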
On Thursday, November 6, 2014 3:34:49 PM UTC-5, dan (ddpbsd) wrote:
>
> On Thu, Nov 6, 2014 at 3:12 PM, Mario d'Aniello <[email protected]> wrote:
> > It's surely a reference to ZeroMQ, while syslog has another type of
> > format.
> > But that was confusing me :)
> >
> > Thx for the answer as always.
> >
>
> I created an issue on github to see about unifying these outputs.
> Seems odd to me that they are not.
>
> >
> > 2014-11-06 17:48 GMT+01:00 dan (ddp) <[email protected]>:
> >
> >> On Thu, Nov 6, 2014 at 11:36 AM, Mario d'Aniello <[email protected]>
> >> wrote:
> >> > I've read here
> >> > (http://ossec-docs.readthedocs.org/en/latest/formats/json.html) in the
> >> > documentation that we have a JSON format for alerts.
> >> > But what does it refer to?
> >> >
> >> > Can we have the standard alert (in /var/ossec/logs/alert/alert.log) in
> >> > JSON format, or does it refer to the system via syslog?
> >> >
> >>
> >> I'm not sure really. You cannot configure OSSEC to log in json format
> >> to alerts.log.
> >> It is probably a reference to the zeromq output
> >> (http://ossec-docs.readthedocs.org/en/latest/syntax/head_ossec_config.global.html#element-zeromq_output)
> >> which definitely uses json, and the csyslogd
> >> (http://ossec-docs.readthedocs.org/en/latest/syntax/head_ossec_config.syslog_output.html#element-format)
> >> which can use json.
> >>
> >> > I have this doubt because when I match the JSON format in the
> >> > documentation against the one in my syslog system output, they differ.
> >> > Indeed I have this kind of format (grabbed from a UDP socket):
> >> >
> >> > 192.168.150.3:39957 - <132>Nov 6 17:11:11 linux-ji1g ossec:
> >> > {"crit":3,"id":5501,"component":"linux-ji1g->/var/log/messages","classification":"pam,syslog,authentication_success,","description":"Login session opened.","message":"2014-11-06T17:11:10.674152+01:00 linux-ji1g su: pam_unix(su:session): session opened for user root by suseserver(uid=0)"}
> >> >
> >> > And the fields are different from what the documentation says.
> >> >
> >>
> >> I don't have any clues on this, probably outdated documentation.
> >>
> >> > Thx for any clarification.
> >> >
> >>
> >
> >
>
--
---
You received this message because you are subscribed to the Google Groups
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to [email protected].
For more options, visit https://groups.google.com/d/optout.