On Thu, 5 Feb 2015, Bernard Chan wrote:
Hi,
I didn't mean to think there might be hidden options in OSSEC, but I
thought somebody might have had workarounds in or out of the realm of OSSEC
that allows me to achieve that, or just to confirm if I had been missing
something critical while reading. I have tried CEF output but found the
JSON output better suit my needs, so I thought I should just send a quick
question and see.
Then it looks like I need to think of another route. Thanks.
I am doing exactly this.
I have all logs sent to relay boxes and the relay boxes then send to my central
analysis box. In the relay boxes I look for programname ossec and if I see it, I
output the log to my central host through a template that adds the @cee: that
rsyslog needs (we really do need to make that optional in rsyslog, it's a safety
check to avoid parsing something accidentally, but especially now that the cee
project is pretty dead it's in the way more than it helps)
I can post snippets from my config in the morning.
The other thing that I think you can do is to take advantage of the (relatively)
recent capability for mmjsonparse to parse a variable, not just the entire
message, and since you can set a variable from a template, you can use a
template to do something like
$template ceefixup,"@cee:%msg%"
set $.fixedmessage = exec_template("ceefixup");
mmjsonparse(variable = '$.fixedmessage')
and have them all parsed nicely on the first box they hit.
David Lang
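To make the relay-and-parse layout described above concrete, here is an added rsyslog configuration in rsyslog 8 RainerScript syntax. It is not David's posted config and not part of OSSEC; the central hostname, the listening port, the template and ruleset names and the output file paths are all assumptions chosen for this example.

```rsyslog
# --- Relay box: forward OSSEC alerts with the @cee: cookie prepended ---
# The forwarding template must rebuild the whole syslog line (PRI, timestamp,
# host, tag); only the message body gets the cookie, so the central box still
# sees the original priority and origin host. Hostname and port are placeholders.
template(name="ossec_cee_fwd" type="string"
         string="<%PRI%>%TIMESTAMP% %HOSTNAME% %syslogtag%@cee:%msg%\n")

if $programname == "ossec" then {
    action(type="omfwd" target="central.example.internal" port="10514"
           protocol="tcp" template="ossec_cee_fwd")
}

# --- Central box: parse the JSON body into the message's JSON tree ($!) ---
module(load="imtcp")
module(load="mmjsonparse")

# Emit each alert as one structured JSON line; $!all-json is the parsed tree.
template(name="ossec_json_out" type="list") {
    property(name="timereported" dateFormat="rfc3339")
    constant(value=" ")
    property(name="hostname")
    constant(value=" ")
    property(name="$!all-json")
    constant(value="\n")
}

ruleset(name="ossec_alerts") {
    action(type="mmjsonparse")
    # mmjsonparse sets $parsesuccess to "OK" or "FAIL"; keep failures visible
    # in a separate file instead of silently dropping malformed alerts.
    if $parsesuccess == "OK" then {
        action(type="omfile" file="/var/log/ossec-alerts.json"
               template="ossec_json_out")
    } else {
        action(type="omfile" file="/var/log/ossec-unparsed.log")
    }
}

input(type="imtcp" port="10514" ruleset="ossec_alerts")
```

Matching on `$programname` and rewriting only the body keeps everything else in the record untouched, and branching on `$parsesuccess` means an alert that still fails to parse (a truncated line, a non-JSON OSSEC message) lands somewhere you will notice rather than disappearing.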
On Thursday, February 5, 2015 at 8:53:44 PM UTC+8, dan (ddpbsd) wrote:
On Thu, Feb 5, 2015 at 3:40 AM, Bernard Chan wrote:
Hi there,
http://ossec-docs.readthedocs.org/en/latest/manual/output/syslog-output.html#configuration-options
Currently we can configure OSSEC to generate alerts to rsyslog in JSON
format, but it is not CEE compatible (i.e. no @cee: cookie). Is there a way
to send alerts to rsyslog in JSON in a way that can be parsed on the rsyslog
side?
You linked to the documentation. What about it makes you think we've
hidden options?
You may safely assume we are trying the latest releases of rsyslog as well
as OSSEC, on Linux.
Thanks.
You received this message because you are subscribed to the Google Groups "ossec-list" group.