On Mon, Jun 1, 2015 at 12:11 PM, R Brandt <[email protected]> wrote:
> If this is documented somewhere I apologize, I can't find it.
> We are using OSSEC 2.8.1 on RedHat Linux (some 5.x, some 6.x) and using
> Logstash to populate elasticsearch.
> I've configured ossec to output json for logstash. The problem is that
> neither the size, permissions, or diffs show up in the json output. But
> they do show up in the alerts log.
> Since I need those details to be available via elasticsearch/kibana, I'm
> resigned to having to write a script to do it. I see where the copies of
> the monitored files are stored but I don't see where the permissions are
> stored. The permissions on the last-entry file do not match the monitored
> file.
> So how do I find the last-entry file's permissions?
>
The permissions recorded by syscheck are stored in /var/ossec/queue/syscheck

> Is there any work being done to add the file size/perms/diffs to the json
> output?
>
> Thanks
> Richard
>
> --
>
> ---
> You received this message because you are subscribed to the Google Groups
> "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to [email protected].
> For more options, visit https://groups.google.com/d/optout.
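As an added example that is not part of the thread: a small script that turns entries from the syscheck database under /var/ossec/queue/syscheck into JSON documents carrying the size, permissions, owner and hashes that Richard is missing from the JSON alert output. It assumes the OSSEC 2.x line layout `<flags><size>:<st_mode>:<uid>:<gid>:<md5>:<sha1> !<mtime> <path>` (flags such as `+++` for a first sighting and `!++` after a change), which is taken from the OSSEC 2.x sources rather than from this thread; the sample lines are constructed and the hashes are dummy values.

```python
import json
import stat

# Constructed sample of two syscheck DB lines (format assumed from OSSEC 2.x;
# on a server the per-agent file is named "(<agent>) <ip>->syscheck").
SAMPLE_DB = """\
+++1234:33188:0:0:d41d8cd98f00b204e9800998ecf8427e:da39a3ee5e6b4b0d3255bfef95601890afd80709 !1433174400 /etc/hosts
!++5678:33261:0:0:9e107d9d372bb6826bd81d3542a419d6:2fd4e1c67a2d28fced849ee1bb76e7391b93eb12 !1433178000 /usr/bin/passwd
"""


def parse_syscheck_line(line):
    """Parse one syscheck DB line into a dict ready for JSON output.
    Returns None for lines that do not match the assumed layout."""
    line = line.rstrip("\n")
    if len(line) < 4:
        return None
    flags, rest = line[:3], line[3:]
    try:
        checksum, tail = rest.split(" !", 1)
        mtime, path = tail.split(" ", 1)
        size, mode, uid, gid, md5, sha1 = checksum.split(":")
        mode_int = int(mode)
    except ValueError:
        return None
    return {
        "path": path,
        "change_flags": flags,  # '+' = first seen, '!' = changed (assumption)
        "size": int(size),
        # st_mode is stored as a decimal integer; render it two ways.
        "mode_octal": format(stat.S_IMODE(mode_int), "04o"),  # e.g. '0644'
        "perm": stat.filemode(mode_int),                     # e.g. '-rw-r--r--'
        "uid": int(uid),
        "gid": int(gid),
        "md5": md5,
        "sha1": sha1,
        "mtime": int(mtime),
    }


def syscheck_to_json(text):
    """Convert every parseable line of a syscheck DB into JSON strings."""
    records = (parse_syscheck_line(l) for l in text.splitlines())
    return [json.dumps(r, sort_keys=True) for r in records if r]


if __name__ == "__main__":
    for doc in syscheck_to_json(SAMPLE_DB):
        print(doc)
```

Point it at the real DB file with `syscheck_to_json(open(path).read())` and ship the lines to Logstash as one JSON document per line.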
