Thanks. Didn't have time to look at the file until today. So how do you decode the syscheck entries?
On Monday, June 1, 2015 at 10:13:49 AM UTC-6, dan (ddpbsd) wrote:
>
> On Mon, Jun 1, 2015 at 12:11 PM, R Brandt <[email protected]> wrote:
> > If this is documented somewhere I apologize, I can't find it.
> > We are using OSSEC 2.8.1 on RedHat Linux (some 5.x, some 6.x) and using
> > Logstash to populate elasticsearch.
> > I've configured ossec to output json for logstash. The problem is that
> > neither the size, permissions, or diffs show up in the json output. But
> > they do show up in the alerts log.
> > Since I need those details to be available via elasticsearch/kibana, I'm
> > resigned to having to write a script to do it. I see where the copies of
> > the monitored files are stored but I don't see where the permissions are
> > stored. The permissions on the last-entry file do not match the monitored
> > file.
> > So how do I find the last-entry file's permissions?
>
> The permissions recorded by syscheck are stored in /var/ossec/queue/syscheck
>
> > Is there any work being done to add the file size/perms/diffs to the json
> > output?
> >
> > Thanks
> > Richard
> >
> > --
> > ---
> > You received this message because you are subscribed to the Google Groups
> > "ossec-list" group.
> > To unsubscribe from this group and stop receiving emails from it, send an
> > email to [email protected].
> > For more options, visit https://groups.google.com/d/optout.
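One way to read the entries under /var/ossec/queue/syscheck back into the fields the alerts log prints (size, ls-style permissions, owner, hashes) before shipping them to Logstash. This is an added example, not code from the thread or from OSSEC itself. It assumes the OSSEC 2.x database layout `<flags><size>:<mode>:<uid>:<gid>:<md5>:<sha1> !<mtime> <path>` with the mode stored as a decimal st_mode value; the sample lines, paths, timestamps and hashes are constructed. It goes one step past the single lookup the thread asks about by also comparing two snapshots and reporting changes in the "changed from X to Y" wording the alerts log uses.

```python
import re
import stat

# Constructed sample in the shape of an OSSEC 2.x syscheck database
# (/var/ossec/queue/syscheck/<agent>). The layout is an ASSUMPTION:
#   <flags><size>:<mode>:<uid>:<gid>:<md5>:<sha1> !<mtime> <path>
# <flags> is a run of '+'/'-' marking which attributes syscheck checked,
# <mode> is st_mode as a decimal integer. Hashes are placeholder values.
SAMPLE_DB_OLD = """\
+++++1234:33188:0:0:d41d8cd98f00b204e9800998ecf8427e:da39a3ee5e6b4b0d3255bfef95601890afd80709 !1433170000 /etc/passwd
+++++600:33152:0:0:00000000000000000000000000000000:0000000000000000000000000000000000000000 !1433170010 /etc/shadow
"""

# Same host later (constructed): /etc/passwd grew and became world-writable.
SAMPLE_DB_NEW = """\
+++++1300:33206:0:0:11111111111111111111111111111111:1111111111111111111111111111111111111111 !1433180000 /etc/passwd
+++++600:33152:0:0:00000000000000000000000000000000:0000000000000000000000000000000000000000 !1433170010 /etc/shadow
"""

ENTRY_RE = re.compile(
    r"^(?P<flags>[+-]+)(?P<size>\d+):(?P<mode>\d+):(?P<uid>\d+):(?P<gid>\d+):"
    r"(?P<md5>[0-9a-fA-F]{32}):(?P<sha1>[0-9a-fA-F]{40}) !(?P<mtime>\d+) (?P<path>.+)$"
)


def parse_entry(line):
    """Decode one database line into the fields the alerts log prints.
    Returns None for a line that does not match the assumed layout."""
    m = ENTRY_RE.match(line.rstrip("\n"))
    if m is None:
        return None
    f = m.groupdict()
    mode = int(f["mode"])
    return {
        "path": f["path"],
        "size": int(f["size"]),
        "mode": mode,
        "perm": stat.filemode(mode),                 # e.g. '-rw-r--r--'
        "octal": format(stat.S_IMODE(mode), "04o"),  # e.g. '0644'
        "uid": int(f["uid"]),
        "gid": int(f["gid"]),
        "md5": f["md5"],
        "sha1": f["sha1"],
        "mtime": int(f["mtime"]),
    }


def parse_db(text):
    """Map path -> decoded entry, skipping lines that do not parse."""
    db = {}
    for line in text.splitlines():
        entry = parse_entry(line)
        if entry is not None:
            db[entry["path"]] = entry
    return db


def diff_db(old, new):
    """List (path, field, before, after) tuples for every attribute that
    differs between two snapshots, plus added and deleted paths."""
    changes = []
    for path, cur in new.items():
        prev = old.get(path)
        if prev is None:
            changes.append((path, "added", None, None))
            continue
        for field in ("size", "perm", "uid", "gid", "md5", "sha1"):
            if prev[field] != cur[field]:
                changes.append((path, field, prev[field], cur[field]))
    for path in old:
        if path not in new:
            changes.append((path, "deleted", None, None))
    return changes


if __name__ == "__main__":
    old_db = parse_db(SAMPLE_DB_OLD)
    new_db = parse_db(SAMPLE_DB_NEW)
    for path, field, before, after in diff_db(old_db, new_db):
        print(f"{path}: {field} changed from '{before}' to '{after}'")
```

Feed a real database file to `parse_db` and emit each entry as JSON for Logstash; the `octal` and `perm` fields are what the alerts log shows as the permission string, and `diff_db` reproduces the size/permission change lines that the JSON output in 2.8.1 omits.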
