You might want to check this thread: https://groups.google.com/forum/m/#!topic/ossec-list/UuhauWUCxkU
> On Jun 4, 2015, at 1:11 AM, R Brandt <[email protected]> wrote:
>
> Thanks.
> Didn't have time to look at the file until today.
> So how do you decode the syscheck entries?
>
>> On Monday, June 1, 2015 at 10:13:49 AM UTC-6, dan (ddpbsd) wrote:
>> On Mon, Jun 1, 2015 at 12:11 PM, R Brandt <[email protected]> wrote:
>> > If this is documented somewhere I apologize, I can't find it.
>> > We are using OSSEC 2.8.1 on RedHat Linux (some 5.x, some 6.x) and using Logstash to populate elasticsearch.
>> > I've configured ossec to output json for logstash. The problem is that none of the size, permissions, or diffs show up in the json output. But they do show up in the alerts log.
>> > Since I need those details to be available via elasticsearch/kibana, I'm resigned to having to write a script to do it. I see where the copies of the monitored files are stored but I don't see where the permissions are stored. The permissions on the last-entry file do not match the monitored file.
>> > So how do I find the last-entry file's permissions?
>>
>> The permissions recorded by syscheck are stored in /var/ossec/queue/syscheck
>>
>> > Is there any work being done to add the file size/perms/diffs to the json output?
>> >
>> > Thanks
>> > Richard
>> >
>> > --
>> >
>> > ---
>> > You received this message because you are subscribed to the Google Groups "ossec-list" group.
>> > To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
>> > For more options, visit https://groups.google.com/d/optout.
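As an added example (not OSSEC's own code, and not posted in the thread): a Python decoder for the server-side syscheck database lines under /var/ossec/queue/syscheck that turns the size, permissions, owner and hashes into JSON records of the kind Logstash can ingest. The line layout it assumes is stated in the docstring and should be checked against your own database files before you rely on it.

```python
"""Decode OSSEC 2.8-style syscheck database lines into JSON documents.

Assumed line layout (an assumption of this example, not taken from the
thread): three leading change-marker characters, then

    size:mode:uid:gid:md5:sha1 !mtime /path/to/file

where `mode` is the decimal st_mode syscheck records, and a checksum of
"-1" marks a deleted file.
"""
import json
import re
import stat

# Constructed sample lines in the assumed layout (not from a real server).
SAMPLE_DB = """\
+++1234:33188:0:0:d41d8cd98f00b204e9800998ecf8427e:da39a3ee5e6b4b0d3255bfef95601890afd80709 !1433172000 /etc/passwd
+++-1 !1433172100 /etc/removed.conf
#+#512:33261:0:0:d41d8cd98f00b204e9800998ecf8427e:da39a3ee5e6b4b0d3255bfef95601890afd80709 !1433172200 /usr/local/bin/tool
"""

ENTRY_RE = re.compile(r"^(?P<flags>.{3})(?P<csum>\S+)(?: !(?P<mtime>\d+))? (?P<path>.+)$")


def mode_to_rwx(mode):
    """Render a decimal st_mode the way OSSEC alerts show it (e.g. rw-r--r--)."""
    return stat.filemode(mode)[1:]


def parse_entry(line):
    """Parse one database line into a dict; return None for lines that do not fit."""
    m = ENTRY_RE.match(line.rstrip("\n"))
    if not m:
        return None
    doc = {"path": m.group("path"), "flags": m.group("flags")}
    if m.group("mtime"):
        doc["mtime"] = int(m.group("mtime"))
    csum = m.group("csum")
    if csum == "-1":
        doc["deleted"] = True
        return doc
    fields = csum.split(":")
    if len(fields) != 6:
        return None
    size, mode, uid, gid, md5, sha1 = fields
    doc.update({"size": int(size), "mode": int(mode), "perm": mode_to_rwx(int(mode)),
                "uid": int(uid), "gid": int(gid), "md5": md5, "sha1": sha1})
    return doc


def db_to_json_lines(text):
    """Convert a database file body into newline-delimited JSON strings for Logstash."""
    return [json.dumps(d, sort_keys=True) for d in map(parse_entry, text.splitlines()) if d]
```

Feed the output to a Logstash file or stdin input with the json codec to index the permissions and sizes the json alert output leaves out.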
