Afternoon everybody,
So I have been working with OSSEC for the past couple of weeks getting it
tied in to my organization, and we are wanting to output the alerts to our
syslog server.
However, for our purposes we need the following fields added to the output:
- DATE:
- Application-type:
- Priority:
- Program:
Right now we are having it log to our syslog via JSON, ossec.conf entry
below:
<syslog_output>
  <server>SERVER</server>
  <format>json</format>
  <level>1</level>
</syslog_output>
Here is a current example of the output we are getting:
2015-06-04T17:45:20-04:00 *<OSSEC-SERVER>* ossec:
{"crit":3,"id":5715,"component":"(*<OSSEC-Agent>*)
<*AGENT-IP*>->/var/log/authlog","classification":"
syslog,sshd,authentication_success,","description":"SSHD authentication
success.","message":"2015-06-04T13:45:18-04:00 <*OSSEC-AGENT*> sshd[47789]:
[ID 800047 auth.info] Accepted publickey for <*USER*> from *<AGENT-IP>*
port 45430 ssh2","acct":"<*AGENT-IP*>","src_ip":"<*IP*>"}
I have a few years of Python and C programming under my belt, so if there
is a source file I can modify and recompile I would be OK with doing that.
Any help that can be offered is thanked deeply in advance,
Jacob
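Added example (not part of the post above and not OSSEC code): a small Python post-processor that parses one OSSEC JSON syslog line in the format shown above and adds the four requested keys before forwarding. Since the post does not define what the fields should contain, the mapping is assumed here: DATE from the outer syslog timestamp, Application-type from the rule's classification groups, Priority from the rule level (crit), and Program from the program name in the embedded log message; the sample line and its values are constructed.

```python
import json
import re
from datetime import datetime

# Constructed sample line, modelled on the output format in the post
# (placeholders replaced with made-up host names, user and addresses).
SAMPLE_LINE = (
    '2015-06-04T17:45:20-04:00 ossec-server ossec: '
    '{"crit":3,"id":5715,"component":"(agent01) 10.0.0.5->/var/log/authlog",'
    '"classification":"syslog,sshd,authentication_success,",'
    '"description":"SSHD authentication success.",'
    '"message":"2015-06-04T13:45:18-04:00 agent01 sshd[47789]: '
    '[ID 800047 auth.info] Accepted publickey for alice from 10.0.0.5 '
    'port 45430 ssh2","acct":"10.0.0.5","src_ip":"10.0.0.5"}'
)

# Outer syslog header: "<timestamp> <host> ossec: <json object>"
HEADER_RE = re.compile(r'^(?P<date>\S+)\s+(?P<host>\S+)\s+ossec:\s+(?P<json>\{.*\})\s*$')
# Program name inside the embedded log line: "<ts> <host> sshd[47789]: ..." or "<ts> <host> cron: ..."
PROGRAM_RE = re.compile(r'^\S+\s+\S+\s+(?P<program>[A-Za-z0-9_./-]+)(?:\[\d+\])?:')


def priority_from_crit(crit):
    """Assumed mapping of the OSSEC rule level ("crit") to a coarse priority label."""
    if crit >= 12:
        return "high"
    if crit >= 7:
        return "medium"
    return "low"


def enrich_alert(line):
    """Parse one OSSEC JSON syslog line and return the alert dict with the extra fields added."""
    m = HEADER_RE.match(line)
    if not m:
        raise ValueError("not an OSSEC JSON syslog line")
    alert = json.loads(m.group("json"))
    # DATE: timestamp from the syslog header, validated as ISO 8601 (raises on garbage)
    alert["DATE"] = datetime.fromisoformat(m.group("date")).isoformat()
    # Application-type (assumed): first classification group other than the generic "syslog"
    groups = [g for g in alert.get("classification", "").split(",") if g and g != "syslog"]
    alert["Application-type"] = groups[0] if groups else "syslog"
    alert["Priority"] = priority_from_crit(int(alert.get("crit", 0)))
    # Program: the logging program named in the agent's original log line
    pm = PROGRAM_RE.match(alert.get("message", ""))
    alert["Program"] = pm.group("program") if pm else "unknown"
    return alert


if __name__ == "__main__":
    print(json.dumps(enrich_alert(SAMPLE_LINE), indent=2))
```

The rule-level thresholds are arbitrary placeholders; adjust them to whatever the receiving syslog server expects for Priority.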