On Tue, 9 Jun 2015, [email protected] wrote:

So after a few days of research I have figured out a way to write my own
custom OSSEC syslog client; it's not the greatest possible solution, but it
works.

So first I used the Python gevent lib and created a "UNIX tail command"
Python function called follow:

import os
import time


def follow(filename):
    # Behave like `tail -f`: start at the end of the file and hand every
    # complete new line to log_to_syslog() (the sender set up separately).
    # A rotated (renamed) file is not reopened; that is `tail -F` behaviour.
    fd = os.open(filename, os.O_RDONLY)   # O_NONBLOCK has no effect on a regular file
    os.lseek(fd, 0, os.SEEK_END)
    partial = b""                         # bytes after the last newline, kept for the next read
    try:
        while True:
            chunk = os.read(fd, 4096)
            if not chunk:
                time.sleep(0.1)           # at EOF: wait instead of spinning on read()
                continue
            lines = (partial + chunk).split(b"\n")
            partial = lines.pop()         # last element is an incomplete line (or b"")
            for line in lines:            # send every complete line, not just one per read
                log_to_syslog(line.decode("utf-8", "replace"))
    except KeyboardInterrupt:
        print("[*] Ctrl-C Pressed")
    finally:
        os.close(fd)


Then, using the logging module in Python, I found a way to parse and send the
logs to my syslog server; here is a quick example:

import logging
import logging.handlers
import socket

SYSLOG_SERVER = "<server name goes here>"   # placeholder, fill in your collector

logger = logging.getLogger()
logger.setLevel(logging.INFO)
# plain UDP syslog to port 514 on the collector
handler = logging.handlers.SysLogHandler(address=(SYSLOG_SERVER, 514),
                                         socktype=socket.SOCK_DGRAM)
# program-name prefix so the receiving daemon can identify and route these lines
formatter = logging.Formatter('ossec: %(message)s')
handler.setFormatter(formatter)
logger.addHandler(handler)


Then, using logging.info(<MESSAGE>), I could format my own syslog messages.
This is not the full code, of course, but a start if anybody else has this
problem.

Silly question, but why don't you just log in JSON format and then use the syslog daemon to format things however you want? (A custom template in rsyslog, since that's probably your default syslog daemon.)

David Lang
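A fuller version of the client the two snippets above sketch, following David Lang's suggestion of shipping JSON and leaving the formatting to the syslog daemon. This is an added example, not the poster's code and not part of OSSEC: the `Tailer` class, `to_json_event`, `forward` and the sample lines written by `demo()` are all constructed here. Compared with the posted `follow()`, it keeps a partial trailing line for the next read, sleeps when idle instead of spinning on EOF, and reopens the path after a logrotate-style rename or an in-place truncation.

```python
import json
import logging
import logging.handlers
import os
import socket
import sys
import tempfile
import time


class Tailer(object):
    """Follow a file like `tail -F`: return only complete lines, buffer a
    partial trailing line, reopen when the file is rotated or truncated."""

    def __init__(self, path, from_end=True):
        self.path, self.buf, self.fd = path, b"", None
        self._open(seek_end=from_end)

    def _open(self, seek_end):
        if self.fd is not None:
            os.close(self.fd)
        self.fd = os.open(self.path, os.O_RDONLY)   # O_NONBLOCK is meaningless on regular files
        self.inode = os.fstat(self.fd).st_ino
        if seek_end:
            os.lseek(self.fd, 0, os.SEEK_END)

    def _rotated(self):
        try:
            st = os.stat(self.path)
        except OSError:
            return False                 # path missing mid-rotation: keep the old fd for now
        pos = os.lseek(self.fd, 0, os.SEEK_CUR)
        return st.st_ino != self.inode or st.st_size < pos

    def _drain(self):
        lines = []
        while True:
            chunk = os.read(self.fd, 4096)
            if not chunk:
                return lines
            self.buf += chunk
            parts = self.buf.split(b"\n")
            self.buf = parts.pop()       # last piece is a partial line (or b""): keep it
            lines.extend(p.decode("utf-8", "replace") for p in parts)

    def read_new_lines(self):
        """Every complete line written since the last call (may be empty)."""
        lines = self._drain()
        if self._rotated():
            if self.buf:                 # old file ended without a newline: do not drop it
                lines.append(self.buf.decode("utf-8", "replace"))
                self.buf = b""
            self._open(seek_end=False)   # fresh file: read it from byte 0
            lines.extend(self._drain())
        return lines


def to_json_event(line, source, host=None, ts=None):
    """One log line as a single-line JSON object; the receiving syslog daemon
    reshapes or routes it with its own template."""
    event = {"host": host or socket.gethostname(), "source": source,
             "ts": ts if ts is not None else time.time(), "msg": line}
    return json.dumps(event, sort_keys=True)


def forward(path, server, port=514, tag="ossec", poll_interval=0.5):
    """Tail `path` forever and ship each new line as JSON over UDP syslog."""
    logger = logging.getLogger("ossec-forwarder")
    logger.setLevel(logging.INFO)
    handler = logging.handlers.SysLogHandler(address=(server, port),
                                             socktype=socket.SOCK_DGRAM)
    handler.setFormatter(logging.Formatter(tag + ": %(message)s"))  # tag = program name
    logger.addHandler(handler)
    tailer = Tailer(path)
    while True:
        lines = tailer.read_new_lines()
        for line in lines:
            logger.info(to_json_event(line, source=path))
        if not lines:
            time.sleep(poll_interval)    # idle at EOF: sleep instead of spinning


def demo():
    """Offline walk-through on constructed lines: a partial write, its
    completion, then a logrotate-style rename. Returns what the tailer saw."""
    path = os.path.join(tempfile.mkdtemp(), "alerts.log")
    with open(path, "wb") as f:
        f.write(b"pre-existing line\n")          # must not be re-sent
    tailer, seen = Tailer(path), []
    with open(path, "ab") as f:
        f.write(b"first alert\nsecond alert\npart")
    seen.append(tailer.read_new_lines())         # ['first alert', 'second alert']
    with open(path, "ab") as f:
        f.write(b"ial alert\n")
    seen.append(tailer.read_new_lines())         # ['partial alert']
    os.rename(path, path + ".1")                 # rotation moves the file away...
    with open(path, "wb") as f:
        f.write(b"after rotation\n")             # ...and the writer opens a fresh one
    seen.append(tailer.read_new_lines())         # ['after rotation']
    return seen


if __name__ == "__main__":
    if len(sys.argv) == 3:
        forward(sys.argv[1], sys.argv[2])        # usage: forwarder.py <logfile> <syslog-server>
    else:
        print(demo())
```

Run with no arguments to see the three reads from `demo()`; with a file and a server it forwards for real. On the rsyslog side the body arrives as the `msg` property with the `ossec` tag in front of it, so a template can reshape it, and the mmjsonparse module can turn the JSON into fields (by default it expects an `@cee:` cookie ahead of the object, so either prepend that or configure the module accordingly). Plain UDP syslog is neither authenticated nor encrypted; if alerts cross an untrusted network, have the local daemon relay them over TCP with TLS instead of sending from the client directly.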
