On Tue, 10 May 2016, dan (ddp) wrote:
On May 10, 2016 7:38 PM, "'RICARDO STOCCO' via ossec-list" <
[email protected]> wrote:
Hello, I have a question
Is it possible to send OSSEC group(s) when I use syslog_output?
For example, in the file alert.log I have this log:
** Alert 1462920563.18241: - syslog,access_control,authentication_failed,
2016 May 10 15:49:23 localhost->/var/log/secure
Rule: 2501 (level 5) -> 'User authentication failure.'
May 10 15:49:23 localhost pam: gdm-password: pam_unix(gdm-password:auth):
authentication failure; logname= uid=0 euid=0 tty=:0 ruser= rhost=
user=user
I want to have information about groups in Kibana, for searches:
"syslog,access_control,authentication_failed"
Is it possible?
You'll have to modify the source code.
Or you can have logstash/rsyslog parse the log and tag it as
authentication_failed.
You really do want to have the log parsed before you put it in ElasticSearch. It
can do free-form text searches, but if it's parsed you can do a lot more.
David Lang
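As an added illustration of the "parse it before it reaches Elasticsearch" advice in the replies above (this is example code, not part of the thread and not OSSEC's, Logstash's or rsyslog's own code): a small Python parser for the multi-line alert.log format Ricardo quoted, which turns each alert into a flat document whose `groups` field is a list, so a search on `authentication_failed` matches the group rather than free text. The first sample alert is the one from the message (the wrapped pam line joined back onto one line); the second alert and the field names are constructed for the example.

```python
import json
import re
from datetime import datetime

# Constructed sample in OSSEC alert.log format. Alert 1 is the one quoted in the
# thread; alert 2 is made up for this example (rule 5716 is OSSEC's sshd
# "authentication failed" rule, the log line itself is invented).
SAMPLE_ALERT_LOG = """\
** Alert 1462920563.18241: - syslog,access_control,authentication_failed,
2016 May 10 15:49:23 localhost->/var/log/secure
Rule: 2501 (level 5) -> 'User authentication failure.'
May 10 15:49:23 localhost pam: gdm-password: pam_unix(gdm-password:auth): authentication failure; logname= uid=0 euid=0 tty=:0 ruser= rhost= user=user

** Alert 1462920600.18300: mail  - syslog,sshd,authentication_failed,
2016 May 10 15:50:00 localhost->/var/log/secure
Rule: 5716 (level 5) -> 'SSHD authentication failed.'
May 10 15:50:00 localhost sshd[1234]: Failed password for invalid user test from 10.0.0.5 port 5555 ssh2
"""

# Line 1: "** Alert <epoch>.<seq>:[ mail] - group1,group2,...,"
HEADER_RE = re.compile(r"^\*\* Alert (?P<id>\d+\.\d+):\s*(?:mail)?\s*- (?P<groups>\S+)$")
# Line 2: "<YYYY Mon DD HH:MM:SS> <agent>-><log source>"
LOCATION_RE = re.compile(r"^(?P<ts>\d{4} \w{3} \d{1,2} \d{2}:\d{2}:\d{2}) (?P<location>.+)$")
# Line 3: "Rule: <id> (level <n>) -> '<description>'"
RULE_RE = re.compile(r"^Rule: (?P<rule>\d+) \(level (?P<level>\d+)\) -> '(?P<desc>.*)'$")


def parse_alerts(text):
    """Split alert.log text on blank lines and return one dict per parsable alert.

    Incomplete or unrecognised blocks are skipped rather than guessed at, so a
    truncated tail of the file cannot produce a half-filled document.
    """
    docs = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = block.splitlines()
        if len(lines) < 4:
            continue
        header = HEADER_RE.match(lines[0])
        loc = LOCATION_RE.match(lines[1])
        rule = RULE_RE.match(lines[2])
        if not (header and loc and rule):
            continue
        # "localhost->/var/log/secure" or "(agent) 10.0.0.1->/var/log/secure"
        agent, _, source = loc.group("location").partition("->")
        docs.append({
            "alert_id": header.group("id"),
            # alert.log timestamps are local time with no zone; the epoch in the
            # alert id is the unambiguous value if you need to reconcile them.
            "alert_epoch": int(header.group("id").split(".")[0]),
            "@timestamp": datetime.strptime(loc.group("ts"), "%Y %b %d %H:%M:%S").isoformat(),
            "agent": agent,
            "log_source": source,
            "rule_id": int(rule.group("rule")),
            "level": int(rule.group("level")),
            "description": rule.group("desc"),
            # trailing comma in the header yields an empty element; drop it
            "groups": [g for g in header.group("groups").split(",") if g],
            "full_log": "\n".join(lines[3:]),
        })
    return docs


def filter_by_group(docs, group):
    """The search Ricardo wants: exact match on a group name, not free text."""
    return [d for d in docs if group in d["groups"]]


def to_ndjson(docs):
    """One JSON document per line, the shape a bulk indexer or shipper expects."""
    return "\n".join(json.dumps(d, sort_keys=True) for d in docs)


if __name__ == "__main__":
    parsed = parse_alerts(SAMPLE_ALERT_LOG)
    print(to_ndjson(filter_by_group(parsed, "authentication_failed")))
```

The same field split is what a Logstash multiline codec plus grok pattern, or an rsyslog mmnormalize rule, would do in production; doing it once at ingest is what makes a query on `groups` or `rule_id` cheap and exact, whereas a free-text search over the unparsed line also matches any event that merely mentions the word.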