Thanks for your response, but it sounds difficult for me. Maybe it is possible to do this before the event is handled by the OSSEC engine? For example, by rsyslog?
2016-05-12 14:39 GMT+03:00 dan (ddp) <[email protected]>:

> On Thu, May 12, 2016 at 7:16 AM, Yurii Shatylo <[email protected]> wrote:
> > Dears,
> >
> > Can anyone give a hand? Is it possible to divide alerts output writes into
> > different files from any sources? For example, 3 agents which are installed on
> > WIN servers produce alert output to the one file
> > /var/ossec/logs/alerts/alerts.log, but I need every event source to
> > produce alerts output into its own file. How to do it?
> > Thank you in advance.
> > Yurii
>
> There is nothing in OSSEC that allows you to do this.
> What you could do is write a daemon to connect to a zeromq socket
> provided by analysisd,
> receive the alerts in json format, and output the way you want.

--
Best regards,
Yurii

--
---
You received this message because you are subscribed to the Google Groups "ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
For more options, visit https://groups.google.com/d/optout.
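The daemon suggested in the quoted reply could look like the following. This is an added example, not code from the thread or from the OSSEC project. It assumes each message on the socket is an optional topic word (shown here as `ossec.alerts`) followed by a JSON object whose `location` field has the same "(agent) ip->source" form as alerts.log; the function names, the `local` fallback name and the per-source file layout are hypothetical.

```python
import json
import os
import re

# Assumptions: a message is an optional topic word followed by a JSON object,
# and its "location" field has the alerts.log form "(agent) ip->source".
AGENT_RE = re.compile(r"^\(([^)]+)\)")

# Constructed sample messages, not captured from a real server.
SAMPLE = [
    'ossec.alerts {"location": "(win-srv1) 10.0.0.5->WinEvtLog", "full_log": "a"}',
    'ossec.alerts {"location": "(../../tmp/x) 10.0.0.6->WinEvtLog", "full_log": "b"}',
    'ossec.alerts {"location": "/var/log/auth.log", "full_log": "c"}',
]


def source_name(alert):
    """Return a filesystem-safe name for the alert's source."""
    m = AGENT_RE.match(str(alert.get("location", "")))
    raw = m.group(1) if m else "local"
    # Agent names are remote input: keep only safe characters so a name
    # containing "../" cannot place the file outside the output directory.
    return re.sub(r"[^A-Za-z0-9_-]", "_", raw)


def route(message, out_dir):
    """Append one alert to <out_dir>/<source>.log; return the path or None."""
    start = message.find("{")
    try:
        alert = json.loads(message[start:]) if start >= 0 else None
    except ValueError:
        alert = None
    if not isinstance(alert, dict):
        return None
    path = os.path.join(out_dir, source_name(alert) + ".log")
    with open(path, "a", encoding="utf-8") as fh:
        fh.write(json.dumps(alert, sort_keys=True) + "\n")
    return path


def run(uri, out_dir):
    """Subscribe to the alert socket and route alerts forever (needs pyzmq)."""
    import zmq  # imported here so route() works without pyzmq installed
    sock = zmq.Context().socket(zmq.SUB)
    sock.connect(uri)
    sock.setsockopt_string(zmq.SUBSCRIBE, "")
    os.makedirs(out_dir, exist_ok=True)
    while True:
        route(sock.recv_string(), out_dir)
```

`run()` takes the socket URI configured for the server's zeromq output and a directory the daemon may write to; `route()` can be exercised on its own with the `SAMPLE` messages.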
