On Thu, May 12, 2016 at 7:55 AM, Yurii Shatylo <[email protected]> wrote:
> Thanks for your response, but it sounds difficult for me.
> Maybe it is possible to do it before the event is handled by the ossec engine? For
> example, by rsyslog?
>

Maybe. Use the client syslog functionality to send the alerts to
rsyslog, and use that to parse and save the alerts to different files.
What's the point of this though? What problem does it solve (I'm
genuinely curious and unable to come up with a reasonable answer
myself)?

> 2016-05-12 14:39 GMT+03:00 dan (ddp) <[email protected]>:
>>
>> On Thu, May 12, 2016 at 7:16 AM, Yurii Shatylo <[email protected]>
>> wrote:
>> > Dears,
>> >
>> > Can anyone give a hand? Is it possible to divide the alert output into
>> > different files by source? For example, 3 agents which are installed on
>> > WIN servers produce alert output to the one file
>> > /var/ossec/logs/alerts/alerts.log, but I need every event source to
>> > produce alert output into its own file. How can I do it?
>> > Thank you in advance.
>> > Yurii
>> >
>>
>> There is nothing in OSSEC that allows you to do this.
>> What you could do is write a daemon to connect to a zeromq socket
>> provided by analysisd,
>> receive the alerts in json format, and output the way you want.
>>
>> > --
>> >
>> > ---
>> > You received this message because you are subscribed to the Google
>> > Groups
>> > "ossec-list" group.
>> > To unsubscribe from this group and stop receiving emails from it, send
>> > an
>> > email to [email protected].
>> > For more options, visit https://groups.google.com/d/optout.
>
>
>
>
> --
> Best regards,
> Yurii
>

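The syslog route suggested above, sketched as an added example (not code from this thread or from the OSSEC project): a Python splitter that a syslog receiver could run over forwarded alert lines, appending each alert to one file per source. The `Location: (agent) ip->log` line shape, the constructed sample lines and all function names are assumptions; source names are sanitized before use as file names because they arrive over syslog.

```python
import os
import re
import tempfile

# Assumed shape of a forwarded alert line (the samples below are constructed):
#   ossec: Alert Level: N; Rule: ID - text; Location: (agent) ip->log; ...
# Events from the manager itself are assumed to carry "hostname->log" instead.
LOCATION_RE = re.compile(r"Location: (?:\((?P<agent>[^)]+)\) )?(?P<rest>[^;]*?)->")
UNSAFE = re.compile(r"[^A-Za-z0-9_.-]")


def source_of(line):
    """Return the agent name (or the manager host for local events), else None."""
    m = LOCATION_RE.search(line)
    if not m:
        return None
    return m.group("agent") or m.group("rest").strip() or None


def safe_name(source):
    """Turn a source name into a file name that cannot leave the output directory."""
    name = UNSAFE.sub("_", source).lstrip(".")
    return (name or "unknown") + ".log"


def split_alerts(lines, out_dir):
    """Append each alert to out_dir/<source>.log and return {file name: count}."""
    counts = {}
    for line in lines:
        fname = safe_name(source_of(line) or "unparsed")
        with open(os.path.join(out_dir, fname), "a", encoding="utf-8") as fh:
            fh.write(line.rstrip("\n") + "\n")
        counts[fname] = counts.get(fname, 0) + 1
    return counts


SAMPLE = [  # constructed alert lines, not real data
    "ossec: Alert Level: 3; Rule: 18107 - Windows Logon Success.; "
    "Location: (win-srv1) 10.0.0.11->WinEvtLog; user: admin;",
    "ossec: Alert Level: 5; Rule: 18139 - Windows DC Logon Failure.; "
    "Location: (win-srv2) 10.0.0.12->WinEvtLog; user: guest;",
    "ossec: Alert Level: 3; Rule: 18107 - Windows Logon Success.; "
    "Location: (win-srv1) 10.0.0.11->WinEvtLog; user: backup;",
    "ossec: Alert Level: 2; Rule: 1002 - Unknown problem.; "
    "Location: mgr01->/var/log/messages;",
    "a line that is not an OSSEC alert",
]

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as out_dir:
        print(split_alerts(SAMPLE, out_dir))
```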