I need to put alerts into their own files for every event source. Do you know where the original event comes from before it is handled by OSSEC? I put into the rsyslog configuration: if from IP then to file, but it didn't help me.
2016-05-12 15:05 GMT+03:00 dan (ddp) <[email protected]>:
> On Thu, May 12, 2016 at 7:55 AM, Yurii Shatylo <[email protected]> wrote:
> > Thanks for your response, but it sounds difficult for me.
> > Maybe it is possible to do it before the event is handled by the ossec engine, for example by rsyslog?
> >
>
> Maybe. Use the client syslog functionality to send the alerts to rsyslog, and use that to parse and save the alerts to different files.
> What's the point of this though? What problem does it solve (I'm genuinely curious and unable to come up with a reasonable answer myself)?
>
> > 2016-05-12 14:39 GMT+03:00 dan (ddp) <[email protected]>:
> >>
> >> On Thu, May 12, 2016 at 7:16 AM, Yurii Shatylo <[email protected]> wrote:
> >> > Dears,
> >> >
> >> > Can anyone give a hand? Is it possible to divide the alert output writes into different files by source? For example, 3 agents installed on WIN servers produce alert output to the one file /var/ossec/logs/alerts/alerts.log, but I need every event source to produce alert output into its own file. How to do it?
> >> > Thank you in advance.
> >> > Yurii
> >> >
> >>
> >> There is nothing in OSSEC that allows you to do this.
> >> What you could do is write a daemon to connect to a zeromq socket provided by analysisd, receive the alerts in json format, and output the way you want.
> >>
> >> > --
> >> >
> >> > ---
> >> > You received this message because you are subscribed to the Google Groups "ossec-list" group.
> >> > To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
> >> > For more options, visit https://groups.google.com/d/optout.
>
> > --
> > Best regards,
> > Yurii

--
Best regards,
Yurii
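The core of the daemon dan describes (receive analysisd's JSON alerts, write each one to a file for its source), as an added example that is not code from OSSEC or from anyone in this thread. It reads constructed alert lines instead of a zeromq subscription, and the field names `hostname`, `agentip` and `location` are assumed from the OSSEC JSON output; the source value is reduced to a bare file name because an agent-supplied hostname must not be allowed to form a path.

```python
import json
import re
import tempfile
from pathlib import Path

# Constructed sample alerts in the line-delimited JSON shape analysisd emits.
# Field names ("hostname", "agentip", "location") are assumed from the OSSEC
# JSON output; a real daemon would receive these lines over the zeromq socket.
SAMPLE_ALERTS = [
    '{"rule":{"level":5,"comment":"Logon failure","sidid":18105},"hostname":"WINSRV01","agentip":"10.0.0.11","location":"WinEvtLog"}',
    '{"rule":{"level":3,"comment":"Service started","sidid":18101},"hostname":"WINSRV02","agentip":"10.0.0.12","location":"WinEvtLog"}',
    '{"rule":{"level":7,"comment":"Integrity checksum changed","sidid":550},"hostname":"WINSRV01","agentip":"10.0.0.11","location":"syscheck"}',
    '{"rule":{"level":2,"comment":"No hostname field","sidid":1002},"agentip":"10.0.0.13","location":"syslog"}',
    '{"rule":{"level":2,"comment":"Odd hostname","sidid":1002},"hostname":"../../outside","location":"syslog"}',
    'this line is not JSON at all',
]

_UNSAFE = re.compile(r"[^A-Za-z0-9._-]")

def source_name(alert: dict) -> str:
    """Event source of one alert: agent hostname, else agent IP, else a catch-all.
    The value arrives from the wire, so it is reduced to a bare file name
    (no separators, no leading dots) before it may become part of a path."""
    raw = str(alert.get("hostname") or alert.get("agentip") or "unknown")
    return _UNSAFE.sub("_", raw).strip("._") or "unknown"

def route_alerts(lines, out_dir) -> dict:
    """Append each JSON alert line to <out_dir>/<source>.log and return a
    source -> count map. Lines that are not JSON objects go to malformed.log."""
    out = Path(out_dir)
    out.mkdir(parents=True, exist_ok=True)
    counts = {}
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            alert = json.loads(line)
            name = source_name(alert) if isinstance(alert, dict) else "malformed"
        except json.JSONDecodeError:
            name = "malformed"
        with open(out / f"{name}.log", "a", encoding="utf-8") as fh:
            fh.write(line + "\n")
        counts[name] = counts.get(name, 0) + 1
    return counts

def demo() -> dict:
    """Route the constructed alerts into a fresh scratch directory."""
    return route_alerts(SAMPLE_ALERTS, tempfile.mkdtemp(prefix="ossec-split-"))
```

To turn this into the daemon from the thread, replace `SAMPLE_ALERTS` with the lines read from analysisd's zeromq socket and point `out_dir` at a directory under /var/ossec/logs/alerts/.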
