On Thu, May 12, 2016 at 8:11 AM, Yurii Shatylo <[email protected]> wrote:
> I need to put alerts into my own files from every event source. Do you know
> where the original event comes from before it is handled by ossec? I put into the
> rsyslog configuration: if from IP then to file, but it didn't help me.
>

For agent/server configurations it goes like this:
1. logfile is read by logcollector (AGENT)
2. logcollector sends log to agentd (AGENT)
3. agentd sends log to remoted (SERVER)
4. remoted sends log message to analysisd (SERVER)
5. analysisd logs an alert to alerts.log

If you want to log the alerts to different files you have to either:
1. modify the source of analysisd to do that for you
2. Have a process read the alerts.log file and copy the alerts to alternate files
3. Use csyslogd to log to a syslogd that copies those alerts to different files
4. Use the zeromq functionality to read the alerts and log them how you want

Since I don't have a need to do this task (and cannot think of a good reason to want to), I've never tried these explicit tasks.

> 2016-05-12 15:05 GMT+03:00 dan (ddp) <[email protected]>:
>>
>> On Thu, May 12, 2016 at 7:55 AM, Yurii Shatylo <[email protected]> wrote:
>> > Thanks for your response, but it sounds difficult for me.
>> > Maybe it is possible to do it before the event is handled by the ossec engine? For
>> > example by rsyslog?
>> >
>>
>> Maybe. Use the client syslog functionality to send the alerts to
>> rsyslog, and use that to parse and save the alerts to different files.
>> What's the point of this though? What problem does it solve (I'm
>> genuinely curious and unable to come up with a reasonable answer
>> myself)?
>>
>> > 2016-05-12 14:39 GMT+03:00 dan (ddp) <[email protected]>:
>> >>
>> >> On Thu, May 12, 2016 at 7:16 AM, Yurii Shatylo <[email protected]> wrote:
>> >> > Dears,
>> >> >
>> >> > Can anyone give a hand? Is it possible to split the alert output into
>> >> > different files by source? For example, 3 agents installed on
>> >> > WIN servers produce alert output to the one file
>> >> > /var/ossec/logs/alerts/alerts.log, but I need every event source to
>> >> > produce its alert output into its own file. How to do it?
>> >> > Thank you in advance.
>> >> > Yurii
>> >> >
>> >>
>> >> There is nothing in OSSEC that allows you to do this.
>> >> What you could do is write a daemon to connect to a zeromq socket
>> >> provided by analysisd,
>> >> receive the alerts in json format, and output the way you want.
>> >>
>> >> > --
>> >> >
>> >> > ---
>> >> > You received this message because you are subscribed to the Google
>> >> > Groups "ossec-list" group.
>> >> > To unsubscribe from this group and stop receiving emails from it, send
>> >> > an email to [email protected].
>> >> > For more options, visit https://groups.google.com/d/optout.
>> >
>> > --
>> > Best regards,
>> > Yurii
>
> --
> Best regards,
> Yurii
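As an added example (not code from this thread and not part of OSSEC), here is option 2 from the reply above in Python: a separate process reads alerts.log, takes the source of each alert from its second line, and appends the alert block to a per-source file. It assumes the alerts.log layout where an alert begins with a "** Alert ..." header and the next line reads "YYYY Mon DD HH:MM:SS (agent) ip->location" for agents or "YYYY Mon DD HH:MM:SS hostname->location" for logs read on the server itself; the sample alerts are constructed to match that layout, and the function names and the "split-alerts" output directory are this example's own choices. It makes one pass over the input; following the live file across OSSEC's log rotation is left to the reader.

```python
#!/usr/bin/env python3
"""Copy each alert in an OSSEC alerts.log to a per-source file.

Added example, not code from the thread or from OSSEC. Implements option 2
above: a separate process reads alerts.log and copies alerts elsewhere.
"""
import os
import re
from collections import defaultdict

# Assumed alerts.log layout: header line, then a location line.
ALERT_HEADER = re.compile(r"^\*\* Alert \d+\.\d+: ")
LOCATION_LINE = re.compile(
    r"^\d{4} \w{3} \d{2} \d{2}:\d{2}:\d{2} "
    r"(?:\((?P<agent>[^)]+)\) (?P<ip>\S+)|(?P<host>\S+))->(?P<location>.*)$"
)
# Only [A-Za-z0-9_.-] survive in a file name, so a source name can never become
# a path component such as "../". Agent names are admin-controlled (client.keys),
# but output-path hygiene costs nothing.
UNSAFE_CHARS = re.compile(r"[^A-Za-z0-9_.-]")

# Constructed sample input in alerts.log layout (not real alerts).
SAMPLE_ALERTS = """\
** Alert 1463058306.12345: - windows,authentication_failed,
2016 May 12 15:05:06 (WINSRV01) 192.168.1.20->WinEvtLog
Rule: 18106 (level 5) -> 'Windows Logon Failure.'
Src IP: 10.0.0.5
User: administrator
2016 May 12 15:05:05 WinEvtLog: Security: AUDIT_FAILURE(4625): ...

** Alert 1463058310.23456: - windows,authentication_success,
2016 May 12 15:05:10 (WINSRV02) any->WinEvtLog
Rule: 18107 (level 3) -> 'Windows Logon Success.'
User: svc_backup
2016 May 12 15:05:09 WinEvtLog: Security: AUDIT_SUCCESS(4624): ...

** Alert 1463058311.34567: mail  - ossec,
2016 May 12 15:05:11 ossec-server->ossec
Rule: 502 (level 3) -> 'Ossec server started.'
ossec: Ossec started.

** Alert 1463058312.45678: - windows,authentication_failed,
2016 May 12 15:05:12 (WINSRV01) 192.168.1.20->WinEvtLog
Rule: 18106 (level 5) -> 'Windows Logon Failure.'
Src IP: 10.0.0.5
User: administrator
2016 May 12 15:05:11 WinEvtLog: Security: AUDIT_FAILURE(4625): ...
"""


def iter_alerts(text):
    """Yield each alert as one string, header line first, blank separator dropped."""
    block = []
    for line in text.splitlines():
        if ALERT_HEADER.match(line):
            if block:
                yield "\n".join(block).rstrip("\n")
            block = [line]
        elif block:  # lines before the first header (a torn alert) are skipped
            block.append(line)
    if block:
        yield "\n".join(block).rstrip("\n")


def alert_source(block):
    """Agent name, or server hostname for locally read logs; None if unparsable."""
    lines = block.split("\n", 2)
    if len(lines) < 2:
        return None
    m = LOCATION_LINE.match(lines[1])
    return (m.group("agent") or m.group("host")) if m else None


def safe_filename(source):
    """Per-source file name that stays inside the output directory."""
    name = UNSAFE_CHARS.sub("_", source).strip(".")
    return (name or "unknown") + ".log"


def split_alerts(text):
    """Group alert blocks by source; unparsable ones land under 'unknown'."""
    groups = defaultdict(list)
    for block in iter_alerts(text):
        groups[alert_source(block) or "unknown"].append(block)
    return dict(groups)


def write_split_alerts(text, out_dir):
    """Append each alert to <out_dir>/<source>.log; return {file name: alert count}."""
    os.makedirs(out_dir, exist_ok=True)
    counts = {}
    for source, blocks in split_alerts(text).items():
        fname = safe_filename(source)
        with open(os.path.join(out_dir, fname), "a", encoding="utf-8") as fh:
            fh.write("".join(b + "\n\n" for b in blocks))
        counts[fname] = len(blocks)
    return counts


if __name__ == "__main__":
    import sys
    # Pass a real alerts.log path to split it; with no argument the sample is used.
    data = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_ALERTS
    print(write_split_alerts(data, "split-alerts"))
```

Run it as `python3 split_alerts.py /var/ossec/logs/alerts/alerts.log` to get one file per agent (plus one for the server's own logs) under split-alerts/. The source is taken from the location line rather than from any IP in the alert body, so an agent registered with "any" as its address is still filed under its name; an alert whose second line does not match the expected layout goes to unknown.log rather than being dropped.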
