Digging into rsyslog a bit, I think it's doable. But I haven't figured out the specifics. I think you use a template and regex.submatch to grab the agent name from "Location: ix->/var/log/messages;" (ix being my agent). Then based on that submatch, use a dynafile to log the alert to that agent's log file.
On Thu, May 12, 2016 at 8:26 AM, dan (ddp) <[email protected]> wrote:
> On Thu, May 12, 2016 at 8:11 AM, Yurii Shatylo <[email protected]> wrote:
>> I need to put alerts into their own files from every event source. Do you know
>> where the original event is coming from before it is handled by ossec? I put in the rsyslog
>> configuration: if from IP then to file, but it didn't help me.
>>
>
> For agent/server configurations it goes like this:
> 1. logfile is read by logcollector (AGENT)
> 2. logcollector sends log to agentd (AGENT)
> 3. agentd sends log to remoted (SERVER)
> 4. remoted sends log message to analysisd (SERVER)
> 5. analysisd logs an alert to alerts.log
>
> If you want to log the alerts to different files you have to either:
> 1. modify the source of analysisd to do that for you
> 2. Have a process read the alerts.log file and copy the alerts to
> alternate files
> 3. Use csyslogd to log to a syslogd that copies those alerts to different
> files
> 4. Use the zeromq functionality to read the alerts and log them how you want
>
> Since I don't have a need to do this task (and cannot think of a good
> reason to want to), I've never tried these explicit tasks.
>
>> 2016-05-12 15:05 GMT+03:00 dan (ddp) <[email protected]>:
>>>
>>> On Thu, May 12, 2016 at 7:55 AM, Yurii Shatylo <[email protected]>
>>> wrote:
>>> > Thanks for your response, but it sounds difficult for me.
>>> > Maybe it is possible to do it before the event is handled by the ossec engine? For
>>> > example by rsyslog?
>>> >
>>>
>>> Maybe. Use the client syslog functionality to send the alerts to
>>> rsyslog, and use that to parse and save the alerts to different files.
>>> What's the point of this though? What problem does it solve (I'm
>>> genuinely curious and unable to come up with a reasonable answer
>>> myself)?
>>>
>>> > 2016-05-12 14:39 GMT+03:00 dan (ddp) <[email protected]>:
>>> >>
>>> >> On Thu, May 12, 2016 at 7:16 AM, Yurii Shatylo <[email protected]>
>>> >> wrote:
>>> >> > Dears,
>>> >> >
>>> >> > Can anyone give a hand? Is it possible to divide the alerts output writes
>>> >> > into different files from any sources? For example, 3 agents which are
>>> >> > installed on WIN servers produce alert output to the one file
>>> >> > /var/ossec/logs/alerts/alerts.log, but I need every event source to
>>> >> > produce alert output into its own file. How to do it?
>>> >> > Thank you in advance.
>>> >> > Yurii
>>> >> >
>>> >>
>>> >> There is nothing in OSSEC that allows you to do this.
>>> >> What you could do is write a daemon to connect to a zeromq socket
>>> >> provided by analysisd,
>>> >> receive the alerts in json format, and output the way you want.
>>> >>
>>> >> > --
>>> >> >
>>> >> > ---
>>> >> > You received this message because you are subscribed to the Google
>>> >> > Groups "ossec-list" group.
>>> >> > To unsubscribe from this group and stop receiving emails from it, send
>>> >> > an email to [email protected].
>>> >> > For more options, visit https://groups.google.com/d/optout.
>>> >>
>>> >> --
>>> >>
>>> >> ---
>>> >> You received this message because you are subscribed to a topic in the
>>> >> Google Groups "ossec-list" group.
>>> >> To unsubscribe from this topic, visit
>>> >> https://groups.google.com/d/topic/ossec-list/Y7ZR1k6WOUg/unsubscribe.
>>> >> To unsubscribe from this group and all its topics, send an email to
>>> >> [email protected].
>>> >> For more options, visit https://groups.google.com/d/optout.
>>> >
>>> > --
>>> > Best regards,
>>> > Yurii
>>>
>> --
>> Best regards,
>> Yurii
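As an added example that is not part of this thread and not OSSEC's own code: the script below implements dan's option 2 (a process that reads alerts.log and copies each alert into a per-source file). The event source is taken from the "Location" line of each alert block, the same field the top reply proposes to capture with rsyslog's regex.submatch and a dynafile. It assumes the standard alerts.log layout (blocks separated by a blank line, second line "YYYY Mon DD HH:MM:SS (agent) ip->source" for agent events and "YYYY Mon DD HH:MM:SS hostname->source" for the server's own logs); the sample alerts, agent names and addresses are constructed for the demonstration.

```python
#!/usr/bin/env python3
"""Copy each OSSEC alert into a per-source file (option 2 from the thread).

Added example, not OSSEC's own code. Assumes the standard alerts.log layout:
blocks separated by a blank line, whose second line reads
    YYYY Mon DD HH:MM:SS (agent) ip->source     for agent events
    YYYY Mon DD HH:MM:SS hostname->source       for the server's own logs
"""
import os
import re
import sys
from collections import defaultdict
from typing import Dict, List, Optional

# Second line of an alert block; the named groups pick out the event source.
LOCATION_RE = re.compile(
    r"^\d{4} [A-Za-z]{3} +\d{1,2} \d{2}:\d{2}:\d{2} "
    r"(?:\((?P<agent>[^)]+)\) \S+|(?P<host>[^\s>]+))->\S+"
)

# Constructed sample: four alerts from three sources (two agents, one local).
SAMPLE_ALERTS = """\
** Alert 1463055960.1234: - syslog,sshd,authentication_success,
2016 May 12 14:26:00 (ix) 192.168.1.10->/var/log/messages
Rule: 5715 (level 3) -> 'SSHD authentication success.'
Src IP: 10.0.0.5
May 12 14:25:59 ix sshd[1234]: Accepted password for yurii from 10.0.0.5 port 4444 ssh2

** Alert 1463055961.5678: mail  - syslog,sshd,authentication_failed,
2016 May 12 14:26:01 (win01) 192.168.1.11->WinEvtLog
Rule: 18106 (level 5) -> 'Windows Logon Failure.'
WinEvtLog: Security: AUDIT_FAILURE(4625): Microsoft-Windows-Security-Auditing: (no user): no domain: WIN01: An account failed to log on.

** Alert 1463055962.9012: - pam,syslog,
2016 May 12 14:26:02 ossec-server->/var/log/auth.log
Rule: 5501 (level 3) -> 'Login session opened.'
May 12 14:26:01 ossec-server sshd[99]: pam_unix(sshd:session): session opened for user root by (uid=0)

** Alert 1463055963.3456: - syslog,sshd,authentication_success,
2016 May 12 14:26:03 (ix) 192.168.1.10->/var/log/messages
Rule: 5715 (level 3) -> 'SSHD authentication success.'
May 12 14:26:02 ix sshd[1235]: Accepted publickey for yurii from 10.0.0.5 port 4445 ssh2
"""


def split_blocks(text: str) -> List[str]:
    """Split alerts.log text into individual '** Alert' blocks."""
    parts = re.split(r"\n(?=\*\* Alert )", text)
    return [p.strip("\n") for p in parts if p.startswith("** Alert ")]


def source_of(block: str) -> Optional[str]:
    """Return the agent name (or local hostname) the alert came from."""
    for line in block.splitlines():
        m = LOCATION_RE.match(line)
        if m:
            return m.group("agent") or m.group("host")
    return None


def safe_filename(source: str) -> str:
    """Agent names arrive over the network, so never let one choose a
    directory: keep a conservative character set, drop leading dots and
    fall back to 'unknown'."""
    cleaned = re.sub(r"[^A-Za-z0-9_.-]", "_", source).lstrip(".")
    return (cleaned or "unknown") + ".log"


def demux(text: str) -> Dict[str, List[str]]:
    """Group alert blocks by the per-source file they belong in."""
    grouped: Dict[str, List[str]] = defaultdict(list)
    for block in split_blocks(text):
        grouped[safe_filename(source_of(block) or "unknown")].append(block)
    return dict(grouped)


def write_per_source(text: str, outdir: str) -> Dict[str, int]:
    """Append each block to <outdir>/<source>.log; return blocks written per file."""
    os.makedirs(outdir, exist_ok=True)
    counts: Dict[str, int] = {}
    for fname, blocks in demux(text).items():
        with open(os.path.join(outdir, fname), "a", encoding="utf-8") as fh:
            fh.write("\n\n".join(blocks) + "\n\n")
        counts[fname] = len(blocks)
    return counts


if __name__ == "__main__":
    # Usage: split_alerts.py /var/ossec/logs/alerts/alerts.log /var/log/ossec-by-source
    # With no arguments it runs on the constructed sample and writes ./alerts-by-source/
    if len(sys.argv) == 3:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as f:
            data = f.read()
        dest = sys.argv[2]
    else:
        data, dest = SAMPLE_ALERTS, "alerts-by-source"
    for name, n in sorted(write_per_source(data, dest).items()):
        print(f"{name}: {n} alert(s)")
```

The script does a single pass over the file; a long-running version would follow alerts.log the way `tail -f` does and remember its offset across rotations, and its output directory should be writable only by the account running it, since the file names are derived from agent names that remote hosts supply.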
