Honestly I don't know how to do it. Rsyslog takes events based on different parameters and writes output to the file which you defined. As for ossec it's another story with its own engine: I didn't find any original output from the agent on the server. I can find only the alert log file. That's a problem for me.
2016-05-12 16:10 GMT+03:00 dan (ddp) <[email protected]>:

> Digging into rsyslog a bit, I think it's doable. But I haven't figured
> out the specifics.
> I think you use a template and regex.submatch to grab the agent name
> from "Location: ix->/var/log/messages;" (ix being my agent).
> Then based on that submatch, use a dynafile to log the alert to that
> agent's log file.
>
> On Thu, May 12, 2016 at 8:26 AM, dan (ddp) <[email protected]> wrote:
> > On Thu, May 12, 2016 at 8:11 AM, Yurii Shatylo <[email protected]> wrote:
> > > I need to put alerts to own files from every event source. Do you know
> > > where the original event is coming from before it is handled by ossec? I put into
> > > the rsyslog configuration: if from IP then to file, but it didn't help me.
> >
> > For agent/server configurations it goes like this:
> > 1. logfile is read by logcollector (AGENT)
> > 2. logcollector sends log to agentd (AGENT)
> > 3. agentd sends log to remoted (SERVER)
> > 4. remoted sends log message to analysisd (SERVER)
> > 5. analysisd logs an alert to alerts.log
> >
> > If you want to log the alerts to different files you have to either:
> > 1. modify the source of analysisd to do that for you
> > 2. Have a process read the alerts.log file and copy the alerts to
> >    alternate files
> > 3. Use csyslogd to log to a syslogd that copies those alerts to
> >    different files
> > 4. Use the zeromq functionality to read the alerts and log them how you
> >    want
> >
> > Since I don't have a need to do this task (and cannot think of a good
> > reason to want to), I've never tried these explicit tasks.
> >
> > > 2016-05-12 15:05 GMT+03:00 dan (ddp) <[email protected]>:
> > > > On Thu, May 12, 2016 at 7:55 AM, Yurii Shatylo <[email protected]> wrote:
> > > > > Thanks for your response but it sounds difficult for me.
> > > > > Maybe it is possible to do it before the event is handled by the ossec engine?
> > > > > For example by rsyslog?
> > > >
> > > > Maybe. Use the client syslog functionality to send the alerts to
> > > > rsyslog, and use that to parse and save the alerts to different files.
> > > > What's the point of this though? What problem does it solve (I'm
> > > > genuinely curious and unable to come up with a reasonable answer
> > > > myself)?
> > > >
> > > > > 2016-05-12 14:39 GMT+03:00 dan (ddp) <[email protected]>:
> > > > > > On Thu, May 12, 2016 at 7:16 AM, Yurii Shatylo <[email protected]> wrote:
> > > > > > > Dears,
> > > > > > >
> > > > > > > Can anyone give a hand? Is it possible to divide the alert output
> > > > > > > into different files per source? For example 3 agents which are
> > > > > > > installed on WIN servers produce alert output to the one file
> > > > > > > /var/ossec/logs/alerts/alerts.log, but I need every event source
> > > > > > > to produce its alert output into its own file. How to do it?
> > > > > > > Thank you in advance.
> > > > > > > Yurii
> > > > > > >
> > > > > > > --
> > > > > > >
> > > > > > > ---
> > > > > > > You received this message because you are subscribed to the Google
> > > > > > > Groups "ossec-list" group.
> > > > > > > To unsubscribe from this group and stop receiving emails from it, send
> > > > > > > an email to [email protected].
> > > > > > > For more options, visit https://groups.google.com/d/optout.
> > > > > >
> > > > > > There is nothing in OSSEC that allows you to do this.
> > > > > > What you could do is write a daemon to connect to a zeromq socket
> > > > > > provided by analysisd,
> > > > > > receive the alerts in json format, and output the way you want.
> > > > > >
> > > > > > --
> > > > > >
> > > > > > ---
> > > > > > You received this message because you are subscribed to a topic in the
> > > > > > Google Groups "ossec-list" group.
> > > > > > To unsubscribe from this topic, visit
> > > > > > https://groups.google.com/d/topic/ossec-list/Y7ZR1k6WOUg/unsubscribe.
> > > > > > To unsubscribe from this group and all its topics, send an email to
> > > > > > [email protected].
> > > > > > For more options, visit https://groups.google.com/d/optout.
> > > > >
> > > > > --
> > > > > Best regards,
> > > > > Yurii
> > >
> > > --
> > > Best regards,
> > > Yurii

--
Best regards,
Yurii

--

---
You received this message because you are subscribed to the Google Groups "ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. For more options, visit https://groups.google.com/d/optout.
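Option 2 from dan's list above (a process that reads alerts.log and copies each alert into a per-source file), as an added example; this is not code from the thread or from OSSEC itself. It assumes the standard alerts.log block layout (a "** Alert" header line followed by the timestamp and location line) and works on a constructed sample; the agent names win-srv-01 and ix are made up for the sample.

```python
import re
from collections import defaultdict
from pathlib import Path

# Constructed sample in the alerts.log layout (not real data); the last alert has no location line.
SAMPLE_ALERTS = """\
** Alert 1463059812.1234: - windows,authentication_failed,
2016 May 12 16:10:12 (win-srv-01) 10.0.0.11->WinEvtLog
Rule: 18105 (level 4) -> 'Windows Logon Failure.'

** Alert 1463059815.1300: - syslog,sshd,
2016 May 12 16:10:15 ix->/var/log/messages
Rule: 5716 (level 5) -> 'SSHD authentication failed.'

** Alert 1463059825.1500: - syslog,
Rule: 1002 (level 2) -> 'Unknown problem somewhere in the system.'
"""

# Location line: "<ts> (<agent>) <ip>-><source>" for agents, "<ts> <host>-><source>" for the server's own logs.
LOCATION_RE = re.compile(r"^\d{4} \w{3} \d{2} \d{2}:\d{2}:\d{2} "
                         r"(?:\((?P<agent>[^)]+)\) \S+|(?P<local>\S+?))->")

def split_alerts(text):
    """Alert blocks of an alerts.log; they are separated by blank lines."""
    return [b.strip("\n") for b in text.split("\n\n") if b.startswith("** Alert")]

def alert_source(block):
    """Agent name (or server hostname) of one alert, None if unparseable."""
    m = LOCATION_RE.match(block.split("\n")[1]) if "\n" in block else None
    return (m.group("agent") or m.group("local")) if m else None

def demux(text):
    """Group alert blocks by source; malformed alerts land under 'unknown'."""
    groups = defaultdict(list)
    for block in split_alerts(text):
        groups[alert_source(block) or "unknown"].append(block)
    return dict(groups)

def write_per_source(text, outdir):
    """Append each group to <outdir>/<source>.log (outdir must exist); return paths."""
    outdir = Path(outdir)
    written = {}
    for source, blocks in demux(text).items():
        # sanitise the name so an odd source value cannot escape outdir
        path = outdir / (re.sub(r"[^A-Za-z0-9._-]", "_", source) + ".log")
        with path.open("a") as fh:
            fh.write("\n\n".join(blocks) + "\n\n")
        written[source] = path
    return written
```

Run it against the real file by tailing /var/ossec/logs/alerts/alerts.log in blank-line-separated chunks and passing each chunk to write_per_source; alerts whose location line cannot be parsed are kept rather than dropped, in unknown.log.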
