On Thu, May 12, 2016 at 10:29 AM, Yurii Shatylo <[email protected]> wrote:
> Honestly I don't know how to do it. Rsyslog takes events based on different
> parameters and writes output to the file which you defined. As for ossec
> it's another story with its own engine: I didn't find any original output from
> the agent on the server. I can find only the alert log file. That's a problem
> for me.
>

All you've asked about is alerts. The agents do not produce alerts,
only the server does.
If you want the original log messages, you have to turn on the logall option.
Even then the messages have a header appended to them by OSSEC.
But those log messages that OSSEC receives will be stored in
/var/ossec/logs/archives/archives.log (I think) after you turn on the
logall option.

> 2016-05-12 16:10 GMT+03:00 dan (ddp) <[email protected]>:
>>
>> Digging into rsyslog a bit, I think it's doable. But I haven't figured
>> out the specifics.
>> I think you use a template and regex.submatch to grab the agent name
>> from "Location: ix->/var/log/messages;" (ix being my agent).
>> Then based on that submatch, use a dynafile to log the alert to that
>> agent's log file.
>>
>> On Thu, May 12, 2016 at 8:26 AM, dan (ddp) <[email protected]> wrote:
>> > On Thu, May 12, 2016 at 8:11 AM, Yurii Shatylo <[email protected]>
>> > wrote:
>> >> I need to put the alerts from every event source into its own file. Do you
>> >> know where the original event comes in before it is handled by ossec? I put
>> >> into the rsyslog configuration: if from IP then to file, but it didn't help me.
>> >>
>> >
>> >
>> > For agent/server configurations it goes like this:
>> > 1. logfile is read by logcollector (AGENT)
>> > 2. logcollector sends log to agentd (AGENT)
>> > 3. agentd sends log to remoted (SERVER)
>> > 4. remoted sends log message to analysisd (SERVER)
>> > 5. analysisd logs an alert to alerts.log
>> >
>> > If you want to log the alerts to different files you have to either:
>> > 1. modify the source of analysisd to do that for you
>> > 2. Have a process read the alerts.log file and copy the alerts to
>> > alternate files
>> > 3. Use csyslogd to log to a syslogd that copies those alerts to
>> > different files
>> > 4. Use the zeromq functionality to read the alerts and log them how you
>> > want
>> >
>> > Since I don't have a need to do this task (and cannot think of a good
>> > reason to want to), I've never tried these explicit tasks.
>> >
>> >> 2016-05-12 15:05 GMT+03:00 dan (ddp) <[email protected]>:
>> >>>
>> >>> On Thu, May 12, 2016 at 7:55 AM, Yurii Shatylo
>> >>> <[email protected]>
>> >>> wrote:
>> >>> > Thanks for your response, but it sounds difficult for me.
>> >>> > Maybe it is possible to do it before the event is handled by the ossec
>> >>> > engine, for example by rsyslog?
>> >>> >
>> >>>
>> >>> Maybe. Use the client syslog functionality to send the alerts to
>> >>> rsyslog, and use that to parse and save the alerts to different files.
>> >>> What's the point of this though? What problem does it solve (I'm
>> >>> genuinely curious and unable to come up with a reasonable answer
>> >>> myself)?
>> >>>
>> >>> > 2016-05-12 14:39 GMT+03:00 dan (ddp) <[email protected]>:
>> >>> >>
>> >>> >> On Thu, May 12, 2016 at 7:16 AM, Yurii Shatylo
>> >>> >> <[email protected]>
>> >>> >> wrote:
>> >>> >> > Dears,
>> >>> >> >
>> >>> >> > Can anyone give a hand? Is it possible to divide the alerts output
>> >>> >> > into different files per source? For example, 3 agents installed
>> >>> >> > on WIN servers produce alert output to the one file
>> >>> >> > /var/ossec/logs/alerts/alerts.log, but I need every event source
>> >>> >> > to produce its alert output into its own file. How to do it?
>> >>> >> > Thank you in advance.
>> >>> >> > Yurii
>> >>> >> >
>> >>> >>
>> >>> >> There is nothing in OSSEC that allows you to do this.
>> >>> >> What you could do is write a daemon to connect to a zeromq socket
>> >>> >> provided by analysisd,
>> >>> >> receive the alerts in json format, and output the way you want.
>> >>> >>
>> >>> >> > --
>> >>> >> >
>> >>> >> > ---
>> >>> >> > You received this message because you are subscribed to the
>> >>> >> > Google
>> >>> >> > Groups
>> >>> >> > "ossec-list" group.
>> >>> >> > To unsubscribe from this group and stop receiving emails from it,
>> >>> >> > send
>> >>> >> > an
>> >>> >> > email to [email protected].
>> >>> >> > For more options, visit https://groups.google.com/d/optout.
>> >>> >>
>> >>> >> --
>> >>> >>
>> >>> >> ---
>> >>> >> You received this message because you are subscribed to a topic in
>> >>> >> the
>> >>> >> Google Groups "ossec-list" group.
>> >>> >> To unsubscribe from this topic, visit
>> >>> >>
>> >>> >> https://groups.google.com/d/topic/ossec-list/Y7ZR1k6WOUg/unsubscribe.
>> >>> >> To unsubscribe from this group and all its topics, send an email to
>> >>> >> [email protected].
>> >>> >> For more options, visit https://groups.google.com/d/optout.
>> >>> >
>> >>> >
>> >>> >
>> >>> >
>> >>> > --
>> >>> > Best regards,
>> >>> > Yurii
>> >>> >
>> >>>
>> >>
>> >>
>> >>
>> >>
>> >> --
>> >> Best regards,
>> >> Yurii
>> >>
>>
>
>
>
>
> --
> Best regards,
> Yurii
>

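A worked version of option 2 from the thread (a process that reads alerts.log and copies each alert into a per-source file), added here as an example; it is not OSSEC's own code and was not posted by anyone in the thread. It takes the source name from the alert's location line, which in alerts.log is "(agent) ip->path" for agent alerts and "hostname->path" for the server's own logs, and it also understands the "Location: ix->/var/log/messages;" field of a csyslogd-forwarded alert that the thread proposes splitting on with rsyslog's regex.submatch. The sample alerts are constructed, and the output layout (outdir/<source>.log) is this script's assumption, not an OSSEC convention.

```python
"""Copy each OSSEC alert into a file named after the source it came from.

Added example, not OSSEC code and not posted in the thread.  It implements
option 2 from the thread: a process that reads alerts.log and writes the
alerts to alternate files, one per agent/host.

Assumed input formats (alerts.log blocks and, for syslog-forwarded alerts,
the "Location: ...;" field quoted in the thread):

  ** Alert 1463062200.1234: - syslog,sshd,authentication_failed,
  2016 May 12 16:10:00 (ix) 192.168.1.10->/var/log/messages   <- agent alert
  2016 May 12 16:12:00 ossec-server->/var/log/auth.log        <- server-local
  Rule: 5716 (level 5) -> 'SSHD authentication failed.'

  ... Location: ix->/var/log/messages; ...                    <- csyslogd

The output layout (<outdir>/<source>.log) is this script's own convention.
"""
import os
import re
import tempfile
from collections import defaultdict
from typing import Dict, List, Optional

# Location line of an alerts.log block: agents appear as "(name) ip->path",
# the server's own log files as "hostname->path".
_ALERTS_LOG_LOCATION = re.compile(
    r"^\d{4} \w{3} \d{1,2} \d{2}:\d{2}:\d{2} "
    r"(?:\((?P<agent>[^)]+)\) \S+|(?P<host>\S+))->(?P<path>\S+)"
)
# The same extraction the thread suggests doing in rsyslog with regex.submatch,
# applied to the "Location: ix->/var/log/messages;" field of a forwarded alert.
_SYSLOG_LOCATION = re.compile(
    r"Location: (?:\((?P<agent>[^)]+)\) \S+|(?P<host>[^\s>]+))->(?P<path>[^;]+);"
)
# Source names become file names: drop anything that could escape outdir.
_UNSAFE = re.compile(r"[^A-Za-z0-9_.-]")

# Constructed sample input: two agents (ix, win01) plus the server itself.
SAMPLE_ALERTS = """\
** Alert 1463062200.1234: - syslog,sshd,authentication_failed,
2016 May 12 16:10:00 (ix) 192.168.1.10->/var/log/messages
Rule: 5716 (level 5) -> 'SSHD authentication failed.'
Src IP: 10.0.0.5
May 12 16:09:59 ix sshd[1234]: Failed password for root from 10.0.0.5 port 2222 ssh2

** Alert 1463062260.5678: - windows,authentication_failed,
2016 May 12 16:11:00 (win01) 192.168.1.21->WinEvtLog
Rule: 18105 (level 4) -> 'Windows logon failure.'
WinEvtLog: Security: AUDIT_FAILURE(4625): Microsoft-Windows-Security-Auditing: An account failed to log on.

** Alert 1463062320.9012: mail  - syslog,sudo,
2016 May 12 16:12:00 ossec-server->/var/log/auth.log
Rule: 5402 (level 3) -> 'Successful sudo to ROOT executed'
May 12 16:11:59 ossec-server sudo: admin : TTY=pts/0 ; COMMAND=/bin/ls
"""


def source_of(alert: str) -> Optional[str]:
    """Agent or host name an alert came from, or None if no location is found."""
    for line in alert.splitlines():
        m = _ALERTS_LOG_LOCATION.match(line) or _SYSLOG_LOCATION.search(line)
        if m:
            return m.group("agent") or m.group("host")
    return None


def split_alerts(text: str) -> Dict[str, List[str]]:
    """Group alerts.log blocks ("** Alert" header, blank-line separated) by source."""
    grouped: Dict[str, List[str]] = defaultdict(list)
    for block in re.split(r"\n[ \t]*\n", text.strip()):
        if not block.startswith("** Alert"):
            continue  # ignore anything that is not an alert block
        grouped[source_of(block) or "unknown"].append(block)
    return dict(grouped)


def safe_filename(source: str) -> str:
    """Map a source name to a file name that cannot leave the output directory."""
    name = _UNSAFE.sub("_", source).strip(".")  # no '/', no '..', no dotfiles
    return (name or "unknown") + ".log"


def write_per_source(text: str, outdir: str) -> Dict[str, int]:
    """Append each alert to <outdir>/<source>.log; return alerts written per source."""
    os.makedirs(outdir, exist_ok=True)
    counts: Dict[str, int] = {}
    for source, alerts in split_alerts(text).items():
        path = os.path.join(outdir, safe_filename(source))
        with open(path, "a", encoding="utf-8") as fh:  # append: rerunnable on a growing log
            for alert in alerts:
                fh.write(alert + "\n\n")
        counts[source] = len(alerts)
    return counts


def demo() -> Dict[str, int]:
    """Run the splitter over the constructed sample into a fresh temp directory."""
    return write_per_source(SAMPLE_ALERTS, tempfile.mkdtemp(prefix="ossec-split-"))


if __name__ == "__main__":
    # Against a real server you would feed the tail of
    # /var/ossec/logs/alerts/alerts.log instead of SAMPLE_ALERTS.
    print(demo())
```

The file name is derived from the agent name with a strict character allowlist because that name is data supplied at agent registration, not something the server should trust to build a path from; "../" in a name must not be able to write outside the output directory.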
