Hi,
You can process alerts.json with Logstash, use a conditional in the output
section and write to the different files that you prefer (use a codec
<https://www.elastic.co/guide/en/logstash/current/plugins-outputs-file.html> to
specify the output format):
output {
  if [AgentName] == "agent1" {
    file {
      # Logstash requires string values to be quoted
      path => "/var/logs/mylog-agent1.log"
    }
  }
  if [AgentIP] == "10.0.0.56" {
    file {
      path => "/var/logs/mylog-agent-10.0.0.56.log"
    }
  }
  ....
}

I am sure you will be able to adapt the Wazuh Logstash configuration
<https://github.com/wazuh/ossec-wazuh/blob/master/extensions/logstash/01-ossec-singlehost.conf>
to your needs; in other cases I have used this to choose which
Elasticsearch index I want to forward the data to.
Regards,
Pedro S.
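The same per-agent split done without Logstash, as an added example that is not part of any message in this thread and not OSSEC, Wazuh or Logstash code: a small Python script that reads alerts.json and appends each alert to a file named after its agent, i.e. option 2 in Dan's list quoted below (a process that reads the alert file and copies the alerts to other files). It keys on the same AgentName and AgentIP fields Pedro's conditionals use; the rest of the JSON layout in the constructed sample records, the output directory and the file-name scheme are assumptions, so check a real line of your own alerts.json before relying on the field names. Because the agent name becomes part of a file name, the script restricts it to a safe character set rather than trusting it.

```python
"""Split an OSSEC/Wazuh alerts.json stream into one file per agent.

Added example for the ossec-list thread; not OSSEC, Wazuh or Logstash code.
Assumed: alerts.json holds one JSON object per line carrying "AgentName" and
"AgentIP" (absent for alerts the manager raises about its own logs).
"""
import json
import os
import re
import sys
from collections import defaultdict

# Only a conservative character set is allowed in the per-agent file name, so
# an odd or hostile agent name (e.g. "../../etc/cron.d/x") cannot steer the
# writer outside the output directory.
SAFE_NAME = re.compile(r"[^A-Za-z0-9._-]+")


def target_name(alert):
    """Return the file name (no directory) an alert belongs in.

    Preference: AgentName, then AgentIP, then "server" for manager-local
    alerts that carry neither field. Assumed naming scheme.
    """
    key = alert.get("AgentName") or alert.get("AgentIP") or "server"
    key = SAFE_NAME.sub("_", str(key)).strip("._") or "unknown"
    return "mylog-agent-%s.log" % key


def split_alerts(lines):
    """Group raw alerts.json lines by target file name.

    Returns ({file_name: [raw_line, ...]}, [lines that were not valid JSON]).
    A half-written line at the tail of a live alerts.json is normal, so bad
    lines are reported rather than aborting the run.
    """
    buckets = defaultdict(list)
    bad = []
    for raw in lines:
        raw = raw.rstrip("\n")
        if not raw:
            continue
        try:
            alert = json.loads(raw)
        except ValueError:
            bad.append(raw)
            continue
        if not isinstance(alert, dict):
            bad.append(raw)
            continue
        buckets[target_name(alert)].append(raw)
    return dict(buckets), bad


def write_split(lines, out_dir):
    """Append each alert to its per-agent file under out_dir.

    Returns ({file_name: alerts written}, number of skipped lines).
    """
    buckets, bad = split_alerts(lines)
    os.makedirs(out_dir, exist_ok=True)
    for name, recs in buckets.items():
        # 0o600: alerts carry full log lines, keep them owner-readable only.
        fd = os.open(os.path.join(out_dir, name),
                     os.O_WRONLY | os.O_CREAT | os.O_APPEND, 0o600)
        with os.fdopen(fd, "a") as fh:
            fh.write("\n".join(recs) + "\n")
    return {name: len(recs) for name, recs in buckets.items()}, len(bad)


# Constructed sample records in the assumed field layout (not real alerts).
SAMPLE_LINES = [
    '{"rule":{"level":5,"description":"Windows logon failure"},"id":"1463059200.1",'
    '"AgentName":"agent1","AgentIP":"10.0.0.55","location":"(agent1) 10.0.0.55->WinEvtLog","full_log":"..."}',
    '{"rule":{"level":3,"description":"Service started"},"id":"1463059201.2",'
    '"AgentName":"agent2","AgentIP":"10.0.0.56","location":"(agent2) 10.0.0.56->WinEvtLog","full_log":"..."}',
    '{"rule":{"level":7,"description":"Integrity checksum changed"},"id":"1463059202.3",'
    '"AgentName":"../evil","AgentIP":"10.0.0.57","full_log":"..."}',
    '{"rule":{"level":2,"description":"Local syslog event"},"id":"1463059203.4",'
    '"location":"/var/log/messages","full_log":"..."}',
    '{"rule":{"level":5,"description":"trunc',
]

if __name__ == "__main__":
    # usage: split_alerts.py [OUT_DIR] [ALERTS_JSON]; defaults use the sample.
    out_dir = sys.argv[1] if len(sys.argv) > 1 else "./split-alerts"
    if len(sys.argv) > 2:
        with open(sys.argv[2]) as fh:
            counts, bad = write_split(fh, out_dir)
    else:
        counts, bad = write_split(SAMPLE_LINES, out_dir)
    print("written:", counts, "skipped (not JSON):", bad)
```

Run it once over a rotated alerts.json, or feed it from `tail -F` for continuous operation; either way it only ever appends. The sanitising step matters because an agent name otherwise ends up verbatim in a path under a directory the OSSEC user can write to.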
On Thu, May 12, 2016 at 4:53 PM, dan (ddp) <[email protected]> wrote:
> On Thu, May 12, 2016 at 10:29 AM, Yurii Shatylo <[email protected]>
> wrote:
> > Honestly I don't know how to do it. Rsyslog takes events based on
> > different parameters and writes output to the file which you defined. As for ossec
> > it's another story with its own engine: I didn't find any original output from the
> > agent on the server. I can find only the alert log file. That's a problem for
> > me.
> >
>
> All you've asked about is alerts. The agents do not produce alerts,
> only the server does.
> If you want the original log messages, you have to turn on the logall
> option.
> Even then the messages have a header appended to them by OSSEC.
> But those log messages that OSSEC receives will be stored in
> /var/ossec/logs/archives/archives.log (I think) after you turn on the
> logall option.
>
> > 2016-05-12 16:10 GMT+03:00 dan (ddp) <[email protected]>:
> >>
> >> Digging into rsyslog a bit, I think it's doable. But I haven't figured
> >> out the specifics.
> >> I think you use a template and regex.submatch to grab the agent name
> >> from "Location: ix->/var/log/messages;" (ix being my agent).
> >> Then based on that submatch, use a dynafile to log the alert to that
> >> agent's log file.
> >>
> >> On Thu, May 12, 2016 at 8:26 AM, dan (ddp) <[email protected]> wrote:
> >> > On Thu, May 12, 2016 at 8:11 AM, Yurii Shatylo <[email protected]>
> >> > wrote:
> >> >> I need to put alerts into their own files for every event source. Do you know
> >> >> where the original event comes from before it is handled by ossec? I put into
> >> >> the rsyslog configuration: if from IP then to file, but it didn't help me.
> >> >>
> >> >
> >> >
> >> > For agent/server configurations it goes like this:
> >> > 1. logfile is read by logcollector (AGENT)
> >> > 2. logcollector sends log to agentd (AGENT)
> >> > 3. agentd sends log to remoted (SERVER)
> >> > 4. remoted sends log message to analysisd (SERVER)
> >> > 5. analysisd logs an alert to alerts.log
> >> >
> >> > If you want to log the alerts to different files you have to either:
> >> > 1. modify the source of analysisd to do that for you
> >> > 2. Have a process read the alerts.log file and copy the alerts to
> >> > alternate files
> >> > 3. Use csyslogd to log to a syslogd that copies those alerts to
> >> > different files
> >> > 4. Use the zeromq functionality to read the alerts and log them how you
> >> > want
> >> >
> >> > Since I don't have a need to do this task (and cannot think of a good
> >> > reason to want to), I've never tried these explicit tasks.
> >> >
> >> >> 2016-05-12 15:05 GMT+03:00 dan (ddp) <[email protected]>:
> >> >>>
> >> >>> On Thu, May 12, 2016 at 7:55 AM, Yurii Shatylo
> >> >>> <[email protected]>
> >> >>> wrote:
> >> >>> > Thanks for your response, but it sounds difficult for me.
> >> >>> > Maybe it is possible to do it before the event is handled by the ossec
> >> >>> > engine? For example by rsyslog?
> >> >>> >
> >> >>>
> >> >>> Maybe. Use the client syslog functionality to send the alerts to
> >> >>> rsyslog, and use that to parse and save the alerts to different files.
> >> >>> What's the point of this though? What problem does it solve (I'm
> >> >>> genuinely curious and unable to come up with a reasonable answer
> >> >>> myself)?
> >> >>>
> >> >>> > 2016-05-12 14:39 GMT+03:00 dan (ddp) <[email protected]>:
> >> >>> >>
> >> >>> >> On Thu, May 12, 2016 at 7:16 AM, Yurii Shatylo
> >> >>> >> <[email protected]>
> >> >>> >> wrote:
> >> >>> >> > Dears,
> >> >>> >> >
> >> >>> >> > Can anyone give a hand? Is it possible to divide the alert output
> >> >>> >> > writes into different files by source? For example, 3 agents which are
> >> >>> >> > installed on WIN servers produce alert output to the one file
> >> >>> >> > /var/ossec/logs/alerts/alerts.log, but I need every event source to
> >> >>> >> > produce its alert output into its own file. How to do it?
> >> >>> >> > Thank you in advance.
> >> >>> >> > Yurii
> >> >>> >> >
> >> >>> >>
> >> >>> >> There is nothing in OSSEC that allows you to do this.
> >> >>> >> What you could do is write a daemon to connect to a zeromq socket
> >> >>> >> provided by analysisd,
> >> >>> >> receive the alerts in json format, and output the way you want.
> >> >>> >>
> >> >>> >> > --
> >> >>> >> >
> >> >>> >> > ---
> >> >>> >> > You received this message because you are subscribed to the
> >> >>> >> > Google
> >> >>> >> > Groups
> >> >>> >> > "ossec-list" group.
> >> >>> >> > To unsubscribe from this group and stop receiving emails from
> it,
> >> >>> >> > send
> >> >>> >> > an
> >> >>> >> > email to [email protected].
> >> >>> >> > For more options, visit https://groups.google.com/d/optout.
> >> >>> > --
> >> >>> > Best regards,
> >> >>> > Yurii
> >> >>> >
> >> >>>
> >> >> --
> >> >> Best regards,
> >> >> Yurii
> >> >>
> > --
> > Best regards,
> > Yurii
> >