Yes, afaik, at least Logstash and Rsyslog can be used to parse the alerts file and split alerts on a per-agent basis.
On Thu, May 12, 2016 at 8:08 AM, Pedro Sanchez <[email protected]> wrote:
> Hi,
>
> You can process alerts.json with Logstash, use a filter in the output
> section and write to different files that you prefer (use codec
> <https://www.elastic.co/guide/en/logstash/current/plugins-outputs-file.html>
> to specify output format):
>
> output {
>   if [AgentName] == "agent1" {
>     file {
>       path => "/var/logs/mylog-agent1.log"
>     }
>   }
>   if [AgentIP] == "10.0.0.56" {
>     file {
>       path => "/var/logs/mylog-agent-10.0.0.56.log"
>     }
>   }
>   ....
> }
>
> I am sure you will be able to adapt Wazuh Logstash configuration
> <https://github.com/wazuh/ossec-wazuh/blob/master/extensions/logstash/01-ossec-singlehost.conf>
> to your needs, in other cases I have used this to choose to what
> Elasticsearch index I want to forward the data.
>
> Regards,
>
> Pedro S.
>
> On Thu, May 12, 2016 at 4:53 PM, dan (ddp) <[email protected]> wrote:
>> On Thu, May 12, 2016 at 10:29 AM, Yurii Shatylo <[email protected]> wrote:
>>> Honestly I don't know how to do it. Rsyslog takes events based on different
>>> parameters and writes output to the file which you defined. As for ossec
>>> it's another story with its own engine: I didn't find any original output from
>>> the agent on the server. I can find only the alert log file. That's a problem
>>> for me.
>>
>> All you've asked about is alerts. The agents do not produce alerts,
>> only the server does.
>> If you want the original log messages, you have to turn on the logall
>> option.
>> Even then the messages have a header appended to them by OSSEC.
>> But those log messages that OSSEC receives will be stored in
>> /var/ossec/logs/archives/archives.log (I think) after you turn on the
>> logall option.
>>
>>> 2016-05-12 16:10 GMT+03:00 dan (ddp) <[email protected]>:
>>>> Digging into rsyslog a bit, I think it's doable. But I haven't figured
>>>> out the specifics.
>>>> I think you use a template and regex.submatch to grab the agent name
>>>> from "Location: ix->/var/log/messages;" (ix being my agent).
>>>> Then based on that submatch, use a dynafile to log the alert to that
>>>> agent's log file.
>>>>
>>>> On Thu, May 12, 2016 at 8:26 AM, dan (ddp) <[email protected]> wrote:
>>>>> On Thu, May 12, 2016 at 8:11 AM, Yurii Shatylo <[email protected]> wrote:
>>>>>> I need to put alerts into their own files for every event source. Do you
>>>>>> know where the original event is coming from before it is handled by ossec?
>>>>>> I put into the rsyslog configuration: if from IP then to file, but it
>>>>>> didn't help me.
>>>>>
>>>>> For agent/server configurations it goes like this:
>>>>> 1. logfile is read by logcollector (AGENT)
>>>>> 2. logcollector sends log to agentd (AGENT)
>>>>> 3. agentd sends log to remoted (SERVER)
>>>>> 4. remoted sends log message to analysisd (SERVER)
>>>>> 5. analysisd logs an alert to alerts.log
>>>>>
>>>>> If you want to log the alerts to different files you have to either:
>>>>> 1. modify the source of analysisd to do that for you
>>>>> 2. Have a process read the alerts.log file and copy the alerts to
>>>>> alternate files
>>>>> 3. Use csyslogd to log to a syslogd that copies those alerts to
>>>>> different files
>>>>> 4. Use the zeromq functionality to read the alerts and log them how you
>>>>> want
>>>>>
>>>>> Since I don't have a need to do this task (and cannot think of a good
>>>>> reason to want to), I've never tried these explicit tasks.
>>>>>
>>>>>> 2016-05-12 15:05 GMT+03:00 dan (ddp) <[email protected]>:
>>>>>>> On Thu, May 12, 2016 at 7:55 AM, Yurii Shatylo <[email protected]> wrote:
>>>>>>>> Thanks for your response but it sounds difficult for me.
>>>>>>>> Maybe it is possible to do it before the event is handled by the ossec
>>>>>>>> engine? For example by rsyslog?
>>>>>>>
>>>>>>> Maybe. Use the client syslog functionality to send the alerts to
>>>>>>> rsyslog, and use that to parse and save the alerts to different files.
>>>>>>> What's the point of this though? What problem does it solve (I'm
>>>>>>> genuinely curious and unable to come up with a reasonable answer
>>>>>>> myself)?
>>>>>>>
>>>>>>>> 2016-05-12 14:39 GMT+03:00 dan (ddp) <[email protected]>:
>>>>>>>>> On Thu, May 12, 2016 at 7:16 AM, Yurii Shatylo <[email protected]> wrote:
>>>>>>>>>> Dears,
>>>>>>>>>>
>>>>>>>>>> Can anyone give a hand? Is it possible to divide the alerts output
>>>>>>>>>> into different files per source? For example, 3 agents which are
>>>>>>>>>> installed on WIN servers produce alert output to the one file
>>>>>>>>>> /var/ossec/logs/alerts/alerts.log, but I need every event source to
>>>>>>>>>> produce its alerts output into its own file. How to do it?
>>>>>>>>>> Thank you in advance.
>>>>>>>>>> Yurii
>>>>>>>>>>
>>>>>>>>>> --
>>>>>>>>>>
>>>>>>>>>> ---
>>>>>>>>>> You received this message because you are subscribed to the Google
>>>>>>>>>> Groups "ossec-list" group.
>>>>>>>>>> To unsubscribe from this group and stop receiving emails from it, send
>>>>>>>>>> an email to [email protected].
>>>>>>>>>> For more options, visit https://groups.google.com/d/optout.
>>>>>>>>>
>>>>>>>>> There is nothing in OSSEC that allows you to do this.
>>>>>>>>> What you could do is write a daemon to connect to a zeromq socket
>>>>>>>>> provided by analysisd,
>>>>>>>>> receive the alerts in json format, and output the way you want.
>>>>>>>>
>>>>>>>> --
>>>>>>>> Best regards,
>>>>>>>> Yurii
>>>>>>
>>>>>> --
>>>>>> Best regards,
>>>>>> Yurii
>>>
>>> --
>>> Best regards,
>>> Yurii
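Option 2 in dan's list (a process reads the alerts file and copies each alert to an alternate file) written out as an added Python example; this is not code from any poster in this thread, nor from OSSEC or Wazuh. It assumes alerts.json holds one JSON object per line with a `location` string shaped like `(agent1) 10.0.0.55->/var/log/auth.log` for agent alerts or `ix->/var/log/messages` for the bare form dan quotes; the sample alerts are constructed, and the agent name is sanitised before it becomes part of a filename because it is taken from log data.

```python
import json
import re
import tempfile
from pathlib import Path

# Location format is this example's assumption, not an OSSEC spec:
# "(agent1) 10.0.0.55->/var/log/auth.log" (relayed from an agent) or "ix->/var/log/messages" (bare, dan's example)
LOCATION_RE = re.compile(r"^(?:\((?P<name>[^)]+)\)\s+\S+|(?P<bare>[^\s>-]+))->.*$")

# Constructed sample lines in the one-object-per-line shape of alerts.json.
SAMPLE_ALERTS = [
    '{"rule":{"level":5},"location":"(agent1) 10.0.0.55->/var/log/auth.log"}',
    '{"rule":{"level":3},"location":"(agent2) 10.0.0.56->WinEvtLog"}',
    '{"rule":{"level":7},"location":"ix->/var/log/messages"}',
    '{"rule":{"level":2},"location":"(../evil) 10.0.0.57->/var/log/syslog"}',
    "this line is not JSON",
]

def agent_of(alert: dict) -> str:
    """Return the agent name an alert came from, or "unknown"."""
    m = LOCATION_RE.match(alert.get("location", ""))
    return (m.group("name") or m.group("bare")) if m else "unknown"

def safe_filename(name: str) -> str:
    """Agent names come from log data: strip anything that could form a path."""
    return re.sub(r"[^A-Za-z0-9._-]", "_", name)

def route_alerts(lines, out_dir: Path) -> dict:
    """Append each alert line to out_dir/alerts-<agent>.json; return per-agent counts."""
    counts = {}
    out_dir.mkdir(parents=True, exist_ok=True)
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        try:
            agent = agent_of(json.loads(raw))
        except (json.JSONDecodeError, AttributeError):  # not JSON, or not a JSON object
            counts["_malformed"] = counts.get("_malformed", 0) + 1  # count, don't drop silently
            continue
        agent = safe_filename(agent)
        with (out_dir / f"alerts-{agent}.json").open("a", encoding="utf-8") as fh:
            fh.write(raw + "\n")
        counts[agent] = counts.get(agent, 0) + 1
    return counts

def demo():
    with tempfile.TemporaryDirectory() as tmp:  # route the samples; return (counts, sorted file names)
        counts = route_alerts(SAMPLE_ALERTS, Path(tmp))
        return counts, sorted(p.name for p in Path(tmp).iterdir())
```

In production the same loop would tail alerts.json (or consume the zeromq/JSON feed dan mentions) instead of iterating a list, and the `_malformed` counter is what you would alert on if the feed ever starts arriving in a shape the parser does not expect.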
