Hi,
You can use JSON output from Wazuh; there is an array field containing all
the groups, so you can search for them later in Kibana: "rule.groups: 'ssh'
AND rule.groups: 'attacks'".
Output example:
{
  "decoder": {
    "name": "pam"
  },
  "full_log": "May 13 04:30:21 vpc-ossec-manager sshd[15042]: pam_unix(sshd:session): session opened for user root by (uid=0)",
  "hostname": "vpc-ossec-manager",
  "location": "/var/log/auth.log",
  "program_name": "sshd",
  "rule": {
    "PCI_DSS": [
      "10.2.5"
    ],
    "comment": "Login session opened.",
    "firedtimes": 1,
    "groups": [
      "pam",
      "syslog",
      "authentication_success"
    ],
    "level": 3,
    "sidid": 5501
  },
  "timestamp": "2016 May 13 04:30:22"
}
Kibana example:
<https://lh3.googleusercontent.com/-4ekH5aIoSfw/VzW8jC3QIiI/AAAAAAAAADo/enk4kila6ckiYoe7Pzhc4byPEubcoYf4gCLcB/s1600/2016-05-13%2B13_37_22-Discover%2B-%2BKibana.png>
It will also allow you to create visualizations and dashboards.
Best regards,
Pedro S.
On Wednesday, May 11, 2016 at 4:59:22 AM UTC+2, David Lang wrote:
>
> On Tue, 10 May 2016, dan (ddp) wrote:
>
> > On May 10, 2016 7:38 PM, "'RICARDO STOCCO' via ossec-list"
> > <[email protected]> wrote:
> >>
> >> Hello, I have a question.
> >>
> >> Is it possible to send OSSEC group(s) when I use syslog_output?
> >>
> >> For example, in the file alert.log I have this log:
> >>
> >> ** Alert 1462920563.18241: - syslog,access_control,authentication_failed,
> >> 2016 May 10 15:49:23 localhost->/var/log/secure
> >> Rule: 2501 (level 5) -> 'User authentication failure.'
> >> May 10 15:49:23 localhost pam: gdm-password: pam_unix(gdm-password:auth): authentication failure; logname= uid=0 euid=0 tty=:0 ruser= rhost= user=user
> >>
> >> I want to have information about groups in Kibana, for searches:
> >>
> >> "syslog,access_control,authentication_failed"
> >>
> >> Is it possible?
> >>
> >
> > You'll have to modify the source code.
>
> Or you can have logstash/rsyslog parse the log and tag it as
> authentication_failed.
>
> You really do want to have the log parsed before you put it in ElasticSearch.
> It can do free-form text searches, but if it's parsed you can do a lot more.
>
> David Lang
>