Hi Ron,
If you are using an integration with Elasticsearch, try out the Wazuh fork based
on OSSEC; it has augmented JSON capabilities, including the AgentName you need.
The internal field "lf->hostname" includes parentheses, like you said, so we
extract the content inside; we also rename the field to "AgentName" in the
Logstash filters.
Pretty basic JSON output example:
  {
    "srcip": "192.168.1.*",
    "program_name": "sshd",
    "rule": {
      "firedtimes": 4,
      "PCI_DSS": [ "10.2.5" ],
      "groups": [
        "syslog",
        "sshd",
        "authentication_success"
      ],
      "description": "sshd: authentication success.",
      "AlertLevel": 3,
      "sidid": 5715
    },
    "decoder": {
      "parent": "sshd",
      "fts": 2816,
      "name": "sshd"
    },
    "type": "ossec-alerts",
    "full_log": "Oct 20 02:39:03 ubuntu5 sshd[17583]: Accepted publickey for root from 192.168.1.* port 64306 ssh2: RSA ***",
    "path": "/var/ossec/logs/alerts/alerts.json",
    "@timestamp": "2016-10-20T09:39:04.738Z",
    "dstuser": "root",
    "@version": "1",
    "host": "ubuntu5",
    "location": "/var/log/auth.log",
    "GeoLocation": {},
    "AgentName": "ubuntu5"
  }
You will be able to create agent-dedicated dashboards, pie charts and other
visualizations using every field: GeoIP location, syscheck file integrity
info, and so on.
Best regards,
Pedro S.
On Thu, Oct 20, 2016 at 3:49 AM, <[email protected]> wrote:
> I've recently set up my ossec server to output alerts to a json file. I'm
> sending it over to logstash and elasticsearch. I'd like to create a kibana
> dashboard that defines individual ossec agent hosts.
>
> The issue is that the json doesn't have its own dedicated field for agent
> host. Here's an example alert event (location field):
> "(example-host) 10.0.0.5->/var/log/messages"
>
> Notice how the actual agent hostname is in parentheses? This makes it
> very difficult to unique on hostname alone. It would be much better if
> there was another field called location.agentHost or some other field that
> contains just the agent hostname.
>
> Anyone know of a workaround so I can get the agent hostname in a json
> field all by itself?
>
> --
>
> ---
> You received this message because you are subscribed to the Google Groups
> "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to [email protected].
> For more options, visit https://groups.google.com/d/optout.
>
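An added worked example, not part of this thread and not OSSEC's or Wazuh's own code, of the workaround Ron asks for and Pedro describes: splitting the OSSEC "location" string into a dedicated agent name field before the record reaches Elasticsearch. It assumes three location forms: the "(agent) ip->path" form from Ron's question, the bare path form from Pedro's JSON above, and an assumed "host->path" form for events the manager reports about itself. The field names AgentName, AgentIP and LogLocation, the helper names, and the sample records are all constructed for this example.

```python
"""Extract the OSSEC agent hostname from the JSON 'location' field.

Added example, not code from OSSEC, Wazuh or the thread's authors. It assumes
the 'location' string takes one of these forms:

    "(example-host) 10.0.0.5->/var/log/messages"   agent-reported event
    "ubuntu5->/var/log/auth.log"                   manager's own log (assumed)
    "/var/log/auth.log"                            bare path (as in the JSON above)
"""
import json
import re

# "(agent) ip->path": agent name inside the parentheses, then the agent's
# IP (or "any"), then the log source after "->". The IP class excludes ">"
# so the match stops at the first "->".
_AGENT_RE = re.compile(r"^\((?P<agent>[^)]*)\)\s+(?P<ip>[^\s>]+)->(?P<path>.*)$")
# "host->path": no parentheses, event from the manager itself (assumption).
_LOCAL_RE = re.compile(r"^(?P<host>[^\s()>]+)->(?P<path>.*)$")


def parse_location(location):
    """Split an OSSEC location string into (agent, ip, path).

    Fields absent from the given form are returned as None; a string that
    matches neither pattern is treated as a bare path.
    """
    m = _AGENT_RE.match(location)
    if m:
        return m.group("agent"), m.group("ip"), m.group("path")
    m = _LOCAL_RE.match(location)
    if m:
        return m.group("host"), None, m.group("path")
    return None, None, location


def enrich_alert(alert):
    """Add a dedicated 'AgentName' field to one decoded alerts.json record.

    Falls back to the record's own 'host' field when 'location' names no
    agent, so every event can be grouped by a single field in Kibana.
    """
    agent, ip, path = parse_location(alert.get("location", ""))
    out = dict(alert)
    out["AgentName"] = agent if agent is not None else alert.get("host")
    if ip is not None:
        out["AgentIP"] = ip
    out["LogLocation"] = path
    return out


# Constructed sample records (not real alerts), one per line as alerts.json
# would be read: an agent-reported event and the manager's own sshd event.
SAMPLE_LINES = [
    '{"location": "(example-host) 10.0.0.5->/var/log/messages", "host": "manager", "rule": {"level": 5}}',
    '{"location": "/var/log/auth.log", "host": "ubuntu5", "rule": {"level": 3}}',
]


def enrich_lines(lines):
    """Decode each JSON line and return the enriched records."""
    return [enrich_alert(json.loads(line)) for line in lines]


if __name__ == "__main__":
    for rec in enrich_lines(SAMPLE_LINES):
        print(json.dumps(rec))
```

The same split can be done inside Logstash rather than in a pre-processor: a grok filter matching the location field against a pattern such as `^\(%{DATA:AgentName}\) %{IPORHOST:AgentIP}->%{GREEDYDATA:LogLocation}$` yields the same three fields (an assumed equivalent, not the exact filter Pedro refers to). Whichever route is used, the fallback to the record's "host" value matters: without it, the manager's own events have no AgentName and drop out of any per-agent visualization.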