Thanks Pedro, I'll take a look at the Wazuh OSSEC fork.
On Thursday, October 20, 2016 at 3:37:36 AM UTC-7, Pedro S wrote:
>
> Hi Ron,
>
> If you are using an integration with Elasticsearch, try out the Wazuh fork based
> on OSSEC, with augmented JSON capabilities including the AgentName you need.
> The internal field "lf->hostname" includes parentheses like you said, so we
> are extracting the content inside; we also rename the field in Logstash
> filters to "AgentName".
>
> Pretty basic JSON output example:
>
> "srcip": "192.168.1.*",
> "program_name": "sshd",
> "rule": {
>   "firedtimes": 4,
>   "PCI_DSS": [ "10.2.5" ],
>   "groups": [
>     "syslog",
>     "sshd",
>     "authentication_success"
>   ],
>   "description": "sshd: authentication success.",
>   "AlertLevel": 3,
>   "sidid": 5715
> },
> "decoder": {
>   "parent": "sshd",
>   "fts": 2816,
>   "name": "sshd"
> },
> "type": "ossec-alerts",
> "full_log": "Oct 20 02:39:03 ubuntu5 sshd[17583]: Accepted publickey for root from 192.168.1.* port 64306 ssh2: RSA ***",
> "path": "/var/ossec/logs/alerts/alerts.json",
> "@timestamp": "2016-10-20T09:39:04.738Z",
> "dstuser": "root",
> "@version": "1",
> "host": "ubuntu5",
> "location": "/var/log/auth.log",
> "GeoLocation": {},
> "AgentName": "ubuntu5"
> },
>
>
> You will be able to create agent-dedicated dashboards, pie charts and
> other visualizations using every field, GeoIP location, syscheck file
> integrity info.
>
> Best regards,
>
> Pedro S.
>
> On Thu, Oct 20, 2016 at 3:49 AM, <[email protected]> wrote:
>
>> I've recently set up my ossec server to output alerts to a json file. I'm
>> sending it over to logstash and elasticsearch. I'd like to create a kibana
>> dashboard that defines individual ossec agent hosts.
>>
>> The issue is that the json doesn't have its own dedicated field for
>> agent host. Here's an example alert event (location field):
>> "(example-host) 10.0.0.5->/var/log/messages"
>>
>> Notice how the actual agent hostname is in parentheses? This makes it
>> very difficult to unique on hostname alone. It would be much better if
>> there was another field called location.agentHost or some other field that
>> contains just the agent hostname.
>>
>> Anyone know of a workaround so I can get the agent hostname in a json
>> field all by itself?
>>
>> --
>>
>> ---
>> You received this message because you are subscribed to the Google Groups
>> "ossec-list" group.
>> To unsubscribe from this group and stop receiving emails from it, send an
>> email to [email protected].
>> For more options, visit https://groups.google.com/d/optout.
>>
>
>
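Ron's question asks for the agent hostname as a field of its own, and Pedro describes the Wazuh fork doing that extraction in a Logstash filter. As an added example, not code from this thread, from OSSEC or from Wazuh, the Python below performs the same split on the `location` format quoted above (`"(agent-name) agent-ip->log-source"`) and runs it over a few constructed alert records. The output field names `AgentName`, `AgentIP` and `LogSource`, the sample records and the `"any"` IP for agents registered without a fixed address are my own assumptions; the fallback for alerts that carry no agent prefix (log sources read on the manager itself) is the point a dashboard builder most needs to get right, since otherwise those records vanish from a per-agent chart or get attributed to the wrong host.

```python
import re
from collections import Counter

# Constructed sample alerts in the shape OSSEC writes to alerts.json, reduced
# to the fields this example needs. Not taken from a real deployment.
SAMPLE_ALERTS = [
    {"host": "ossec-manager", "location": "(example-host) 10.0.0.5->/var/log/messages",
     "rule": {"level": 3}},
    {"host": "ossec-manager", "location": "(example-host) 10.0.0.5->/var/log/secure",
     "rule": {"level": 5}},
    # Assumption: an agent registered with "any" as its address shows "any" here.
    {"host": "ossec-manager", "location": "(web01) any->syscheck",
     "rule": {"level": 7}},
    # Alert raised from a log read on the manager itself: no "(agent) ip->" prefix.
    {"host": "ossec-manager", "location": "/var/log/auth.log",
     "rule": {"level": 3}},
]

# Assumed format of the location field, as quoted in the thread:
#   "(agent-name) agent-ip->log-source"
LOCATION_RE = re.compile(r"^\((?P<agent>[^)]+)\)\s+(?P<ip>\S+?)->(?P<source>.+)$")


def parse_location(location):
    """Split an OSSEC location string into agent name, agent IP and log source.

    Returns a dict with AgentName, AgentIP and LogSource (names chosen for this
    example). A location without the agent prefix yields None for the two agent
    fields so the caller decides on a fallback instead of the alert being
    silently mis-attributed.
    """
    match = LOCATION_RE.match(location)
    if match is None:
        return {"AgentName": None, "AgentIP": None, "LogSource": location}
    return {
        "AgentName": match.group("agent"),
        "AgentIP": match.group("ip"),
        "LogSource": match.group("source"),
    }


def enrich_alert(alert):
    """Return a copy of the alert with AgentName, AgentIP and LogSource added.

    Alerts without an agent prefix are attributed to the manager host that
    wrote them (the record's own "host" field), so every record ends up with a
    non-empty AgentName that a Kibana visualization can group on.
    """
    enriched = dict(alert)
    parts = parse_location(alert["location"])
    if parts["AgentName"] is None:
        parts["AgentName"] = alert.get("host")
    enriched.update(parts)
    return enriched


def count_by_agent(alerts):
    """Alert count per agent: the numbers a per-agent pie chart would display."""
    return Counter(enrich_alert(a)["AgentName"] for a in alerts)


if __name__ == "__main__":
    for name, total in count_by_agent(SAMPLE_ALERTS).items():
        print(f"{name}: {total} alert(s)")
```

The regex doubles as a reference for the equivalent Logstash grok or dissect pattern: the three capture groups map one-to-one onto the fields, and the `None` branch is the case a filter must also handle explicitly (for example with a conditional that copies `host` into `AgentName` when the match fails).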