On Mar 13, 2017 11:50 AM, "Martin Dulovič" <[email protected]> wrote:
Hello,
I have this problem, you could say. I need Ossec to crunch modified logs
(syslogs). Our syslog message is as follows.
*Example message:*
[syslog-1] Mar 13 06:25:16 my-server-1 syslog-ng[1012]: EOF on control channel, closing connection;
*Format:*
[TAG] syslog_timestamp syslog_host syslog_program syslog_message
*I need 2 things:*
1. Ossec to parse this modified syslog format
- How can it be done? By modifying the pre-decoder/decoder, or
something else?
2. Modify the Ossec output alert/syslog message to include the TAG field.
*Current Ossec message:*
Mar 13 11:20:02 Ossec1 ossec: Alert Level: 3; Rule: 5501 - Login session opened.; Location: (otrs2) 172.30.124.32->/var/log/messages; 2017-03-13T11:20:01.045060+01:00 Otrs2 cron[40779]: pam_unix(crond:session): session opened for user otrs by (uid=0)
*Modified Ossec message: (for TAG-ed syslog message)*
Mar 13 11:20:02 Ossec1 ossec: Tag: syslog-1; Alert Level: 3; Rule: 5501 - Login session opened.; Location: (otrs2) 172.30.124.32->/var/log/messages; [syslog-1] 2017-03-13T11:20:01.045060+01:00 Otrs2 cron[40779]: pam_unix(crond:session): session opened for user otrs by (uid=0)
It also can be JSON message.
What should I do to make this happen?
You'll have to modify the analysisd source. It goes through the msg to
identify the timestamp, hostname, and program. The code is a bit odd, and
relies on certain characters in certain spaces. So you'll have to add
support for your tag.
Thanks in advance.
--
---
You received this message because you are subscribed to the Google Groups
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an
email to [email protected].
For more options, visit https://groups.google.com/d/optout.
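The pre-decoding step the reply refers to (pulling timestamp, hostname and program out of the line before rules run) can be sketched outside OSSEC to see what the tag support has to do. The block below is an added illustration, not OSSEC's analysisd code and not something from the thread: it is a standalone Python pre-decoder that accepts the `[TAG] ...` prefix from the question, falls back to plain syslog when there is no tag, keeps unparseable lines rather than dropping them, and renders both the "Tag: ...;" alert line and a JSON variant the question mentions. The regular expressions, field names and function names are assumptions made for this example; the sample lines are the ones quoted in the thread.

```python
"""Illustrative pre-decoder for the "[TAG] <syslog line>" format discussed in
the thread. This is an added example, not OSSEC analysisd code: OSSEC's real
pre-decoder is C inside analysisd. The Python below mirrors the same steps
(timestamp, host, program, message) with an extra optional leading tag."""
import json
import re
from dataclasses import dataclass, asdict
from typing import Optional

# Assumed tag shape: "[syslog-1] " directly in front of an ordinary syslog line.
TAG_RE = re.compile(r"^\[(?P<tag>[^\]\s]+)\]\s+(?P<rest>.*)$", re.S)

# Syslog header in either form seen in the thread: BSD "Mar 13 06:25:16" or
# ISO 8601 "2017-03-13T11:20:01.045060+01:00", then host, program[pid]:
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s\d{2}:\d{2}:\d{2}|\d{4}-\d{2}-\d{2}T\S+)\s+"
    r"(?P<host>\S+)\s+"
    r"(?P<prog>[^\s\[:]+)(?:\[(?P<pid>\d+)\])?:\s*"
    r"(?P<msg>.*)$",
    re.S,
)


@dataclass
class Decoded:
    raw: str                      # full line as received, tag included
    tag: Optional[str] = None
    timestamp: Optional[str] = None
    hostname: Optional[str] = None
    program: Optional[str] = None
    pid: Optional[str] = None
    message: str = ""


def predecode(line: str) -> Decoded:
    """Split a (possibly tagged) syslog line into header fields.
    Untagged lines decode as normal syslog; lines that are not syslog at all
    keep the whole text in `message` so nothing is silently dropped."""
    line = line.rstrip("\n")
    out = Decoded(raw=line, message=line)
    body = line
    m = TAG_RE.match(line)
    if m:
        out.tag = m.group("tag")
        body = m.group("rest")
        out.message = body
    s = SYSLOG_RE.match(body)
    if s:
        out.timestamp = s.group("ts")
        out.hostname = s.group("host")
        out.program = s.group("prog")
        out.pid = s.group("pid")
        out.message = s.group("msg")
    return out


def format_alert(d: Decoded, level: int, rule_id: int, description: str,
                 location: str, alert_time: str, alert_host: str = "Ossec1") -> str:
    """Build the syslog-style alert line shown in the thread, prefixing a
    'Tag: ...;' field only when the source line carried a tag."""
    tag_part = f"Tag: {d.tag}; " if d.tag else ""
    return (f"{alert_time} {alert_host} ossec: {tag_part}Alert Level: {level}; "
            f"Rule: {rule_id} - {description}; Location: {location}; {d.raw}")


def alert_json(d: Decoded, level: int, rule_id: int, description: str,
               location: str) -> str:
    """The same alert as a JSON document (the thread mentions JSON as an option)."""
    doc = {"alert_level": level, "rule": rule_id, "description": description,
           "location": location, "decoded": asdict(d)}
    return json.dumps(doc, sort_keys=True)


if __name__ == "__main__":
    # Constructed sample input, built from the thread's own example lines.
    tagged = ("[syslog-1] 2017-03-13T11:20:01.045060+01:00 Otrs2 cron[40779]: "
              "pam_unix(crond:session): session opened for user otrs by (uid=0)")
    d = predecode(tagged)
    print(format_alert(d, 3, 5501, "Login session opened.",
                       "(otrs2) 172.30.124.32->/var/log/messages",
                       "Mar 13 11:20:02"))
    print(alert_json(d, 3, 5501, "Login session opened.",
                     "(otrs2) 172.30.124.32->/var/log/messages"))
```

The tag is stripped before the syslog header is matched, so the existing timestamp/host/program logic is untouched; the fallback for lines that match neither pattern matters because a pre-decoder that throws away what it cannot parse loses exactly the odd lines an analyst most wants to see.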