Hello
I have following configuration in /var/ossec/etc/ossec.conf :
<syslog_output>
  <server>10.10.0.11</server>
</syslog_output>
I also see that /var/ossec/bin/ossec-csyslogd is running and considering UDP
port to syslog server :
# lsof -p 3781 | grep UDP
ossec-csy 3781 ossecm 6u IPv4 145795360
Only alerts are sent to the syslog output, not logs (if you enabled the
logall feature).
/x
On Wed, May 27, 2015 at 11:20 AM, Martynas Buožis m...@nrdcs.lt wrote:
Hello
I have following configuration in /var/ossec/etc/ossec.conf :
<syslog_output>
  <server>10.10.0.11</server>
</syslog_output>
Thanks david.
I'd like to avoid rsyslog and write directly to logstash and especially if
ossec already supports json format.
Unfortunately the alert ossec is sending in json format and the t_source
table including the alert details are very hard to find a proper regex for.
Therefore I asked if
Hi Gil,
When I wrote this patch for OSSEC a long time ago (it was later integrated
into the main branch), my goal was not to create geolocalized alerts.
IMHO, to add this feature, it requires a lot of patching because you need
to define a new keyword to be used in alerts like srcip, user, data,
Dan,
That shouldn't be too hard to do.. I can take a swipe at it if you like.
On Friday, May 22, 2015 at 5:25:28 AM UTC-7, dan (ddpbsd) wrote:
On Wed, May 20, 2015 at 5:36 PM, Brent Morris brent@gmail.com wrote:
So to get IIS to work right, I had to go into IIS Manager,
What language is the source code? C?
If we decide to contribute to the source code, it would be to add new tags:
srccountry, srccity and dstcountry, dstcity.
*srccountry:*
Any country decoded as srccountry.
Use "!" to negate it.
*example: (any country outside the US)*
<srccountry>!US</srccountry>
On 05/27/2015 07:19 AM, Xavier Mertens wrote:
Hi Gil,
When I wrote this patch for OSSEC a long time ago (it was later
integrated into the main branch), my goal was not to create
geolocalized alerts. IMHO, to add this feature, it requires a lot of
patching because you need to define a new
in a filter section do:
grok {
  match => { "message" => "%{SYSLOGBASE} %{DATA:message}" }
}
json {
  source => "message"
}
I'm not saying to go to rsyslog to then go to logstash, I'm saying go to rsyslog
to go to ElasticSearch. There is no requirement to use logstash to get
Hi david,
thanks for your time and patience!
If I just used those filters, I do get _jsonparsefailure.
So I just created different grok filters to match the messy encoded messages,
but what I've seen as well is different
encoding, depending on the ossec agent source (linux versus windows :-)...so
Thanks for the suggestion, in my case I had to use: ISO-8859-1
-Original Message-
From: ossec-list@googlegroups.com [mailto:ossec-list@googlegroups.com] On
behalf of David Lang
Sent: Wednesday, 27 May 2015 19:08
To: ossec-list@googlegroups.com
Subject: Re: AW: AW: [ossec-list]
on the input, force everything to utf8
On Wed, 27 May 2015, T-SOC Operations wrote:
Date: Wed, 27 May 2015 19:02:33 +0200
From: T-SOC Operations t-soc-operati...@tiri.li
Reply-To: ossec-list@googlegroups.com
To: ossec-list@googlegroups.com
Subject: AW: AW: [ossec-list] OSSEC 2.8.1 JSON Format
do yourself a big favor and translate everything to UTF8, using anything else is
going to cause you problems eventually.
David Lang
On Wed, 27 May 2015, T-SOC Operations wrote:
Thanks for the suggestion, in my case I had to use: ISO-8859-1
-Original Message-
From:
On Wed, May 27, 2015 at 12:29 PM, Michael Starks
ossec-l...@michaelstarks.com wrote:
On 05/27/2015 07:19 AM, Xavier Mertens wrote:
Hi Gil,
When I wrote this patch for OSSEC a long time ago (it was later
integrated into the main branch), my goal was not to create
geolocalized alerts. IMHO, to
Nice! I'll test this patch!
/x
On Wed, May 27, 2015 at 6:37 PM, dan (ddp) ddp...@gmail.com wrote:
On Wed, May 27, 2015 at 12:29 PM, Michael Starks
ossec-l...@michaelstarks.com wrote:
On 05/27/2015 07:19 AM, Xavier Mertens wrote:
Hi Gil,
When I wrote this patch for OSSEC a long time ago