I would be dumping all my alerts to a database and then use a tool; I use LogZilla (www.logzilla.pro) for this. I even worked with Clayton to help come up with an OSSEC Module for LogZilla, so the alerts are properly formatted as they go into the database.
cheers Kat

PS - yes, I use LogZilla for about 1500 systems running OSSEC.

On May 3, 3:14 pm, "Walker, Barry" <barry.wal...@lids.com> wrote:
> Here is a quick script to perform the task that you wish to perform. It
> takes all files in a directory and creates a summary and then mails it out.
> I run the script with level 0 so that I get a complete summary.
>
> #!/bin/ksh
> # Summarise one month of OSSEC alerts with ossec-reportd and mail the result.
> clear
> echo "Enter the year (YYYY): "; read year
> echo .
> echo "Enter the month (first 3 characters, i.e., Apr, May, Jun): "; read month
> echo .
> echo "You have selected: $month, $year"
> echo .
> echo "Hit any key to continue "; read ans
> # Bail out instead of running zcat in the wrong directory if the month does not exist.
> cd "/var/ossec/logs/alerts/$year/$month" || exit 1
> # No pager in a non-interactive pipeline; the report is written to stderr, hence 2>&1.
> zcat * | /var/ossec/bin/ossec-reportd -f level 12 2>&1 | mailx -s "Ossec Summary Report Level 0" em...@domain.com
>
> Barry Walker
>
> -----Original Message-----
> From: ossec-list@googlegroups.com [mailto:ossec-list@googlegroups.com] On
> Behalf Of dan (ddp)
> Sent: Tuesday, May 03, 2011 1:41 PM
> To: ossec-list@googlegroups.com
> Subject: Re: [ossec-list] Extracting OSSEC alerts to a file
>
> I haven't tried it to make sure it will work, but try:
> zcat /var/ossec/logs/alerts/whatever_the_files_are |
> /var/ossec/bin/ossec-reportd -f level 12 2>&1 | more
>
> I think you would have to run it once for each level, but give it a shot.
> dan
>
> On Tue, May 3, 2011 at 12:41 PM, <tyler.r...@l-3com.com> wrote:
> > Hello,
> >
> > Does anyone know of a quick way to run through all the OSSEC alert log data,
> > and extract all alerts over level 12 severity rating, dumping them into a
> > file? Thanks!
> >
> > Tyler Ross
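The ossec-reportd pipeline above gives a summary; if what is wanted is the raw alert text of every alert at or above a given level in a file (Tyler's original question), the following is an added example, not code from anyone in the thread. It relies on the alerts.log record layout (blank-line separated records starting with "** Alert" and carrying a "Rule: NNNN (level N) -> '...'" line) and on the /var/ossec/logs/alerts/YYYY/Mon/ directory layout, which are assumptions about a standard install. The sample alerts in sample_alerts are constructed for the demonstration; their rule ids and levels are illustrative, not a claim about the shipped rule set. The filter keeps alerts at level >= MIN_LEVEL, so pass 13 if "over level 12" is meant strictly.

```sh
#!/bin/sh
# Dump every raw OSSEC alert at or above a given level (added example).

# filter_alerts MIN_LEVEL  <alerts-on-stdin>  >filtered-alerts
# awk paragraph mode (RS="") reads one blank-line separated alert per record.
filter_alerts() {
    min_level="${1:?usage: filter_alerts MIN_LEVEL}"
    awk -v min="$min_level" '
        BEGIN { RS = ""; ORS = "\n\n" }
        /^\*\* Alert/ && match($0, /\(level [0-9]+\)/) {
            # RSTART is at "(", "(level " is 7 chars, the closing ")" is the last one
            lvl = substr($0, RSTART + 7, RLENGTH - 8) + 0
            if (lvl >= min) print
        }'
}

# count_alerts: number of alert records on stdin (sanity check on the output file)
count_alerts() {
    grep -c '^\*\* Alert' || true
}

# dump_alerts MIN_LEVEL YEAR MON OUTFILE
# Every alert file for the month, compressed or not (GNU zcat -f passes plain
# files through), filtered into OUTFILE. Path layout is an assumption.
dump_alerts() {
    min_level="$1"; year="$2"; mon="$3"; out="$4"
    dir="/var/ossec/logs/alerts/$year/$mon"
    [ -d "$dir" ] || { echo "no such alert directory: $dir" >&2; return 1; }
    zcat -f "$dir"/* | filter_alerts "$min_level" > "$out"
    echo "$(count_alerts < "$out") alerts at level >= $min_level written to $out" >&2
}

# sample_alerts: constructed alerts.log content (four alerts, levels 5/10/12/15)
# so the filter can be tried offline: sample_alerts | filter_alerts 12
sample_alerts() {
    cat <<'EOF'
** Alert 1304438472.1: - syslog,sshd,authentication_failed,
2011 May 03 12:41:12 webserver->/var/log/auth.log
Rule: 5716 (level 5) -> 'SSHD authentication failed.'
Src IP: 203.0.113.7
User: root
May  3 12:41:11 webserver sshd[2191]: Failed password for root from 203.0.113.7 port 50122 ssh2

** Alert 1304438490.2: - syslog,sshd,authentication_failures,
2011 May 03 12:41:30 webserver->/var/log/auth.log
Rule: 5720 (level 10) -> 'Multiple SSHD authentication failures.'
Src IP: 203.0.113.7
May  3 12:41:29 webserver sshd[2199]: Failed password for root from 203.0.113.7 port 50130 ssh2

** Alert 1304438505.3: mail  - ossec,rootcheck,
2011 May 03 12:41:45 webserver->rootcheck
Rule: 510 (level 12) -> 'Host-based anomaly detection event (rootcheck).'
Process '4711' hidden from /proc. Possible kernel level rootkit.

** Alert 1304438520.4: mail  - syslog,attacks,
2011 May 03 12:42:00 webserver->/var/log/auth.log
Rule: 40111 (level 15) -> 'Multiple authentication failures followed by a success.'
Src IP: 203.0.113.7
May  3 12:41:59 webserver sshd[2203]: Accepted password for root from 203.0.113.7 port 50133 ssh2
EOF
}
```

Usage on a real box is `dump_alerts 12 2011 May /tmp/alerts-ge12.txt`; the same filter_alerts function can be put in front of mailx in Barry's script in place of ossec-reportd when the full alert bodies, not a count summary, are wanted in the mail.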