On Mon, Jun 25, 2012 at 12:14 PM, Sasse, Fred (DNR) <[email protected]> wrote:
> Hello everyone, what is the most popular tool to view the OSSEC logs in a
> browser, if not the WUI?
> What are the best alternatives while the community works on the WUI?
> Thanks !
>

There are some great alternatives out there. Some free, some less free. The
ones I'm listing are good enough that I think wasting resources on the WUI
would be a super silly thing to do.

I like logstash and graylog2. They're great projects, pretty easy to setup,
quick, and easy to learn.

Others like ELSA. There's a small amount of OSSEC related traffic on their
mailing list. I think the project is neat, but haven't tried it.

Splunk is still available, and still a great product. The free version may or
may not fit your needs.

Octopussy is one I keep meaning to try, but haven't gotten around to yet. I
think its use of perl would fit in with my grumpiness.

> -----Original Message-----
> From: [email protected] [mailto:[email protected]] On
> Behalf Of dan (ddp)
> Sent: Monday, June 25, 2012 10:05 AM
> To: [email protected]
> Subject: Re: [ossec-list] Re: Error in message formating on OSSEC Wui
>
> On Mon, Jun 25, 2012 at 10:57 AM, [email protected]
> <[email protected]> wrote:
>> Dan,
>>
>> It provides a service, even if the display was not as effective as it could
>> be. I know my environment well enough to glean the valuable info from WUI.
>> With a cleaner interface, others in my organization will be able to leverage
>> this as well.
>>
>> I understand your feeling that all should help the cause, and agree. This
>> issue was obviously a higher priority for Ryan, and I thank him for working
>> on it.
>>
>
> Yes, I feel that everyone should contribute. But more importantly I feel that
> if your business relies on a piece of software, taking care of that software
> is important. Even if you're not sharing, it's hard to believe that you'd put
> up with a broken tool without devoting a little time to fix it.
>
>> You could do the same.
>>
>
> I could, but I won't. I think the WUI is currently so bad that encouraging
> its use does more harm than good. There are good alternatives for viewing
> logs, why would I thank someone for pushing a bad one?
>
>> Scott Klauminzer
>> Director of Information Technology & Security
>>
>> Sent from my iPad
>>
>> On Jun 25, 2012, at 7:11 AM, "dan (ddp)" <[email protected]> wrote:
>>
>>> On Sun, Jun 24, 2012 at 3:16 PM, [email protected]
>>> <[email protected]> wrote:
>>>> Ryan,
>>>>
>>>> Thank you for taking the time to address this! We rely on WUI, and don't
>>>> want to add DB in order to get a GUI view of the data, so thanks again.
>>>>
>>>
>>> You rely on it, but couldn't be bothered to spend the short amount of
>>> time it would take to fix this issue?
>>>
>>>> Scott Klauminzer
>>>> Director of Information Technology & Security
>>>>
>>>> Sent from my iPad
>>>>
>>>> On Jun 23, 2012, at 7:30 PM, Ryan Schulze <[email protected]> wrote:
>>>>
>>>>> Ok, finished playing around with the code and testing it with my logs and
>>>>> it should now work with OSSEC 2.6 again. If anyone runs into problems
>>>>> with the patch just poke me and I'll see if I can help out.
>>>>>
>>>>> Below are links to a patchfile and a tar.gz with the changed files. The
>>>>> important changes are in lib/os_lib_alerts.php the other files are more
>>>>> or less just cosmetic changes making the alerts a bit easier to read, and
>>>>> previous fixes already posted on this list.
>>>>>
>>>>> http://www.dopefish.de/files/ossec/ossec-wui-0.3_ossec_2.6.patch
>>>>> http://www.dopefish.de/files/ossec/ossec-wui-0.3_ossec_2.6.patch.tgz
>>>>>
>>>>> List of all changes ( http://www.dopefish.de/archives/1154 )
>>>>> - Works with the OSSEC 2.6 alert log file format
>>>>> - Changed Rule ID Link to better work with the new OSSEC
>>>>>   documentation wiki
>>>>> - Added "user" field to alert output
>>>>> - Widened the layout by a few pixels (to 1000px) and changed the
>>>>>   CSS /alert layout to make the individual alerts better readable
>>>>> - Moved some of the hardcoded formatting to CSS
>>>>>
>>>>> Ryan
>>>>>
>>>>>
>>>>> On 6/23/2012 9:56 AM, Mike Disley wrote:
>>>>>> Ryan,
>>>>>> You are awesome. Those of us using this "dead" and "junk" tool will be
>>>>>> most appreciative.
>>>>>>
>>>>>> Cheers,
>>>>>> Mike
>>>>>>
>>>>>> -----Original Message-----
>>>>>> From: [email protected]
>>>>>> [mailto:[email protected]] On Behalf Of Ryan Schulze
>>>>>> Sent: Friday, June 22, 2012 8:01 PM
>>>>>> To: [email protected]
>>>>>> Subject: Re: [ossec-list] Re: Error in message formating on OSSEC
>>>>>> Wui
>>>>>>
>>>>>> On 6/21/2012 2:47 PM, dan (ddp) wrote:
>>>>>>>> I prefer a fix or solution. I'm not a developer and not intended
>>>>>>>> to be...
>>>>>>>>
>>>>>>> Hire someone who knows PHP.
>>>>>>>
>>>>>>> WUI is junk. No one seems to be able to get it working properly.
>>>>>>>
>>>>>> Aww WUI isn't that bad, considering the poor thing has to parse logfiles
>>>>>> I find it does a pretty good job. Since OSSEC supports writing alerts to
>>>>>> a database, recoding WUI to (optionally) use the database backend for
>>>>>> pulling the alert data would be cool (any motivated PHP programmers out
>>>>>> there / on the list willing to do it?).
>>>>>>
>>>>>> As far as I can tell, the main problem with WUI and OSSEC 2.6 seems to
>>>>>> be that in 2.6 the lines "Src IP:" and "User:" are optional in the alert
>>>>>> logs (depending on if they have values or not). Should be easy enough to
>>>>>> fix, and by the end of the weekend I should have enough test data to see
>>>>>> if my little hotfix works or breaks.
>>>>>>
>>>>>> Will keep the thread updated with my progress :-)
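Ryan's diagnosis in the quoted thread (the "Src IP:" and "User:" lines becoming optional in OSSEC 2.6 alert logs) is exactly what a log viewer's parser has to tolerate. The following is an added example in Python, not code from the WUI patch or from the OSSEC project: it parses a constructed alerts.log sample, treating both lines as optional and only looking for them in their fixed slot after the "Rule:" line; the handling of a "(none)" placeholder is an assumption about older OSSEC output, not something the thread states.

```python
import re
# Constructed OSSEC 2.6-style alerts.log sample (hosts, IPs, times are made up):
# alert 1 has both optional lines, alert 2 neither, alert 3 a "(none)" Src IP.
SAMPLE_ALERTS = """\
** Alert 1340630701.12345: - syslog,sshd,authentication_failed,
2012 Jun 25 10:05:01 (agent-01) 10.0.0.7->/var/log/auth.log
Rule: 5716 (level 5) -> 'SSHD authentication failed.'
Src IP: 10.0.0.5
User: root
Jun 25 10:05:00 agent-01 sshd[1234]: Failed password for root from 10.0.0.5 port 2222 ssh2

** Alert 1340630705.12400: mail - ossec,rootcheck,
2012 Jun 25 10:05:05 agent-01->rootcheck
Rule: 510 (level 7) -> 'Host-based anomaly detection event (rootcheck).'
Hidden file found in /tmp/.example

** Alert 1340630710.12450: - pam,syslog,authentication_success,
2012 Jun 25 10:05:10 (agent-02) 10.0.0.8->/var/log/secure
Rule: 5501 (level 3) -> 'Login session opened.'
Src IP: (none)
User: alice
"""

HEADER_RE = re.compile(r"^\*\* Alert (\d+\.\d+): (?:mail )?- (.*)$")
RULE_RE = re.compile(r"^Rule: (\d+) \(level (\d+)\) -> '(.*)'$")
def _optional(lines, i, prefix):
    if i < len(lines) and lines[i].startswith(prefix):
        value = lines[i][len(prefix):].strip()
        return (None if value == "(none)" else value), i + 1
    return None, i

def parse_alerts(text):
    """Split alerts.log text into dicts; Src IP/User lines may be missing."""
    alerts = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = block.splitlines()
        head = HEADER_RE.match(lines[0])
        rule = RULE_RE.match(lines[2]) if len(lines) > 2 else None
        if not (head and rule):
            continue  # malformed block: skip rather than misattribute fields
        alert = {"id": head.group(1), "rule_id": int(rule.group(1)),
                 "level": int(rule.group(2)), "description": rule.group(3),
                 "groups": [g for g in head.group(2).split(",") if g]}
        # Optional lines sit directly after "Rule:" in fixed order, so only that
        # slot is checked; "(none)" (assumed pre-2.6 placeholder) means absent.
        alert["src_ip"], i = _optional(lines, 3, "Src IP:")
        alert["user"], i = _optional(lines, i, "User:")
        alert["log"] = lines[i:]
        alerts.append(alert)
    return alerts
```

Because the optional fields are only read from their expected position, a raw log line that happens to begin with "User:" stays in the log payload instead of being mistaken for a field.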
