On Thu, Nov 6, 2014 at 3:12 PM, Mario d'Aniello <diablo85...@gmail.com> wrote:
> It's surely a reference to ZeroMQ, while syslog has another type of format.
> But that was confusing me :)
>
> Thx for the answer as always.
>

I created an issue on GitHub to see about unifying these outputs. Seems odd to me that they are not.

> 2014-11-06 17:48 GMT+01:00 dan (ddp) <ddp...@gmail.com>:
>
>> On Thu, Nov 6, 2014 at 11:36 AM, Mario d'Aniello <diablo85...@gmail.com> wrote:
>> > I've read here (http://ossec-docs.readthedocs.org/en/latest/formats/json.html)
>> > in the documentation that we have a JSON format for alerts.
>> > But what does it refer to?
>> >
>> > We can have standard alerts (in /var/ossec/logs/alert/alert.log) in JSON
>> > format, or does it refer to the system via syslog?
>> >
>>
>> I'm not sure really. You cannot configure OSSEC to log in json format
>> to alerts.log.
>> It is probably a reference to the zeromq output
>> (http://ossec-docs.readthedocs.org/en/latest/syntax/head_ossec_config.global.html#element-zeromq_output)
>> which definitely uses json, and the csyslogd
>> (http://ossec-docs.readthedocs.org/en/latest/syntax/head_ossec_config.syslog_output.html#element-format)
>> which can use json.
>>
>> > I have this doubt because when I match the JSON format in the documentation
>> > against the one in my syslog system output, they differ.
>> > Indeed I have this kind of format (grabbed from a UDP socket):
>> >
>> > 192.168.150.3:39957 - <132>Nov 6 17:11:11 linux-ji1g ossec: {"crit":3,"id":5501,"component":"linux-ji1g->/var/log/messages","classification":"pam,syslog,authentication_success,","description":"Login session opened.","message":"2014-11-06T17:11:10.674152+01:00 linux-ji1g su: pam_unix(su:session): session opened for user root by suseserver(uid=0)"}
>> >
>> > And the fields are different from what the documentation says.
>> >
>>
>> I don't have any clues on this, probably outdated documentation.
>>
>> > Thx for any clarification.
>> >
>> > --
>> > ---
>> > You received this message because you are subscribed to the Google Groups "ossec-list" group.
>> > To unsubscribe from this group and stop receiving emails from it, send an email to ossec-list+unsubscr...@googlegroups.com.
>> > For more options, visit https://groups.google.com/d/optout.
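For anyone ingesting these csyslogd JSON alerts into a collector, the following is an added parser written for this thread (not OSSEC project code): it splits the RFC 3164 style syslog header off the datagram, decodes the JSON body, and maps the fields seen above (crit, id, component, classification, description, message) to normalised names. The sample datagram is constructed from the one Mario quoted, minus the "192.168.150.3:39957 - " prefix, which comes from the capture tool rather than from OSSEC.

```python
import json
import re
from typing import Optional

# Syslog datagram as emitted by OSSEC csyslogd with format "json":
#   <PRI>Mmm dd hh:mm:ss host ossec: {json}
# The day may be space-padded ("Nov  6") or not, so allow one or two spaces.
SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<tag>[^:\s]+): (?P<body>.*)$",
    re.DOTALL,
)

# Constructed sample datagram, modelled on the one quoted in the thread.
SAMPLE = (
    '<132>Nov 6 17:11:11 linux-ji1g ossec: '
    '{"crit":3,"id":5501,"component":"linux-ji1g->/var/log/messages",'
    '"classification":"pam,syslog,authentication_success,",'
    '"description":"Login session opened.",'
    '"message":"2014-11-06T17:11:10.674152+01:00 linux-ji1g su: '
    'pam_unix(su:session): session opened for user root by suseserver(uid=0)"}'
)


def parse_ossec_syslog(datagram: str) -> Optional[dict]:
    """Normalise one csyslogd JSON alert; return None for anything else."""
    m = SYSLOG_RE.match(datagram)
    if not m or m.group("tag") != "ossec":
        return None
    try:
        payload = json.loads(m.group("body"))
    except json.JSONDecodeError:
        return None  # plain-text csyslogd output or a truncated datagram
    pri = int(m.group("pri"))
    # "classification" is the rule group list, comma separated with a trailing comma
    groups = [g.strip() for g in payload.get("classification", "").split(",") if g.strip()]
    # "component" is "<agent>-><log location>"
    agent, _, location = payload.get("component", "").partition("->")
    return {
        "facility": pri >> 3,          # 132 -> 16 (local0)
        "severity": pri & 7,           # 132 -> 4 (warning)
        "host": m.group("host"),
        "rule_id": int(payload["id"]),
        "level": int(payload["crit"]),
        "agent": agent,
        "location": location,
        "groups": groups,
        "description": payload.get("description", ""),
        "raw_log": payload.get("message", ""),
    }
```

Feed it each UDP datagram as received; a None result means the line was not a JSON alert from csyslogd and should be routed to a plain-text parser instead.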