On Wed, Jan 7, 2015 at 8:18 AM,  <gr...@castraconsulting.com> wrote:
> I can confirm this to be true. We did extensive testing running a stock
> 2.7 and 2.8.1 OSSEC install feeding an AlienVault platform and syslog; when
> custom alert is configured, it did not work.
>

Does the alerts.log file contain alerts in the custom format? If so,
GetAlertData() probably doesn't know how to read it.
Instead of messing with that nonsense, I think it'd be better in the
long run for someone to modify csyslogd to read from the zeromq pubsub
and send the syslog alerts based on that information. It should be
simpler than teaching it how to read the alerts.log better.

> On Wednesday, January 7, 2015 8:04:25 AM UTC-5, dan (ddpbsd) wrote:
>>
>> On Tue, Jan 6, 2015 at 10:12 AM, Chris H <chris....@gmail.com> wrote:
>> > It's the default OSSEC install in OSSIM, rather than one I installed
>> > myself.
>> > It's 2.8 though.
>> >
>>
>> Does it work with a standard 2.8.1 installation?
>>
>> > Thanks
>> >
>> > On Monday, January 5, 2015 3:17:09 PM UTC, dan (ddpbsd) wrote:
>> >>
>> >> On Mon, Jan 5, 2015 at 10:14 AM, Chris H <chris....@gmail.com> wrote:
>> >> > Hi.
>> >> >
>> >> > The OSSEC deployment within OSSIM uses custom_alert_output, rather than
>> >> > the default log format.  I was trying to get these alerts sent to
>> >> > another server, and enabled syslog_output, as I have done on other OSSEC
>> >> > deployments.  On the OSSIM deployment, the logs do not get forwarded.  I
>> >> > removed the custom_alert_output setting in ossec.conf and the logs get
>> >> > forwarded as expected.
>> >> >
>> >> > Is this a known issue?  If not, I can raise a bug on github.
>> >> >
>> >>
>> >> Which version of OSSEC did you install?
>> >>
>> >> > Thanks
>> >> >
>> >> > --
>> >> >
>> >> > ---
>> >> > You received this message because you are subscribed to the Google
>> >> > Groups
>> >> > "ossec-list" group.
>> >> > To unsubscribe from this group and stop receiving emails from it,
>> >> > send
>> >> > an
>> >> > email to ossec-list+...@googlegroups.com.
>> >> > For more options, visit https://groups.google.com/d/optout.
>> >
>
