Great point. We do see the custom alert in alerts.log
Should we put in a request or just modify csyslogd ourselves? Grant Leonard Castra Consulting, LLC <http://castraconsulting.com/#/> 919-949-4002 On Wed, Jan 7, 2015 at 8:58 AM, dan (ddp) <ddp...@gmail.com> wrote: > On Wed, Jan 7, 2015 at 8:18 AM, <gr...@castraconsulting.com> wrote: > > I can confirm this to be true, we did an extensive testing running a > stock > > 2.7 and 2.8.1 OSSEC install feeding an Alienvault platform and syslog, > when > > custom alert is configured, did not work. > > > > Does the alerts.log file contain alerts in the custom format? If so, > GetAlertData() probably doesn't know how to read it. > Instead of messing with that nonsense, I think it'd be better in the > long run for someone to modify csyslogd to read from the zeromq pubsub > and send the syslog alerts based on that information. It should be > simpler than teaching it how to read the alerts.log better. > > > On Wednesday, January 7, 2015 8:04:25 AM UTC-5, dan (ddpbsd) wrote: > >> > >> On Tue, Jan 6, 2015 at 10:12 AM, Chris H <chris....@gmail.com> wrote: > >> > It's the default OSSEC install in OSSIM, rather than one I installed > >> > myself. > >> > It's 2.8 though. > >> > > >> > >> Does it work with a standard 2.8.1 installation? > >> > >> > Thanks > >> > > >> > On Monday, January 5, 2015 3:17:09 PM UTC, dan (ddpbsd) wrote: > >> >> > >> >> On Mon, Jan 5, 2015 at 10:14 AM, Chris H <chris....@gmail.com> > wrote: > >> >> > Hi. > >> >> > > >> >> > The OSSEC deployment within OSSIM uses custom_alert_output, rather > >> >> > than > >> >> > the > >> >> > default log format. I'm was trying to get these alerts sent to > >> >> > another > >> >> > server, and enabled syslog_output, as I have done on other OSSEC > >> >> > deployments. On the OSSIM deployment, the logs do not get > forwarded. > >> >> > I > >> >> > removed the custom_alert_output setting in ossec.conf and the logs > >> >> > get > >> >> > forwarded as expected. > >> >> > > >> >> > Is this a known issue? If not, I can raise a bug on github. > >> >> > > >> >> > >> >> Which version of OSSEC did you install? > >> >> > >> >> > Thanks > >> >> > > >> >> > -- > >> >> > > >> >> > --- > >> >> > You received this message because you are subscribed to the Google > >> >> > Groups > >> >> > "ossec-list" group. > >> >> > To unsubscribe from this group and stop receiving emails from it, > >> >> > send > >> >> > an > >> >> > email to ossec-list+...@googlegroups.com. > >> >> > For more options, visit https://groups.google.com/d/optout. > >> > > >> > -- > >> > > >> > --- > >> > You received this message because you are subscribed to the Google > >> > Groups > >> > "ossec-list" group. > >> > To unsubscribe from this group and stop receiving emails from it, send > >> > an > >> > email to ossec-list+...@googlegroups.com. > >> > For more options, visit https://groups.google.com/d/optout. > > > > -- > > > > --- > > You received this message because you are subscribed to the Google Groups > > "ossec-list" group. > > To unsubscribe from this group and stop receiving emails from it, send an > > email to ossec-list+unsubscr...@googlegroups.com. > > For more options, visit https://groups.google.com/d/optout. > > -- > > --- > You received this message because you are subscribed to a topic in the > Google Groups "ossec-list" group. > To unsubscribe from this topic, visit > https://groups.google.com/d/topic/ossec-list/cJsJemPdqhs/unsubscribe. > To unsubscribe from this group and all its topics, send an email to > ossec-list+unsubscr...@googlegroups.com. > For more options, visit https://groups.google.com/d/optout. > -- --- You received this message because you are subscribed to the Google Groups "ossec-list" group. To unsubscribe from this group and stop receiving emails from it, send an email to ossec-list+unsubscr...@googlegroups.com. For more options, visit https://groups.google.com/d/optout.
