Hi Daniel,

I haven't tested it, but maybe you can set USER_INSTALL_TYPE to "hybrid" in the preloaded-vars.conf file. Find it here:
https://github.com/ossec/ossec-hids/blob/master/etc/preloaded-vars.conf.example

What OSSEC version are you trying to build?

Also remember that the OSSIM plugin needs to read a custom output, which is included in the ossec.conf configuration this way:

  <custom_alert_output>AV - Alert - "$TIMESTAMP" --> RID: "$RULEID"; RL: "$RULELEVEL"; RG: "$RULEGROUP"; RC: "$RULECOMMENT"; USER: "$DSTUSER"; SRCIP: "$SRCIP"; HOSTNAME: "$HOSTNAME"; LOCATION: "$LOCATION"; EVENT: "[INIT]$FULLLOG[END]"; </custom_alert_output>

If you don't use this output, the regular expressions the plugin uses won't be able to parse ossec alerts. Not sure how this would work with syslog (I would say that it probably modifies the output). My advice would be to use an alternative way to read this data. Maybe mounting a small NFS partition on your OSSIM box, so the plugin can read the ossec alerts file directly.

Best,
Santiago

On Tue, Oct 27, 2015 at 9:15 AM, Daniel Townend <[email protected]> wrote:
> We are wanting to deploy ossec with active response but also to send logs
> to OSSIM. I can't see an option for hybrid mode on the automated install
> config file, is there any way to automate this installation?
>
> --
>
> ---
> You received this message because you are subscribed to the Google Groups
> "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to [email protected].
> For more options, visit https://groups.google.com/d/optout.
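Santiago's point is that a downstream consumer such as the OSSIM plugin is only a regular expression keyed to the exact <custom_alert_output> template: anything written in OSSEC's default multi-line alert format falls straight through. The example below is added here to make that concrete; it is not code from this thread, from OSSEC or from the OSSIM plugin. It renders the template the way OSSEC would for one alert, parses an alerts.log-style buffer back into fields with a regex built from the same template, and reports whatever did not match. The regex, field names and the sample alerts (including the default-format record in the middle) are constructed for illustration; the real plugin's expression may differ in detail.

```python
import re
from string import Template

# The template from the ossec.conf snippet above, verbatim.
TEMPLATE = (
    'AV - Alert - "$TIMESTAMP" --> RID: "$RULEID"; RL: "$RULELEVEL"; '
    'RG: "$RULEGROUP"; RC: "$RULECOMMENT"; USER: "$DSTUSER"; SRCIP: "$SRCIP"; '
    'HOSTNAME: "$HOSTNAME"; LOCATION: "$LOCATION"; EVENT: "[INIT]$FULLLOG[END]"; '
)

# Regex mirroring the template field by field (my construction, not OSSIM's own).
# Scalar fields are taken up to the next quote; the raw log is bracketed by
# [INIT]...[END] so it may itself contain quotes, semicolons or newlines.
ALERT_RE = re.compile(
    r'AV - Alert - "(?P<TIMESTAMP>[^"]*)" --> '
    r'RID: "(?P<RULEID>[^"]*)"; '
    r'RL: "(?P<RULELEVEL>[^"]*)"; '
    r'RG: "(?P<RULEGROUP>[^"]*)"; '
    r'RC: "(?P<RULECOMMENT>[^"]*)"; '
    r'USER: "(?P<DSTUSER>[^"]*)"; '
    r'SRCIP: "(?P<SRCIP>[^"]*)"; '
    r'HOSTNAME: "(?P<HOSTNAME>[^"]*)"; '
    r'LOCATION: "(?P<LOCATION>[^"]*)"; '
    r'EVENT: "\[INIT\](?P<FULLLOG>.*?)\[END\]";[ \t]*',
    re.DOTALL,
)


def render_alert(fields: dict[str, str]) -> str:
    """Substitute one alert into the template, as OSSEC does for each alert it writes."""
    return Template(TEMPLATE).substitute(fields) + "\n"


def parse_alerts(text: str) -> tuple[list[dict[str, str]], list[str]]:
    """Split an alerts.log-style buffer into template records.

    Returns (records, unparsed): `records` holds one dict per well-formed
    template record; `unparsed` holds every non-blank stretch of text the
    regex could not consume, e.g. alerts written in OSSEC's default format.
    """
    records: list[dict[str, str]] = []
    unparsed: list[str] = []
    pos = 0
    for m in ALERT_RE.finditer(text):
        gap = text[pos:m.start()].strip()
        if gap:
            unparsed.append(gap)
        records.append(m.groupdict())
        pos = m.end()
    tail = text[pos:].strip()
    if tail:
        unparsed.append(tail)
    return records, unparsed


# Constructed sample: two template records around one default-format alert.
# The second record's raw log contains quotes, a semicolon and a newline.
SAMPLE_ALERTS = (
    'AV - Alert - "1445934900" --> RID: "5712"; RL: "10"; '
    'RG: "syslog,sshd,authentication_failures,"; '
    'RC: "SSHD brute force trying to get access to the system."; '
    'USER: "(none)"; SRCIP: "203.0.113.45"; HOSTNAME: "web01"; '
    'LOCATION: "(web01) 192.0.2.10->/var/log/auth.log"; '
    'EVENT: "[INIT]Oct 27 09:15:01 web01 sshd[2231]: Failed password for '
    'invalid user admin from 203.0.113.45 port 51122 ssh2[END]"; \n'
    '** Alert 1445934901.1234: - syslog,sshd,\n'
    '2015 Oct 27 09:15:02 (web01) 192.0.2.10->/var/log/auth.log\n'
    "Rule: 5710 (level 5) -> 'Attempt to login using a non-existent user'\n"
    'Oct 27 09:15:02 web01 sshd[2235]: Invalid user admin from 203.0.113.45\n'
    '\n'
    'AV - Alert - "1445934902" --> RID: "1002"; RL: "2"; RG: "syslog,errors,"; '
    'RC: "Unknown problem somewhere in the system."; USER: "(none)"; '
    'SRCIP: "(none)"; HOSTNAME: "web01"; '
    'LOCATION: "(web01) 192.0.2.10->/var/log/messages"; '
    'EVENT: "[INIT]Oct 27 09:15:03 web01 app[99]: error: config value "mode"; '
    'retrying\nsecond line of the same event[END]"; \n'
)


if __name__ == "__main__":
    records, unparsed = parse_alerts(SAMPLE_ALERTS)
    for r in records:
        print(f"rule {r['RULEID']} level {r['RULELEVEL']} from {r['SRCIP']}")
    for chunk in unparsed:
        print("NOT PARSED:", chunk.splitlines()[0])
    # Round trip: rendering a parsed record and parsing it again gives the same fields.
    assert parse_alerts(render_alert(records[0]))[0] == [records[0]]
```

Running it prints the two template records and flags the default-format alert as NOT PARSED, which is exactly what the plugin would silently drop. The [INIT]/[END] delimiters are what let the parser recover the second record's raw log despite the embedded quotes and newline; a template without them would need an unambiguous terminator of its own.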
