Hello, I have this problem, you could say. I need Ossec to crunch modified logs (syslogs). Our syslog message is as follows.

*Example message:* [syslog-1] Mar 13 06:25:16 my-server-1 syslog-ng[1012]: EOF on control channel, closing connection

*Format:* [TAG] syslog_timestamp syslog_host syslog_program syslog_message

*I need 2 things:*

1. Ossec to parse this modified syslog format. How can it be done? By modifying the pre-decoder / decoder, or something else?
2. Modify the Ossec output alert/syslog message to include the field TAG.

*Current Ossec message:* Mar 13 11:20:02 Ossec1 ossec: Alert Level: 3; Rule: 5501 - Login session opened.; Location: (otrs2) 172.30.124.32->/var/log/messages; 2017-03-13T11:20:01.045060+01:00 Otrs2 cron[40779]: pam_unix(crond:session): session opened for user otrs by (uid=0)

*Modified Ossec message (for TAG-ed syslog message):* Mar 13 11:20:02 Ossec1 ossec: Tag: syslog-1; Alert Level: 3; Rule: 5501 - Login session opened.; Location: (otrs2) 172.30.124.32->/var/log/messages; [syslog-1] 2017-03-13T11:20:01.045060+01:00 Otrs2 cron[40779]: pam_unix(crond:session): session opened for user otrs by (uid=0)

It also can be a JSON message. What should I do to make this happen? Thanks in advance.
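As an added example (not from the post and not OSSEC configuration), this parser splits the `[TAG] timestamp host program[pid]: message` format described above into fields, rebuilds the plain syslog line that a stock syslog pre-decoder already understands, and emits the JSON form the post mentions as an alternative. The field names and both sample lines are constructed for the example; it accepts both the BSD timestamp of the first sample and the ISO timestamp of the second.

```python
import json
import re
from typing import Optional

# Constructed sample lines in the tagged format from the post:
# [TAG] syslog_timestamp syslog_host syslog_program syslog_message
SAMPLE_BSD = ("[syslog-1] Mar 13 06:25:16 my-server-1 syslog-ng[1012]: "
              "EOF on control channel, closing connection")
SAMPLE_ISO = ("[syslog-1] 2017-03-13T11:20:01.045060+01:00 Otrs2 cron[40779]: "
              "pam_unix(crond:session): session opened for user otrs by (uid=0)")

# Tag in square brackets, then a BSD ("Mar 13 06:25:16") or ISO 8601 timestamp,
# host, program with optional [pid], and the free-text message.
# Group names are hypothetical, chosen for this example.
TAGGED_SYSLOG = re.compile(
    r"^\[(?P<tag>[^\]\s]+)\]\s+"
    r"(?P<timestamp>\d{4}-\d{2}-\d{2}T\S+|[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2})\s+"
    r"(?P<host>\S+)\s+"
    r"(?P<program>[^\[:\s]+)(?:\[(?P<pid>\d+)\])?:\s*"
    r"(?P<message>.*)$"
)


def parse_tagged_syslog(line: str) -> Optional[dict]:
    """Split a [TAG]-prefixed syslog line into fields; None if it does not match."""
    m = TAGGED_SYSLOG.match(line)
    if not m:
        return None
    fields = m.groupdict()
    # Rebuild the line without the tag. This is the plain syslog form that
    # standard syslog parsers understand, with the tag carried as its own field.
    pid = f"[{fields['pid']}]" if fields["pid"] else ""
    fields["untagged"] = (f"{fields['timestamp']} {fields['host']} "
                          f"{fields['program']}{pid}: {fields['message']}")
    return fields


def to_json(line: str) -> Optional[str]:
    """Same event as a JSON object, the alternative form the post mentions."""
    fields = parse_tagged_syslog(line)
    return json.dumps(fields, sort_keys=True) if fields else None


if __name__ == "__main__":
    for sample in (SAMPLE_BSD, SAMPLE_ISO):
        print(to_json(sample))
```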