Re: [ossec-list] Sending Windows Event Logs with nxlog
Yes, I think it's possible. But you need to have this information parsed from the logs.

Mon, 27 Apr 2015 at 12:01, zen.x...@gmail.com:
> OK, but is it possible to do that without the sum, just display?
>
>   AccountName  Printed pages  Printer
>   user1        1              HP
>   user1        4              HP
>   user2        1              Canon
>   user2        1              HP
>
> On Sunday, April 26, 2015 at 7:46:21 PM UTC+2, Daniil Svetlov wrote:
> > Hi, zen.xen!
> >
> > I'm not sure that it is possible with Kibana only. You can write a script which will make a query to ES and then insert the sum of some fields back.
> >
> > Thu, 23 Apr 2015 at 11:23, zen@gmail.com:
> > > Hi Daniil,
> > >
> > > I would like to add some diagram to my OSSEC interface but I don't know how. Among the events there are *Microsoft-Windows-PrintSpooler[0]*; in the field *Details* there are, among other things: AccountName, Message, param3, param4. There are many others, but I don't need them. For example:
> > >
> > >   AccountName:user1, Message:Document1 printed on HP, printed pages: 1, param3:user1, param4:HP
> > >   AccountName:user1, Message:Document5 printed on HP, printed pages: 4, param3:user1, param4:HP
> > >   AccountName:user2, Message:Document2 printed on Canon, printed pages: 1, param3:user2, param4:Canon
> > >   AccountName:user2, Message:Document3 printed on HP, printed pages: 1, param3:user2, param4:HP
> > >
> > > I would like to create such a diagram:
> > >
> > >   AccountName  Printed pages  Printer
> > >   user1        5              HP
> > >   user2        1              Canon
> > >   user2        1              HP
> > >
> > > 5 is the sum of both printouts. Is something like this possible to do?

--
---
You received this message because you are subscribed to the Google Groups ossec-list group.
To unsubscribe from this group and stop receiving emails from it, send an email to ossec-list+...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
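The thread stops at "write a script that queries ES and inserts the sums back". The example below is an editor's addition, not code from the list or from the OSSEC project: it shows the parsing step Daniil refers to, taking the PrintSpooler *Details* text exactly as zen posted it and producing both views asked for (one row per print job, and pages summed per AccountName and printer). The sample event lines are constructed to match the post; in practice they would come from the Elasticsearch query mentioned above, which this example does not perform. Events without a parsable page count contribute 0 rather than aborting the report.

```python
from collections import defaultdict

# Constructed sample of the PrintSpooler "Details" field, in the shape the
# post describes (AccountName, Message, printed pages, param3, param4).
SAMPLE_DETAILS = [
    "AccountName:user1, Message:Document1 printed on HP, printed pages: 1, param3:user1, param4:HP",
    "AccountName:user1, Message:Document5 printed on HP, printed pages: 4, param3:user1, param4:HP",
    "AccountName:user2, Message:Document2 printed on Canon, printed pages: 1, param3:user2, param4:Canon",
    "AccountName:user2, Message:Document3 printed on HP, printed pages: 1, param3:user2, param4:HP",
]


def parse_details(details: str) -> dict:
    """Split one Details string into a key -> value dict.

    Fields are separated by ', ' and each field is 'key:value'. Splitting on
    the separator first (rather than on every ':') keeps the Message text
    intact even though it contains spaces.
    """
    fields = {}
    for part in details.split(", "):
        key, sep, value = part.partition(":")
        if sep:  # parts with no ':' are not key/value pairs; ignore them
            fields[key.strip()] = value.strip()
    return fields


def pages_printed(fields: dict) -> int:
    """Page count as an int; a missing or non-numeric count contributes 0."""
    try:
        return int(fields.get("printed pages", "0"))
    except ValueError:
        return 0


def per_job_table(details_lines):
    """'Just display' view: one (AccountName, pages, Printer) row per print job."""
    rows = []
    for line in details_lines:
        f = parse_details(line)
        if "AccountName" not in f:
            continue  # not a PrintSpooler job event in the expected shape
        # param4 carries the printer name in the posted events (assumption).
        rows.append((f["AccountName"], pages_printed(f), f.get("param4", "")))
    return rows


def pages_by_user_and_printer(details_lines):
    """Summed view: total pages per (AccountName, Printer), sorted for display."""
    totals = defaultdict(int)
    for account, pages, printer in per_job_table(details_lines):
        totals[(account, printer)] += pages
    return sorted(totals.items())


def render_summary(details_lines) -> str:
    """Text version of the diagram from the post: header plus one summed row per pair."""
    lines = ["AccountName  Printed pages  Printer"]
    for (account, printer), pages in pages_by_user_and_printer(details_lines):
        lines.append(f"{account:<12} {pages:<14} {printer}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_summary(SAMPLE_DETAILS))
```

Once the per-pair totals exist as plain (account, printer, pages) documents, they can be written back to an index of their own, which is the "insert the sum back" step Daniil describes; Kibana then charts that index directly.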
Re: [ossec-list] send Oracle logs to OSSEC
Hi, Zen!

Can you explain your goals and what you are trying to do? All you need is to send logs to OSSEC via syslog. You can find a very detailed manual on how to enable syslog input in OSSEC here:
http://ossec-docs.readthedocs.org/en/latest/syntax/head_ossec_config.remote.html

After editing ossec.conf you need to issue the command

  /var/ossec/bin/ossec-control enable client-syslog

and then restart the OSSEC daemon.

Tue, 28 Apr 2015 at 19:52, zen.x...@gmail.com:
> Hello,
>
> I was looking for some examples of how to send logs from Oracle to OSSEC with nxlog, but it wasn't successful, so my question is: is it possible or not? If it is possible, how do I do this? Could you help me?
Re: [ossec-list] Problem with snort
How is snort logging configured? Full or fast mode?

On 3.5.2015 2.51 AM, AMINE.E amine.eloui...@um5s.net.ma wrote:
> Hi,
>
> I have noticed something with the snort-full log format: it is not logging the *full_log* into /var/ossec/logs/alerts/alert.log. It just takes the *first* line and logs it. And when I ran ossec-logcollector in debug mode I can see this:
>
>   2015/05/03 00:22:13 ossec-logcollector: DEBUG: Reading *syslog* message:
>
> syslog? It is not what I have configured OSSEC to. Because:
>
>   <localfile>
>     <log_format>snort-full</log_format>
>     <location>/var/log/snort/alert</location>
>   </localfile>
>
> Where might the problem be?
Re: [ossec-list] Problem with snort
On May 2, 2015 7:51 PM, AMINE.E amine.eloui...@um5s.net.ma wrote:
> Hi,
>
> I have noticed something with the snort-full log format: it is not logging the full_log into /var/ossec/logs/alerts/alert.log. It just takes the first line and logs it. And when I ran ossec-logcollector in debug mode I can see this:

It's been a while, but aren't snort full logs multiple lines? Including a multi-line log inside a multi-line log might be a bit cumbersome.

>   2015/05/03 00:22:13 ossec-logcollector: DEBUG: Reading syslog message:
>
> syslog? It is not what I have configured OSSEC to. Because:
>
>   <localfile>
>     <log_format>snort-full</log_format>
>     <location>/var/log/snort/alert</location>
>   </localfile>

I don't think ossec-logtest pays attention to that configuration.

> Where might the problem be?

I don't think there is one.
[ossec-list] Problem with snort
Hi,

I have noticed something with the snort-full log format: it is not logging the *full_log* into /var/ossec/logs/alerts/alert.log. It just takes the *first* line and logs it. And when I ran ossec-logcollector in debug mode I can see this:

  2015/05/03 00:22:13 ossec-logcollector: DEBUG: Reading *syslog* message:

syslog? It is not what I have configured OSSEC to. Because:

  <localfile>
    <log_format>snort-full</log_format>
    <location>/var/log/snort/alert</location>
  </localfile>

Where might the problem be?