
List:       ossec-dev
Subject:    Re: [ossec-dev] Fluentd and OSSEC
From:       Phil Daws <uxbod () splatnix ! net>
Date:       2014-05-20 16:16:09
Message-ID: 881681689.1307764.1400602569263.JavaMail.zimbra () innovot ! com

Dan, thanks for that info, will take a look this evening.

----- Original Message -----
From: "dan (ddp)" <ddpbsd@gmail.com>
To: "ossec-dev" <ossec-dev@googlegroups.com>
Sent: Tuesday, 20 May, 2014 5:06:07 PM
Subject: Re: [ossec-dev] Fluentd and OSSEC

On Tue, May 20, 2014 at 11:56 AM, dan (ddp) <ddpbsd@gmail.com> wrote:
> On Tue, May 20, 2014 at 11:53 AM, Phil Daws <uxbod@splatnix.net> wrote:
> > Hi Jeremy,
> > 
> > thank you for the links. What I would like is that the quotes in the syslog JSON
> > output are not escaped. Do they need to be? If I massage the alert I showed, I
> > would have expected it to look like:
> > 20140513T011505+0100 ips.ossec.reformed {"host":"tstsrv1",
> > ident":"ossec","message":"{ "crit": 7, "id": 510, "description": "Host-based
> > anomaly detection event (rootcheck).", "component": "(vsp1.testdomain1.local)
> > 192.168.8.3->rootcheck", "classification": " ossec,rootcheck,", "message":
> > "Process '748' hidden from kill (0) or getsid (1). Possible kernel-level
> > rootkit." }"}
> > Hope that makes sense?
> > 
> 
> Try removing the slashes, see what happens. It seems odd to me that
> this isn't being reported by anyone else.
> 

I just fired up ossec-csyslogd (2.8ish), and fed it into nc. I am not
seeing this problem. Perhaps fluentd is adding the backslashes?


> > Thanks, Phil
> > 
> > ----- Original Message -----
> > From: "Jeremy Rossi" <jeremy@jeremyrossi.com>
> > To: ossec-dev@googlegroups.com
> > Sent: Tuesday, 20 May, 2014 1:35:21 PM
> > Subject: Re: [ossec-dev] Fluentd and OSSEC
> > 
> > Could try zeromq output as it outputs non-escaped JSON:
> > http://ossec-docs.readthedocs.org/en/latest/syntax/head_ossec_config.global.html?highlight=zeromq#element-zeromq_output
> >  
> > Looks like there are fluentd zeromq bridges already written:
> > https://github.com/oza/fluent-plugin-zmq/blob/master/README.md
> > If you were to dive into the code, please let us know some more details of what
> > you need so we can direct you to the correct areas of the code base.
> > On May 20, 2014, at 5:44 AM, "Phil Daws" <uxbod@splatnix.net> wrote:
> > 
> > Hello,
> > 
> > am trying to integrate Fluentd (td-agent) with OSSEC's JSON syslog output but am
> > having issues with how the message is emitted. When it arrives in td-agent it
> > looks like:
> > 20140513T011505+0100 ips.ossec.reformed {"host":"tstsrv1",
> > ident":"ossec","message":"{ \"crit\": 7, \"id\": 510, \"description\":
> > \"Host-based anomaly detection event (rootcheck).\", \"component\":
> > \"(vsp1.testdomain1.local) 192.168.8.3->rootcheck\", \"classification\": \"
> > ossec,rootcheck,\", \"message\": \"Process '748' hidden from kill (0) or getsid
> > (1). Possible kernel-level rootkit.\" }"}
> > and the problem comes when trying to use the parser plugin to do something like:
> > 
> > ossec_id ${id}
> > 
> > as what ends up in ${ossec_id} is ":", so the "\" is being included as a JSON
> > field. I have looked at the os_csyslogd.c code and this is the part of the block
> > causing the issue:
> > 
> > snprintf(syslog_msg, OS_SIZE_2048 - padding,
> >          "<%d>%s %s ossec: { \"crit\": %d, \"id\": %d, \"description\": \"%s\", \"component\": \"%s\",",
> >          /* syslog header */
> >          syslog_config->priority, tstamp, __shost,
> >          /* OSSEC metadata */
> >          al_data->level, al_data->rule, json_safe_comment,
> >          al_data->location
> >         );
> > 
> > How can the code be changed so that it does not emit the 'escaping' characters?
> > 
> > Thanks, Phil
> > 
> > 
> > --
> > 
> > ---
> > You received this message because you are subscribed to the Google Groups
> > "ossec-dev" group. To unsubscribe from this group and stop receiving emails from
> > it, send an email to ossec-dev+unsubscribe@googlegroups.com. For more options,
> > visit https://groups.google.com/d/optout.
> > 
> > 

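An added illustration of where the backslashes in the thread come from and how to get at the OSSEC fields anyway. This is example code written for this page, not code from the thread, from OSSEC or from Fluentd. The syslog line (its priority, timestamp and host) is constructed, the `{"host","ident","message"}` record layout is assumed from the td-agent output quoted above, and the regular expression is a simplified stand-in for a syslog input parser.

```python
import json
import re

# Constructed sample of the line ossec-csyslogd puts on the wire. The \" in the C
# format string becomes a plain " here; nothing is escaped at this stage.
# (Priority, timestamp and host are made up; the alert fields mirror the thread.)
OSSEC_SYSLOG_LINE = (
    '<132>May 13 01:15:05 tstsrv1 ossec: { "crit": 7, "id": 510, '
    '"description": "Host-based anomaly detection event (rootcheck).", '
    '"component": "(vsp1.testdomain1.local) 192.168.8.3->rootcheck", '
    '"classification": " ossec,rootcheck,", '
    '"message": "Process \'748\' hidden from kill (0) or getsid (1). '
    'Possible kernel-level rootkit." }'
)

# Minimal BSD-syslog envelope: <pri>timestamp host ident: message
# (assumed, simplified stand-in for a real syslog input parser)
SYSLOG_RE = re.compile(
    r'^<(?P<pri>\d{1,3})>(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d\d:\d\d:\d\d) '
    r'(?P<host>\S+) (?P<ident>[^:\s]+): (?P<msg>.*)$'
)


def syslog_to_record(line):
    """Split the syslog envelope into a record shaped like the one td-agent
    showed: host, ident and the rest of the line as one opaque 'message' string."""
    m = SYSLOG_RE.match(line)
    if not m:
        raise ValueError("not a syslog line: %r" % line[:40])
    return {"host": m.group("host"), "ident": m.group("ident"),
            "message": m.group("msg")}


def record_to_wire(record):
    """Serialise the record as JSON. Because 'message' is a string that itself
    contains double quotes, any JSON serialiser must write them as \\" here;
    this layer, not ossec-csyslogd, is where the backslashes appear."""
    return json.dumps(record)


def naive_unescaped_wire(record):
    """The output the thread wished for: inner quotes left unescaped."""
    return '{"host":"%s","ident":"%s","message":"%s"}' % (
        record["host"], record["ident"], record["message"])


def is_valid_json(text):
    try:
        json.loads(text)
        return True
    except ValueError:  # json.JSONDecodeError is a subclass of ValueError
        return False


def parse_ossec_record(wire):
    """Two-stage decode: the outer record first, then the OSSEC JSON that sits
    inside its 'message' string. A second parser stage has to do exactly this
    before a field such as ${id} is usable."""
    outer = json.loads(wire)
    inner = json.loads(outer["message"])
    return outer, inner


def extract_rule_id(wire):
    return parse_ossec_record(wire)[1]["id"]


if __name__ == "__main__":
    rec = syslog_to_record(OSSEC_SYSLOG_LINE)
    wire = record_to_wire(rec)
    print(wire)  # inner quotes show up as \"
    print("rule id:", extract_rule_id(wire))
    print("unescaped form is valid JSON:", is_valid_json(naive_unescaped_wire(rec)))
```

Run stand-alone, the script prints the escaped record, extracts rule id 510 from it, and reports that the unescaped variant is not valid JSON. That matches Dan's observation that ossec-csyslogd into nc shows no backslashes: they are produced when the alert string is wrapped in a second JSON document, so dropping them on either side would yield the unparseable form rather than a cleaner one. The workable options are a second JSON parse of the `message` field, or an output path such as the zeromq one Jeremy points to that does not nest the alert as a string.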


