ossec / ossec-hids

OSSEC is an Open Source Host-based Intrusion Detection System that performs log analysis, file integrity checking, policy monitoring, rootkit detection, real-time alerting and active response.
http://www.ossec.net

csyslogd syslog_output not working with custom_alert_output #1362

Open midasi opened 6 years ago

midasi commented 6 years ago

The OSSEC deployment within OSSIM uses custom_alert_output, rather than the default log format. We were trying to send these alerts to our central syslog server, and enabled syslog_output, as we have done on other OSSEC deployments. On the OSSIM deployment, the logs do not get forwarded, although the alerts.log contains the alerts in the custom format. We removed the custom_alert_output setting in ossec.conf and the logs get forwarded as expected.

ddpbsd commented 6 years ago

It's a known consequence of custom alert formats. I don't think maild will work with custom alert logs either.

midasi commented 6 years ago

OK, thank you. We didn't find a hint in the documentation mentioning this.

Do you plan to fix this issue or do we have to modify csyslogd by ourselves? And is it possible to change the csyslogd behaviour to retrieve the alerts directly (zeromq?) instead of reading the alerts.log?

ddpbsd commented 6 years ago

It is possible to change csyslogd to use zeromq to get the alerts. I had started this a long time ago, but never got around to finishing it.

midasi commented 6 years ago

That would be great! In the meantime we try to use a workaround with jsonout_output and rsyslog.
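The two configurations the thread contrasts, written out as an added example (not from the OSSEC project or any commenter): the conflicting combination that leaves csyslogd silent, and the jsonout_output workaround. The syslog server address and the custom format string are constructed placeholders.

```xml
<!-- /var/ossec/server/ossec.conf (manager side), added example -->
<ossec_config>
  <global>
    <!-- Conflicting combination from the report: with a custom alert
         format, csyslogd cannot parse alerts.log and forwards nothing,
         even though alerts.log itself still fills up. -->
    <!-- <custom_alert_output>$TIMESTAMP|$RULEID|$LEVEL|$SRCIP|$LOG</custom_alert_output> -->

    <!-- Workaround: leave alerts.log in the default format so csyslogd
         (and maild) keep working, and additionally write every alert
         as one JSON object per line to
         /var/ossec/logs/alerts/alerts.json for rsyslog to pick up. -->
    <jsonout_output>yes</jsonout_output>
  </global>

  <!-- csyslogd target; enable the daemon with
       "/var/ossec/bin/ossec-control enable client-syslog".
       Forwards only while alerts.log is in the default format. -->
  <syslog_output>
    <server>192.0.2.10</server>   <!-- placeholder collector -->
    <port>514</port>
  </syslog_output>
</ossec_config>
```

With alerts.json in place, rsyslog's imfile input module can tail that file and forward each line with omfwd, which is the rsyslog half of the workaround the last comment mentions.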