Closed: uxbod closed this issue 10 years ago
I have tried to switch OSSEC to write in JSON and the output looks like:
{"host":"testserver-01","ident":"ossec","message":"{ \"crit\": 8, \"id\": 5104, \"description\": \"Interface entered in promiscuous(sniffing) mode.\", \"component\": \"testserver-01->/var/log/messages\", \"classification\": \" syslog,linuxkernel,promisc,\", \"message\": \"Apr 23 09:28:39 testserver-01 kernel: device lo entered promiscuous mode\" }"}
How would I use the parser to extract those JSON fields, please?
To parse a JSON message, you should just specify format json and key_name with the field name of the JSON value, as described in the README.
Using Kibana is outside the scope of this plugin. I don't know about it.
How would I go about writing the following out as JSON that could then be used with Kibana, please?
message Alert Level: 7; Rule: 510 - Host-based anomaly detection event (rootcheck).; Location: (testserver-01.local.net)192.168.1.103->rootcheck; Process '1141' hidden from kill (0) or getsid (1). Possible kernel-level rootkit.
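Both shapes of OSSEC alert seen in this thread, worked through in Ruby as an added example (this is not code from fluent-plugin-parser or from OSSEC; it only reproduces what the plugin is asked to do). The first record is the JSON-in-a-string case from the opening post, which is what "format json" with "key_name message" handles; the second is the default syslog-style alert from the last question, which needs a regexp with named captures. The regexp and the key names (level, rule_id, rule_description, location, agent, origin, source, groups) are my own choices, not anything OSSEC or the plugin defines; the two sample records are constructed from the alerts quoted above.

```ruby
require 'json'

# Constructed sample records, as fluentd would hold them before the parser
# runs: the outer "message" field carries the raw OSSEC alert text.
JSON_RECORD = {
  'host' => 'testserver-01', 'ident' => 'ossec',
  'message' => '{ "crit": 8, "id": 5104, "description": "Interface entered in promiscuous(sniffing) mode.", ' \
               '"component": "testserver-01->/var/log/messages", "classification": " syslog,linuxkernel,promisc,", ' \
               '"message": "Apr 23 09:28:39 testserver-01 kernel: device lo entered promiscuous mode" }'
}
SYSLOG_RECORD = {
  'host' => 'testserver-01', 'ident' => 'ossec',
  'message' => "Alert Level: 7; Rule: 510 - Host-based anomaly detection event (rootcheck).; " \
               "Location: (testserver-01.local.net)192.168.1.103->rootcheck; " \
               "Process '1141' hidden from kill (0) or getsid (1). Possible kernel-level rootkit."
}

# Syslog-style OSSEC alert. Named captures become record keys; a fluentd
# parser "format /.../" accepts the same Ruby regexp syntax.
OSSEC_SYSLOG_ALERT = /\AAlert Level: (?<level>\d+); Rule: (?<rule_id>\d+) - (?<rule_description>[^;]*); Location: (?<location>[^;]*); (?<message>.*)\z/

# OSSEC writes locations as "(agent)origin->source" or "origin->source"
# (the JSON "component" field and the syslog "Location" field share it).
LOCATION = /\A(?:\((?<agent>[^)]*)\))?(?<origin>[^>]*?)->(?<source>.*)\z/

def split_location(loc)
  m = LOCATION.match(loc)
  return {} unless m
  out = { 'origin' => m[:origin], 'source' => m[:source] }
  out['agent'] = m[:agent] if m[:agent]
  out
end

# Case 1: the alert is a JSON document nested as a string. Parse it, split the
# component, and turn the comma-separated classification into an array
# ("groups", an assumed key) so Kibana can facet on it.
def json_fields(raw)
  inner = JSON.parse(raw)
  fields = inner.merge(split_location(inner['component'].to_s))
  fields['groups'] = inner['classification'].to_s.strip.split(',') if inner.key?('classification')
  fields
rescue JSON::ParserError
  nil
end

# Case 2: the syslog-style alert. Returns nil for lines the regexp rejects
# so unparsable input is visible instead of silently passed through.
def syslog_fields(raw)
  m = OSSEC_SYSLOG_ALERT.match(raw)
  return nil unless m
  {
    'level' => m[:level].to_i,
    'rule_id' => m[:rule_id].to_i,
    'rule_description' => m[:rule_description],
    'location' => m[:location],
    'message' => m[:message],
  }.merge(split_location(m[:location]))
end

# Dispatch on the first character of the raw alert and merge the extracted
# fields into the record; the inner "message" overwrites the raw text.
def parse_ossec_record(record, key_name = 'message')
  raw = record.fetch(key_name)
  fields = raw.lstrip.start_with?('{') ? json_fields(raw) : syslog_fields(raw)
  fields && record.merge(fields)
end

if __FILE__ == $0
  [JSON_RECORD, SYSLOG_RECORD].each { |r| puts JSON.pretty_generate(parse_ossec_record(r)) }
end
```

The dispatch on a leading brace is a convenience for this example; in a real pipeline you would know which output format OSSEC is configured for and pick one parser. The syslog regexp is anchored at both ends and uses [^;]* for the bounded fields, so a message body containing semicolons still lands in message rather than shifting the earlier fields.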