OSSEC Reporting Dump to CSV and reporting range setting


joe lee

May 9, 2017, 11:00:47 AM
to ossec-list
I am contacting you because I utilize your product and I am trying to find the best way to get some detailed reporting, and was wondering if someone can assist. I am trying to do two things, and if you can provide the commands or instructions on how to, it would be appreciated.


1. I am trying to do a dump of logs for the last seven days into a CSV/Excel file; is there any way to do this? I have not found documentation on the OSSEC site on how to.

2. I am trying to obtain a report that gives me the TOP 10 files or file types that have been changed according to the logs. Maybe if we can get the Excel spreadsheet, then we can possibly set filters to obtain this information.


Can someone please confirm if this information can be gathered and how?


Thank you 

Jesus Linares

May 12, 2017, 4:48:29 AM
to ossec-list
Hi,

you can create a script to read that information from /var/ossec/logs/alerts. Alerts are classified in years/months/days:

/var/ossec/logs/alerts# tree
.
├── 2017
│   └── May
│       ├── ossec-alerts-11.json.gz
│       ├── ossec-alerts-11.json.sum
│       ├── ossec-alerts-11.log.gz
│       ├── ossec-alerts-11.log.sum
│       ├── ossec-alerts-12.json
│       └── ossec-alerts-12.log
├── alerts.json
└── alerts.log

Also, if you use Elasticsearch, it should be easy to create a query to get the information.

Regards.
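A script along those lines, written here as an added example (not code from the thread or from OSSEC itself), that dumps the last N days of alerts.json to CSV and counts the most-alerted syscheck paths for the TOP 10 question. The JSON key names (rule.sidid, rule.level, rule.comment, TimeStamp, SyscheckFile.path) are assumed from OSSEC's JSON alert output, and the sample lines are constructed.

```python
import csv, gzip, json, os
from collections import Counter
from datetime import date, timedelta
MONTHS = "Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split()
COLUMNS = ["TimeStamp", "id", "hostname", "location", "rule_id", "level", "comment", "syscheck_path"]
def day_file(root, d):  # layout from the tree above: <root>/<year>/<Mon>/ossec-alerts-<day>.json
    return os.path.join(root, str(d.year), MONTHS[d.month - 1], "ossec-alerts-%02d.json" % d.day)

def parse_alerts(lines):
    """alerts.json holds one JSON object per line; skip a partial line instead of aborting."""
    alerts = []
    for line in lines:
        try:
            alerts.append(json.loads(line))
        except ValueError:  # e.g. the line currently being written, or a garbled one
            pass
    return alerts

def load_range(root, days, today=None):
    """Alerts for the last `days` days. Finished days are gzipped, so both
    suffixes are tried; a day with no file (nothing alerted) is skipped."""
    alerts = []
    for i in range(days):
        base = day_file(root, (today or date.today()) - timedelta(days=i))
        for p in (base, base + ".gz"):
            if os.path.exists(p):
                with (gzip.open if p.endswith(".gz") else open)(p, "rt") as fh:
                    alerts += parse_alerts(fh)
    return alerts

def to_row(a):  # flatten one alert; key names assumed from OSSEC's JSON output
    rule = a.get("rule", {})
    return [a.get("TimeStamp"), a.get("id"), a.get("hostname"), a.get("location"),
            rule.get("sidid"), rule.get("level"), rule.get("comment"),
            a.get("SyscheckFile", {}).get("path", "")]

def write_csv(alerts, fh):  # question 1; fh is an open file or sys.stdout
    w = csv.writer(fh)
    w.writerow(COLUMNS)
    w.writerows(to_row(a) for a in alerts)

def top_changed_files(alerts, n=10):  # question 2; only syscheck alerts count
    paths = (a["SyscheckFile"].get("path") for a in alerts if "SyscheckFile" in a)
    return Counter(p for p in paths if p).most_common(n)
SAMPLE = [  # constructed lines in the assumed layout, not real OSSEC output
    '{"rule":{"level":7,"comment":"Integrity checksum changed.","sidid":550},"id":"1494590000.1","TimeStamp":1494590000000,"hostname":"web1","location":"syscheck","SyscheckFile":{"path":"/etc/passwd"}}',
    '{"rule":{"level":7,"comment":"Integrity checksum changed.","sidid":550},"id":"1494590100.2","TimeStamp":1494590100000,"hostname":"web1","location":"syscheck","SyscheckFile":{"path":"/etc/passwd"}}',
    '{"rule":{"level":5,"comment":"sshd: authentication failed.","sidid":5716},"id":"1494590200.3","TimeStamp":1494590200000,"hostname":"web1","location":"/var/log/auth.log"}',
    '{"rule":{"level":7,"comm',  # truncated mid-write; parse_alerts skips it
]
```

On a server you would call write_csv(load_range("/var/ossec/logs/alerts", 7), sys.stdout) and top_changed_files on the same list; the TimeStamp column is left as OSSEC writes it, so convert it in the spreadsheet if you want readable dates.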

Pedro Sanchez

May 12, 2017, 8:39:42 AM
to ossec...@googlegroups.com
You could also take a look at the "OSSEC Reportd" tool; you could aggregate stats for rule ids, groups, location, etc.:

For CSV output you could parse Reportd output.


Regards,
Pedro.
