Customizing OSSEC Syslog output


capli...@gmail.com

Jun 4, 2015, 2:16:21 PM
to ossec...@googlegroups.com
Afternoon everybody,

So I have been working with OSSEC for the past couple of weeks getting it tied in to my organization, and we are wanting to output the alerts to our syslog server.

However, for our purposes we need the following fields added to the output:

  • DATE:
  • Application-type:
  • Priority:
  • Program:

Right now we are having it log to our syslog via JSON; ossec.conf entry below:

  <syslog_output>
    <server>SERVER</server>
    <format>json</format>
    <level>1</level>
  </syslog_output>

Here is a current example of the output we are getting:

2015-06-04T17:45:20-04:00 <OSSEC-SERVER> ossec: {"crit":3,"id":5715,"component":"(<OSSEC-Agent>) <AGENT-IP>->/var/log/authlog","classification":" syslog,sshd,authentication_success,","description":"SSHD authentication success.","message":"2015-06-04T13:45:18-04:00 <OSSEC-AGENT> sshd[47789]: [ID 800047 auth.info] Accepted publickey for <USER> from <AGENT-IP> port 45430 ssh2","acct":"<AGENT-IP>","src_ip":"<IP>"}

I have a few years of Python and C programming under my belt, so if there is a source file I can modify and recompile I would be OK with doing that.

Any help that can be offered is thanked deeply in advance,

Jacob

capli...@gmail.com

Jun 9, 2015, 2:49:45 PM
to ossec...@googlegroups.com
So after a few days of research I have figured out a way to write my own custom OSSEC syslog client. It's not the greatest possible solution, but it works.

So first I used the python gevent lib and created a "UNIX tail command" python function called follow:

import os
import time

def follow(filename):
    """Poor man's `tail -f`: hand every complete new line to log_to_syslog()
    (log_to_syslog is the caller's own forwarding function, not shown here)."""
    fd = os.open(filename, os.O_RDONLY | os.O_NONBLOCK)
    os.lseek(fd, 0, os.SEEK_END)          # start at the end, like tail -f
    buffer = b""
    try:
        while True:
            chunk = os.read(fd, 4096)
            if not chunk:
                time.sleep(0.1)           # nothing new yet; don't spin the CPU
                continue
            buffer += chunk
            # Split on newline; the last element is the (possibly empty)
            # partial line, which is kept until the rest of it arrives.
            *lines, buffer = buffer.split(b"\n")
            for line in lines:
                log_to_syslog(line.decode("utf-8", "replace"))
    except KeyboardInterrupt:
        print("[*] Ctrl-C Pressed")
    finally:
        os.close(fd)

Then using the logging module in Python I found a way to parse and send the logs to my syslog server; here is a quick example:

import logging
import logging.handlers
import socket

logger = logging.getLogger()
logger.setLevel(logging.INFO)
# UDP syslog on port 514; <server name goes here> is the collector's hostname
handler = logging.handlers.SysLogHandler(address=("<server name goes here>", 514),
                                         socktype=socket.SOCK_DGRAM)
formatter = logging.Formatter('ossec: %(message)s')
handler.setFormatter(formatter)
logger.addHandler(handler)

Then using logging.info(<MESSAGE>) I could format my own syslog messages. This is not the full code, of course, but a start if anybody else has this problem.
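As an added example, not code from the thread's author, here is the piece the post above leaves out: parsing one OSSEC JSON alert line as relayed by <format>json</format>, pulling out the four fields asked for at the top of the thread (DATE, Application-type, Priority, Program), and handing the result to the same SysLogHandler setup. The sample line, the collector name "syslog.example.internal", the level-to-severity thresholds and the choice of "first rule group" as Application-type are all assumptions made for this example.

```python
import json
import logging
import logging.handlers
import re
import socket

# Constructed sample in the shape OSSEC's syslog_output <format>json</format>
# produces; the hostnames, user and addresses are made up, not a real capture.
SAMPLE_LINE = (
    '2015-06-04T17:45:20-04:00 ossec-server ossec: '
    '{"crit":3,"id":5715,"component":"(agent01) 10.0.0.5->/var/log/authlog",'
    '"classification":" syslog,sshd,authentication_success,",'
    '"description":"SSHD authentication success.",'
    '"message":"2015-06-04T13:45:18-04:00 agent01 sshd[47789]: [ID 800047 auth.info] '
    'Accepted publickey for jdoe from 10.0.0.5 port 45430 ssh2",'
    '"acct":"10.0.0.5","src_ip":"10.0.0.5"}'
)

# "<timestamp> <relay host> ossec: {json}" as it lands on the collector.
RELAY_RE = re.compile(r"^(?P<date>\S+)\s+(?P<host>\S+)\s+ossec:\s+(?P<body>\{.*\})\s*$")
# Program name of the original event: third token of the embedded syslog
# message, without the "[pid]" suffix or trailing colon.
PROGRAM_RE = re.compile(r"^\S+\s+\S+\s+(?P<prog>[^\s\[:]+)")


def syslog_priority(crit):
    """Map an OSSEC alert level (0-15) to a syslog severity keyword.
    These thresholds are this example's assumption, not an OSSEC default."""
    if crit >= 12:
        return "crit"
    if crit >= 8:
        return "err"
    if crit >= 4:
        return "warning"
    return "info"


def parse_alert(line):
    """Extract DATE, Application-type, Priority and Program from one relayed
    alert line.  Returns None for anything that is not a complete JSON alert,
    which a tail-style reader can hand over when it catches a partial write."""
    m = RELAY_RE.match(line)
    if m is None:
        return None
    try:
        alert = json.loads(m.group("body"))
    except ValueError:          # truncated or non-JSON payload
        return None
    # OSSEC's "classification" is the rule's group list, e.g. " syslog,sshd,...,"
    groups = [g.strip() for g in alert.get("classification", "").split(",") if g.strip()]
    pm = PROGRAM_RE.match(alert.get("message", ""))
    return {
        "DATE": m.group("date"),                                  # time the relay emitted it
        "Application-type": groups[0] if groups else "unknown",   # assumption: first rule group
        "Priority": syslog_priority(int(alert.get("crit", 0))),
        "Program": pm.group("prog") if pm else "unknown",
        "rule_id": alert.get("id"),
        "description": alert.get("description", ""),
    }


def format_alert(fields):
    """Render the fields as key="value" pairs; this is the %(message)s that
    the 'ossec: %(message)s' formatter wraps."""
    order = ("DATE", "Application-type", "Priority", "Program", "rule_id", "description")
    return " ".join('%s="%s"' % (k, fields[k]) for k in order)


def build_logger(server, port=514):
    """The SysLogHandler setup from the post above, wrapped in a function so
    that importing this module does not open a socket."""
    logger = logging.getLogger("ossec-relay")
    logger.setLevel(logging.INFO)
    handler = logging.handlers.SysLogHandler(address=(server, port),
                                             socktype=socket.SOCK_DGRAM)
    handler.setFormatter(logging.Formatter("ossec: %(message)s"))
    logger.addHandler(handler)
    return logger


if __name__ == "__main__":
    # "syslog.example.internal" is a placeholder collector name, not a real host.
    log = build_logger("syslog.example.internal")
    fields = parse_alert(SAMPLE_LINE)
    if fields is not None:
        log.info(format_alert(fields))
```

Two things to keep in mind when adapting this. DATE here is the timestamp the OSSEC server put on the relayed line; the time of the original event is the first token of the embedded "message", so pick whichever the collector should key on. And the Priority field only lives in the message text: the severity in the syslog PRI header comes from the logging level used for the call (logger.info sends LOG_INFO), so if the collector is meant to route on OSSEC's level, call logger.log() with a level derived from "crit" rather than always logger.info().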

David Lang

Jun 9, 2015, 2:51:40 PM
to ossec...@googlegroups.com
Silly question, but why don't you just log in JSON format and then use the
syslog daemon to format things however you want? (A custom template in rsyslog,
since that's probably your default syslog daemon.)

David Lang

capli...@gmail.com

Jun 9, 2015, 3:09:09 PM
to ossec...@googlegroups.com, da...@lang.hm
Being honest, David, I have never really worked with rsyslog before and did not think of that. For the JSON thing, I am using 2.8.1, and isn't JSON logging only available in 2.9?

David Lang

Jun 9, 2015, 3:13:59 PM
to capli...@gmail.com, ossec...@googlegroups.com
On Tue, 9 Jun 2015, capli...@gmail.com wrote:

> Being honest David, I have never really worked with rsyslog before and did
> not think of that. For the JSON thing I am using 2.8.1 and isn't JSON
> logging only available in 2.9 ?

I don't think I'm running a custom build (it was put in just before I started
here) and I'm able to output JSON.

What version of rsyslog are you running? It will probably be just a little odd
to set things up with the distro default versions, but it should still be easier
in the long run than having to write custom code to run inside ossec.

David Lang