
OSSEC plugin

chris.rovers

I am sending OSSEC alerts to AlienVault (via CloudWatch) from alerts.log and have it set to use the OSSEC 2.5 plugin. I am using OSSEC 2.8; not sure what the differences are between 2.5 and 2.8.

My alert lines look like:

** Alert 1496918806.499: - pam,syslog,
2017 Jun 08 06:46:46 servername->/var/log/auth.log
Rule: 5502 (level 3) -> 'Login session closed.'
Jun  8 06:46:45 waftest su[28382]: pam_unix(su:session): session closed for user xxxxxx

They are successfully going into CloudWatch and I'm pulling them into AlienVault from there, but the plugin does not seem to parse them.

What format is the plugin expecting to parse?


Best Answer

JSON is supported with version 2.9, which is in release candidate, not 2.8.
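For readers who, like the poster, are on 2.8 and still have the four-line text records from alerts.log rather than the JSON output the answer mentions, the following is an added example (written for this thread, not code from OSSEC or AlienVault) that parses that text layout and emits one JSON object per alert. The sample input is constructed: the first record is the one from the question, the second is made up to exercise the optional "mail" flag in the header. The output field names are this example's own choice and are not the alerts.json schema of OSSEC 2.9.

```python
"""Parser for OSSEC alerts.log records (the multi-line text layout from the question).

Added example for this thread, not OSSEC's or AlienVault's own code. The field names
of the output dicts are this example's own choice, not the alerts.json schema of 2.9.
"""
import json
import re
from datetime import datetime, timezone

# Constructed sample: the record from the question plus a second, made-up record
# with the "mail" flag set so the optional header field is exercised.
SAMPLE_ALERTS_LOG = """\
** Alert 1496918806.499: - pam,syslog,
2017 Jun 08 06:46:46 servername->/var/log/auth.log
Rule: 5502 (level 3) -> 'Login session closed.'
Jun  8 06:46:45 waftest su[28382]: pam_unix(su:session): session closed for user xxxxxx

** Alert 1496918900.731: mail - syslog,sshd,authentication_failed,
2017 Jun 08 06:48:20 servername->/var/log/auth.log
Rule: 5716 (level 5) -> 'SSHD authentication failed.'
Jun  8 06:48:19 waftest sshd[28501]: Failed password for invalid user admin from 198.51.100.23 port 51514 ssh2
"""

# Line 1: "** Alert <epoch>.<seq>: [mail] - <group>,<group>,"
HEADER_RE = re.compile(
    r"^\*\* Alert (?P<epoch>\d+)\.(?P<seq>\d+):(?: (?P<flags>\w+))? - (?P<groups>.*)$"
)
# Line 2: "<YYYY Mon DD HH:MM:SS> <host>-><log location>"
# (alerts from an agent carry "(agentname) ip" before the arrow; it is kept as-is in "host")
SOURCE_RE = re.compile(
    r"^(?P<when>\d{4} \w{3} \d{2} \d{2}:\d{2}:\d{2}) (?P<host>.+?)->(?P<location>.+)$"
)
# Line 3: "Rule: <id> (level <n>) -> '<description>'"
RULE_RE = re.compile(r"^Rule: (?P<rule_id>\d+) \(level (?P<level>\d+)\) -> '(?P<desc>.*)'$")


def parse_record(lines):
    """Turn one alert (header line plus the lines up to the next blank line) into a dict."""
    if len(lines) < 4:
        raise ValueError("truncated alert record: %r" % (lines,))
    h, s, r = HEADER_RE.match(lines[0]), SOURCE_RE.match(lines[1]), RULE_RE.match(lines[2])
    if not (h and s and r):
        raise ValueError("unrecognised alert record: %r" % (lines[:3],))
    epoch = int(h["epoch"])
    return {
        "alert_id": "%s.%s" % (h["epoch"], h["seq"]),
        "timestamp_utc": datetime.fromtimestamp(epoch, tz=timezone.utc).isoformat(),
        "mail": h["flags"] == "mail",
        "groups": [g for g in h["groups"].split(",") if g],
        "local_time": s["when"],
        "host": s["host"],
        "location": s["location"],
        "rule_id": int(r["rule_id"]),
        "level": int(r["level"]),
        "description": r["desc"],
        # Everything after the rule line is the original log message (it may span several lines).
        "raw": "\n".join(lines[3:]),
    }


def parse_alerts(text):
    """Split an alerts.log stream on '** Alert ' headers and parse each record."""
    alerts = []
    for chunk in re.split(r"(?m)^(?=\*\* Alert )", text):
        chunk = chunk.strip("\n")
        if not chunk.startswith("** Alert "):
            continue  # text before the first header (e.g. a shipper's preamble) is not an alert
        alerts.append(parse_record(chunk.split("\n")))
    return alerts


def alerts_to_json_lines(text):
    """One JSON object per alert, newline-delimited (field names are this example's own)."""
    return "\n".join(json.dumps(a, sort_keys=True) for a in parse_alerts(text))


if __name__ == "__main__":
    print(alerts_to_json_lines(SAMPLE_ALERTS_LOG))
```

The parser keys on the "** Alert " header to find record boundaries, so it only works if the four lines of each alert arrive together; a shipper that forwards alerts.log line by line (as a per-line CloudWatch pipeline may) has to reassemble the record first, which is exactly the kind of mismatch that makes a plugin written for one layout silently parse nothing.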
