
OSSEC plugin


I am sending OSSEC alerts to AlienVault (via CloudWatch) from alerts.log and have it set to use the OSSEC 2.5 plugin. I am using OSSEC 2.8; I'm not sure what the differences are between 2.5 and 2.8.

My alert lines look like:

    ** Alert 1496918806.499: - pam,syslog,
    2017 Jun 08 06:46:46 servername->/var/log/auth.log
    Rule: 5502 (level 3) -> 'Login session closed.'
    Jun  8 06:46:45 waftest su[28382]: pam_unix(su:session): session closed for user xxxxxx

They are successfully going into CloudWatch and I'm pulling them into AlienVault from there, but the plugin does not seem to parse them.

What format is the plugin expecting to parse?

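The alerts pasted in the question are in the plain-text alerts.log layout that OSSEC 2.x writes: a header line carrying the epoch timestamp, an optional mail flag and the comma-separated rule groups; a line with the local time, the reporting host and the source log path; the Rule line with id, level and description; then the raw log record. The following parser is an added example, not code from the original thread or from the OSSEC or AlienVault projects; it turns that layout into structured records so you can see exactly which fields a plugin has to extract. The sample input is constructed: the first alert is the one from the post, the second is made up (203.0.113.7 is a documentation address) and includes the optional Src IP: and User: lines that OSSEC inserts between the Rule line and the log when a decoder extracts those values; the post itself does not show them.

```python
import re
from datetime import datetime, timezone

# Constructed sample input. The first alert is the one from the forum post;
# the second is invented to exercise the optional "mail" flag and the
# optional "Src IP:" / "User:" lines OSSEC emits when a decoder fills them.
SAMPLE_ALERTS = """\
** Alert 1496918806.499: - pam,syslog,
2017 Jun 08 06:46:46 servername->/var/log/auth.log
Rule: 5502 (level 3) -> 'Login session closed.'
Jun  8 06:46:45 waftest su[28382]: pam_unix(su:session): session closed for user xxxxxx

** Alert 1496918900.123: mail - syslog,sshd,authentication_failed,
2017 Jun 08 06:48:20 servername->/var/log/auth.log
Rule: 5716 (level 5) -> 'SSHD authentication failed.'
Src IP: 203.0.113.7
User: root
Jun  8 06:48:19 waftest sshd[28400]: Failed password for root from 203.0.113.7 port 51022 ssh2
"""

# Header: "** Alert <epoch>.<seq>: [mail] - <group>,<group>,"
HEADER_RE = re.compile(
    r"^\*\* Alert (?P<ts>\d+)\.(?P<seq>\d+):(?P<mail> mail)? - (?P<groups>.*)$"
)
# Location: "<YYYY Mon DD HH:MM:SS> <host>-><log path>"
LOCATION_RE = re.compile(
    r"^(?P<when>\d{4} \w{3} \d{2} \d{2}:\d{2}:\d{2}) (?P<host>.+?)->(?P<location>.+)$"
)
# Rule: "Rule: <id> (level <n>) -> '<description>'"
RULE_RE = re.compile(r"^Rule: (?P<rule>\d+) \(level (?P<level>\d+)\) -> '(?P<desc>.*)'$")

# Optional key/value lines that may sit between the Rule line and the raw log.
OPTIONAL_KEYS = {"Src IP": "src_ip", "User": "user"}


def _split_blocks(text):
    """Group lines into alerts; every alert starts with a '** Alert' header."""
    blocks, current = [], []
    for line in text.splitlines():
        if line.startswith("** Alert "):
            if current:
                blocks.append(current)
            current = [line]
        elif current and line.strip():
            current.append(line)
    if current:
        blocks.append(current)
    return blocks


def parse_alert(lines):
    """Parse one alert block (a list of lines) into a dict of fields."""
    if len(lines) < 4:
        raise ValueError("alert block too short: %r" % lines)
    head = HEADER_RE.match(lines[0])
    loc = LOCATION_RE.match(lines[1])
    rule = RULE_RE.match(lines[2])
    if not (head and loc and rule):
        raise ValueError("unrecognised alert layout: %r" % lines[:3])

    alert = {
        "alert_id": "%s.%s" % (head["ts"], head["seq"]),
        # The header epoch is UTC; the second line repeats it in local time.
        "timestamp": datetime.fromtimestamp(int(head["ts"]), tz=timezone.utc),
        "mail": head["mail"] is not None,
        "groups": [g for g in head["groups"].split(",") if g],
        "logged_at": loc["when"],
        "host": loc["host"],
        "location": loc["location"],
        "rule": int(rule["rule"]),
        "level": int(rule["level"]),
        "description": rule["desc"],
    }

    # Consume any optional "Src IP:" / "User:" lines before the raw log.
    idx = 3
    while idx < len(lines):
        key, sep, value = lines[idx].partition(": ")
        if sep and key in OPTIONAL_KEYS:
            alert[OPTIONAL_KEYS[key]] = value
            idx += 1
        else:
            break
    # Whatever remains is the original log record (may span several lines).
    alert["log"] = "\n".join(lines[idx:])
    return alert


def parse_alerts(text):
    """Parse a whole alerts.log-style text into a list of alert dicts."""
    return [parse_alert(block) for block in _split_blocks(text)]


if __name__ == "__main__":
    for a in parse_alerts(SAMPLE_ALERTS):
        print(a["timestamp"].isoformat(), a["rule"], a["level"], a["description"])
```

Running it prints one line per alert with the UTC time, rule id, level and description; the epoch in the first alert's header resolves to 10:46:46 UTC, which is the 06:46:46 local time shown on the second line of the post's alert. A plugin that expects a different layout (for example the JSON lines later OSSEC releases can write) will simply fail to match these four-line records, which is what the poster observed.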

Best Answer

JSON is supported in version 2.9, which is in release candidate, not in 2.8.

