ossec-reportd is a program to create reports from OSSEC alerts. ossec-reportd accepts alerts on stdin, and outputs a report on stderr.
Note
Because ossec-reportd writes its report to stderr, pagers such as less will not show it unless you redirect that output. Append 2>&1 to the ossec-reportd command to redirect stderr to stdout; more or less can then be piped after the redirect.
ossec-reportd argument options
-h
Display the help message
-f <filter> <value>
Filter the results.
-r <filter> <value>
Show related entries.
-n <string>
Create a description for the report.
-s
Show the alerts related to the summary.
ossec-reportd example usage
Example 1: Show Successful Logins
# cat /var/ossec/logs/alerts/alerts.log | /var/ossec/bin/ossec-reportd -f group authentication_success
Example 2: Show Alerts Level 10 and Greater
# cat /var/ossec/logs/alerts/alerts.log | /var/ossec/bin/ossec-reportd -f level 10
Example 3: Show the srcip for all users
# cat /var/ossec/logs/alerts/alerts.log | /var/ossec/bin/ossec-reportd -f group authentication -r user srcip
Example 4: Show Changed files as reported by Syscheck
# cat /var/ossec/logs/alerts/alerts.log | /var/ossec/bin/ossec-reportd -f group syscheck -r location filename
Example output
# cat /var/ossec/logs/alerts/alerts.log | /var/ossec/bin/ossec-reportd 2>&1 | more
2011/07/11 21:01:36 ossec-reportd: INFO: Started (pid: 1444).
2011/07/11 21:01:41 ossec-reportd: INFO: Report completed. Creating output...
Report completed. ==
------------------------------------------------
->Processed alerts: 17
->Post-filtering alerts: 17
->First alert: 2011 Jul 11 00:00:46
->Last alert: 2011 Jul 11 00:16:52
...
In case you have not had a chance to check it out, OSSEC v2.0 added a command-line "reporting" tool. It is great for checking whether agents, syslog, etc. are actually making it into OSSEC|OSSIM without having to install the web GUI on OSSIM.
Note: These commands are from the OSSEC tutorial, but I have made a change in the path to the ossec-reportd binary:
_________________________________________________________
Show all IP addresses/users that logged in during the day
cat /var/ossec/logs/alerts/alerts.log | /var/ossec/bin/ossec-reportd -n "Logins summary" -f group authentication_success
_________________________________________________________
Show all IP addresses/users that logged in during the day and related srcips locations for each user
cat /var/ossec/logs/alerts/alerts.log | /var/ossec/bin/ossec-reportd -n "Logins summary" -f group authentication_success -r user srcip -r user location
_________________________________________________________
Show all multiple authentication failures (brute force attacks)
cat /var/ossec/logs/alerts/alerts.log | /var/ossec/bin/ossec-reportd -n "Failures summary" -f group authentication_failures
_________________________________________________________
Show a summary for the month (or day) <July 2009>
zcat /var/ossec/logs/alerts/2009/Jul/*.gz | /var/ossec/bin/ossec-reportd -n "Month Summary"
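When the same logins or brute-force summaries are needed from a script rather than read off stderr, the filter (-f) and related (-r) semantics used in the examples above can be reproduced over the alerts.log block format directly. The following is an added example, not OSSEC's own code: it assumes the standard alerts.log block layout (a "** Alert" header carrying the groups, a timestamp/location line, a "Rule: ... (level N)" line and optional "Src IP:"/"User:" lines), and the sample alerts are constructed, not a real capture.

```python
import re
# Constructed sample in the OSSEC alerts.log block layout (raw log lines omitted).
SAMPLE = """** Alert 1310349646.1024: - syslog,sshd,authentication_success,
2011 Jul 11 00:00:46 web01->/var/log/auth.log
Rule: 5715 (level 3) -> 'sshd: authentication success.'
Src IP: 192.0.2.10
User: alice

** Alert 1310349700.2048: - syslog,sshd,authentication_failed,
2011 Jul 11 00:01:40 web01->/var/log/auth.log
Rule: 5716 (level 5) -> 'sshd: authentication failed.'
Src IP: 198.51.100.7
User: root

** Alert 1310350612.3072: mail  - syslog,sshd,authentication_success,
2011 Jul 11 00:16:52 db01->/var/log/auth.log
Rule: 5715 (level 3) -> 'sshd: authentication success.'
Src IP: 192.0.2.44
User: alice
"""

# One alert block: header (groups), timestamp line, rule line, optional Src IP/User.
ALERT = re.compile(
    r"^\*\* Alert \d+\.\d+: (?:mail\s+)?- (?P<groups>.+),\n"
    r"(?P<time>\d{4} \w{3} \d\d \d\d:\d\d:\d\d) .*?->(?P<location>\S+)\n"
    r"Rule: \d+ \(level (?P<level>\d+)\).*\n"
    r"(?:Src IP: (?P<srcip>\S+)\n)?(?:User: (?P<user>\S+)\n)?", re.M)

def parse_alerts(text):
    alerts = []
    for m in ALERT.finditer(text):  # fields absent from an alert are dropped
        a = {k: v for k, v in m.groupdict().items() if v is not None}
        a["groups"] = set(filter(None, a["groups"].split(",")))
        a["level"] = int(a["level"])
        alerts.append(a)
    return alerts

def report(alerts, filt=None, related=None):
    # filt mirrors -f: ("group", g) keeps members, ("level", n) keeps n and greater.
    # related mirrors -r: ("user", "srcip") lists the srcips seen per user.
    kept = [a for a in alerts if not filt or (filt[1] in a["groups"] if filt[0] == "group"
            else a["level"] >= int(filt[1]))]
    summary = {"processed": len(alerts), "post_filter": len(kept),
               "first": kept[0]["time"] if kept else None, "last": kept[-1]["time"] if kept else None}
    rel = {}
    for a in (kept if related else []):
        if related[0] in a and related[1] in a:
            rel.setdefault(a[related[0]], set()).add(a[related[1]])
    summary["related"] = {k: sorted(v) for k, v in rel.items()}
    return summary
```

Feed it the real file with `report(parse_alerts(open("/var/ossec/logs/alerts/alerts.log").read()), ("group", "authentication_success"), ("user", "srcip"))` to get the same processed/post-filtering counts and first/last alert times the tool prints, plus the per-user source IPs.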