OSSEC v2.0 commands

ossec-reportd is a program to create reports from OSSEC alerts. ossec-reportd accepts alerts on stdin, and outputs a report on stderr.

Note

Since ossec-reportd writes its output to stderr, utilities like less will not work unless you redirect it. Append 2>&1 to the ossec-reportd command to redirect stderr to stdout; more or less can then be used after the redirect.

ossec-reportd argument options

-h

Display the help message

-f <filter> <value>

Filter the results.

-r <filter> <value>

Show related entries.

-n <string>

Create a description for the report.

-s

Show the alerts related to the summary.

ossec-reportd example usage

Example 1: Show Successful Logins

# cat /var/ossec/logs/alerts/alerts.log | /var/ossec/bin/ossec-reportd -f group authentication_success

Example 2: Show Alerts Level 10 and Greater

# cat /var/ossec/logs/alerts/alerts.log | /var/ossec/bin/ossec-reportd -f level 10

Example 3: Show the srcip for all users

# cat /var/ossec/logs/alerts/alerts.log | /var/ossec/bin/ossec-reportd -f group authentication -r user srcip

Example 4: Show Changed files as reported by Syscheck

# cat /var/ossec/logs/alerts/alerts.log | /var/ossec/bin/ossec-reportd -f group syscheck -r location filename

Example output

# cat /var/ossec/logs/alerts/alerts.log | /var/ossec/bin/ossec-reportd 2>&1 | more

2011/07/11 21:01:36 ossec-reportd: INFO: Started (pid: 1444).
2011/07/11 21:01:41 ossec-reportd: INFO: Report completed. Creating output...

Report completed. ==
------------------------------------------------
->Processed alerts: 17
->Post-filtering alerts: 17
->First alert: 2011 Jul 11 00:00:46
->Last alert: 2011 Jul 11 00:16:52
...

In case you have not had a chance to check it out, OSSEC v2.0 added a command-line "reporting" tool. It is great for checking whether agents, syslog, etc. are actually making it into OSSEC|OSSIM without having to install the web GUI on OSSIM.

Note: These commands are from the OSSEC tutorial but I have made a change in the path to the ossec-reportd binary:

_________________________________________________________

Show all IP addresses/users that logged in during the day

cat /var/ossec/logs/alerts/alerts.log | /var/ossec/bin/ossec-reportd -n "Logins summary" -f group authentication_success

_________________________________________________________

Show all IP addresses/users that logged in during the day, plus the related srcips and locations for each user

cat /var/ossec/logs/alerts/alerts.log | /var/ossec/bin/ossec-reportd -n "Logins summary" -f group authentication_success -r user srcip -r user location

_________________________________________________________

Show all multiple authentication failures (brute force attacks)

cat /var/ossec/logs/alerts/alerts.log | /var/ossec/bin/ossec-reportd -n "Failures summary" -f group authentication_failures

_________________________________________________________

Show a summary for the month (or day) <July 2009>

zcat /var/ossec/logs/alerts/2009/Jul/*.gz | /var/ossec/bin/ossec-reportd -n "Month Summary"
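The -f and -r options in Examples 3 and 4 above and in the login summaries here operate on the "** Alert" blocks in alerts.log. As an added example that is not part of this page or of OSSEC itself, the Python below parses a constructed sample in the standard alerts.log block layout (header line with the rule groups, a timestamp/location line, a Rule line with the level, then Src IP and User lines) and reproduces the -f group / -f level filtering and the -r <key> <value> relation, so you can see what a report will group before running it on a real log.

```python
import re
# Constructed sample in the alerts.log layout (raw log line after each header omitted).
SAMPLE_ALERTS = """\
** Alert 1310356846.101: - syslog,sshd,authentication_success,
2011 Jul 11 00:00:46 (web01) 10.0.0.2->/var/log/auth.log
Rule: 5715 (level 3) -> 'SSHD authentication success.'
Src IP: 10.0.0.5
User: alice

** Alert 1310356900.102: - syslog,sshd,authentication_failed,
2011 Jul 11 00:01:40 (web01) 10.0.0.2->/var/log/auth.log
Rule: 5716 (level 5) -> 'SSHD authentication failed.'
Src IP: 203.0.113.9
User: root

** Alert 1310357812.103: - syslog,sshd,authentication_success,
2011 Jul 11 00:16:52 (web01) 10.0.0.2->/var/log/auth.log
Rule: 5715 (level 3) -> 'SSHD authentication success.'
Src IP: 10.0.0.7
User: alice
"""

def parse_alerts(text):
    """Return one dict per '** Alert' block: groups, level, location, srcip, user."""
    alerts = []
    for block in text.split("** Alert ")[1:]:
        lines = block.strip().splitlines()
        a = {"groups": [g for g in lines[0].split(" - ", 1)[1].split(",") if g]}
        a["location"] = lines[1].rsplit("->", 1)[1]  # "(agent) ip->file"
        a["level"] = int(re.search(r"\(level (\d+)\)", lines[2]).group(1))
        for key, label in (("srcip", "Src IP: "), ("user", "User: ")):
            m = re.search("^" + re.escape(label) + "(.*)$", block, re.M)
            a[key] = m.group(1) if m else None
        alerts.append(a)
    return alerts

def filter_alerts(alerts, field, value):
    """Like -f <filter> <value>: 'group' is membership, 'level' keeps level >= value."""
    if field == "group":
        return [a for a in alerts if value in a["groups"]]
    if field == "level":
        return [a for a in alerts if a["level"] >= int(value)]
    return [a for a in alerts if a.get(field) == value]

def relate(alerts, key, related):
    out = {}  # like -r <filter> <value>: each key value -> its distinct related values
    for a in alerts:
        if a.get(key) and a.get(related):
            out.setdefault(a[key], set()).add(a[related])
    return {k: sorted(v) for k, v in out.items()}
```

Chaining filter_alerts(...) with relate(..., "user", "srcip") mirrors the "-f group authentication_success -r user srcip" summary: one line per user listing the source addresses it logged in from.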
