In an older version of ossec you could use:
<logging>
<log_format>json</log_format>
</logging>
and the manual kind of also mentions this:
https://www.ossec.net/docs/docs/formats/index.html
On a CentOS 7 server I get:
May 14 14:20:47 aws-mnm-checkmk ossec-hids[14820]: Starting ossec-hids: 2021/05/14 14:20:47 ossec-agentd(1230): ERROR: Invalid element in the configuration: 'logging'.
May 14 14:20:47 aws-mnm-checkmk ossec-hids[14820]: 2021/05/14 14:20:47 ossec-agentd(1202): ERROR: Configuration error at '/var/ossec/etc/ossec.conf'. Exiting.
Can you confirm JSON output is still possible?
json log format
- mikeshinn
- Atomicorp Staff - Site Admin
- Posts: 4149
- Joined: Thu Feb 07, 2008 7:49 pm
- Location: Chantilly, VA
Re: json log format
<jsonout_output>yes</jsonout_output>
Is the new syntax. It belongs in the global settings, for example:
<global>
<email_notification>yes</email_notification>
<email_to>root@localhost</email_to>
<smtp_server>127.0.0.1</smtp_server>
<helo_server>localhost</helo_server>
<email_from>localhost</email_from>
<email_maxperhour>1</email_maxperhour>
<white_list>127.0.0.1</white_list>
<logall>yes</logall>
<jsonout_output>yes</jsonout_output>
<geoipdb>/usr/share/GeoIP/GeoLiteCity.dat</geoipdb>
</global>
Michael Shinn
Atomicorp - Security For Everyone
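The migration the reply describes (drop the old <logging><log_format>json</log_format></logging> block that makes ossec-agentd exit, and put <jsonout_output>yes</jsonout_output> under <global>) is easy to get wrong by hand across a fleet. The script below is an added example, not code from the thread or from OSSEC or Atomicorp: it parses an ossec.conf, reports any deprecated <logging> block, and rewrites the file to the new syntax. The sample configuration inside it is constructed; the function names are this example's own. One caveat it handles: ossec.conf may contain several top-level <ossec_config> blocks, which is not well-formed XML, so the parser wraps the file in a synthetic root before parsing.

```python
"""Detect the deprecated OSSEC <logging><log_format>json</log_format></logging>
block and migrate it to <global><jsonout_output>yes</jsonout_output>.
Added example; not part of the forum thread or of the OSSEC project."""
import xml.etree.ElementTree as ET

# Constructed sample ossec.conf: the old syntax from the question plus a
# second <ossec_config> block, as real files often have.
OLD_CONF = """<ossec_config>
  <global>
    <email_notification>no</email_notification>
    <logall>yes</logall>
  </global>
  <logging>
    <log_format>json</log_format>
  </logging>
</ossec_config>
<ossec_config>
  <syscheck>
    <frequency>7200</frequency>
  </syscheck>
</ossec_config>
"""


def _parse(conf_text):
    # ossec.conf may hold several top-level <ossec_config> elements, so wrap
    # the whole file in a synthetic root to make it well-formed for the parser.
    return ET.fromstring("<root>" + conf_text + "</root>")


def find_deprecated_logging(conf_text):
    """Return the log_format values of every <logging> block found.

    Current ossec-agentd rejects the 'logging' element outright
    ("Invalid element in the configuration"), so any hit is a config error."""
    root = _parse(conf_text)
    return [
        (logging.findtext("log_format") or "").strip()
        for cfg in root.findall("ossec_config")
        for logging in cfg.findall("logging")
    ]


def jsonout_enabled(conf_text):
    """True if some <global> section sets <jsonout_output>yes</jsonout_output>."""
    root = _parse(conf_text)
    for g in root.iter("global"):
        if (g.findtext("jsonout_output") or "").strip().lower() == "yes":
            return True
    return False


def migrate(conf_text):
    """Remove <logging> blocks and enable jsonout_output in <global> if the
    removed block asked for JSON. Returns the rewritten configuration text."""
    root = _parse(conf_text)
    wanted_json = False
    blocks = root.findall("ossec_config")
    for cfg in blocks:
        for logging in cfg.findall("logging"):  # findall returns a list, safe to remove
            if (logging.findtext("log_format") or "").strip().lower() == "json":
                wanted_json = True
            cfg.remove(logging)

    if wanted_json and not jsonout_enabled(conf_text):
        # Reuse the first <global> section; create one in the first block if absent.
        g = next(root.iter("global"), None)
        if g is None:
            g = ET.SubElement(blocks[0], "global")
        out = g.find("jsonout_output")
        if out is None:
            out = ET.SubElement(g, "jsonout_output")
        out.text = "yes"

    # Serialize each <ossec_config> block back out, without the synthetic root.
    return "".join(ET.tostring(cfg, encoding="unicode") for cfg in blocks)


if __name__ == "__main__":
    print("deprecated logging blocks:", find_deprecated_logging(OLD_CONF))
    print(migrate(OLD_CONF))
```

Run it against a copy of /var/ossec/etc/ossec.conf rather than the live file, diff the result, then restart the agent and watch for the ossec-agentd(1230)/(1202) errors from the question to confirm the config now loads.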