Add a field "id" to the json log. #1090

ddpbsd · 2017-03-10T22:00:44Z

This should match up to the number following Alert in the regular alert log. I'm not sure "id" is descriptive enough, but I wanted to keep it short. Also, I'm not sure it's in the right spot of the log message. Maybe that doesn't even matter.

{"rule":{"level":3,"comment":"Login session closed.","sidid":5502,"group":"pam,syslog,"},"id":"1489183089.253799","decoder":"pam","location":"/var/log/syslog-ng/messages","full_log":"Mar  8 20:13:39 ubnt sudo: pam_unix(sudo:session): session closed for user root","TimeStamp":"Fri Mar 10 16:58:09 2017\n","hostname":"ubnt","program_name":"sudo"}

** Alert 1489183089.253799: - pam,syslog,
2017 Mar 10 16:58:09 ubnt->/var/log/syslog-ng/messages
Rule: 5502 (level 3) -> 'Login session closed.'
Mar  8 20:13:39 ubnt sudo: pam_unix(sudo:session): session closed for user root

This change is

I'm not sure this is the best place for it yet, but it seems to work.

Maybe someone else has an opinion.

jrossi

This looks good to me.

ddpbsd added 2 commits March 10, 2017 15:24

Put the alert id(?) in the json logs.

1b0f9b1

I'm not sure this is the best place for it yet, but it seems to work.

Finish up the alert id thing. I'm not sure "id" is the best label.

393c95d

Maybe someone else has an opinion.

jrossi approved these changes Mar 14, 2017

View reviewed changes

ddpbsd merged commit 1ec34de into ossec:master Mar 15, 2017

ddpbsd deleted the alertid branch November 26, 2018 14:06

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Add a field "id" to the json log. #1090

Add a field "id" to the json log. #1090

ddpbsd commented Mar 10, 2017 •

edited by jrossi

jrossi left a comment

Add a field "id" to the json log. #1090

Add a field "id" to the json log. #1090

Conversation

ddpbsd commented Mar 10, 2017 • edited by jrossi

jrossi left a comment

Choose a reason for hiding this comment

ddpbsd commented Mar 10, 2017 •

edited by jrossi