Parse out ossec multi-line
Hello,
I'm trying to parse an ossec log. My regex looks right but Sumo Logic is still showing multiple lines of one alert.
REGEX: ^\*\*\sAlert\s\d+.\d+:.*
Sample Log:
** Alert 1428428404.1885687: - pam,syslog,
2015 Apr 07 10:40:04 (example.com) 192.168.125.205->/var/log/secure
Rule: 5502 (level 3) -> 'Login session closed.'
Apr 7 10:40:02 hostname sshd[27669]: pam_unix(sshd:session): session closed for user root
** Alert 1428428405.1885968: - pam,syslog,
2015 Apr 07 10:40:05 (example.com) 192.168.125.163->/var/log/secure
Rule: 5502 (level 3) -> 'Login session closed.'
Apr 7 10:40:04 hostname sshd[31944]: pam_unix(sshd:session): session closed for user root
** Alert 1428428408.1886249: mail - ossec,
2015 Apr 07 10:40:08 (example.com) 192.168.125.166->netstat -tan |grep LISTEN |grep -v 127.0.0.1 | sort
Rule: 533 (level 7) -> 'Listened ports status (netstat) changed (new port opened or closed).'
ossec: output: 'netstat -tan |grep LISTEN |grep -v 127.0.0.1 | sort':
tcp 0 0 :::22 :::* LISTEN
Previous output:
ossec: output: 'netstat -tan |grep LISTEN |grep -v 127.0.0.1 | sort':
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN
Appreciate any help. Thanks in advance!
Regards,
Ram
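An added Python example, not from the post or from Sumo Logic, that splits a log like the sample above on the same boundary regex and pulls the rule fields out of each alert; it also checks that the regex matches every "** Alert" line in full, the usual requirement for a first-line boundary regex. The sample text is constructed from the alerts quoted in the post.

```python
import re

# Boundary regex from the post, with the dot in the alert id escaped
# (the original "." matches any character, which still works but is looser).
BOUNDARY_RE = re.compile(r"^\*\*\sAlert\s\d+\.\d+:.*$", re.MULTILINE)
# Header, e.g. "** Alert 1428428404.1885687: - pam,syslog," (optional flag such as "mail")
HEADER_RE = re.compile(r"^\*\* Alert (?P<id>\d+\.\d+): (?:(?P<flag>\S+) )?- (?P<groups>.*),$")
RULE_RE = re.compile(r"^Rule: (?P<rule>\d+) \(level (?P<level>\d+)\) -> '(?P<desc>.*)'$")

# Constructed sample, modelled on two of the alerts quoted in the post.
SAMPLE = """** Alert 1428428404.1885687: - pam,syslog,
2015 Apr 07 10:40:04 (example.com) 192.168.125.205->/var/log/secure
Rule: 5502 (level 3) -> 'Login session closed.'
Apr 7 10:40:02 hostname sshd[27669]: pam_unix(sshd:session): session closed for user root
** Alert 1428428408.1886249: mail - ossec,
2015 Apr 07 10:40:08 (example.com) 192.168.125.166->netstat -tan |grep LISTEN |grep -v 127.0.0.1 | sort
Rule: 533 (level 7) -> 'Listened ports status (netstat) changed (new port opened or closed).'
ossec: output: 'netstat -tan |grep LISTEN |grep -v 127.0.0.1 | sort':
tcp 0 0 :::22 :::* LISTEN
Previous output:
ossec: output: 'netstat -tan |grep LISTEN |grep -v 127.0.0.1 | sort':
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN
"""

def split_alerts(text: str) -> list:
    """Split raw alerts.log text into one string per alert.
    Every boundary match starts a new message; text before the first match is dropped."""
    starts = [m.start() for m in BOUNDARY_RE.finditer(text)]
    ends = starts[1:] + [len(text)]
    return [text[s:e].rstrip("\n") for s, e in zip(starts, ends)]

def parse_alert(alert: str) -> dict:
    """Pull id, groups, location, rule id/level/description and payload out of one alert."""
    lines = alert.split("\n")
    head = HEADER_RE.match(lines[0])
    rule = RULE_RE.match(lines[2]) if len(lines) > 2 else None
    if head is None or rule is None:
        raise ValueError("not an OSSEC alert: %r" % lines[0])
    return {
        "id": head["id"], "groups": head["groups"], "location": lines[1],
        "rule": rule["rule"], "level": rule["level"], "description": rule["desc"],
        "payload": "\n".join(lines[3:]),   # everything after the Rule line
    }

def first_lines_fully_match(text: str) -> bool:
    """True when the boundary regex matches each '** Alert' line from start to end."""
    return all(BOUNDARY_RE.fullmatch(line) for line in text.split("\n")
               if line.startswith("** Alert"))
```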