.. _ossec-reportd:

ossec-reportd
==============

``ossec-reportd`` is a program to create reports from OSSEC alerts.
``ossec-reportd`` accepts alerts on ``stdin`` and outputs a report on ``stderr``.

.. note::
   Since ``ossec-reportd`` writes its report to stderr, utilities like ``less`` will not
   show it unless you redirect the output. End the ossec-reportd command with ``2>&1`` to
   redirect stderr to stdout; ``more`` or ``less`` can then be used after the redirect.

ossec-reportd argument options
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

.. program:: ossec-reportd

.. option:: -D <dir>

   chroot to ``<dir>``.

.. option:: -d

   Execute ossec-reportd in debug mode. This option can be used multiple times to
   increase the verbosity of the debug messages.

.. option:: -f <filter> <value>

   Filter the results.

   .. note::
      Allowed filters: group, rule, level, location, user, srcip, and filename.

.. option:: -h

   Display the help message.

.. option:: -n

   Create a description for the report.

.. option:: -r <filter> <value>

   Show related entries.

.. option:: -s

   Show the alerts related to the summary.

.. option:: -V

   Display OSSEC version and license information.

ossec-reportd example usage
~~~~~~~~~~~~~~~~~~~~~~~~~~~

Example 1: Show Successful Logins
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

.. code-block:: console

   # cat /var/ossec/logs/alerts/alerts.log | /var/ossec/bin/ossec-reportd -f group authentication_success

Example 2: Show Alerts Level 10 and Greater
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

.. code-block:: console

   # cat /var/ossec/logs/alerts/alerts.log | /var/ossec/bin/ossec-reportd -f level 10

Example 3: Show the srcip for all users
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

.. code-block:: console

   # cat /var/ossec/logs/alerts/alerts.log | /var/ossec/bin/ossec-reportd -f group authentication -r user srcip

Example 4: Show Changed files as reported by Syscheck
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

.. code-block:: console

   # cat /var/ossec/logs/alerts/alerts.log | /var/ossec/bin/ossec-reportd -f group syscheck -r location filename

Example output
~~~~~~~~~~~~~~

.. code-block:: none

   # cat /var/ossec/logs/alerts/alerts.log | /var/ossec/bin/ossec-reportd 2>&1 | more
   2011/07/11 21:01:36 ossec-reportd: INFO: Started (pid: 1444).
   2011/07/11 21:01:41 ossec-reportd: INFO: Report completed. Creating output...

   Report completed. ==
   ------------------------------------------------
   ->Processed alerts: 17
   ->Post-filtering alerts: 17
   ->First alert: 2011 Jul 11 00:00:46
   ->Last alert: 2011 Jul 11 00:16:52

   Top entries for 'Username':
   ------------------------------------------------
   _nrpe                                           |6       |
   SYSTEM                                          |2       |

   Top entries for 'Level':
   ------------------------------------------------
   Severity 3                                      |13      |
   Severity 2                                      |4       |

   Top entries for 'Group':
   ------------------------------------------------
   syslog                                          |10      |
   sudo                                            |6       |
   dropbearrecon                                   |4       |
   ossec                                           |4       |
   sshd                                            |4       |
   authentication_success                          |2       |
   windows                                         |2       |
   clamd                                           |1       |
   freshclam                                       |1       |
   virus                                           |1       |

   Top entries for 'Location':
   ------------------------------------------------
   ix->/var/log/secure                             |4       |
   ix->ossec-logcollector                          |3       |
   (vistapc) 192.168.17.0->WinEvtLog               |2       |
   buffalo1->/var/log/secure                       |2       |
   buffalo2->/var/log/secure                       |2       |
   (junction) 192.168.17.17->/var/log/secure       |1       |
   (junction) 192.168.17.17->ossec-logcollector    |1       |
   ix->/var/log/local6                             |1       |
   junction->/var/log/secure                       |1       |

   Top entries for 'Rule':
   ------------------------------------------------
   5402 - Successful sudo to ROOT executed         |6       |
   51006 - Client exited before authentication.    |4       |
   591 - Log file rotated.                         |4       |
   18107 - Windows Logon Success.                  |2       |
   52507 - ClamAV database update                  |1       |
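To make the ``-f`` filter and ``-r`` related-entries semantics used in the examples above concrete, here is a small Python re-implementation of that report logic over ``alerts.log`` text. It is an added example, not OSSEC's own code; the two sample alerts are constructed in the standard alerts.log layout, and ``level`` is treated as a minimum ("10 and greater") while ``group`` is a membership test, matching the examples.

```python
# Added example, not OSSEC's own code: re-implements ossec-reportd's -f filter and
# -r related-entries logic over alerts.log text. The sample alerts are constructed.
import re
from collections import Counter

SAMPLE = """\
** Alert 1310360446.1: - syslog,sudo,
2011 Jul 11 00:00:46 ix->/var/log/secure
Rule: 5402 (level 3) -> 'Successful sudo to ROOT executed'
Src IP: (none)
User: _nrpe

** Alert 1310361412.2: - syslog,sshd,authentication_success,
2011 Jul 11 00:16:52 junction->/var/log/secure
Rule: 5715 (level 3) -> 'SSHD authentication success.'
Src IP: 192.168.17.20
User: alice
"""
HEADER = re.compile(r"^\*\* Alert \S+: (?:mail )?- (.*),$")
RULE = re.compile(r"^Rule: (\d+) \(level (\d+)\) -> '(.*)'$")
FIELDS = ("user", "level", "group", "location", "rule")

def parse_alerts(text):
    """Yield one dict per alert block carrying the fields reportd can filter on."""
    for block in text.strip().split("\n\n"):
        lines = block.splitlines()
        groups, rule = HEADER.match(lines[0]).group(1), RULE.match(lines[2])
        # Optional "Src IP:" / "User:" lines follow the rule line; "(none)" means absent.
        extra = dict(l.split(": ", 1) for l in lines[3:] if l.startswith(("Src IP: ", "User: ")))
        yield {"group": set(filter(None, groups.split(","))), "level": int(rule.group(2)),
               "rule": f"{rule.group(1)} - {rule.group(3)}", "user": extra.get("User"),
               "srcip": None if extra.get("Src IP", "(none)") == "(none)" else extra["Src IP"],
               "location": lines[1].split(" ", 4)[4]}  # keeps spaces in "(host) ip->file"

def matches(alert, name, value):
    """-f semantics: level is a minimum, group is membership, others exact match."""
    if name == "level":
        return alert["level"] >= int(value)
    return value in alert["group"] if name == "group" else alert[name] == value

def report(text, filters=(), related=None):
    """Post-filter count, per-field top-entry Counters, and -r (key, value) pair counts."""
    alerts = [a for a in parse_alerts(text) if all(matches(a, n, v) for n, v in filters)]
    top, rel = {f: Counter() for f in FIELDS}, Counter()
    for a in alerts:
        for f in FIELDS:  # an alert in several groups counts once per group
            top[f].update(a["group"] if f == "group" else [a[f]] if a[f] is not None else [])
        if related and a[related[0]] is not None and a[related[1]] is not None:
            rel[(a[related[0]], a[related[1]])] += 1
    return {"count": len(alerts), "top": top, "related": rel}
```

``report(SAMPLE, filters=[("group", "authentication_success")], related=("user", "srcip"))`` reproduces Example 3 on the constructed input; an alert whose ``Src IP`` is ``(none)`` is left out of the related-entries pairs, as its source address is unknown.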