Quick and Dirty REST API for OSSEC Logs Using NodeJS

OSSEC gives you the ability to push events and updates to any destination. You can also set up complex filtering and event-processing rules to correlate logs from multiple sources. However, that is all on a future TODO.

We have a legacy test wrapper called 'Automation Wrapper' which runs on every test host. The logs it generates are terrible because they contain all sorts of special characters and screen dumps. However, all we want for now is to be able to query the status of any machine in our test farm from one place.

I have another post about my OSSEC setup. Basically I have set to 'yes' so that all events go to archive.log. I then grep through that file by agent IP address and hand the matching entries to the front-end developer.

The bulk of each wrapper log line is four pipe-delimited fields: the timestamp, the log level, the process name and the log message.

The API returns a JSON array in which each log line is one object.

This is what the CoffeeScript for my nodejs route looks like -



So all you have to do is go to http://nodejs.host.com:8080/ossec?ip=xxx.xxx.xxx.xxx and you should get an array of objects like this -


  {
    "date": " 2013-07-24 18:58:26.4843",
    "level": "TRACE",
    "process": "AutomationWrapper.XMLEngine.XMLValidator",
    "message": "XML validation failed."
  },

Note: If you are using forever to daemonize your nodejs service then you need to change the permissions on the OSSEC log file using 'chmod -R o+rx /var/ossec/logs/archives/archive.log', because you can't use sudo without a tty. The logs are rotated every day and I couldn't find the config location to modify file permissions for new logs, so you have to run the node service as root. Be aware of what both workarounds cost: a world-readable archive hands the complete event stream from every agent to any local account, and a root-owned node process means any bug in the route (the ip parameter is untrusted input) runs as root. The least-privilege option is a dedicated service account that gets read access through group membership on the log files (the ossec group on a default install), which does not depend on chmod'ing each day's new file.
