--- /dev/null
+<?php
+/* OSSEC 2 RSS script.
+ * by Daniel B. Cid ( dcid @ ossec.net)
+ *
+ * Just upload it to any web-accessible directory, and make
+ * sure the web server can access the OSSEC alerts log file.
+ */
+
+
+$ossec_log = "/var/ossec/logs/alerts/alerts.log";
+if(!is_readable($ossec_log))
+{
+ echo "ERROR: Unable to access $ossec_log\n";
+ echo "*TIP: Make sure your web server can access that file. \n";
+ exit(1);
+}
+
+$timelp = filemtime($ossec_log);
+$fh = fopen($ossec_log, "r");
+if(!$fh)
+{
+ exit(1);
+}
+
+if(filesize($ossec_log) > 30000)
+{
+ fseek($fh, -30000, SEEK_END);
+ $line = fgets($fh, 4096);
+}
+
+
+$lastlines = array();
+$event = array();
+while($line = fgets($fh, 4096))
+{
+ $line = trim($line);
+ if($line == "")
+ {
+ continue;
+ }
+
+ if(strncmp($line, "** Alert ", 9) == 0)
+ {
+ if(strncmp($event, "** Alert ", 9) == 0)
+ {
+ array_push($lastlines, $event);
+ }
+ unset($event);
+ $event = array();
+ $event[] = htmlspecialchars($line);
+ }
+ else
+ {
+ $event[] = htmlspecialchars($line);
+ }
+}
+fclose($fh);
+
+$lastlines = array_reverse($lastlines);
+$myhost = gethostname();
+if($myhost === FALSE)
+{
+ $myhost = "";
+}
+
+echo '<?xml version="1.0" encoding="UTF-8"?>
+<?xml-stylesheet href="/css/rss.css" type="text/css"?>
+<rss version="2.0">
+<channel>
+<title>OSSEC '.$myhost.' RSS Feed</title>
+<link>http://ossec.net</link>
+<description>OSSEC RSS Feed for '.$myhost.'</description>
+<language>en-us</language>
+<lastBuildDate>'.date("r", $timelp).'</lastBuildDate>
+<pubDate>'.date("r", $timelp).'</pubDate>
+<copyright>(C) OSSEC.net 2008-2011</copyright>
+<generator>OSSEC.net RSS feed</generator>
+<ttl>30</ttl>
+<webMaster>dcid@ossec.net</webMaster>
+
+<image>
+ <title>OSSEC Alert Feed</title>
+ <url>http://www.ossec.net/img/ossec_logo.jpg</url>
+ <link>http://ossec.net</link>
+</image>
+';
+
+foreach($lastlines as $myentry)
+{
+echo $myentry;
+
+ if(preg_match("/^.. Alert (\d+)\./", $myentry[0], $regs, PREG_OFFSET_CAPTURE, 0))
+ {
+ $myunixtime = $regs[1][0];
+ }
+ else
+ {
+ continue;
+ }
+
+
+ echo '
+ <item>
+ <title>'.$myentry[2]." ,from ".substr($myentry[1], 20).'</title>
+ <link>http://ossec.net</link>
+ <guid isPermaLink="false">'.$myentry[0].'</guid>
+ <description><![CDATA[';
+
+ foreach($myentry as $myline){ echo $myline."<br />\n"; }
+
+ echo '
+ ]]></description>
+ <pubDate>'.date("r", $myunixtime).'</pubDate>
+ </item>
+ ';
+}
+
+echo '
+</channel>
+</rss>
+';
+
+
+?>