I use OSSEC and splunk and find the output quite readable.  The difference 
is that I use the OSSEC server to send syslog to the splunk server rather 
than having it parse the files.  For the few servers that I have been testing 
OSSEC on (about 10), the output has been easy to parse for the events I have 
been looking for.

-----Original Message-----
From: ossec-list@googlegroups.com [mailto:[EMAIL PROTECTED] On Behalf Of 
shadejinx
Sent: Thursday, November 20, 2008 2:26 PM
To: ossec-list; Dave Cushing
Subject: [ossec-list] OSSEC via Splunk
So far, I have been unimpressed with the WUI and decided to use Splunk
as the interface to OSSEC.  If you don't know what Splunk is, head to
www.splunk.com and check it out.  It's a fantastic product for
correlating log data, and there's a free version that's perfect for
the volume of data output by OSSEC.

**Disclosure: I don't work for Splunk, but I would in a heartbeat.

So here's how it works...  OSSEC agents are installed on servers,
reporting to the OSSEC Server.  Splunk uses the /var/ossec/log/
alerts.log file as an input and voila, you're done.... well not quite...

The alert structure of OSSEC is not as machine readable as Splunk
would like, so there's some customization that has to take place in
order to get the best information out of it.  But when you do, you get
access to Splunk's extremely powerful parsing and statistics engine
that can generate excellent graphs and reports as well as provide a
very powerful Google-like search interface on all your OSSEC data.

So you might be asking: Why don't you just use Splunk to handle all
your log data?

Excellent question, and the answer is twofold.  One, Splunk is not an
automatic event correlator.  It can't do the "If you see this event 10
times in 20 minutes, followed by this event, throw this flag" thing
automatically.  (Even though "Transaction Types" is getting close,
it's still not quite good enough.)  It is, however, the best manual
event correlator.  It's the tool I would turn to when I'm
researching the flag thrown by OSSEC in the above event.

And two: money.  Splunk recently got expensive, so instead of having
Splunk handle all my immense amount of log data and pay tons of cash,
I downloaded the free version and it handles the output of OSSEC.  If
you have the cash, I *highly* recommend running both.

My question: Is there a way to get a more machine readable output to
feed something like Splunk or swatch?  Could this be a wishlist
feature?
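Added example, written for this thread and not code from either poster or from the OSSEC project: a small parser that turns the multi-line alerts.log blocks the original message calls "not as machine readable as Splunk would like" into flat records that a tool like Splunk or swatch can index directly. The sample alert text is constructed; its layout follows the standard OSSEC alerts.log format (header, location, rule, optional fields, raw log line), and the field names in the output are my own choice.

```python
import re

# Constructed sample in the standard OSSEC alerts.log layout: header, location,
# "Rule:" line, optional "Src IP:"/"User:" lines, then the matched raw log line.
SAMPLE_ALERTS = """\
** Alert 1227209160.5120: - syslog,sshd,authentication_failed,
2008 Nov 20 14:26:00 (web01) 192.0.2.10->/var/log/auth.log
Rule: 5716 (level 5) -> 'SSHD authentication failed.'
Src IP: 198.51.100.7
User: root
Nov 20 14:25:59 web01 sshd[2201]: Failed password for root from 198.51.100.7 port 51022 ssh2

** Alert 1227209230.5301: mail - syslog,sshd,authentication_failures,
2008 Nov 20 14:27:10 ossec-server->/var/log/secure
Rule: 5720 (level 10) -> 'Multiple SSHD authentication failures.'
Src IP: 198.51.100.7
Nov 20 14:27:09 ossec-server sshd[2210]: Failed password for admin from 198.51.100.7 port 51030 ssh2
"""

HEADER = re.compile(r"^\*\* Alert (?P<ts>\d+\.\d+): (?:(?P<flags>\S+) )?- (?P<groups>.+?),?$")
RULE = re.compile(r"^Rule: (?P<rule_id>\d+) \(level (?P<level>\d+)\) -> '(?P<desc>.*)'$")
AGENT = re.compile(r"^\((?P<agent>[^)]+)\) (?P<agent_ip>\S+)->(?P<location>.*)$")
FIELD = re.compile(r"^(Src IP|Dst IP|User): (.*)$")

def parse_alerts(text):
    """Return one flat dict per alert block, ready for JSON or key=value export."""
    records = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = block.splitlines()
        head = HEADER.match(lines[0]) if len(lines) >= 3 else None
        rule = RULE.match(lines[2]) if head else None
        if not (head and rule):
            continue  # not a well-formed alert: skip it rather than mis-index it
        rec = {"timestamp": float(head["ts"]), "mail": head["flags"] == "mail",
               "groups": head["groups"].split(","), "rule_id": int(rule["rule_id"]),
               "level": int(rule["level"]), "description": rule["desc"]}
        # Line 2 is "YYYY Mon DD HH:MM:SS" then "(agent) ip->location" for agent
        # events, or "host->location" for logs read on the OSSEC server itself.
        parts = lines[1].split(" ", 4)
        rec["time"], src = " ".join(parts[:4]), AGENT.match(parts[4])
        if src:
            rec.update(agent=src["agent"], agent_ip=src["agent_ip"], location=src["location"])
        else:
            rec["agent"], _, rec["location"] = parts[4].partition("->")
        fields = [FIELD.match(l) for l in lines[3:]]
        rec.update((m[1].lower().replace(" ", "_"), m[2]) for m in fields if m)
        # Lines that are not a known "Key: value" pair are the original log text.
        rec["full_log"] = "\n".join(l for l, m in zip(lines[3:], fields) if m is None)
        records.append(rec)
    return records
```

Each returned dict can be emitted as one JSON line or as `key=value` pairs, which both Splunk and swatch handle without per-alert customization.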