On Wed, Jul 20, 2011 at 3:49 PM, James M Pulver <jmp...@cornell.edu> wrote:
> I'm actually looking at using logstash (I prefer FLOSS software to ones where 
> I have to pay per data and hosts), but writing the parser will require some 
> work.
>

I was going to start looking into that. Have you started with a parser
or anything yet?
I think having a parser work around the format of the ossec syslog
messages is the way to go. I don't want my manager to "spoof" syslog
messages to make them look like they're coming from agent1 instead.
This just seems wrong to me.

> --
> James Pulver
> Information Technology Area Supervisor
> LEPP Computer Group
> Cornell University
>
>
> -----Original Message-----
> From: ossec-list@googlegroups.com [mailto:ossec-list@googlegroups.com] On 
> Behalf Of Kat
> Sent: Wednesday, July 20, 2011 3:00 PM
> To: ossec-list
> Subject: [ossec-list] Re: Have OSSEC generated syslogs more "correct"
>
> Take a look at www.logzilla.pro (there is a community edition) which
> has a separate OSSEC filter that formats the ossec log entries
> correctly. Source is included, so you could see how it is done. The
> plugin for Splunk does the same thing - it pulls the entry apart and
> formats correctly.  But I think you will find that logzilla.pro can do
> more for you with centralized logging, including OSSEC.. It makes
> searching so much faster.
>
> -Kat
>
> On Jul 20, 1:51 pm, James M Pulver <jmp...@cornell.edu> wrote:
>> I'm looking at using syslog from the OSSEC server to a web frontend of a 
>> sort, and I'm not sure they're the best format they could be. That said, I 
>> also don't know if part of it is the syslog standard.
>>
>> It seems to me that the source_host should be the OSSEC location, not the 
>> server where OSSEC is installed for instance. It would also seem to make 
>> sense if the severity for syslog was mapped as much as possible between the 
>> OSSEC level and for syslog...
>>
>> --
>> James Pulver
>> Information Technology Area Supervisor
>> LEPP Computer Group
>> Cornell University
>

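As an added example that is not code from this thread, OSSEC or logstash, the parser shape discussed above: it reads OSSEC's default syslog alert lines, re-homes each event on the agent named in the Location field rather than on the OSSEC server that relayed it, and maps the OSSEC level to a syslog severity. The line format, the sample lines and the level-to-severity table are all assumptions, not taken from the thread.

```ruby
require 'json'
# Constructed sample lines in the shape of OSSEC's default syslog output
# (assumed format; compare against your own feed before trusting the patterns).
SAMPLE_LINES = [
  'Jul 20 15:49:01 ossec-server ossec: Alert Level: 7; Rule: 5716 - SSHD authentication failed.; ' \
  'Location: (agent1) 10.1.2.3->/var/log/auth.log; srcip: 203.0.113.9; user: root; ' \
  'Failed password for root from 203.0.113.9 port 5122 ssh2',
  'Jul 20 15:49:02 ossec-server ossec: Alert Level: 3; Rule: 5501 - Login session opened.; ' \
  'Location: ossec-server->/var/log/secure; user: jmp; pam_unix(sshd:session): session opened for user jmp'
].freeze

HEADER = /\A(?<ts>\w{3} [ \d]\d \d\d:\d\d:\d\d) (?<relay>\S+) ossec: (?<body>.*)\z/
ALERT  = /\AAlert Level: (?<level>\d+); Rule: (?<rule>\d+) - (?<desc>[^;]*); Location: (?<loc>[^;]*);\s*(?<rest>.*)\z/
LOC    = /\A(?:\((?<agent>[^)]+)\) (?<ip>\S+)|(?<local>\S+))->(?<path>.*)\z/

# Assumed OSSEC level (0-15) to syslog severity (0-7) mapping; adjust to local policy.
def syslog_severity(level)
  case level
  when 0..3   then 6 # informational
  when 4..6   then 5 # notice
  when 7..9   then 4 # warning
  when 10..11 then 3 # error
  when 12..13 then 2 # critical
  else             1 # alert
  end
end

# Returns a hash keyed on the reporting agent, or nil if the line is not an OSSEC alert.
def parse_ossec_alert(line)
  h = HEADER.match(line) or return nil
  a = ALERT.match(h[:body]) or return nil
  l = LOC.match(a[:loc]) or return nil
  level = a[:level].to_i
  fields = {}
  rest = a[:rest]
  # Leading "key: value;" pairs (srcip, user, ...) come before the raw log message;
  # stop at the first token that is not of that form.
  while (m = /\A(?<k>\w+): (?<v>[^;]*); /.match(rest))
    fields[m[:k]] = m[:v]
    rest = m.post_match
  end
  { timestamp: h[:ts], relay: h[:relay],
    source_host: l[:agent] || l[:local],   # the agent, not the relaying OSSEC server
    agent_ip: l[:ip], log_path: l[:path],
    level: level, severity: syslog_severity(level),
    rule: a[:rule].to_i, description: a[:desc], fields: fields, message: rest }
end

SAMPLE_LINES.each { |line| puts JSON.generate(parse_ossec_alert(line)) } if __FILE__ == $PROGRAM_NAME
```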