I recently discovered OSSEC and find it a great tool. My thanks to the developers for their hard work on this product. I especially like the log events rules engine.
My issue is that I am finding it a challenge to integrate OSSEC into my logging architecture. I don't see a way, and I hope this is just my inexperience, to feed OSSEC logs from other networked sources instead of the OSSEC agent on the clients.

For the sake of this discussion, let's say I have the following logging architecture:

Client Host -> logstash -> zeroMQ -> logstash server -> elasticsearch cluster

I would like to have OSSEC also receive all the log events via zeroMQ sent by the logstash clients, process the events in its rules engine, and then send any alerts to the logstash server. It would be helpful if the log events could be structured JSON rather than syslog format lines.

I don't want the OSSEC client agent to send the logs to the OSSEC server since I have another component (in this case logstash) doing that already and would like to avoid redundant traffic and administration.

As far as I can tell there is no current way to send logs to an OSSEC server directly via some network protocol such as zeroMQ. I did see that support for zeroMQ *output* has been added and that JSON export also seems to be available. Perhaps you would consider adding zeroMQ and JSON input functionality as well?

Cheers,
Aaron
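The one network input OSSEC does have today is remote syslog (`<remote><connection>syslog</connection>` with an `<allowed-ips>` entry for the sender). A small bridge that pulls the Logstash JSON events off ZeroMQ, flattens each one into a single syslog line, and forwards it over UDP to the OSSEC server gets the events into the rules engine without running an OSSEC agent on every client. The script below is an added example written for this thread; it is not code from the original post or from the OSSEC project. It assumes Logstash publishes events with its zeromq output and json codec (payload in the last multipart frame), that the OSSEC server listens for syslog on UDP 514 and allows the bridge host's IP, and that pyzmq is installed for the receiving side (imported only inside `run_bridge`, so the conversion function runs without it). The sample event and the user.notice priority are constructed for illustration.

```python
"""Bridge Logstash JSON events from a ZeroMQ socket to OSSEC's remote syslog input.

Added example for the ossec-list thread above; not part of OSSEC or Logstash.
Assumptions: Logstash zeromq output with json codec (event in the last frame),
OSSEC server with <remote><connection>syslog</connection> on UDP 514,
pyzmq available for run_bridge().
"""
import json
import socket
from datetime import datetime, timezone

# Constructed choice of syslog priority for forwarded events: facility user (1),
# severity notice (5) -> PRI = 1 * 8 + 5 = 13.
PRI = 1 * 8 + 5


def _sanitize(text):
    """Collapse control characters (including newlines) to spaces so one event
    can never be smuggled into OSSEC as several syslog lines."""
    return "".join(ch if ch >= " " and ch != "\x7f" else " " for ch in text)


def logstash_event_to_syslog(raw):
    """Convert one Logstash JSON event (bytes or str) into an RFC 3164 style line:
    '<PRI>Mon dd hh:mm:ss host program: message'. Returns None for input that is
    not a JSON object so a malformed event never stops the bridge."""
    try:
        event = json.loads(raw)
    except (ValueError, TypeError):
        return None
    if not isinstance(event, dict):
        return None

    # Logstash stamps events as ISO 8601 in @timestamp; fall back to "now".
    ts = event.get("@timestamp")
    try:
        dt = datetime.fromisoformat(ts.replace("Z", "+00:00"))
    except (ValueError, AttributeError):
        dt = datetime.now(timezone.utc)
    # RFC 3164 wants a space-padded day of month ("Mar  5").
    stamp = "%s %2d %s" % (dt.strftime("%b"), dt.day, dt.strftime("%H:%M:%S"))

    # "host" is a plain string in classic Logstash events and {"name": ...} in ECS layout.
    host = event.get("host", "unknown")
    if isinstance(host, dict):
        host = host.get("name", "unknown")
    program = event.get("program") or event.get("type") or "logstash"

    # Prefer the original log line; otherwise ship the whole event as compact JSON
    # so nothing is lost (OSSEC can still match it with custom decoders).
    message = event.get("message")
    if message is None:
        message = json.dumps(event, separators=(",", ":"), sort_keys=True)

    return "<%d>%s %s %s: %s" % (PRI, stamp, _sanitize(str(host)),
                                 _sanitize(str(program)), _sanitize(str(message)))


def run_bridge(zmq_endpoint, ossec_server, ossec_port=514, topology="pushpull"):
    """Receive events from Logstash over ZeroMQ and forward them to OSSEC via UDP syslog.
    'topology' mirrors the Logstash zeromq output setting (pushpull or pubsub)."""
    import zmq  # assumption: pyzmq is installed on the bridge host

    ctx = zmq.Context.instance()
    sock = ctx.socket(zmq.PULL if topology == "pushpull" else zmq.SUB)
    if topology == "pubsub":
        sock.setsockopt(zmq.SUBSCRIBE, b"")
    sock.connect(zmq_endpoint)
    udp = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    while True:
        frames = sock.recv_multipart()
        line = logstash_event_to_syslog(frames[-1])  # assumption: payload is the last frame
        if line is not None:
            udp.sendto(line.encode("utf-8", "replace"), (ossec_server, ossec_port))


if __name__ == "__main__":
    # Constructed sample event in the shape the Logstash json codec emits.
    sample = ('{"@timestamp":"2014-03-05T14:02:17.123Z","host":"web01","program":"sshd",'
              '"message":"Failed password for root from 203.0.113.5 port 4242 ssh2"}')
    print(logstash_event_to_syslog(sample))
    # To run the bridge for real (addresses are placeholders):
    # run_bridge("tcp://logstash-host:2120", "ossec-server.example", topology="pushpull")
```

Once the line lands in OSSEC's remote syslog queue it is decoded exactly as if an agent had shipped it, so the stock sshd rules fire on the sample above. Alerts can then be returned to the Logstash server by pointing the OSSEC syslog output (`<syslog_output>`) at a Logstash syslog or UDP input, which closes the loop the post asks for without duplicating client traffic.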
