Aaron,

Almost all of the pre-existing rules are built around analyzing syslog or similarly formatted lines. To support JSON input would be a sizable undertaking. Assuming you had the right JSON format, you'd probably want to skip phase 1 of the log analysis.

All of that said, I've found the OSSEC agent to be much more lightweight than logstash. Typically each of the 4 processes is using under 2MB of memory and only occasionally spikes to 2% CPU usage. Also, you'll need the agent running in order to support file integrity checking and active response from the server.

My recommendation would be to configure logstash to stop forwarding logs that OSSEC can handle. Well-tuned OSSEC rules really help with the signal-to-noise ratio of some of the logs. Also, if you are concerned with the overhead of running two client apps, consider using lumberjack (logstash-forwarder) instead of logstash.

https://github.com/elasticsearch/logstash-forwarder

--Josh

On Tue, Mar 11, 2014 at 7:54 AM, Aaron Hunter <[email protected]> wrote:

> I recently discovered OSSEC and find it a great tool. My thanks to the
> developers for their hard work on this product. I especially like the log
> events rules engine.
>
> My issue is that I am finding it a challenge to integrate OSSEC into my
> logging architecture. I don't see a way, and I hope this is just my
> inexperience, to feed OSSEC logs from other networked sources instead of
> the OSSEC agent on the clients. For the sake of this discussion, let's say
> I have the following logging architecture:
>
> Client Host -> logstash -> zeroMQ -> logstash server -> elasticsearch cluster
>
> I would like to have OSSEC also receive all the log events via zeroMQ sent
> by the logstash clients, process the events in its rules engine, and then
> send any alerts to the logstash server. It would be helpful if the log
> events could be structured JSON rather than syslog format lines.
>
> I don't want the OSSEC client agent to send the logs to the OSSEC server
> since I have another component (in this case logstash) doing that already
> and would like to avoid redundant traffic and administration. As far as I
> can tell there is no current way to send logs to an OSSEC server directly
> via some network protocol such as zeroMQ. I did see that support for zeroMQ
> *output* has been added and that JSON export also seems to be available. Perhaps
> you would consider adding zeroMQ and JSON input functionality as well?
>
> Cheers,
> Aaron
>
> --
>
> ---
> You received this message because you are subscribed to the Google Groups
> "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to [email protected].
> For more options, visit https://groups.google.com/d/optout.
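Josh's point that the existing rules are built around syslog-style lines (phase 1 of the analysis pulls the timestamp, hostname and program name off the front of each line) can be illustrated with an added example; this is not code from OSSEC, logstash or either poster. It assumes logstash-style JSON events carrying `@timestamp`, `host` and `message`, plus `program`/`pid` fields the shipper is assumed to add, and renders each as a single syslog line that the pre-decoder can consume.

```python
import json
from datetime import datetime

# Constructed sample events shaped like logstash output; 'program'/'pid' are assumed.
SAMPLE_EVENTS = [
    '{"@timestamp":"2014-03-11T07:54:00.000Z","host":"web01","program":"sshd",'
    '"pid":4321,"message":"Failed password for invalid user admin from 198.51.100.7 port 22 ssh2"}',
    '{"@timestamp":"2014-03-11T07:54:02Z","host":"web01","message":"kernel: line with\\nembedded newline"}',
    '{"host":"db02","program":"cron","message":"pam_unix(cron:session): session opened for user root"}',
]

def _syslog_timestamp(ts, fallback):
    """ISO-8601 @timestamp -> 'Mar 11 07:54:00' (day space-padded as syslogd writes it)."""
    dt = fallback
    if ts:
        for fmt in ("%Y-%m-%dT%H:%M:%S.%fZ", "%Y-%m-%dT%H:%M:%SZ"):
            try:
                dt = datetime.strptime(ts, fmt)
                break
            except ValueError:
                continue
    return f"{dt:%b} {dt.day:2d} {dt:%H:%M:%S}"

def to_syslog_line(event, fallback_time=datetime(1970, 1, 1)):
    """Render one event as '<timestamp> <host> <program>[<pid>]: <message>'."""
    stamp = _syslog_timestamp(event.get("@timestamp"), fallback_time)
    # A missing or blank host still yields a parseable line rather than a dropped event.
    host = (str(event.get("host") or "").split() or ["unknown-host"])[0]
    # OSSEC reads one event per line; a multi-line message would otherwise be
    # split into fragments that no rule matches, so collapse all whitespace.
    message = " ".join(str(event.get("message", "")).split())
    tag = ""
    if event.get("program"):
        tag = str(event["program"])
        if event.get("pid") is not None:
            tag += f"[{event['pid']}]"
        tag += ": "
    return f"{stamp} {host} {tag}{message}"

def convert_events(raw_lines, fallback_time=datetime(1970, 1, 1)):
    """Parse newline-delimited JSON; malformed or non-object input is skipped."""
    out = []
    for raw in raw_lines:
        try:
            event = json.loads(raw)
        except ValueError:
            continue
        if isinstance(event, dict):
            out.append(to_syslog_line(event, fallback_time))
    return out
```

Events without a `program` field still pre-decode (timestamp and host), but the whole remainder is treated as the message, so program-specific decoders will not fire on them.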
