On Tue, Mar 11, 2014 at 11:01 AM, Aaron Hunter <[email protected]> wrote:

> I suppose asking you to completely modularize OSSEC is a lot to ask. :) I'm
> sure you are correct about the OSSEC agent vs. logstash. It wasn't so much
> an issue with the agent, rather a desire to have a simple pipe-and-filter
> style logging architecture.
>
> Since the OSSEC agent sends all the logs to the OSSEC server, would it be
> possible to have the server act as a pass-through and forward all log events
> received through the syslog client? That way I could have logstash (acting
> as a syslog server) receive all the logs. Not exactly what I was looking for
> but that would certainly work. Alternatively, finer-grained user control
> over how the archive (<logall>) files are stored on the OSSEC server might
> work as well.
>
> Slightly off topic but I wonder if the venerable syslog might be on its way
> out in favor of newer protocols and structured formats? Probably not, given
> the almost geological pace at which core IT infrastructure changes. Still,
> it might be a positive development. If OSSEC does decide to support JSON (or
> other format) I would be glad to help out with the conversion process.

We like pull requests: https://github.com/ossec/ossec-hids
Join in and help out.

> Cheers,
> Aaron
>
> On Tuesday, March 11, 2014 9:55:34 AM UTC-4, Joshua Garnett wrote:
>>
>> Aaron,
>>
>> Almost all of the pre-existing rules are built around the analysis of
>> syslog or similar formatted lines. To support JSON input would be a sizable
>> undertaking. Assuming you had the right JSON format, you'd probably want to
>> skip phase 1 of the log analysis. All of that said, I've found the OSSEC
>> agent to be much more lightweight than logstash. Typically each of the 4
>> processes is using under 2MB of memory and only occasionally spikes to 2% CPU
>> usage. Also, you'll need the agent running in order to support file
>> integrity checking and active response from the server.
>>
>> My recommendation would be to configure logstash to stop forwarding logs
>> that OSSEC can handle. Well-tuned OSSEC rules really help with the signal
>> to noise ratio of some of the logs. Also, if you are concerned with the
>> overhead of running two client apps, consider using lumberjack
>> (logstash-forwarder) instead of logstash.
>> https://github.com/elasticsearch/logstash-forwarder
>>
>> --Josh
>
> --
> You received this message because you are subscribed to the Google Groups
> "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to [email protected].
> For more options, visit https://groups.google.com/d/optout.
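Aaron's two fallback ideas above, finer control over the `<logall>` archive on the server and a JSON representation of the events, can be bridged today without changing OSSEC itself: let the server keep writing its archive and convert that file downstream. The script below is an added example written for this thread, not code from the OSSEC project or from anyone in the discussion. It assumes the archives.log line layout that OSSEC 2.x produces when `<logall>yes</logall>` is set in `<global>` (`YYYY Mon DD HH:MM:SS [(agent) ip] hostname->location raw_log`); that layout is stated here from memory, so check it against a line from your own server before relying on the regular expression. The sample lines are constructed, not captured from a real system.

```python
"""Convert OSSEC archives.log (<logall>) lines into JSON records.

Added example, not OSSEC project code. The line layout assumed here is
    YYYY Mon DD HH:MM:SS (agent) ip->location raw_log     # from an agent
    YYYY Mon DD HH:MM:SS hostname->location raw_log       # server-local log
which is how OSSEC 2.x writes archives.log as far as the author of this
example knows; verify it against your own server before relying on it.
"""
import json
import re
from datetime import datetime

# Constructed sample lines; not taken from a real server.
SAMPLE_ARCHIVE = """\
2014 Mar 11 11:01:02 (web01) 192.0.2.10->/var/log/auth.log Mar 11 11:01:02 web01 sshd[2231]: Failed password for invalid user admin from 198.51.100.7 port 51034 ssh2
2014 Mar 11 11:01:03 ossec-server->/var/log/syslog Mar 11 11:01:03 ossec-server cron[411]: (root) CMD (run-parts /etc/cron.hourly)
2014 Mar 11 11:01:04 (web01) 192.0.2.10->/var/log/auth.log Mar 11 11:01:04 web01 sshd[2231]: Accepted publickey for deploy from 192.0.2.50 port 40122 ssh2
this line is not in archive format
"""

# Agent lines carry "(agent_name) ip->location"; server-local lines carry
# "hostname->location". Both end with the untouched raw log message.
ARCHIVE_RE = re.compile(
    r"^(?P<year>\d{4}) (?P<mon>[A-Z][a-z]{2}) (?P<day>\d{1,2}) "
    r"(?P<time>\d\d:\d\d:\d\d) "
    r"(?:\((?P<agent>[^)]+)\) (?P<agent_ip>\S+)->|(?P<hostname>\S+)->)"
    r"(?P<location>\S+) (?P<log>.*)$"
)


def parse_archive_line(line):
    """Return a dict for one archives.log line, or None if it does not match."""
    m = ARCHIVE_RE.match(line.rstrip("\n"))
    if not m:
        return None
    stamp = "%s %s %s %s" % (
        m.group("year"), m.group("mon"), m.group("day"), m.group("time"))
    ts = datetime.strptime(stamp, "%Y %b %d %H:%M:%S")
    rec = {
        "@timestamp": ts.isoformat(),
        "host": m.group("agent") or m.group("hostname"),
        "source": "agent" if m.group("agent") else "server",
        "location": m.group("location"),
        "message": m.group("log"),
    }
    if m.group("agent_ip"):
        rec["agent_ip"] = m.group("agent_ip")
    return rec


def archive_to_records(text):
    """Parse archive text into (list of dicts, number of skipped lines).

    Lines that do not match are counted and skipped rather than raising,
    because one malformed line must not stop the forwarding pipeline.
    """
    records, skipped = [], 0
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = parse_archive_line(line)
        if rec is None:
            skipped += 1
            continue
        records.append(rec)
    return records, skipped


def archive_to_json_lines(text):
    """One JSON object per line, ready for a json_lines style consumer."""
    records, skipped = archive_to_records(text)
    return [json.dumps(r, sort_keys=True) for r in records], skipped


if __name__ == "__main__":
    out, bad = archive_to_json_lines(SAMPLE_ARCHIVE)
    for js in out:
        print(js)
    print("skipped %d unparseable line(s)" % bad)
```

Point logstash's file input at the script's output (or run the conversion inside a filter) and the server becomes the pass-through Aaron describes, with the original syslog text preserved in `message` so the existing OSSEC rules on the server are unaffected. Note that `<logall>` can be very high-volume on a busy server, so rotate the archive and watch disk usage on the OSSEC host.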
