On 2014-03-11 10:01, Aaron Hunter wrote:

Since the OSSEC agent sends all the logs to the OSSEC server, would it
be possible to have the server act as a pass-through and forward all
log events received through the syslog client? That way I could have
logstash (acting as a syslog server) receive all the logs. Not exactly
what I was looking for but that would certainly work. Alternatively,
finer-grained user control over how the archive (<logall>) files are
stored on the OSSEC server might work as well.

I have done this in several environments. I know what you mean about not wanting to run more than one agent. I still have to run more than one agent in most cases, which is annoying.

What I generally do when OSSEC is forwarding the logs is to have syslog-ng parse out archives.log and then send it to local destinations based on the agent name. This suits me better than the one, monolithic logfile that archives.log is. I also send alerts through the client syslog functionality to ELSA so I have a record of those in a fast, indexed UI. Ideally, archives.log would just be syslog format, but it's not at the moment, so some special parsing is required.

Slightly off topic but I wonder if the venerable syslog might be on
its way out in favor of newer protocols and structured formats?
Probably not, given the almost geological pace at which core IT
infrastructure changes. Still, it might be a positive development. If
OSSEC does decide to support JSON (or other format) I would be
glad to help out with the conversion process.

Structured data is definitely the future. It just takes far too much time to understand free-flow log formats and write decoders for them when that time could be better spent learning from attacks and writing better rules to detect them. OSSEC is definitely moving in this direction, but I also don't see the legacy stuff going away any time forward. Getting people to use structured data for logs is like getting them to move to IPv6. It will happen.... some day.

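The two ideas in the reply above, splitting archives.log per agent name and emitting structured (JSON) records instead of free-form lines, are shown together in the added example below. This is an editor's illustration, not code from OSSEC or from either poster: the syslog-ng approach described in the thread is replaced by a small Python script so it can run stand-alone. It assumes the archives.log line layout `YYYY Mon DD HH:MM:SS (agent) ip->location original-line` (with no `(agent) ip` part for the server's own events); the sample lines, the script name and the output directory are constructed for the example.

```python
import json
import re
import sys
from collections import defaultdict
from pathlib import Path

# Assumed layout of the OSSEC server's logs/archives/archives.log (<logall>):
#   "YYYY Mon DD HH:MM:SS (agent-name) agent-ip->location original log line"
# Events the server collects from itself carry no "(agent) ip" part:
#   "YYYY Mon DD HH:MM:SS hostname->location original log line"
ARCHIVE_RE = re.compile(
    r"^(?P<ts>\d{4} [A-Z][a-z]{2} \d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?:\((?P<agent>[^)]+)\) (?P<ip>\S+?)|(?P<server>\S+?))"
    r"->(?P<location>\S+) (?P<log>.*)$"
)

# Constructed sample archives.log content (not a real capture); the last
# line is deliberately malformed to show how unparseable input is handled.
SAMPLE_ARCHIVE = """\
2014 Mar 11 10:01:00 (web01) 192.168.1.10->/var/log/auth.log Mar 11 10:00:59 web01 sshd[2104]: Failed password for root from 10.0.0.5 port 51234 ssh2
2014 Mar 11 10:01:01 (db01) 192.168.1.20->/var/log/messages Mar 11 10:01:00 db01 kernel: usb 1-1: new high-speed USB device number 4
2014 Mar 11 10:01:02 ossec-server->/var/log/secure Mar 11 10:01:01 ossec-server sudo: ops : TTY=pts/0 ; PWD=/home/ops ; COMMAND=/bin/ls
2014 Mar 11 10:01:03 (web01) 192.168.1.10->/var/log/auth.log Mar 11 10:01:02 web01 sshd[2104]: Accepted publickey for ops from 10.0.0.7 port 51235 ssh2
this line is not in archives.log format
"""


def parse_archive_line(line):
    """Return a dict for one archives.log line, or None if it does not match."""
    m = ARCHIVE_RE.match(line.rstrip("\r\n"))
    if m is None:
        return None
    g = m.groupdict()
    return {
        "timestamp": g["ts"],
        "agent": g["agent"] if g["agent"] is not None else g["server"],
        "source_ip": g["ip"],  # None for the server's own events
        "location": g["location"],
        "log": g["log"],
    }


def route_by_agent(lines):
    """Split lines into per-agent buckets, the way per-agent syslog-ng
    destinations would. Lines that do not parse are returned separately
    rather than silently dropped, so a format change is noticed."""
    routed = defaultdict(list)
    unparsed = []
    for line in lines:
        if not line.strip():
            continue
        event = parse_archive_line(line)
        if event is None:
            unparsed.append(line)
        else:
            routed[event["agent"]].append(event)
    return dict(routed), unparsed


def to_json_lines(events):
    """One JSON object per line; sort_keys gives a stable field order."""
    return [json.dumps(e, sort_keys=True) for e in events]


def safe_name(agent):
    """Agent names become file names, so anything outside [A-Za-z0-9._-]
    is replaced (an agent name must never be able to escape the directory)."""
    return re.sub(r"[^A-Za-z0-9._-]", "_", agent) or "unknown"


def write_per_agent(routed, out_dir):
    """Append each agent's events as JSON lines to <out_dir>/<agent>.json."""
    out = Path(out_dir)
    out.mkdir(parents=True, exist_ok=True)
    written = {}
    for agent, events in routed.items():
        target = out / (safe_name(agent) + ".json")
        with target.open("a", encoding="utf-8") as fh:
            fh.write("\n".join(to_json_lines(events)) + "\n")
        written[agent] = str(target)
    return written


if __name__ == "__main__":
    # Usage: python archives_to_json.py [archives.log] [output-dir]
    # With no arguments the constructed sample is used and files go to ./per-agent
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            lines = fh.readlines()
    else:
        lines = SAMPLE_ARCHIVE.splitlines()
    routed, unparsed = route_by_agent(lines)
    written = write_per_agent(routed, sys.argv[2] if len(sys.argv) > 2 else "per-agent")
    for agent, path in written.items():
        print(f"{agent}: {len(routed[agent])} event(s) -> {path}")
    if unparsed:
        print(f"{len(unparsed)} line(s) did not match the archives.log layout", file=sys.stderr)
```

The regex keeps the original log line intact in the `log` field, so downstream decoders still see exactly what the agent shipped; the OSSEC envelope (agent, source IP, location, server timestamp) is lifted into named fields instead of having to be re-parsed by every consumer.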