Consider an OSSEC+Splunk integration servicing multiple segregated environments, where the OSSEC server acts as an event collector/processor common to all such environments and a Splunk forwarder, installed on the OSSEC server, sends all collected events over to the Splunk server.

Why would you want to rely on the Splunk forwarder rather than using syslog? Because you want to place, for instance, alert.env1.log in dedicated Indexer1, alert.env2.log in dedicated Indexer2, etc., and have dedicated views on Splunk for separate user accounts related to separate environments. That is, the main purpose is achieving total log data segregation between segregated environments.

So, I was just wondering whether that would be possible without having to manually process the common alert.log file. Hope the reason is clear now. Reinventing the wheel maybe?

S.

On Wednesday, March 19, 2014 12:43:59 PM UTC+1, dan (ddpbsd) wrote:
>
> On Wed, Mar 19, 2014 at 7:25 AM, Stephy <[email protected]> wrote:
> > Hi All,
> >
> > just wondering whether there would be a way to have separate alert.log files
> > generated by source IP (or even by agent name)? For instance, all inputs
> > from 192.168.1.0/24 go in alert1.log, all inputs from 192.168.2.0/24 go in
> > alert2.log, etc.
> >
> > Not sure whether the topic has already been covered in the past (at least,
> > under this perspective), but that would definitely be great to have.
> >
>
> Not possible without source code changes. What is the benefit to this?
> I can't think of a single reason I'd ever want this to happen to my
> logs.
>
> > Thanks in advance for any input on this!
> > S.
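The "manually process the common alert.log" step that the thread discusses, as an added example that is not code from the thread, OSSEC or Splunk: it parses entries in OSSEC alert.log format, picks the reporting agent's IP from each entry header, and buckets entries into alert.<env>.log files by subnet (the ROUTES table and the sample entries are constructed for illustration; entries without a parseable agent IP, such as the server's own events, go to alert.unrouted.log).

```python
import ipaddress
import re
from collections import defaultdict

# Hypothetical routing table: agent subnet -> environment suffix for alert.<env>.log.
ROUTES = [
    (ipaddress.ip_network("192.168.1.0/24"), "env1"),
    (ipaddress.ip_network("192.168.2.0/24"), "env2"),
]
# Second line of each alert: "<date> (<agent>) <ip>-><location>"; the "(agent)"
# part is absent for events the OSSEC server generates about itself.
HEADER_RE = re.compile(
    r"^\d{4} \w{3} \d{1,2} \d{2}:\d{2}:\d{2} (?:\((?P<agent>[^)]*)\) )?(?P<src>\S+?)->")
# Constructed sample in OSSEC alert.log format (entries are blank-line separated).
SAMPLE_ALERT_LOG = """\
** Alert 1395229439.1001: - syslog,sshd,authentication_failed,
2014 Mar 19 12:43:59 (web01) 192.168.1.10->/var/log/auth.log
Rule: 5716 (level 5) -> 'SSHD authentication failed.'
Src IP: 10.0.0.5

** Alert 1395229440.1002: mail  - ossec,syscheck,
2014 Mar 19 12:44:00 (db01) 192.168.2.20->syscheck
Rule: 550 (level 7) -> 'Integrity checksum changed.'

** Alert 1395229441.1003: - syslog,
2014 Mar 19 12:44:01 ossec-server->/var/log/messages
Rule: 1002 (level 2) -> 'Unknown problem somewhere in the system.'
"""

def agent_ip(entry):
    """IP of the reporting agent, or None when the header has no parseable IP."""
    m = HEADER_RE.match(entry.split("\n", 2)[1]) if "\n" in entry else None
    try:
        return ipaddress.ip_address(m.group("src")) if m else None
    except ValueError:  # a hostname instead of an address (server-local events)
        return None

def route_alerts(text, routes=ROUTES, default="unrouted"):
    """Group alert entries by environment according to the agent's subnet."""
    buckets = defaultdict(list)
    for entry in re.split(r"\n(?=\*\* Alert )", text.strip()):
        ip = agent_ip(entry)
        env = next((name for net, name in routes if ip is not None and ip in net), default)
        buckets[env].append(entry.strip())
    return dict(buckets)

if __name__ == "__main__":
    for env, entries in route_alerts(SAMPLE_ALERT_LOG).items():
        with open(f"alert.{env}.log", "a") as fh:  # one file per Splunk forwarder input
            fh.write("\n\n".join(entries) + "\n\n")
```

Run it against the live file with a tail-style reader (or on a rotation schedule) and point one forwarder input at each alert.<env>.log; a bucket keyed on the agent name from the same header works the same way.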
