I'm revisiting a problem I have developed various hacks for over the
years, but I have never been fully satisfied with any of the solutions.
The problem is essentially this: in a mixed platform environment, how
can the ossec agent send all of the logs to the manager, and the manager
then spit out raw logs in a nice, consumable way for better archival
purposes?

archives.log has these issues:
1. It's not syslog format (boooo)
2. Some logs are multi-line
3. Some logs are kind of unnecessary (e.g. keepalive)
4. It's monolithic and not easily indexable

In the past, I have written syslog-ng filters to parse this log and spit
it out to the filesystem the way I like it: separated into something
like /data/logs/$HOST/$HOST.log. But then I have two copies of every
log. And this is before indexing with something like ELSA. Then I have
Sphinx indexes and logs in MySQL to boot. Ugh. With a lot of logs, the
disk space adds up.

A while back I figured out that I could connect syslog-ng to the ossec
socket using only the remoted daemon
(http://www.immutablesecurity.com/index.php/2010/01/29/using-ossec-for-encrypted-log-transport/).
That approach almost works. I can use the syslog filters to parse the
logs from the socket before they get written to the destination, but then
stuff like syscheck doesn't work correctly.

Another option is to use <insert log agent here> to ship full logs, then
use ossec for just file integrity, etc. I then read the logs locally on
the manager with analysisd. This works, but it's two agents to maintain
and one of them is usually unencrypted.

Is there a one-agent solution here to have full OSSEC functionality,
while still having decent log archiving and indexing? What do you guys
do for larger installations where full log archiving is necessary?
--
Michael Starks
[I] Immutable Security
http://www.immutablesecurity.com
---
You received this message because you are subscribed to the Google Groups "ossec-list" group.