[ossec-list] Re: Help needed with Ossec implementation

2016-03-03 Thread Pedro S
Hi,

If you need to forward to Elastic all the events (not only alerts), try to 
enable the option *<logall_json>yes</logall_json>* (available at Wazuh Fork) 
like this:

ossec.conf

  <global>
    <logall_json>yes</logall_json>
  </global>

You will find a log file at /var/ossec/logs/archives/archives.json, then 
set up a Logstash conf file to read from that file:

input {
  file {
    type => "ossec-alerts"
    path => "/var/ossec/logs/archives/*archives*.json"
    codec => "json"
  }
}

Set the output to the Elasticsearch server:

output {
  elasticsearch {
    hosts => ["your_elastic_search_ip:9200"]
    index => "ossec-%{+YYYY.MM.dd}"
    document_type => "ossec"
    template => "/etc/logstash/elastic-ossec-template.json"
    template_name => "ossec"
    template_overwrite => true
  }
}

If everything goes well, you should see on Kibana every log collected by your 
OSSEC agents.

Be careful, the archives option collects *everything*, so archives.json/log and 
the Elasticsearch indexes will be huge if you have a large deployment.

Regards,

Pedro S.


On Thursday, March 3, 2016 at 11:07:05 AM UTC+1, Bhuvanesh Bhuvanachandran 
wrote:
>
> Hi Folks,
>
> I am new to Ossec, and trying out the functionalities of Ossec for a 
> requirement in my company. I need some help with some of the concepts that 
> I am trying to achieve.
>
> Basically I am using a combination of Ossec + Logstash + Elasticsearch + 
> Kibana to get the things visualized in a useful way. All these components 
> are integrated successfully.
>
> I have one apache web server (for testing purposes) which is monitored by 
> an Ossec agent and the results are getting shipped to the Ossec server. But 
> when looking at the syslog output of the Ossec server I can only see some 
> suspicious/error log entries of apache, like log entries with 400 error 
> code, that trigger some Ossec rules. From an IDS point of view it is perfect. 
> But I need all logs getting shipped to a central server.
>
> What I am expecting here is, I want to get all logs of apache (including 
> 200 status code) shipped to the Ossec server and made available at the 
> syslog output of the Ossec server so that logstash can further parse the logs.
>
> Is this something possible with Ossec? If it is, how can I achieve this? 
> Please advise.
>
> Thanks & Regards,
>
> Bhuvanesh
>

-- 

--- 
You received this message because you are subscribed to the Google Groups 
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to ossec-list+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
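Added example (not from the thread, and not OSSEC or Wazuh project code): a small Python reader that does offline what the Logstash file input with the json codec above does to archives.json, so you can check what logall_json will ship before pointing it at Elasticsearch. It parses one JSON object per line (tolerating a broken line, as the codec does), pulls the Apache status code out of full_log the way a grok filter would downstream, counts which events would also have appeared in the alerts stream, and extrapolates daily index volume for the sizing caveat. The sample lines, the field names (agent, location, full_log, rule) and the keep_for_elastic pre-filter are assumptions constructed for this example.

```python
import json
import re
from collections import Counter

# Constructed sample in the one-JSON-object-per-line shape that the
# logall_json option writes to archives.json. Field names (agent, location,
# full_log, rule) are assumed here, modelled on the Wazuh event layout; a real
# archives.json carries more fields. The last line is deliberately malformed.
SAMPLE_ARCHIVES = r'''
{"timestamp":"2016-03-03T10:00:01+0100","agent":{"id":"001","name":"web01"},"location":"/var/log/apache2/access.log","full_log":"10.0.0.5 - - [03/Mar/2016:10:00:01 +0100] \"GET /index.html HTTP/1.1\" 200 1043"}
{"timestamp":"2016-03-03T10:00:02+0100","agent":{"id":"001","name":"web01"},"location":"/var/log/apache2/access.log","full_log":"10.0.0.5 - - [03/Mar/2016:10:00:02 +0100] \"GET /nope HTTP/1.1\" 404 209"}
{"timestamp":"2016-03-03T10:00:03+0100","agent":{"id":"001","name":"web01"},"location":"/var/log/apache2/access.log","full_log":"10.0.0.7 - - [03/Mar/2016:10:00:03 +0100] \"GET /%27 HTTP/1.1\" 400 301","rule":{"level":6,"id":"31101","description":"Web server 400 error code."}}
{"timestamp":"2016-03-03T10:00:04+0100","agent":{"id":"001","name":"web01"},"location":"/var/log/auth.log","full_log":"Mar  3 10:00:04 web01 sshd[2231]: Accepted publickey for deploy from 10.0.0.9 port 50122 ssh2"}
not json at all
'''

# Status code and size at the end of an Apache common/combined log line.
APACHE_STATUS_RE = re.compile(r'"\s(\d{3})\s(?:\d+|-)\s*$')


def parse_archives(text):
    """Parse archives.json content line by line, as Logstash's json codec would.
    Returns (events, malformed_count); a broken line is counted, not fatal."""
    events, malformed = [], 0
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            obj = json.loads(line)
        except ValueError:
            malformed += 1
            continue
        if not isinstance(obj, dict):
            malformed += 1
            continue
        events.append(obj)
    return events, malformed


def apache_status(event):
    """Status code from an Apache access-log line, or None for other logs."""
    m = APACHE_STATUS_RE.search(event.get("full_log", ""))
    return int(m.group(1)) if m else None


def is_alert(event):
    """Only events that matched a rule would also show up as alerts."""
    return "rule" in event


def summarize(events):
    """Counts showing what archives.json carries beyond the alert stream."""
    statuses = Counter(s for s in map(apache_status, events) if s is not None)
    return {
        "events": len(events),
        "alerts": sum(1 for e in events if is_alert(e)),
        "apache_status": dict(statuses),
        "avg_event_bytes": sum(len(json.dumps(e)) for e in events) // max(len(events), 1),
    }


def keep_for_elastic(event):
    """Illustrative pre-filter (an assumption, not from the thread): forward
    every Apache access-log line plus anything that raised an alert, drop the
    rest. In Logstash this is a conditional around drop {} in the filter block."""
    return event.get("location", "").endswith("access.log") or is_alert(event)


def estimate_daily_bytes(avg_event_bytes, events_per_second):
    """Rough sizing for the caveat that archives make the indexes huge."""
    return avg_event_bytes * events_per_second * 86400


if __name__ == "__main__":
    evs, bad = parse_archives(SAMPLE_ARCHIVES)
    stats = summarize(evs)
    print(stats, "malformed lines:", bad)
    print("kept for Elasticsearch:", sum(1 for e in evs if keep_for_elastic(e)))
    print("daily bytes at 100 events/s:", estimate_daily_bytes(stats["avg_event_bytes"], 100))
```

Run as-is it shows that the 200 and 404 lines reach archives.json even though only the 400 line matched a rule, which is exactly the difference between the alerts output the original question saw and the archives output this thread enables. The keep_for_elastic predicate is the knob for taming the index growth warned about above while still keeping the 200s the question asked for.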


[ossec-list] Re: Help needed with Ossec implementation

2016-03-30 Thread Bhuvanesh Bhuvanachandran
Thanks Guys!!

The solution given here worked!

Regards,
Bhuvanesh

