So far, I have been unimpressed with the WUI and decided to use Splunk as the interface to OSSEC. If you don't know what Splunk is, head to www.splunk.com and check it out. It's a fantastic product for correlating log data, and there's a free version that's perfect for the volume of data output by OSSEC.
**Disclosure:** I don't work for Splunk, but I would in a heartbeat.

So here's how it works... OSSEC agents are installed on servers, reporting to the OSSEC server. Splunk uses the /var/ossec/log/alerts.log file as an input and voila, you're done... well, not quite... The alert structure of OSSEC is not as machine readable as Splunk would like, so there's some customization that has to take place in order to get the best information out of it. But when you do, you get access to Splunk's extremely powerful parsing and statistics engine, which can generate excellent graphs and reports as well as provide a very powerful Google-like search interface on all your OSSEC data.

So you might be asking: why don't you just use Splunk to handle all your log data? Excellent question, and the answer is twofold. One, Splunk is not an automatic event correlator. It can't do the "if you see this event 10 times in 20 minutes, followed by this event, throw this flag" thing automatically. (Even though "Transaction Types" is getting close, it's still not quite good enough.) It is, however, the best manual event correlator. It's the tool I would turn to when I'm researching the flag thrown by OSSEC in the above event. And two: money. Splunk recently got expensive, so instead of having Splunk handle all my immense amount of log data and paying tons of cash, I downloaded the free version and it handles the output of OSSEC. If you have the cash, I *highly* recommend running both.

My question: is there a way to get a more machine readable output to feed something like Splunk or swatch? Could this be a wishlist feature?
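As an added illustration of the "customization" the post refers to (example code, not from the post or from the OSSEC or Splunk projects): a small parser that turns the multi-line blocks of OSSEC's alerts.log into one JSON event per line, the kind of input a log tool can index field by field. The block layout (header, timestamp/agent line, Rule line, optional "Src IP:"/"User:" lines, then the raw log lines) and the sample alerts are assumed from OSSEC's conventions and constructed here, not taken from the page.

```python
import json
import re

# Constructed alerts.log sample (layout assumed from OSSEC conventions, not taken from the post):
# header, timestamp/agent line, Rule line, optional "Src IP:"/"User:" lines, raw log line(s).
SAMPLE_ALERTS = """\
** Alert 1262347200.1234: - syslog,sshd,authentication_failed,
2010 Jan 01 12:00:00 (webserver01) 10.0.0.5->/var/log/auth.log
Rule: 5716 (level 5) -> 'SSHD authentication failed.'
Src IP: 192.168.1.100
User: root
Jan  1 12:00:00 webserver01 sshd[1234]: Failed password for root from 192.168.1.100 port 4022 ssh2

** Alert 1262347260.5678: mail  - syslog,sshd,authentication_failures,
2010 Jan 01 12:01:00 (webserver01) 10.0.0.5->/var/log/auth.log
Rule: 5720 (level 10) -> 'Multiple SSHD authentication failures.'
Src IP: 192.168.1.100
User: root
Jan  1 12:00:30 webserver01 sshd[1235]: Failed password for root from 192.168.1.100 port 4023 ssh2
Jan  1 12:00:45 webserver01 sshd[1236]: Failed password for root from 192.168.1.100 port 4024 ssh2
"""
HEADER = re.compile(r"^\*\* Alert (?P<alert_id>[\d.]+): (?P<flags>\S*)\s*- (?P<groups>.*?),?$")
ORIGIN = re.compile(r"^(?P<ts>\d{4} \w{3} \d{2} \d{2}:\d{2}:\d{2}) "
                    r"(?:\((?P<agent>[^)]+)\) (?P<agent_ip>\S+)|(?P<host>\S+))->(?P<location>.*)$")
RULE = re.compile(r"^Rule: (?P<rule_id>\d+) \(level (?P<level>\d+)\) -> '(?P<description>.*)'$")
FIELDS = {"Src IP: ": "src_ip", "Dst IP: ": "dst_ip", "User: ": "user"}

def parse_alert_block(block):
    """Turn one blank-line-delimited alerts.log block into a flat dict; None if malformed."""
    lines = block.strip().splitlines()
    matches = [pat.match(line) for pat, line in zip((HEADER, ORIGIN, RULE), lines)]
    if len(matches) < 3 or not all(matches):
        return None
    head, origin, rule = matches
    event = {"alert_id": head["alert_id"], "groups": head["groups"].strip(",").split(","),
             "timestamp": origin["ts"], "agent": origin["agent"] or origin["host"],
             "agent_ip": origin["agent_ip"], "location": origin["location"],
             "rule_id": int(rule["rule_id"]), "level": int(rule["level"]),
             "description": rule["description"], "log": []}
    for line in lines[3:]:  # named fields come first, then the raw log line(s) that fired
        key = next((k for prefix, k in FIELDS.items() if line.startswith(prefix)), None)
        if key:
            event[key] = line.split(": ", 1)[1]
        else:
            event["log"].append(line)
    return event

def alerts_to_ndjson(text):
    """Whole alerts.log text -> newline-delimited JSON, one event per line, for a log indexer."""
    return "\n".join(json.dumps(e, sort_keys=True) for e in map(parse_alert_block, text.split("\n\n")) if e)
```

Alerts whose second line names a host without parentheses (alerts raised on the OSSEC server itself) are handled by the second alternative in ORIGIN, and a block that does not fit the layout is dropped rather than indexed with wrong fields.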