So inputting log files to logstash (parse, store, view them) and separately doing this for alerts (OSSEC, parse, alert): will this not create redundancy?

Does OSSEC have rules for threshold crossing? Any suggestions which fit my scenario best?

On Monday, 23 June 2014 16:55:54 UTC+5:30, Antonio Augusto Santos wrote:
>
> OSSEC is a HIDS (Host Intrusion Detection System); its objective is to parse logs, check the logs against rules and send alerts. It has a vast amount of rules already defined, so when it starts checking your logs it will start firing alerts.
>
> In my architecture OSSEC fits outside the ELK stack. It parses the logs (as Logstash does) but writes alerts to files and sends alerts by email. I've another logstash instance that reads the alerts from OSSEC, so I can have a nice Dashboard for them on Kibana.
>
> On Monday, June 23, 2014 7:49:03 AM UTC-3, Siddharth Trikha wrote:
>>
>> @Antonio: I use email output for a particular pattern in a log. But, for example, when a particular log comes more than 5 times, to alert on this a state needs to be maintained, which is not there in logstash.
>>
>> I don't know about OSSEC. But how to use it to achieve the above? Presently logstash reads logs, ES stores them and Kibana presents them. How does OSSEC fit here?
>>
>> On Monday, 23 June 2014 15:50:36 UTC+5:30, Antonio Augusto Santos wrote:
>>>
>>> The solutions I've seen for things like this in ELK usually are along the lines of using logstash to reparse the logs in ES and using some output (e-mail, nagios, Zabbix) to do the alerting.
>>>
>>> For now I've stuck with using OSSEC (www.ossec.net) to do my alerting and "just" use ELK for log analysis.
>>>
>>> On Monday, June 23, 2014 5:50:22 AM UTC-3, Siddharth Trikha wrote:
>>>>
>>>> We are using the `ELK stack (logstash, elasticsearch, kibana)` to analyze our logs. So far, so good.
>>>>
>>>> But now we want notification generation on some particular kinds of logs. E.g. when a "login failed" log comes more than 5 times (threshold crossed), an email is to be sent to the sysadmin.
>>>>
>>>> I looked up online and heard about `statsd`, `riemann`, `nagios`, `metric` filter (logstash) to achieve our requirement.
>>>>
>>>> Can anyone suggest which fits best with the ELK stack? I am new to this.
>>>> Thanks
>>>
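The threshold case discussed in this thread ("login failed" more than 5 times), as an added example that is not part of the original post and is not OSSEC's or logstash's own code: a small Python detector that keeps the per-source state the thread says logstash lacks, counting failed sshd logins inside a sliding time window and firing once per burst. The sample log lines, the host name, IPs, the 120-second window and the year 2014 (syslog timestamps carry no year) are all constructed assumptions for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample sshd lines (not from the original thread): seven failures
# from 10.0.0.5 within fifteen seconds, one success, and six failures from
# 10.0.0.9 spread three minutes apart so they never fit in a 120 s window.
SAMPLE_LOG = """\
Jun 23 10:00:01 web1 sshd[2001]: Failed password for root from 10.0.0.5 port 40001 ssh2
Jun 23 10:00:03 web1 sshd[2001]: Failed password for root from 10.0.0.5 port 40001 ssh2
Jun 23 10:00:04 web1 sshd[2002]: Failed password for invalid user admin from 10.0.0.9 port 50001 ssh2
Jun 23 10:00:05 web1 sshd[2003]: Failed password for root from 10.0.0.5 port 40002 ssh2
Jun 23 10:00:07 web1 sshd[2003]: Accepted password for alice from 10.0.0.7 port 40100 ssh2
Jun 23 10:00:08 web1 sshd[2004]: Failed password for root from 10.0.0.5 port 40003 ssh2
Jun 23 10:00:10 web1 sshd[2005]: Failed password for root from 10.0.0.5 port 40004 ssh2
Jun 23 10:00:12 web1 sshd[2006]: Failed password for root from 10.0.0.5 port 40005 ssh2
Jun 23 10:00:15 web1 sshd[2007]: Failed password for root from 10.0.0.5 port 40006 ssh2
Jun 23 10:03:00 web1 sshd[2010]: Failed password for invalid user admin from 10.0.0.9 port 50002 ssh2
Jun 23 10:06:00 web1 sshd[2011]: Failed password for invalid user admin from 10.0.0.9 port 50003 ssh2
Jun 23 10:09:00 web1 sshd[2012]: Failed password for invalid user admin from 10.0.0.9 port 50004 ssh2
Jun 23 10:12:00 web1 sshd[2013]: Failed password for invalid user admin from 10.0.0.9 port 50005 ssh2
Jun 23 10:15:00 web1 sshd[2014]: Failed password for invalid user admin from 10.0.0.9 port 50006 ssh2
"""

# Syslog timestamps have no year; this value is an assumption for the sample.
LOG_YEAR = 2014

FAILED_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port \d+"
)


def parse_failed_login(line, year=LOG_YEAR):
    """Return (timestamp, user, source ip) for a failed-password line, else None."""
    m = FAILED_RE.match(line)
    if not m:
        return None
    stamp = " ".join(m["ts"].split())  # collapse the double space before 1-digit days
    ts = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
    return ts, m["user"], m["src"]


class ThresholdDetector:
    """Sliding-window counter keyed by source IP: the state a stateless filter lacks."""

    def __init__(self, threshold=5, window=timedelta(seconds=120)):
        self.threshold = threshold
        self.window = window
        self.events = defaultdict(deque)  # source ip -> timestamps inside the window

    def observe(self, ts, key):
        """Record one event; return True when more than `threshold` events from
        `key` fall within `window`. The key's history is cleared on alert so a
        single burst yields one alert instead of one per additional event."""
        q = self.events[key]
        q.append(ts)
        while q and ts - q[0] > self.window:
            q.popleft()  # expire events that fell out of the window
        if len(q) > self.threshold:
            q.clear()
            return True
        return False


def detect_bruteforce(lines, threshold=5, window_seconds=120):
    """Scan log lines in order; return a list of (iso timestamp, source ip) alerts."""
    det = ThresholdDetector(threshold, timedelta(seconds=window_seconds))
    alerts = []
    for line in lines:
        ev = parse_failed_login(line)
        if ev is None:
            continue  # successful logins and unrelated lines add no state
        ts, _user, src = ev
        if det.observe(ts, src):
            alerts.append((ts.isoformat(), src))
    return alerts


if __name__ == "__main__":
    for when, src in detect_bruteforce(SAMPLE_LOG.splitlines()):
        print(f"ALERT {when}: more than 5 failed logins from {src} within 120 s")
```

Run as a script it reports one alert, for 10.0.0.5 at the sixth failure; the slow 10.0.0.9 attempts never accumulate because each one is already older than the window by the time the next arrives. Widening `window_seconds` to 1200 makes the slow source fire too, which is the trade-off any threshold rule has to pick. OSSEC expresses this same correlation in its rule XML with the `frequency` and `timeframe` attributes on a rule, so the thread's threshold case is covered there without keeping state in logstash.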
