Yes, it adds redundancy, but, for now, I think it's the best option. OSSEC has a very flexible analysing system, and it should fit your needs without much trouble.
On Monday, June 23, 2014 8:42:46 AM UTC-3, Siddharth Trikha wrote:
>
> So inputting log files to logstash-parse-store-view them and separately
> doing this for alerts: ossec-parse-alert, will this not create redundancy??
>
> Does OSSEC have rules for threshold crossing?? Any suggestions which fit
> my scenario best?
>
> On Monday, 23 June 2014 16:55:54 UTC+5:30, Antonio Augusto Santos wrote:
>>
>> OSSEC is a HIDS (Host Intrusion Detection System); its objective is to
>> parse logs, check the logs against rules and send alerts. It has a vast
>> amount of rules already defined, so when it starts checking your logs it
>> will start firing alerts.
>>
>> In my architecture OSSEC fits outside the ELK stack. It parses the logs
>> (as Logstash) but writes alerts to files and sends alerts by email.
>> I've another logstash instance that reads the alerts from OSSEC, so I can
>> have a nice Dashboard for them on Kibana.
>>
>> On Monday, June 23, 2014 7:49:03 AM UTC-3, Siddharth Trikha wrote:
>>>
>>> @Antonio: I use email output for a particular pattern in a log. But for
>>> example, when a particular log comes more than 5 times, for alerting for
>>> this a state needs to be maintained which is not there in logstash.
>>>
>>> I don't know about OSSEC. But how to use it to achieve the above?
>>> Presently logstash reads logs, ES stores it and kibana presents it. How
>>> does OSSEC fit here?
>>>
>>> On Monday, 23 June 2014 15:50:36 UTC+5:30, Antonio Augusto Santos wrote:
>>>>
>>>> The solutions I've seen for things like this in ELK usually are on the
>>>> lines of using logstash to reparse the logs in ES and use some output
>>>> (e-mail, nagios, Zabbix) to do the alerting.
>>>>
>>>> For now I've stuck with using OSSEC (www.ossec.net) to do my alerting
>>>> and "just" use ELK for log analysis.
>>>>
>>>> On Monday, June 23, 2014 5:50:22 AM UTC-3, Siddharth Trikha wrote:
>>>>>
>>>>> We are using the `ELK stack (logstash, elasticsearch, kibana)` to
>>>>> analyze our logs. So far, so good.
>>>>>
>>>>> But now we want notification generation on some particular kind of
>>>>> logs. Eg when a login-failed log comes more than 5 times (threshold
>>>>> crossed) an email should be sent to the sysadmin.
>>>>>
>>>>> I looked up online and heard about `statsd`, `riemann`, `nagios`,
>>>>> `metric` filter (logstash) to achieve our requirement.
>>>>>
>>>>> Can anyone suggest which fits best with ELK stack?? I am new to this.
>>>>> Thanks
>>>>>
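The threshold case the thread turns on (five failed logins inside a time window, which needs per-source state that a stateless filter does not keep), as an added example that is not part of the thread and not OSSEC's or Logstash's own code: a small sliding-window counter keyed by source address, run over sshd-style lines constructed for the example. The host name, addresses, timestamps and the `ThresholdDetector` / `run` names are all assumptions made for the demo. The logic is the same frequency-within-timeframe idea that OSSEC correlation rules express through their `frequency` and `timeframe` rule attributes; here it is spelled out so the state that has to be kept is visible.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sshd-style sample lines (not taken from the thread). 10.0.0.5
# fails five times inside two minutes; 10.0.0.9 fails three times spread out.
SAMPLE_LOGS = [
    "Jun 23 08:00:01 web1 sshd[1001]: Failed password for root from 10.0.0.5 port 50001 ssh2",
    "Jun 23 08:00:03 web1 sshd[1002]: Failed password for root from 10.0.0.5 port 50002 ssh2",
    "Jun 23 08:00:05 web1 sshd[1003]: Accepted password for deploy from 10.0.0.7 port 50010 ssh2",
    "Jun 23 08:00:06 web1 sshd[1004]: Failed password for invalid user admin from 10.0.0.9 port 50020 ssh2",
    "Jun 23 08:00:07 web1 sshd[1005]: Failed password for root from 10.0.0.5 port 50003 ssh2",
    "Jun 23 08:00:09 web1 sshd[1006]: Failed password for root from 10.0.0.5 port 50004 ssh2",
    "Jun 23 08:00:11 web1 sshd[1007]: Failed password for root from 10.0.0.5 port 50005 ssh2",
    "Jun 23 08:05:00 web1 sshd[1008]: Failed password for invalid user admin from 10.0.0.9 port 50021 ssh2",
    "Jun 23 08:10:00 web1 sshd[1009]: Failed password for invalid user admin from 10.0.0.9 port 50022 ssh2",
]

# Matches only failed-password lines; successful logins fall through as None.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port"
)


def parse_failure(line, year=2014):
    """Return (timestamp, source_ip, user) for a failed-login line, else None.

    Syslog timestamps carry no year, so one is assumed (2014 for the sample).
    """
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S").replace(year=year)
    return ts, m.group("src"), m.group("user")


class ThresholdDetector:
    """Fire once when a source reaches `threshold` failures within `window_seconds`."""

    def __init__(self, threshold=5, window_seconds=120):
        self.threshold = threshold
        self.window = window_seconds
        # The state a stateless pipeline lacks: recent failure times per source.
        self.events = defaultdict(deque)

    def process(self, line):
        """Feed one log line; return an alert string when the threshold trips, else None."""
        parsed = parse_failure(line)
        if parsed is None:
            return None
        ts, src, _user = parsed
        q = self.events[src]
        q.append(ts)
        # Drop timestamps that have aged out of the sliding window.
        while q and (ts - q[0]).total_seconds() > self.window:
            q.popleft()
        if len(q) >= self.threshold:
            q.clear()  # restart counting so one burst yields one alert, not one per extra failure
            return f"ALERT {ts.isoformat()} {src}: {self.threshold} failed logins within {self.window}s"
        return None


def run(lines, threshold=5, window_seconds=120):
    """Run the detector over an iterable of lines and collect the alerts raised."""
    det = ThresholdDetector(threshold, window_seconds)
    return [alert for alert in map(det.process, lines) if alert]


if __name__ == "__main__":
    for alert in run(SAMPLE_LOGS):
        print(alert)  # one line for 10.0.0.5 at 08:00:11; nothing for 10.0.0.9
```

The deque per source is the whole point: each line is judged against what that source did in the last two minutes, which is exactly what a filter that sees one event at a time cannot do. Clearing the queue after an alert is a design choice; without it, every further failure inside the window would raise another alert for the same burst.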
