In a pilot, both csyslogd and the Graylog CEF Plugin suffer from bugs (or 
design shortcomings) that preclude their use as they function today:

   - csyslogd truncates certain events -- seemingly those with special 
   characters (such as carriage return, line feed, and tab -- Windows Event ID 
   4627 for example), and it so happens that *critical* security 
   information is stripped in the process.
   Since OSSEC truncates these events, it is difficult to predict the 
   behavior of the CEF Plugin and of Graylog once they receive these events in 
   full.


   - CEF Plugin seems to handle only the standard Application, Security, 
   and System logs. Events from other 'eventchannel' logs picked up by OSSEC 
   and forwarded by csyslogd in CEF format to CEF Plugin seem to be dropped 
   *silently* by the CEF plugin.
   I have not pushed testing further to see what happens to single or 
   multi-line events picked up by OSSEC from plain-text log files and 
   forwarded to Graylog through csyslogd and CEF Plugin.


The transport of events in the [OSSEC --> csyslogd --> CEF plugin --> 
Graylog] chain cannot be trusted with reliably transferring security 
information (whatever happens to be required) from OSSEC into Graylog 
(OSSEC and Graylog work as expected, the transport mechanism between the 
two is evidently broken). Between truncated and dropped events, the 
end-result of the entire event processing chain is *totally unacceptable*.

On the other hand, OSSEC (alerts.json) --> Filebeat --> LogStash --> 
Elasticsearch (when configured correctly) work as expected. All events in 
alerts.json are stored "as is" in Elasticsearch, with no ifs and buts.

Any chance that these issues will be fixed? If yes, what is the expected 
time frame for a fix? I am willing to contribute to testing.

If not, is there an alternative trustworthy (non-syslog) method to reliably 
transport all events from OSSEC undoctored into Graylog? Can NxLog come to 
the rescue as an alternative trustworthy transport mechanism?

To view this discussion on the web visit 
https://groups.google.com/d/msgid/graylog2/8a81ee4f-01d0-48e3-94cf-4c3b4a7ddb26%40googlegroups.com.
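As an added check for the truncation and silent-drop behaviour described in the post (example code written here, not from the post nor from the OSSEC or Graylog projects), the script below reads constructed alerts.json lines, flags events whose `full_log` contains the control characters the post ties to truncation, and classifies each event as delivered intact, truncated, or dropped by comparing it with what the collector received. It assumes each alerts.json line carries `id` and `full_log` fields and that received messages can be looked up by that `id`; the sample data is constructed, not captured.

```python
import json

# Characters the post reports as triggering truncation in csyslogd.
CONTROL_CHARS = {"\r", "\n", "\t"}

# Constructed alerts.json lines (one JSON object per line); not real captured data.
# The first mimics a Windows Security event containing tabs and CR/LF.
ALERTS_JSON = r"""
{"rule":{"level":3,"description":"Windows logon","id":18101},"id":"1500000000.1","location":"WinEvtLog","full_log":"WinEvtLog: Security: AUDIT_SUCCESS(4627): sample\tLogon Type:\t2\r\nGroup Membership:\r\n\t\tS-1-5-32-544"}
{"rule":{"level":5,"description":"PAM login","id":5501},"id":"1500000000.2","location":"/var/log/auth.log","full_log":"pam_unix(sshd:session): session opened for user alice"}
{"rule":{"level":3,"description":"Eventchannel sample","id":18100},"id":"1500000000.3","location":"EventChannel","full_log":"constructed event from a non-standard eventchannel log"}
"""

# Constructed messages as they arrived at the collector, keyed by alert id.
# The first stops at the first control character (the reported truncation);
# the third eventchannel event never arrived (the reported silent drop).
RECEIVED = {
    "1500000000.1": "WinEvtLog: Security: AUDIT_SUCCESS(4627): sample",
    "1500000000.2": "pam_unix(sshd:session): session opened for user alice",
}


def parse_alerts(text):
    """Parse alerts.json text (one JSON object per line), skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def at_risk(alert):
    """True if full_log holds a character the post associates with truncation."""
    return any(c in alert["full_log"] for c in CONTROL_CHARS)


def check_delivery(alerts, received):
    """Map each alert id to 'ok', 'truncated', 'altered' or 'dropped'."""
    report = {}
    for alert in alerts:
        full = alert["full_log"]
        got = received.get(alert["id"])
        if got is None:
            report[alert["id"]] = "dropped"
        elif got == full:
            report[alert["id"]] = "ok"
        elif full.startswith(got):
            report[alert["id"]] = "truncated"  # received text is a strict prefix
        else:
            report[alert["id"]] = "altered"
    return report


if __name__ == "__main__":
    alerts = parse_alerts(ALERTS_JSON)
    for alert in alerts:
        print(alert["id"], "at_risk" if at_risk(alert) else "plain",
              check_delivery(alerts, RECEIVED)[alert["id"]])
```

Run against a real alerts.json and a dump of what Graylog received to size the gap before deciding on a transport.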