Hi Georges,

if you think that something is missing or wrong (i.e. a bug) in the Graylog CEF plugin, please create an issue on GitHub: https://github.com/Graylog2/graylog-plugin-cef/issues

Cheers,
Jochen

On Thursday, 15 September 2016 08:20:35 UTC+2, Georges Jahchan wrote:
>
> In a pilot, both csyslogd and the Graylog CEF Plugin suffer from bugs (or design shortcomings) that preclude their use as they function today:
>
> - csyslogd truncates certain events -- seemingly those with special characters (such as carriage return, line feed, and tab -- Windows Event ID 4627 for example), and it so happens that *critical* security information is stripped in the process.
> Since OSSEC truncates these events, it is difficult to predict the behavior of the CEF Plugin and of Graylog once they receive these events in full.
>
> - CEF Plugin seems to handle only the standard Application, Security, and System logs. Events from other 'eventchannel' logs picked up by OSSEC and forwarded by csyslogd in CEF format to CEF Plugin seem to be dropped *silently* by the CEF plugin.
> I have not pushed testing further to see what happens to single or multi-line events picked up by OSSEC from plain-text log files and forwarded to Graylog through csyslogd and CEF Plugin.
>
> The transport of events in the [OSSEC --> csyslogd --> CEF plugin --> Graylog] chain cannot be trusted with reliably transferring security information (whatever happens to be required) from OSSEC into Graylog (OSSEC and Graylog work as expected, the transport mechanism between the two is evidently broken). Between truncated and dropped events, the end result of the entire event processing chain is *totally unacceptable*.
>
> On the other hand, OSSEC (alerts.json) --> Filebeat --> LogStash --> Elasticsearch (when configured correctly) works as expected. All events in alerts.json are stored "as is" in Elasticsearch, with no ifs and buts.
>
> Any chance that these issues will be fixed? If yes, what is the expected time frame for a fix? I am willing to contribute to testing.
>
> If not, is there an alternative trustworthy (non-syslog) method to reliably transport all events from OSSEC undoctored into Graylog? Can NxLog come to the rescue as an alternative trustworthy transport mechanism?

--
You received this message because you are subscribed to the Google Groups "Graylog Users" group.
To view this discussion on the web visit https://groups.google.com/d/msgid/graylog2/40fe8947-0b32-4c21-b53b-2215f90ab1dd%40googlegroups.com.
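As an added illustration of the point Georges raises (an event containing carriage returns, line feeds or tabs must survive the CEF hop intact), here is example code written for this thread, not code from the Graylog CEF plugin or from OSSEC's csyslogd: a minimal CEF:0 encoder and parser that carries CR, LF and '=' through the extension field using the escape sequences the CEF format guide specifies, so a multi-line Windows event round-trips as one record. The vendor, product, rule id and event text are constructed sample values.

```python
import re

# Escape rules from the ArcSight CEF format guide (added example, not Graylog/OSSEC code):
# header fields escape '\' and '|'; extension values escape '\' and '=', and raw CR/LF
# become the two-character sequences "\r"/"\n" so the record stays on one line. Tabs are legal as-is.
_HEADER_RULES = [("\\", "\\\\"), ("|", "\\|")]
_EXT_RULES = [("\\", "\\\\"), ("=", "\\="), ("\r", "\\r"), ("\n", "\\n")]
_UNESCAPE = {"n": "\n", "r": "\r", "=": "=", "\\": "\\", "|": "|"}

def _escape(value, rules):
    for raw, esc in rules:          # backslash rule first, so later escapes are not doubled
        value = value.replace(raw, esc)
    return value

def _unescape(value):
    # Single pass, so "\\n" (escaped backslash followed by 'n') is not turned into a LF.
    return re.sub(r"\\(.)", lambda m: _UNESCAPE.get(m.group(1), m.group(0)), value)

def encode_cef(vendor, product, version, sig_id, name, severity, ext):
    """Build one single-line CEF:0 record from six header fields and an extension dict."""
    header = "|".join(_escape(str(f), _HEADER_RULES)
                      for f in (vendor, product, version, sig_id, name, severity))
    extension = " ".join(f"{k}={_escape(str(v), _EXT_RULES)}" for k, v in ext.items())
    return f"CEF:0|{header}|{extension}"

def parse_cef(line):
    """Return (header_fields, extension_dict); raises ValueError on a malformed record."""
    parts = re.split(r"(?<!\\)\|", line, maxsplit=7)   # split on unescaped pipes only
    if len(parts) != 8 or parts[0] != "CEF:0":
        raise ValueError("not a CEF:0 record")
    header = [_unescape(p) for p in parts[1:7]]
    ext = {}
    # A key is a run of word characters at the start or after whitespace, followed by an
    # unescaped '='; the value runs (lazily) up to the next such key or the end of the line.
    for m in re.finditer(r"(?:^|\s)(\w+)=((?:\\.|[^=\\])*?)(?=\s\w+=|$)", parts[7]):
        ext[m.group(1)] = _unescape(m.group(2))
    return header, ext

# Constructed sample resembling a multi-line Windows logon event with CR/LF, a tab and an
# '=' in the message body; the source address is from the documentation range (constructed).
SAMPLE_EXT = {
    "msg": "An account was successfully logged on\r\nAccount Name:\tWORKSTATION$\r\nLogon=Type 10",
    "src": "192.0.2.10",
}

def roundtrip(ext):
    """Encode with constructed header values, parse back, and return the recovered extension dict."""
    line = encode_cef("OSSEC", "OSSEC HIDS", "2.8", "1000", "Windows: logon event", 5, ext)
    return parse_cef(line)[1]
```

A transport that rewrites or truncates the escaped record will fail the round-trip comparison, which is the check to run on each hop of the chain before trusting it with security events.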
