Hi Georges,

if you think that something is missing or wrong (i.e. a bug) in the 
Graylog CEF plugin, please create an issue on 
GitHub: https://github.com/Graylog2/graylog-plugin-cef/issues


On Thursday, 15 September 2016 08:20:35 UTC+2, Georges Jahchan wrote:
> In a pilot, both csyslogd and the Graylog CEF Plugin suffer from bugs (or 
> design shortcomings) that preclude their use as they function today:
>    - csyslogd truncates certain events -- seemingly those with special 
>    characters (such as carriage return, line feed, and tab -- Windows Event 
>    ID 4627 for example), and it so happens that *critical* security 
>    information is stripped in the process.
>    Since OSSEC truncates these events, it is difficult to predict the 
>    behavior of the CEF Plugin and of Graylog once they receive these events 
>    in full.
>    - CEF Plugin seems to handle only the standard Application, Security, 
>    and System logs. Events from other 'eventchannel' logs picked up by OSSEC 
>    and forwarded by csyslogd in CEF format to CEF Plugin seem to be dropped 
>    *silently* by the CEF plugin.
>    I have not pushed testing further to see what happens to single or 
>    multi-line events picked up by OSSEC from plain-text log files and 
>    forwarded to Graylog through csyslogd and CEF Plugin.
> The transport of events in the [OSSEC --> csyslogd --> CEF plugin --> 
> Graylog] chain cannot be trusted with reliably transferring security 
> information (whatever happens to be required) from OSSEC into Graylog 
> (OSSEC and Graylog work as expected; the transport mechanism between the 
> two is evidently broken). Between truncated and dropped events, the 
> end result of the entire event processing chain is *totally unacceptable*.
> On the other hand, OSSEC (alerts.json) --> Filebeat --> Logstash --> 
> Elasticsearch (when configured correctly) works as expected. All events in 
> alerts.json are stored "as is" in Elasticsearch, with no ifs and buts.
> Any chance that these issues will be fixed? If yes, what is the expected 
> time frame for a fix? I am willing to contribute to testing.
> If not, is there an alternative trustworthy (non-syslog) method to 
> reliably transport all events from OSSEC undoctored into Graylog? Can 
> NxLog come to the rescue as an alternative trustworthy transport mechanism?
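
The two symptoms Georges reports (events with CR/LF/tab arriving cut short, 
events from other channels vanishing without a trace) are exactly what a 
sent-versus-received check over the transport should surface. The Python 
below is an added example for this thread and is not code from OSSEC, 
csyslogd or the Graylog CEF plugin. It encodes events as single-line CEF 
using the escaping rules of the ArcSight CEF specification (header fields 
escape `|` and `\` with a backslash; extension values escape `=` and `\` 
and write CR/LF as the two-character sequences `\r` / `\n`; tab has no CEF 
escape), parses them back, and diffs what was sent against what a transport 
delivered. The `channel` extension key, the sample events and the 
`simulated_transport` function are constructed assumptions: the simulated 
hop only reproduces the two symptoms described above (cut at the first raw 
newline, keep only three channels) and is not the real logic of either tool.

```python
import re

# Added example, not code from OSSEC, csyslogd or the Graylog CEF plugin.
# Escaping per the ArcSight CEF spec: header fields escape '|' and '\' with
# a backslash; extension values escape '=' and '\' with a backslash and
# write CR/LF as the two characters "\r" / "\n". Tab has no CEF escape and
# passes through unchanged. The extension key "channel", the sample events
# and simulated_transport() are constructed for this example.

HEADER = ("vendor", "product", "version", "signature_id", "name", "severity")
_KEY = re.compile(r"(?:^|\s)([A-Za-z0-9_.]+)=")  # unescaped "key=" boundary


def _esc_header(v):
    return str(v).replace("\\", "\\\\").replace("|", "\\|")


def _esc_ext(v):
    return (str(v).replace("\\", "\\\\").replace("=", "\\=")
            .replace("\r", "\\r").replace("\n", "\\n"))


def cef_encode(header, extension, escape=True):
    """Serialise one event as a CEF:0 line. escape=False leaves raw CR/LF
    in the message, which is what a naive sender would emit."""
    esc_h, esc_e = (_esc_header, _esc_ext) if escape else (str, str)
    head = "|".join(esc_h(header[f]) for f in HEADER)
    ext = " ".join(f"{k}={esc_e(v)}" for k, v in extension.items())
    return f"CEF:0|{head}|{ext}"


def _split_header(line):
    """Scan to the 7th unescaped '|'; return header fields and raw extension."""
    fields, cur, i = [], [], 0
    while i < len(line) and len(fields) < 7:
        c = line[i]
        if c == "\\" and i + 1 < len(line):  # escaped char: keep it literally
            cur.append(line[i + 1])
            i += 2
        elif c == "|":
            fields.append("".join(cur))
            cur = []
            i += 1
        else:
            cur.append(c)
            i += 1
    if len(fields) < 7:
        raise ValueError("truncated CEF header")
    return fields, line[i:]


def _unesc_ext(s):
    out, i = [], 0
    while i < len(s):
        if s[i] == "\\" and i + 1 < len(s):
            out.append({"n": "\n", "r": "\r"}.get(s[i + 1], s[i + 1]))
            i += 2
        else:
            out.append(s[i])
            i += 1
    return "".join(out)


def cef_decode(line):
    """Parse a CEF:0 line back into (header dict, extension dict)."""
    if not line.startswith("CEF:0|"):
        raise ValueError("not a CEF:0 line")
    fields, ext = _split_header(line)
    keys = list(_KEY.finditer(ext))
    extension = {}
    for n, m in enumerate(keys):  # a value runs up to the next "key=" boundary
        end = keys[n + 1].start() if n + 1 < len(keys) else len(ext)
        extension[m.group(1)] = _unesc_ext(ext[m.end():end])
    return dict(zip(HEADER, fields[1:])), extension


def simulated_transport(lines, allowed=("Application", "Security", "System")):
    """Constructed stand-in: a line-oriented hop that cuts each message at
    the first raw LF, then a receiver that drops whatever it cannot attribute
    to an allowed channel. Reproduces the symptoms only, not either tool."""
    delivered = []
    for line in lines:
        first = line.split("\n", 1)[0].rstrip("\r")
        try:
            channel = cef_decode(first)[1].get("channel")
        except ValueError:
            channel = None
        if channel in allowed:
            delivered.append(first)
    return delivered


def diff_transport(sent, received):
    """sent: {event_id: line}. A received line equal to a sent line is intact,
    a strict prefix of one is truncated; sent ids never seen are dropped."""
    pending = dict(sent)
    report = {"intact": [], "truncated": [], "dropped": []}
    for r in received:
        eid = next((k for k, s in pending.items() if r and s.startswith(r)), None)
        if eid is None:
            continue  # foreign line, not one of ours
        del pending[eid]
        report["intact" if sent[eid] == r else "truncated"].append(eid)
    report["dropped"] = sorted(pending)
    return report


def _hdr(sig, name, sev):
    return {"vendor": "OSSEC", "product": "HIDS", "version": "2.8",
            "signature_id": sig, "name": name, "severity": sev}


# Constructed sample events (not real OSSEC output); id 1 carries CR, LF,
# tab and a backslash, id 2 an '=' in its value, id 3 a non-standard channel.
EVENTS = [
    (_hdr("1000", "Windows audit event", "5"),
     {"externalId": "1", "channel": "Security",
      "msg": "Group membership:\r\n\tBUILTIN\\Administrators"}),
    (_hdr("1001", "Service started", "3"),
     {"externalId": "2", "channel": "System", "msg": "svc=ok"}),
    (_hdr("1002", "Custom channel event", "3"),
     {"externalId": "3", "channel": "Custom-App/Operational", "msg": "custom"}),
]


def run(escape):
    """Push EVENTS through the simulated transport and report the losses."""
    sent = {e["externalId"]: cef_encode(h, e, escape=escape) for h, e in EVENTS}
    return diff_transport(sent, simulated_transport(list(sent.values())))


if __name__ == "__main__":
    print("spec escaping:", run(True))   # nothing truncated, id 3 dropped
    print("raw CR/LF:    ", run(False))  # id 1 truncated, id 3 dropped
```

Run against a real chain, `sent` would be the lines the sender wrote and 
`received` the lines read back from the destination; the report then 
distinguishes a sender that emits raw newlines (truncation at the first 
line-oriented hop) from a receiver that filters by channel (silent drops), 
which is the split Georges is trying to establish between csyslogd and the 
plugin.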

