Take a look at www.logzilla.pro (there is a community edition) which has a separate OSSEC filter that formats the ossec log entries correctly. Source is included, so you could see how it is done. The plugin for Splunk does the same thing - it pulls the entry apart and formats correctly. But I think you will find that logzilla.pro can do more for you with centralized logging, including OSSEC. It makes searching so much faster.
-Kat

On Jul 20, 1:51 pm, James M Pulver <[email protected]> wrote:
> I'm looking at using syslog from the OSSEC server to a web frontend of a
> sort, and I'm not sure they're the best format they could be. That said, I
> also don't know if part of it is the syslog standard.
>
> It seems to me that the source_host should be the OSSEC location, not the
> server where OSSEC is installed for instance. It would also seem to make
> sense if the severity for syslog was mapped as much as possible between the
> OSSEC level and for syslog...
>
> --
> James Pulver
> Information Technology Area Supervisor
> LEPP Computer Group
> Cornell University
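The two points raised in the thread (host field should name the agent the alert came from, and OSSEC alert level should map onto syslog severity) can be shown with a small filter. The code below is an added example written for this page, not code from OSSEC, LogZilla or the Splunk plugin. It assumes the "Alert Level: N; Rule: ...; Location: ..." layout of OSSEC's syslog output (the sample lines are constructed), a level-to-severity band table chosen here, and the `auth` facility (4) for the re-emitted PRI value; all three are assumptions, not OSSEC's own settings.

```python
import re
from typing import Optional

# Constructed sample lines, modelled on the "Alert Level: N; Rule: ...; Location: ..."
# layout of OSSEC's client-syslog output (the exact field order is an assumption here).
SAMPLE_LINES = [
    "Jul 20 13:51:02 ossec-server ossec: Alert Level: 7; Rule: 5501 - Login session opened; "
    "Location: (webfront01) 10.0.0.21->/var/log/auth.log; user: root; srcip: 10.0.0.5",
    "Jul 20 13:52:10 ossec-server ossec: Alert Level: 3; Rule: 591 - Log file rotated; "
    "Location: ossec-server->/var/log/messages;",
]

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s+\d\d:\d\d:\d\d)\s+(?P<relay>\S+)\s+ossec:\s+"
    r"Alert Level:\s+(?P<level>\d+);\s+Rule:\s+(?P<rule>\d+)\s+-\s+(?P<desc>[^;]+);\s+"
    r"Location:\s+(?P<location>[^;]+);?(?P<rest>.*)$"
)
# Agent alerts carry "(agent_name) agent_ip->log_source" in the Location field.
AGENT_LOC_RE = re.compile(r"^\((?P<agent>[^)]+)\)\s+(?P<ip>\S+)->(?P<source>.+)$")


def level_to_severity(level: int) -> int:
    """Map an OSSEC alert level (0-15) onto a syslog severity (0-7).

    The bands below are an assumption chosen for this example; pick whatever
    fits your alerting policy, but keep the mapping monotonic.
    """
    level = max(0, min(15, level))
    if level >= 14:
        return 1  # alert
    if level >= 12:
        return 2  # critical
    if level >= 10:
        return 3  # error
    if level >= 7:
        return 4  # warning
    if level >= 4:
        return 5  # notice
    if level >= 1:
        return 6  # informational
    return 7      # debug


def parse_alert(line: str) -> Optional[dict]:
    """Pull an OSSEC syslog line apart; returns None for lines in another format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    alert = m.groupdict()
    alert["level"] = int(alert["level"])
    loc = AGENT_LOC_RE.match(alert["location"])
    if loc:
        # Name the originating agent, not the OSSEC server that relayed the alert.
        alert["host"] = loc.group("agent")
        alert["agent_ip"] = loc.group("ip")
        alert["source"] = loc.group("source")
    else:
        # Alert about the server's own logs: the relay host is the right host.
        alert["host"] = alert["relay"]
        alert["agent_ip"] = ""
        alert["source"] = alert["location"].split("->")[-1]
    # Any trailing "key: value" pairs (user, srcip, ...) become a dict.
    fields = {}
    for part in alert.pop("rest").split(";"):
        if ":" in part:
            key, value = part.split(":", 1)
            fields[key.strip()] = value.strip()
    alert["fields"] = fields
    return alert


def to_syslog(alert: dict, facility: int = 4) -> str:
    """Re-emit the alert as an RFC 3164-style line with PRI = facility*8 + severity."""
    pri = facility * 8 + level_to_severity(alert["level"])
    extras = " ".join(f"{k}={v}" for k, v in alert["fields"].items())
    head = f"<{pri}>{alert['ts']} {alert['host']} ossec[{alert['rule']}]: {alert['desc']}"
    return f"{head} src={alert['source']} {extras}".rstrip()


if __name__ == "__main__":
    for raw in SAMPLE_LINES:
        parsed = parse_alert(raw)
        print(to_syslog(parsed) if parsed else f"unparsed: {raw}")
```

Running it prints one re-formatted line per sample: the first names `webfront01` as the host and carries severity 4 (warning) for level 7, the second keeps `ossec-server` because the alert concerns the server's own log. A line that does not match the expected layout is passed through untouched rather than silently mislabelled.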
