I'm actually looking at using logstash (I prefer FLOSS software to ones where I have to pay per data and hosts), but writing the parser will require some work.
--
James Pulver
Information Technology Area Supervisor
LEPP Computer Group
Cornell University

-----Original Message-----
From: [email protected] [mailto:[email protected]] On Behalf Of Kat
Sent: Wednesday, July 20, 2011 3:00 PM
To: ossec-list
Subject: [ossec-list] Re: Have OSSEC generated syslogs more "correct"

Take a look at www.logzilla.pro (there is a community edition), which has a separate OSSEC filter that formats the OSSEC log entries correctly. Source is included, so you could see how it is done. The plugin for Splunk does the same thing: it pulls the entry apart and formats it correctly. But I think you will find that logzilla.pro can do more for you with centralized logging, including OSSEC. It makes searching so much faster.

-Kat

On Jul 20, 1:51 pm, James M Pulver <[email protected]> wrote:
> I'm looking at using syslog from the OSSEC server to a web frontend of a
> sort, and I'm not sure they're the best format they could be. That said, I
> also don't know if part of it is the syslog standard.
>
> It seems to me that the source_host should be the OSSEC location, not the
> server where OSSEC is installed for instance. It would also seem to make
> sense if the severity for syslog was mapped as much as possible between the
> OSSEC level and for syslog...
>
> --
> James Pulver
> Information Technology Area Supervisor
> LEPP Computer Group
> Cornell University
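The "pull the entry apart" work discussed in this thread, as an added example that is not from the thread, from OSSEC or from any of the tools named: a small Python parser that splits an OSSEC syslog alert into fields, takes source_host from the Location (the monitored host rather than the OSSEC server) and maps the alert level to a syslog severity. The sample line is constructed in the semicolon-separated "key: value" style of OSSEC's syslog output, and the level-to-severity thresholds are an assumption, not something OSSEC defines.

```python
import re

# Constructed sample line in the semicolon-separated "key: value" style of OSSEC's
# syslog alert output; agent name, addresses and rule details are made up.
SAMPLE_LINE = (
    "ossec: Alert Level: 10; Rule: 5712 - SSHD brute force trying to get access to the system.; "
    "Location: (web01) 192.0.2.10->/var/log/secure; srcip: 203.0.113.5; user: root;"
)

RULE_RE = re.compile(r"^(\d+) - (.*)$")
# "(agent) ip->logfile" for agent alerts, "host->logfile" for alerts raised on the server itself
LOCATION_RE = re.compile(r"^(?:\((?P<agent>[^)]+)\)\s+)?(?P<host>[^\s>]+)->(?P<source>.+)$")

def level_to_severity(level):
    """Assumed mapping from OSSEC alert level (0-15) to syslog severity (0=emerg .. 7=debug).
    OSSEC defines no such mapping, so these thresholds are a hypothetical starting point."""
    for threshold, severity in ((12, 1), (10, 2), (7, 3), (4, 4), (1, 5)):
        if level >= threshold:
            return severity
    return 6  # info

def parse_ossec_alert(line):
    """Pull one OSSEC syslog alert apart into fields; returns None for non-OSSEC lines."""
    prefix = "ossec: "
    if not line.startswith(prefix):
        return None
    raw = {}
    for chunk in line[len(prefix):].split(";"):
        chunk = chunk.strip()
        if ": " in chunk:
            key, value = chunk.split(": ", 1)
            raw[key.strip()] = value.strip()
    if "Alert Level" not in raw or "Location" not in raw:
        return None
    event = {"level": int(raw.pop("Alert Level"))}
    event["severity"] = level_to_severity(event["level"])
    m = RULE_RE.match(raw.pop("Rule", ""))
    if m:
        event["rule_id"], event["rule_desc"] = int(m.group(1)), m.group(2)
    m = LOCATION_RE.match(raw.pop("Location"))
    if m:
        # source_host is the monitored host (agent name, or the server for its own logs),
        # not the OSSEC server that emitted the syslog message.
        event["source_host"] = m.group("agent") or m.group("host")
        event["agent_ip"] = m.group("host") if m.group("agent") else None
        event["log_source"] = m.group("source")
    event.update(raw)  # remaining keys such as srcip, user, dstuser pass through unchanged
    return event

if __name__ == "__main__":
    print(parse_ossec_alert(SAMPLE_LINE))
```

A Logstash grok or kv filter can do the same split; the point here is which fields to extract and where source_host and severity should come from.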
