It seems like there are two fields though, one called source, and one source_host -> so if source was the OSSEC server generating the syslog, and source_host was where the OSSEC agent was, best of both worlds? At least according to logstash...
I'm still fighting with the monolithic jar file - its included elasticsearch seems to keep crashing / hanging, so until I get that stable, I'm not about to try and compile grok to do additional parsing of the OSSEC logs. The whole reason I want logstash is the web interface, so if it's not working - well... back to the drawing board perhaps :(

--
James Pulver
Information Technology Area Supervisor
LEPP Computer Group
Cornell University

-----Original Message-----
From: [email protected] [mailto:[email protected]] On Behalf Of Michael Starks
Sent: Wednesday, July 20, 2011 4:26 PM
To: [email protected]
Subject: Re: [ossec-list] Have OSSEC generated syslogs more "correct"

On Wed, 20 Jul 2011 14:51:43 -0400, James M Pulver wrote:
> I'm looking at using syslog from the OSSEC server to a web frontend
> of a sort, and I'm not sure they're the best format they could be.
> That said, I also don't know if part of it is the syslog standard.
>
> It seems to me that the source_host should be the OSSEC location, not
> the server where OSSEC is installed for instance. It would also seem
> to make sense if the severity for syslog was mapped as much as
> possible between the OSSEC level and for syslog...

I took a look at the source and it seems like the issue here is that the agent name is defined in the location, which is already in the syslog output, but it is formatted in such a way that it would break the syslog. For example: (host1) 172.16.0.1->WinEvtLog. The agent name would have to come from something else or it would have to be preprocessed in some way.

Also, someone might have several ossec managers, and it actually is ossec that sends the alerts, so in a way it is correct. But I see your point.

--
Michael Starks
[I] Immutable Security
http://www.immutablesecurity.com
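The preprocessing Michael describes, and the source / source_host split James mentions, can be done in the log pipeline before indexing. The following is an added example, not code from this thread, from OSSEC or from logstash: it parses the "(agent) host->logsource" location shape quoted above and keeps the syslog sender (the manager) and the originating agent as two separate fields. The sample syslog lines are constructed; the overall layout of the alert line, and the assumption that events logged by the manager itself appear as "host->logsource" without a parenthesised agent name, are mine and not confirmed by the thread.

```python
import re
from typing import Dict, Optional

# Constructed sample lines (not from the thread): OSSEC-style alerts forwarded
# over syslog by a manager called "ossec-manager". The "Location:" values follow
# the shape quoted in the thread, "(host1) 172.16.0.1->WinEvtLog"; the rest of
# the line layout is an assumption for illustration only.
SAMPLE_LINES = [
    'Jul 20 16:26:00 ossec-manager ossec: Alert Level: 7; Rule: 18107 - '
    'Windows Logon Failure; Location: (host1) 172.16.0.1->WinEvtLog; user: james;',
    'Jul 20 16:27:13 ossec-manager ossec: Alert Level: 3; Rule: 5501 - '
    'Login session opened; Location: ossec-manager->/var/log/auth.log; user: root;',
]

# BSD-style syslog header: timestamp, sending host, then the message body.
SYSLOG_RE = re.compile(
    r"^(?P<timestamp>\w{3}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2})\s+"
    r"(?P<source>\S+)\s+(?P<message>.*)$"
)

# The "Location: ...;" field inside the message body.
LOCATION_FIELD_RE = re.compile(r"Location:\s*(?P<location>[^;]+)")

# Location shape: optional "(agent-name) " prefix, then the host or IP the log
# came from, then "->" and the log source (file path or Windows event log name).
LOCATION_RE = re.compile(
    r"^(?:\((?P<agent>[^)]+)\)\s+)?(?P<host>\S+?)->(?P<logsource>.+)$"
)


def split_location(location: str) -> Optional[Dict[str, Optional[str]]]:
    """Break an OSSEC location string into agent name, host/IP and log source.

    Returns None when the string does not have the "<host>-><logsource>" shape.
    The agent name is None for events logged by the manager itself, which are
    assumed here to carry no "(name)" prefix.
    """
    m = LOCATION_RE.match(location.strip())
    if not m:
        return None
    return {
        "agent": m.group("agent"),
        "host": m.group("host"),
        "logsource": m.group("logsource"),
    }


def enrich_syslog_line(line: str) -> Optional[Dict[str, Optional[str]]]:
    """Return the fields a log pipeline would keep from one forwarded alert.

    "source" is the syslog sender (the OSSEC manager); "source_host" is the
    host the event actually originated on (the agent name when present,
    otherwise the host/IP in the location), so neither is lost.
    """
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    loc_match = LOCATION_FIELD_RE.search(m.group("message"))
    if not loc_match:
        return None
    loc = split_location(loc_match.group("location"))
    if loc is None:
        return None
    return {
        "timestamp": m.group("timestamp"),
        "source": m.group("source"),
        "source_host": loc["agent"] or loc["host"],
        "agent_ip": loc["host"] if loc["agent"] else None,
        "logsource": loc["logsource"],
    }


if __name__ == "__main__":
    for sample in SAMPLE_LINES:
        print(enrich_syslog_line(sample))
```

Lines whose location does not parse return None rather than a half-filled record, so a pipeline can route them to a separate index for inspection instead of silently indexing the manager as the event's origin.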
