This syslog-ng filter *almost* works:

rewrite r_ossec_header {
    # Replace the OSSEC archive header "<year> <Mon> <day> <HH:MM:SS> <source>->"
    # with a single space. Everything after the "->" (the log file name and the
    # original message) is left in place.
    subst("^[0-9]{1,4} ... [0-9]{1,2} [0-9]{1,2}:[0-9]{1,2}:[0-9]{1,2} .*->",
          " ", type("pcre") flags("ignore-case"));
};

I can't get "\S" (non-whitespace characters) to work in syslog-ng's
pcre filter. So it won't remove the filename. If anyone knows what I'm
doing wrong, please let me know (I've tried all sorts of combinations
of \S+, \S*, \/\S+, etc).

Windows logs also look a bit funky after this filter, but I'm not sure
how they "should" look in graylog2.


On Wed, Sep 14, 2011 at 2:54 PM, dan (ddp) <[email protected]> wrote:
> On Wed, Sep 14, 2011 at 12:13 PM, Falk <[email protected]> wrote:
>>
>>
>> On Wednesday, September 14, 2011 4:09:34 PM UTC+2, dan (ddpbsd) wrote:
>>>
>>> > Do you use logstash/grok to clean up the ossec headers?
>>> > I looked on logstash but thought that it might just be a more complex
>>> > environment.
>>> >
>>>
>>> It's complex, but not too bad. I forward ossec alerts through
>>> logstash, but not the archives.log (all of the logs going into ossec).
>>> I forward syslog from various hosts to logstash to get the non-alert
>>> log messages.
>>>
>>> > But perhaps that can be a good way to handle strange proprietary logs
>>> > from
>>> > our windows applications.
>>>
>>> I like logstash a lot. I think it's going to be a big help for a lot of
>>> people.
>>
>> Do you collect windows logs with OSSEC, other than security log?
>>
>> I'm working in a 95% Windows shop, so there are almost no good ways to
>> collect the application logs from the windows systems.
>> Perhaps with a custom ossec logfile "syslog" and the "command/full command"
>> there are some good ways to check strange files.
>>
>> But the Oracle/Mssql pure logging apps is a lost cause I guess..
>>
>> --
>> Regards Falk
>>
>
> Since I don't have the privilege of using OSSEC at work, there are
> very few windows systems in my setup.
>
> I'll have to think about this one a bit.
>

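An added worked example, not code from the post and not part of syslog-ng or OSSEC: a small Python script that runs the pattern from the rewrite rule above over constructed OSSEC archive-style lines, next to an extended pattern that also consumes the log file name with \S+. The host names, agent names, IPs and messages are made up; the line shape "<year> <Mon> <day> <time> <source>-><logfile> <message>" with <source> being either "hostname" or "(agentname) ip" is what OSSEC writes to archives.log. One caveat when carrying the extended pattern back into syslog-ng: a backslash inside a double-quoted string is an escape character there, so write the regex in single quotes or double the backslash (\\S).

```python
import re

# Constructed sample lines in the shape of OSSEC's archives.log (made up for
# this example, not taken from the original post). Line 4 carries a "->" inside
# the message itself, which matters for the greedy ".*->" in the posted rule.
SAMPLE_LINES = [
    "2011 Sep 14 12:13:45 (webserver01) 192.0.2.10->/var/log/secure "
    "Sep 14 12:13:44 webserver01 sshd[1234]: Accepted publickey for alice "
    "from 192.0.2.50 port 51234 ssh2",
    "2011 Sep 14 12:13:46 ossec-server->/var/log/messages "
    "Sep 14 12:13:46 ossec-server kernel: usb 1-1: new high-speed USB device",
    "2011 Sep 14 12:13:47 (winhost01) 192.0.2.20->WinEvtLog "
    "WinEvtLog: Security: AUDIT_SUCCESS(4624): An account was successfully logged on.",
    "2011 Sep 14 12:13:48 gw01->/var/log/syslog "
    "Sep 14 12:13:48 gw01 fw: DROP 10.0.0.5->10.0.0.9",
]

# The PCRE exactly as posted: it eats the timestamp, the source and the "->",
# but nothing after it, so the log file name is left at the front of the
# message. Because ".*" is greedy it also runs on to the LAST "->" in the line.
AS_POSTED = re.compile(
    r"^[0-9]{1,4} ... [0-9]{1,2} [0-9]{1,2}:[0-9]{1,2}:[0-9]{1,2} .*->"
)

# Extended pattern (assumption: agent names contain no whitespace). After the
# timestamp it matches an optional "(agent) ", then one non-whitespace run
# ending in "->", then the non-whitespace log file name and the single space
# that follows it. Using \S+ instead of .* also stops the match from running
# into a message that itself contains "->".
OSSEC_HEADER = re.compile(
    r"^\d{4} \w{3} \d{1,2} \d{2}:\d{2}:\d{2} "  # 2011 Sep 14 12:13:45
    r"(?:\(\S+\) )?\S+->"                      # (agent) ip->  or  hostname->
    r"(?P<logfile>\S+) "                       # /var/log/secure  or  WinEvtLog
)


def strip_as_posted(line):
    """Apply the rule from the post: replace the matched header with one space."""
    return AS_POSTED.sub(" ", line, count=1)


def split_ossec_line(line):
    """Return (logfile, message) with the whole OSSEC header removed,
    or (None, line) if the line carries no OSSEC archive header."""
    m = OSSEC_HEADER.match(line)
    if m is None:
        return None, line
    return m.group("logfile"), line[m.end():]


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print("as posted :", repr(strip_as_posted(line)))
        print("full strip:", split_ossec_line(line))
        print()
```

Running it shows the two things worth knowing before putting the rule into production: the posted pattern leaves " /var/log/secure ..." at the front of each message, and on the fourth sample line its greedy ".*->" swallows the whole message up to the last "->", leaving only " 10.0.0.9". The extended pattern returns the log file name separately (handy as a graylog2 field) and the untouched original message.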