On Tue, Oct 25, 2011 at 2:42 PM, James M Pulver <[email protected]> wrote:

> The big issue I’ve had is that if I use the built in syslog generation, all
> the events appear to come from the OSSEC server. So if it can fake the
> “location” to be where it actually comes from, then I could indeed use any
> syslog frontend.

I didn't fix this issue in my logstash installation, but I got around it with some creative tagging. Kind of a brute force method.

> --
> James Pulver
> Information Technology Area Supervisor
> LEPP Computer Group
> Cornell University
>
> From: [email protected] [mailto:[email protected]] On Behalf Of ash kumar
> Sent: Tuesday, October 25, 2011 2:39 PM
> To: [email protected]
> Subject: Re: [ossec-list] ossec-wui BUG
>
> I think this is the most practical course of action. Generalizing to syslog
> formats will ensure that the archive logs can be added to any management
> system rather than painfully slapping something together. I have wasted far
> too much time getting logstash to behave.
