I have an OSSEC server with several agents. I forward the alerts over level 7 to a Logstash instance listening on port 1515 on another server:

    <syslog_output>
      <server>x.x.x.x</server>
      <level>7</level>
      <port>1515</port>
    </syslog_output>

On this server I filter the alert with a Logstash instance and forward it via GELF to a Graylog2 interface. But I have one problem. The alerts that the daemon "ossec-csyslogd" forwards to the Logstash server look like this:

    Alert Level: 10; Rule: 5712 - SSHD brute force trying to get access to the system.; Location: (xxxx) 82.x.x.x->/var/log/auth.log; srcip: 188.x.x.x; Mar 20 14:30:53 xx sshd[3182]: Failed password for invalid user alias from 188.x.x.x port 44222 ssh2

At the same time I receive the same alert via e-mail with the following output:

    OSSEC HIDS Notification.
    2012 Mar 20 14:30:55

    Received From: (xxxx) 82.x.x.x->/var/log/auth.log
    Rule: 5712 fired (level 10) -> "SSHD brute force trying to get access to the system."
    Portion of the log(s):

    Mar 20 14:30:53 xxxx sshd[3182]: Failed password for invalid user alias from 188.x.x.x port 44222 ssh2
    Mar 20 14:30:51 xxxx sshd[3182]: Invalid user alias from 188.x.x.x
    Mar 20 14:30:50 xxxx sshd[3135]: Failed password for invalid user recruit from 188.x.x.x port 44141 ssh2
    Mar 20 14:30:49 xxxx sshd[3135]: Invalid user recruit from 188.x.x.x
    Mar 20 14:30:48 xxxx sshd[3086]: Failed password for invalid user sales from 188.x.x.x port 44027 ssh2
    Mar 20 14:30:45 xxxx sshd[3086]: Invalid user sales from 188.x.x.x
    Mar 20 14:30:45 xxxx sshd[3048]: Failed password for invalid user staff from 188.x.x.x port 43907 ssh2
    Mar 20 14:30:42 xxxx sshd[3048]: Invalid user staff from 188.x.x.x

    --END OF NOTIFICATION

I want OSSEC to forward all this information via syslog too, not only via e-mail. It's like the daemon "ossec-csyslogd" has a limitation in characters.
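A parser for the ossec-csyslogd alert layout quoted in the post, turning the single-line syslog message into named fields and a GELF 1.1 document that Logstash or Graylog can index. This is an added example, not OSSEC's or Logstash's own code; the sample line, the agent name `agent01`, the addresses and the `source_host` parameter are constructed placeholders.

```python
import re

# Constructed sample in the shape of the ossec-csyslogd alert quoted in the post
# (agent name and addresses are placeholders, not real data).
SAMPLE_ALERT = (
    "Alert Level: 10; Rule: 5712 - SSHD brute force trying to get access to the system.; "
    "Location: (agent01) 82.0.0.1->/var/log/auth.log; srcip: 188.0.0.1; "
    "Mar 20 14:30:53 agent01 sshd[3182]: Failed password for invalid user alias "
    "from 188.0.0.1 port 44222 ssh2"
)

# Layout: "Alert Level: N; Rule: ID - DESC; Location: LOC; [srcip: IP;] LOGLINE".
# srcip is optional because not every rule extracts a source address.
ALERT_RE = re.compile(
    r"^Alert Level: (?P<level>\d+); "
    r"Rule: (?P<rule_id>\d+) - (?P<rule_desc>.*?); "
    r"Location: (?P<location>.*?); "
    r"(?:srcip: (?P<srcip>[^;]+); )?"
    r"(?P<log>.*)$"
)
# Location is "(agent name) agent-ip->log file path"
LOCATION_RE = re.compile(r"^\((?P<agent>[^)]*)\) (?P<agent_ip>\S+)->(?P<path>.*)$")

def parse_csyslogd_alert(line: str) -> dict:
    """Split one ossec-csyslogd syslog message into named fields."""
    m = ALERT_RE.match(line.strip())
    if m is None:
        raise ValueError("not an ossec-csyslogd alert line")
    fields = m.groupdict()
    fields["level"] = int(fields["level"])
    fields["rule_id"] = int(fields["rule_id"])
    loc = LOCATION_RE.match(fields["location"])
    if loc:
        fields.update(loc.groupdict())
    return fields

def to_gelf(fields: dict, source_host: str = "ossec-server") -> dict:
    """Build a GELF 1.1 message; OSSEC's 0-15 level is kept in a custom field."""
    msg = {
        "version": "1.1",
        "host": source_host,
        "short_message": f"OSSEC rule {fields['rule_id']}: {fields['rule_desc']}",
        "full_message": fields["log"],
        "_ossec_level": fields["level"],
        "_rule_id": fields["rule_id"],
        "_location": fields["location"],
    }
    for key in ("srcip", "agent", "agent_ip", "path"):  # only emit fields that exist
        if fields.get(key):
            msg["_" + key] = fields[key]
    return msg
```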
