Here's hoping there is a simple answer to this. I know of the technique to run the forensics into ossec-logtest, and that is a fabulous tool/method. But I want to take a previous year's data - BO - (before ossec) and run it through and have ossec actually process it into the appropriate log files (and perhaps mysql or splunk) just as if it was live data. In other words, process it like live data so it is logged and saved in the database/splunk. The reason for this is simple - to build up the past couple of years of raw data into a searchable/historical reference.
I know ossec-logtest can be piped into anything, but before I start trying it, I am wondering if you could use the same method of catting the files, but into live ossec? Off to try some tests - if I find anything, I will let you know. If anyone else can think of a way to do it, I would love to hear. thanks ~k
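One way to do the "cat the old files into live ossec" part of the question, as an added example that is not code from the poster or from the OSSEC project: append the archived lines, in date order, to a file that the OSSEC log collector already watches through a `<localfile>` entry in ossec.conf, so it picks them up exactly as it would new lines. The helper below assumes an archive directory whose files sort chronologically by name (e.g. `2009-01.log`, `2009-02.log.gz`), a target path that is in ossec.conf (here a hypothetical `/var/log/replay/old-syslog.log`), and batch/pause values that are only a starting point. It paces the writes in batches so ossec-analysisd is not flooded, and reports how many lines it wrote so you can reconcile against the archive. One caveat to keep in mind when searching the result: OSSEC stamps each alert with the time it read the line, not with the date inside the line, so replayed events will carry today's alert time in alerts.log, the database and Splunk, and the original date is only in the message text.

```shell
#!/bin/sh
# Hypothetical replay helper (not part of OSSEC): feed archived log lines into a
# file OSSEC already monitors via <localfile>, so they are processed as live data.

# Print every line of one archive, transparently decompressing gzip files.
emit_archive() {
    case "$1" in
        *.gz) gzip -dc -- "$1" ;;
        *)    cat -- "$1" ;;
    esac
}

# replay_archives SRC_DIR TARGET_FILE [BATCH] [PAUSE_SECONDS]
# Appends every line of every file in SRC_DIR (lexical order, so name archives
# by date) to TARGET_FILE, sleeping PAUSE_SECONDS after each BATCH lines so the
# collector and analysisd keep up. Prints the number of lines written.
replay_archives() {
    src_dir=$1
    target=$2
    batch=${3:-500}
    pause=${4:-1}

    # Count before/after rather than inside the pipe loop, which runs in a subshell.
    before=$(wc -l < "$target")

    for f in "$src_dir"/*; do
        [ -f "$f" ] || continue
        n=0
        # '|| [ -n "$line" ]' keeps a final line that lacks a trailing newline.
        emit_archive "$f" | while IFS= read -r line || [ -n "$line" ]; do
            printf '%s\n' "$line" >> "$target"
            n=$((n + 1))
            if [ $((n % batch)) -eq 0 ]; then
                sleep "$pause"
            fi
        done
    done

    after=$(wc -l < "$target")
    echo $((after - before))
}

# Example invocation (paths are assumptions; the target must be listed in ossec.conf):
#   replay_archives /srv/archive/syslog-2009 /var/log/replay/old-syslog.log 500 1
```

Run it on the OSSEC server or on an agent with the target file in its `<localfile>` list, and check alerts.log while the first batch goes through before letting a whole year run; if the database or Splunk output needs the original event date, that has to be recovered from the message text rather than the alert time.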
