Forward the syslog alerts to the OSSIM server and then write a plugin to parse the /var/log/syslog log file there. That is the easiest in case you are using an external manager. I am using an external OSSEC manager with our QRadar SIEM and the integration is working fine.
On Tuesday, August 6, 2013 9:18:02 PM UTC+5, Blake Johnson wrote:
> I realize this list is not OSSIM specific, but it seems there are a few users here. This has been brought up conceptually in the past, but I don't see any definitive examples of someone implementing this model.
>
> We have a current OSSEC deployment that is reporting to a single manager instance. We are evaluating adding OSSIM to our environment. OSSIM installs its own OSSEC manager on the OSSIM server. I would like to leverage our existing deployment and maintain a separate manager instance.
>
> Is anyone currently running a similar deployment? Could you speak to how you designed the integration?
>
> Ideas that come to my mind include syslog forwarding of alerts to a listener on the OSSIM server, or deploying an OSSEC agent paired to the OSSIM manager instance on the current OSSEC manager set to monitor the alerts.log file.
>
> Any ideas appreciated.
>
> Blake
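As an added example (not code from this thread or from the OSSEC/OSSIM projects), here is the parsing step the reply describes: a Python parser for OSSEC alerts as they land in /var/log/syslog on the OSSIM host, extracting the fields an OSSIM plugin would otherwise pull out with regexps. The alert line layout is assumed from the OSSEC manager's syslog output, and the sample log lines are constructed.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Assumed line layout (OSSEC manager syslog output); sample lines below are constructed:
#   <syslog header> ossec: Alert Level: N; Rule: ID - DESCRIPTION; Location: LOC;
#   [srcip: IP;] [user: NAME;] <original log line that fired the rule>
ALERT_RE = re.compile(
    r"ossec: Alert Level: (?P<level>\d+); "
    r"Rule: (?P<rule_id>\d+) - (?P<description>.+?); "
    r"Location: (?P<location>.+?); "
    r"(?:srcip: (?P<srcip>[^;]+); )?"
    r"(?:user: (?P<user>[^;]+); )?"
    r"(?P<raw>.*)$"
)

@dataclass
class OssecAlert:
    level: int            # 0-15; the natural input for an OSSIM priority/reliability mapping
    rule_id: int          # OSSEC rule id; natural key for a plugin_sid
    description: str
    location: str         # "(agent) ip->/path" as OSSEC reports it
    srcip: Optional[str]
    user: Optional[str]
    raw: str              # the log line that triggered the alert

def parse_alert(line: str) -> Optional[OssecAlert]:
    """Structured alert for one syslog line, or None when the line is not an OSSEC alert."""
    m = ALERT_RE.search(line)
    if not m:
        return None
    return OssecAlert(int(m["level"]), int(m["rule_id"]), m["description"],
                      m["location"], m["srcip"], m["user"], m["raw"].strip())

def parse_syslog(lines: Iterable[str], min_level: int = 0) -> List[OssecAlert]:
    """Parse a syslog stream, skipping non-OSSEC lines and alerts below min_level."""
    alerts = []
    for line in lines:
        alert = parse_alert(line)
        if alert is not None and alert.level >= min_level:
            alerts.append(alert)
    return alerts

# Constructed sample of /var/log/syslog on the OSSIM host: two forwarded alerts, one unrelated line.
SAMPLE_SYSLOG = """\
Aug  6 21:18:02 ossec-mgr ossec: Alert Level: 3; Rule: 5402 - Successful sudo to ROOT executed; Location: (web01) 10.0.0.5->/var/log/auth.log; user: alice; Aug  6 21:18:01 web01 sudo: alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/bash
Aug  6 21:18:05 ossec-mgr ossec: Alert Level: 10; Rule: 5712 - SSHD brute force trying to get access to the system.; Location: (web01) 10.0.0.5->/var/log/auth.log; srcip: 203.0.113.7; Aug  6 21:18:04 web01 sshd[2131]: Failed password for invalid user admin from 203.0.113.7 port 4422 ssh2
Aug  6 21:18:06 ossec-mgr cron[123]: (root) CMD (run-parts /etc/cron.hourly)
"""
```

Calling `parse_syslog(SAMPLE_SYSLOG.splitlines(), min_level=7)` keeps only the level 10 brute-force alert, which is the kind of threshold an OSSIM plugin would map to event priority.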
