All, I'm curious if anyone has had success in utilizing rsyslog & syslog_output to organize their logs. My reason for wanting to do this is to make the SIEM I utilize faster at parsing logs. Right now, I have one giant parsing plugin for ossec, and one giant ossec log. I would like to take the alerts.log file and pipe that back locally into syslog so that rsyslog can properly sort the logs into different logs for me.
Example:

[Client1:ANY] => [Server:1514] | Log arrives in alerts.log
[Server:Any] => [Server:514] | Log gets parsed by rsyslog into its proper .log category

So overall, Alerts.log turns into:

Firewall.log
Authentication.log
SecAlerts.log
IDS.log

With this setup, I can have multiple parsing plugins running at the same time to parse individual log files. I would let the rsyslog.conf write for 7 days and then rotate the logs so I keep the "forensic" benefits of the alerts.log.

I have utilized the following ossec.net documentation and met no success.

hxxp://www.ossec.net/doc/manual/output/syslog-output.html

I will keep tinkering around to see if I can get this to work as I would like.

Devon J. Greene
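An rsyslog (v7+ RainerScript) configuration for the split described in the post, added here as an example; it is not part of the original message or of OSSEC's own documentation. It assumes syslog_output is enabled on the OSSEC server (client-syslog turned on via ossec-control) and pointed at 127.0.0.1:514, that forwarded alerts carry the default `ossec:` tag and a `Rule: <id> - <description>;` field as on the syslog-output doc page, and that the rule ID ranges used for routing are the ones from OSSEC's rules_config.xml; the output file names come from the post, the directory /var/log/ossec-split is assumed.

```conf
# Receive OSSEC's syslog_output on the loopback interface only, so the 514
# listener never competes with agent traffic on 1514 and accepts no remote hosts.
module(load="imudp")
input(type="imudp" address="127.0.0.1" port="514" ruleset="ossec_split")

# Write the alert body unchanged so the split files keep their forensic value.
template(name="OssecRaw" type="string" string="%timegenerated% %msg%\n")

ruleset(name="ossec_split") {
    # Only OSSEC alerts belong here; anything else on this socket is dropped.
    if $programname != "ossec" then { stop }

    # Firewall rules (assumed range 4100-4799: generic, PIX, NetScreen, IOS)
    if re_match($msg, "Rule: 4[1-7][0-9][0-9] ") then {
        action(type="omfile" file="/var/log/ossec-split/Firewall.log" template="OssecRaw")
        stop
    }
    # Authentication rules (assumed range 5300-5899: su, sudo, pam, telnet, sshd)
    if re_match($msg, "Rule: 5[3-8][0-9][0-9] ") then {
        action(type="omfile" file="/var/log/ossec-split/Authentication.log" template="OssecRaw")
        stop
    }
    # IDS rules (assumed range 20100-20299: Snort alerts decoded by OSSEC)
    if re_match($msg, "Rule: 201[0-9][0-9] ") then {
        action(type="omfile" file="/var/log/ossec-split/IDS.log" template="OssecRaw")
        stop
    }
    # Everything that matched no category lands in the catch-all file.
    action(type="omfile" file="/var/log/ossec-split/SecAlerts.log" template="OssecRaw")
    stop
}
```

Binding the input to its own ruleset keeps the mirrored alerts out of the server's general syslog files; the 7-day rotation the post describes is then a logrotate job over /var/log/ossec-split/*.log, and the `level` in `<syslog_output>` should be set low enough (1) that every alert in alerts.log is actually mirrored.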
