Hi. I'm trying this setup, after seeing the blog post on ossec.net recently, and regularly exceeding the 500MB limit on Splunk free. I'm sending alerts level 3+ to logstash and 5+ to splunk still. I spent a while tweaking the logstash.conf to work with splunk format syslog output, as it includes the groups. Was going to share when it was fully working, but...
Not all the logs are going into logstash (or at least not going into elasticsearch.) For example, we just had a bunch of alerts from our anti-virus server. In the space of 30 seconds we had 29 events from one workstation:

** Alert 1391605348.1873086525: - trend_micro,osce,virus
2014 Feb 05 13:02:28 (AV01) 172.19.2.2->WinEvtLog
Rule: 110003 (level 5) -> 'Virus detected and Quarantined'
WinEvtLog: Application: WARNING(500): Trend Micro OfficeScan Server: SYSTEM: NT AUTHORITY: AV01.domain.co.uk: Virus/Malware: TROJ_SPNR.14AR14 Computer: D13800 Domain: Client pcs and laptops File: C:\Documents and Settings\bob.smith\Local Settings\Temp\tmp0de3e9e7.exe Date/Time: 05/02/2014 13:02:21 Result: Quarantine

The only difference was the timestamp and the filename. All 29 events went into Splunk, but only 1 made it into elasticsearch (not the first event, either.) Could this be because of the syslog size limit? There are a lot more events going into logstash because of the lower alert threshold. How does OSSEC group alerts when sending them by syslog?

Thanks.

On Monday, January 27, 2014 1:36:19 PM UTC, dan (ddpbsd) wrote:
> On Mon, Jan 27, 2014 at 8:16 AM, Michiel van Es <[email protected]> wrote:
> > Hi,
> >
> > Is anyone using OSSEC => syslog => Logstash => Kibana for their setup?
> > We found out that the netstat -tan diff ran by syscheck gives only the first
> > line of the diff:
> >
> > <132>Jan 27 11:37:43 local-machine-001 ossec: Alert Level: 7; Rule: 533 - Listened ports status (netstat) changed (new port opened or closed).; Location: local-machine-001->netstat -tan |grep LISTEN |grep -v 127.0.0.1 | sort; ossec: output: 'netstat -tan |grep LISTEN |grep -v 127.0.0.1 | sort'
> >
> > and it does not show the diff output (the 2 netstat -tan outputs).
> >
> > Does anyone else have this issue and if so, how did you fix it with
> > (r)syslog?
> > OSSEC 2.7.1 on Red Hat 6 64 bit (Atomic repo) and OSSEC and Logstash/Kibana
> > run on 2 separate machines.
>
> I haven't looked into this really, but I think the syslog output is
> limited to 1024(?)k (an old syslog limit). diffs wouldn't really
> transfer via syslog very well anyways, so I'm not sure they'd be worth
> it.
>
> > Michiel
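The size-limit question raised above can be checked on the receiving side before touching logstash.conf. The following is an added example, not code from the thread, from OSSEC or from Logstash: a small Python parser for the OSSEC syslog alert line in the format Michiel quoted, which also flags any message at or over the 1024-byte maximum that RFC 3164 (section 4.1) sets for a syslog packet. The field layout is inferred from that single quoted line, so the regular expression is an assumption about the format rather than a specification; the second, long sample line is constructed to show what a length-limited receiver keeps of a netstat diff.

```python
"""Parse OSSEC syslog alert lines and flag ones that reach the classic
1024-byte syslog limit.

Added example for the thread above; not OSSEC's or Logstash's own code.
The field layout below is inferred from the one line quoted in the thread
(assumption), so adjust the regex if your OSSEC build emits more fields.
"""
import re

# RFC 3164, section 4.1: "The total length of the packet MUST be 1024 bytes or less."
SYSLOG_MAX_BYTES = 1024

# Layout inferred from the quoted line (assumption, see module docstring):
# <PRI>Mon DD HH:MM:SS host ossec: Alert Level: N; Rule: N - desc; Location: loc; body
_ALERT_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<timestamp>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) ossec: "
    r"Alert Level: (?P<level>\d+); "
    r"Rule: (?P<rule>\d+) - (?P<description>.*?); "
    r"Location: (?P<location>.*?); "
    r"(?P<body>.*)$",
    re.DOTALL,
)


def parse_ossec_syslog(line: str) -> dict:
    """Return the alert fields from one OSSEC syslog line.

    Raises ValueError when the line does not match the expected layout.
    'possibly_truncated' is True when the encoded line is at least
    SYSLOG_MAX_BYTES long, i.e. a receiver enforcing the RFC 3164 limit
    (or a sender with a similar buffer) may have cut it.
    """
    m = _ALERT_RE.match(line)
    if not m:
        raise ValueError("not an OSSEC syslog alert line: %r" % line[:80])
    pri = int(m.group("pri"))
    size = len(line.encode("utf-8"))
    return {
        "facility": pri >> 3,        # 132 -> 16 (local0)
        "severity": pri & 0x7,       # 132 -> 4  (warning)
        "timestamp": m.group("timestamp"),
        "host": m.group("host"),
        "level": int(m.group("level")),
        "rule": int(m.group("rule")),
        "description": m.group("description"),
        "location": m.group("location"),
        "body": m.group("body"),
        "bytes": size,
        "possibly_truncated": size >= SYSLOG_MAX_BYTES,
    }


def receiver_view(line: str, limit: int = SYSLOG_MAX_BYTES) -> str:
    """What a receiver that enforces the RFC 3164 packet limit keeps of 'line'."""
    return line.encode("utf-8")[:limit].decode("utf-8", errors="ignore")


def find_oversized(lines) -> list:
    """Parse each line and return the records that hit the size limit.

    Lines that do not parse are skipped, so this can be run over a raw
    syslog capture that also contains non-OSSEC traffic.
    """
    oversized = []
    for line in lines:
        try:
            rec = parse_ossec_syslog(line.rstrip("\n"))
        except ValueError:
            continue
        if rec["possibly_truncated"]:
            oversized.append(rec)
    return oversized


# The netstat alert line as quoted in the thread.
POSTED_LINE = (
    "<132>Jan 27 11:37:43 local-machine-001 ossec: Alert Level: 7; "
    "Rule: 533 - Listened ports status (netstat) changed "
    "(new port opened or closed).; Location: local-machine-001->netstat "
    "-tan |grep LISTEN |grep -v 127.0.0.1 | sort; ossec: output: "
    "'netstat -tan |grep LISTEN |grep -v 127.0.0.1 | sort'"
)

# Constructed sample: the same header followed by a made-up before/after
# netstat listing long enough to cross the 1024-byte limit. Not real OSSEC output.
_DIFF_BODY = "\n".join(
    f"tcp        0      0 0.0.0.0:{port}           0.0.0.0:*               LISTEN"
    for port in range(8000, 8030)
)
LONG_LINE = (
    POSTED_LINE
    + "\nPrevious output:\n" + _DIFF_BODY
    + "\nCurrent output:\n" + _DIFF_BODY
)


if __name__ == "__main__":
    for sample in (POSTED_LINE, LONG_LINE):
        rec = parse_ossec_syslog(sample)
        print(rec["rule"], rec["level"], rec["bytes"], "truncated?", rec["possibly_truncated"])
    print("receiver keeps", len(receiver_view(LONG_LINE).encode()), "bytes of the long line")
```

Run find_oversized() over a capture taken on the Logstash host (for example a file written by the rsyslog instance in front of it) to see whether the alerts that never reached Elasticsearch were the ones at the limit; a line that parses but whose body ends mid-field is the usual sign. Note that this only tests the receive-side packet limit, not whatever buffer the sending OSSEC daemon uses, so a line can already be short when it arrives.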
