On Wed, Feb 5, 2014 at 9:14 AM, Chris H <[email protected]> wrote:
> Hi. I'm trying this setup, after seeing the blog post on ossec.net
> recently, and regularly exceeding the 500MB limit on Splunk free. I'm
> sending alerts level 3+ to logstash and 5+ to splunk still. I spent a while
> tweaking the logstash.conf to work with splunk format syslog output, as it
> includes the groups. Was going to share when it was fully working, but...
>
> Not all the logs are going into logstash (or at least not going in to
> elasticsearch.)
>
> For example, we just had a bunch of alerts from our anti-virus server. In
> the space of 30 seconds we had 29 events from one workstation:
>
> ** Alert 1391605348.1873086525: - trend_micro,osce,virus
> 2014 Feb 05 13:02:28 (AV01) 172.19.2.2->WinEvtLog
> Rule: 110003 (level 5) -> 'Virus detected and Quarantined'
> WinEvtLog: Application: WARNING(500): Trend Micro OfficeScan Server: SYSTEM: NT AUTHORITY: AV01.domain.co.uk: Virus/Malware: TROJ_SPNR.14AR14 Computer: D13800 Domain: Client pcs and laptops File: C:\Documents and Settings\bob.smith\Local Settings\Temp\tmp0de3e9e7.exe Date/Time: 05/02/2014 13:02:21 Result: Quarantine
>
> The only difference was the timestamp and the filename. All 29 events went
> into Splunk, but only 1 made it into elasticsearch (not the first event,
> either.) Could this be because of the syslog size limit? There are a lot
> more events going into logstash because of the lower alert threshold. How
> does OSSEC group alerts when sending them by syslog?
> When you come across an instance like this, do all (or at least
> 1) of the alerts get sent to logstash by ossec-csyslogd?
> Thanks.
>
> On Monday, January 27, 2014 1:36:19 PM UTC, dan (ddpbsd) wrote:
>>
>> On Mon, Jan 27, 2014 at 8:16 AM, Michiel van Es <[email protected]>
>> wrote:
>> > Hi,
>> >
>> > Is anyone using OSSEC => syslog => Logstash => Kibana for their setup?
>> > We found out that the netstat -tan diff ran by syscheck gives only the
>> > first line of the diff:
>> >
>> > <132>Jan 27 11:37:43 local-machine-001 ossec: Alert Level: 7; Rule: 533 - Listened ports status (netstat) changed (new port opened or closed).; Location: local-machine-001->netstat -tan |grep LISTEN |grep -v 127.0.0.1 | sort; ossec: output: 'netstat -tan |grep LISTEN |grep -v 127.0.0.1 | sort'
>> >
>> > and it does not show the diff output (the 2 netstat -tan outputs).
>> >
>> > Does anyone else have this issue and if so, how did you fix it with
>> > (r)syslog?
>> > OSSEC 2.7.1 on Red Hat 6 64 bit (Atomic repo) and OSSEC and
>> > Logstash/Kibana run on 2 separate machines.
>> >
>>
>> I haven't looked into this really, but I think the syslog output is
>> limited to 1024(?)k (an old syslog limit). Diffs wouldn't really
>> transfer via syslog very well anyways, so I'm not sure they'd be worth
>> it.
>>
>> > Michiel
>> >
>> > --
>> > ---
>> > You received this message because you are subscribed to the Google Groups "ossec-list" group.
>> > To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
>> > For more options, visit https://groups.google.com/groups/opt_out.
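Both questions in the thread (a diff that arrives as only its first line, and 29 near-identical alerts of which one reached Elasticsearch) can be checked at the receiving end before touching the Logstash config. What follows is an added example, not code from the thread or from the OSSEC project. It parses the ossec-csyslogd line layout quoted above (Alert Level / Rule / Location, then the original log), measures each message against the 1024-byte maximum that traditional RFC 3164 syslog allows, shows what a receiver that cuts at that limit would keep, and counts how many alerts per host and rule actually arrived. The sample messages are constructed for the example and modeled on the ones quoted; the field layout, the names SAMPLE_ALERTS and LONG_ALERT, and the appended netstat diff are assumptions.

```python
import re
from collections import Counter

# Maximum total length of a traditional (RFC 3164) syslog message, in bytes.
SYSLOG_MAX_LEN = 1024

# Layout of the ossec-csyslogd lines quoted in the thread (assumption: this is the
# only layout handled here):
#   <PRI>Mon dd hh:mm:ss host ossec: Alert Level: N; Rule: R - desc; Location: loc; <original log>
# Everything after "Location: ...; " is treated as the original log event, which
# may span several lines when a diff is attached.
ALERT_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<timestamp>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) ossec: "
    r"Alert Level: (?P<level>\d+); "
    r"Rule: (?P<rule>\d+) - (?P<description>.*?); "
    r"Location: (?P<location>.*?); "
    r"(?P<log>.*)$",
    re.DOTALL,
)


def parse_alert(message):
    """Split one ossec-csyslogd message into its fields; None if it does not match."""
    m = ALERT_RE.match(message)
    if m is None:
        return None
    fields = m.groupdict()
    pri = int(fields.pop("pri"))
    fields["facility"], fields["severity"] = divmod(pri, 8)  # PRI = facility*8 + severity
    fields["level"] = int(fields["level"])
    fields["rule"] = int(fields["rule"])
    return fields


def oversize_by(message, limit=SYSLOG_MAX_LEN):
    """Bytes by which the encoded message exceeds `limit` (0 when it fits)."""
    return max(0, len(message.encode("utf-8")) - limit)


def truncated_view(message, limit=SYSLOG_MAX_LEN):
    """What a receiver that keeps only the first `limit` bytes would store."""
    return message.encode("utf-8")[:limit].decode("utf-8", errors="ignore")


def summarize(messages):
    """Per (host, rule) counts, number of unparseable messages, indexes of oversize ones."""
    parsed = [parse_alert(m) for m in messages]
    return {
        "by_host_rule": Counter((p["host"], p["rule"]) for p in parsed if p),
        "unparsed": sum(1 for p in parsed if p is None),
        "oversize": [i for i, m in enumerate(messages) if oversize_by(m)],
    }


# Constructed sample messages, modeled on the alerts quoted in the thread.
SAMPLE_ALERTS = [
    "<132>Jan 27 11:37:43 local-machine-001 ossec: Alert Level: 7; Rule: 533 - "
    "Listened ports status (netstat) changed (new port opened or closed).; "
    "Location: local-machine-001->netstat -tan |grep LISTEN |grep -v 127.0.0.1 | sort; "
    "ossec: output: 'netstat -tan |grep LISTEN |grep -v 127.0.0.1 | sort'",
    "<132>Feb  5 13:02:28 AV01 ossec: Alert Level: 5; Rule: 110003 - "
    "Virus detected and Quarantined; Location: (AV01) 172.19.2.2->WinEvtLog; "
    "WinEvtLog: Application: WARNING(500): Trend Micro OfficeScan Server: "
    "File: C:\\Temp\\tmp0de3e9e7.exe Result: Quarantine",
    "<132>Feb  5 13:02:29 AV01 ossec: Alert Level: 5; Rule: 110003 - "
    "Virus detected and Quarantined; Location: (AV01) 172.19.2.2->WinEvtLog; "
    "WinEvtLog: Application: WARNING(500): Trend Micro OfficeScan Server: "
    "File: C:\\Temp\\tmp_example_2.exe Result: Quarantine",
]

# A constructed netstat listing appended to the first alert, standing in for the
# diff the thread expects after the command output; 30 lines of 72 bytes push the
# message well past 1024 bytes.
NETSTAT_DIFF = "\n".join(
    "tcp        0      0 0.0.0.0:%d          0.0.0.0:*               LISTEN" % port
    for port in range(8000, 8030)
)
LONG_ALERT = SAMPLE_ALERTS[0] + ":\n" + NETSTAT_DIFF

if __name__ == "__main__":
    for i, msg in enumerate(SAMPLE_ALERTS + [LONG_ALERT]):
        p = parse_alert(msg)
        print(i, p["host"], p["rule"], "level", p["level"], "oversize by", oversize_by(msg))
    kept = truncated_view(LONG_ALERT)
    print("diff lines that survive a 1024-byte cut:", kept.count("\n"))
    print(summarize(SAMPLE_ALERTS + [LONG_ALERT]))
```

Run it against a capture of what Logstash actually received (one message per list entry) and compare `by_host_rule` with the counts Splunk shows for the same window; a non-zero `oversize` list explains lost diff tails, while a count shortfall with no oversize messages points at the transport or at the Logstash input rather than at message size.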
