On Thursday, February 6, 2014 1:06:35 PM UTC, dan (ddpbsd) wrote:
> On Wed, Feb 5, 2014 at 9:14 AM, Chris H <[email protected]> wrote:
> > Hi. I'm trying this setup, after seeing the blog post on ossec.net
> > recently, and regularly exceeding the 500mb limit on Splunk free. I'm
> > sending alerts level 3+ to logstash and 5+ to splunk still. I spent a
> > while tweaking the logstash.conf to work with splunk format syslog
> > output, as it includes the groups. Was going to share when it was
> > fully working, but...
> >
> > Not all the logs are going into logstash (or at least not going in to
> > elasticsearch.)
> >
> > For example, we just had a bunch of alerts from our anti-virus server.
> > In the space of 30 seconds we had 29 events from one workstation:
> >
> > ** Alert 1391605348.1873086525: - trend_micro,osce,virus
> > 2014 Feb 05 13:02:28 (AV01) 172.19.2.2->WinEvtLog
> > Rule: 110003 (level 5) -> 'Virus detected and Quarantined'
> > WinEvtLog: Application: WARNING(500): Trend Micro OfficeScan Server: SYSTEM: NT AUTHORITY: AV01.domain.co.uk: Virus/Malware: TROJ_SPNR.14AR14 Computer: D13800 Domain: Client pcs and laptops File: C:\Documents and Settings\bob.smith\Local Settings\Temp\tmp0de3e9e7.exe Date/Time: 05/02/2014 13:02:21 Result: Quarantine
> >
> > The only difference was the timestamp and the filename. All 29 events
> > went into Splunk, but only 1 made it into elasticsearch (not the first
> > event, either.) Could this be because of the syslog size limit? There
> > are a lot more events going into logstash because of the lower alert
> > threshold. How does OSSEC group alerts when sending them by syslog?
> >
>
> When you come across an instance like this, do all (or at least 1) of
> the alerts get sent to logstash by ossec-csyslogd?
>
Hi Dan. I don't know whether they're being dropped by logstash, or not
being posted. There's nothing in the logstash logs to indicate them being
dropped. Is there a log file to indicate when a message is posted by
ossec-csyslogd? My alerts.log is 2.2gb so far today; there's too much
going through to be able to readily compare what's going through to
what's being received.

Thanks

> > Thanks.
> >
> > On Monday, January 27, 2014 1:36:19 PM UTC, dan (ddpbsd) wrote:
> >> On Mon, Jan 27, 2014 at 8:16 AM, Michiel van Es <[email protected]> wrote:
> >> > Hi,
> >> >
> >> > Is anyone using OSSEC => syslog => Logstash => Kibana for their setup?
> >> > We found out that the netstat -tan diff ran by syscheck gives only
> >> > the first line of the diff:
> >> >
> >> > <132>Jan 27 11:37:43 local-machine-001 ossec: Alert Level: 7; Rule: 533 - Listened ports status (netstat) changed (new port opened or closed).; Location: local-machine-001->netstat -tan |grep LISTEN |grep -v 127.0.0.1 | sort; ossec: output: 'netstat -tan |grep LISTEN |grep -v 127.0.0.1 | sort'
> >> >
> >> > and it does not show the diff output (the 2 netstat -tan outputs).
> >> >
> >> > Does anyone else have this issue and if so, how did you fix it with
> >> > (r)syslog?
> >> > OSSEC 2.7.1 on Red Hat 6 64 bit (Atomic repo) and OSSEC and
> >> > Logstash/Kibana run on 2 separate machines.
> >> >
> >>
> >> I haven't looked into this really, but I think the syslog output is
> >> limited to 1024(?)k (an old syslog limit). diffs wouldn't really
> >> transfer via syslog very well anyways, so I'm not sure they'd be worth
> >> it.
> >>
> >> > Michiel
> >> >

--
---
You received this message because you are subscribed to the Google Groups "ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
For more options, visit https://groups.google.com/groups/opt_out.
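The question Chris raises (is ossec-csyslogd not sending, or is Logstash dropping?) can be settled offline by keying both sides on rule id, location and a prefix of the log text and counting matches, so that 29 near-identical AV events of which one arrived show up as 28 missing. The script below is an added example written for this thread, not code from OSSEC or from any of the posters. Its alerts.log and collector-side samples are constructed; the csyslogd line layout (Alert Level; Rule - desc; Location; log) is assumed from the single line Michiel quoted, so the regex needs adjusting for the splunk or other output formats. The same script flags alert bodies that are multi-line, or that would exceed the 1024-byte RFC 3164 packet ceiling, which are the two usual reasons a syscheck diff arrives as its first line only.

```python
#!/usr/bin/env python3
"""Reconcile an OSSEC alerts.log excerpt against the syslog lines a collector stored.

Added example for this thread, not OSSEC code. Sample data is constructed; the
csyslogd line layout is assumed from the one line quoted in the thread:
  ossec: Alert Level: N; Rule: R - desc; Location: loc; <first line of log>
"""
import re
from collections import Counter

RFC3164_MAX_BYTES = 1024   # RFC 3164 section 4.1: a syslog packet is at most 1024 bytes
KEY_CHARS = 256            # match on a log prefix so a truncated tail still reconciles

# Constructed alerts.log excerpt: two AV events differing only in filename, plus a
# syscheck command-diff alert whose body spans several lines.
ALERTS_LOG = """\
** Alert 1391605348.1873086525: - trend_micro,osce,virus
2014 Feb 05 13:02:28 (AV01) 172.19.2.2->WinEvtLog
Rule: 110003 (level 5) -> 'Virus detected and Quarantined'
WinEvtLog: Application: WARNING(500): Trend Micro OfficeScan Server: Virus/Malware: TROJ_SPNR.14AR14 Computer: D13800 File: C:\\Temp\\tmp0de3e9e7.exe Result: Quarantine

** Alert 1391605349.1873087001: - trend_micro,osce,virus
2014 Feb 05 13:02:29 (AV01) 172.19.2.2->WinEvtLog
Rule: 110003 (level 5) -> 'Virus detected and Quarantined'
WinEvtLog: Application: WARNING(500): Trend Micro OfficeScan Server: Virus/Malware: TROJ_SPNR.14AR14 Computer: D13800 File: C:\\Temp\\tmp1a2b3c4d.exe Result: Quarantine

** Alert 1391605351.1873088777: - ossec,
2014 Feb 05 13:02:31 local-machine-001->netstat -tan |grep LISTEN |grep -v 127.0.0.1 | sort
Rule: 533 (level 7) -> 'Listened ports status (netstat) changed (new port opened or closed).'
ossec: output: 'netstat -tan |grep LISTEN |grep -v 127.0.0.1 | sort'
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:8443            0.0.0.0:*               LISTEN
"""

# Constructed collector-side lines: the second AV event never arrived, and the
# netstat alert arrived with only the first line of its body.
RECEIVED = """\
<132>Feb  5 13:02:28 ossec-server ossec: Alert Level: 5; Rule: 110003 - Virus detected and Quarantined; Location: (AV01) 172.19.2.2->WinEvtLog; WinEvtLog: Application: WARNING(500): Trend Micro OfficeScan Server: Virus/Malware: TROJ_SPNR.14AR14 Computer: D13800 File: C:\\Temp\\tmp0de3e9e7.exe Result: Quarantine
<132>Feb  5 13:02:31 ossec-server ossec: Alert Level: 7; Rule: 533 - Listened ports status (netstat) changed (new port opened or closed).; Location: local-machine-001->netstat -tan |grep LISTEN |grep -v 127.0.0.1 | sort; ossec: output: 'netstat -tan |grep LISTEN |grep -v 127.0.0.1 | sort'
"""

ALERT_HEADER = re.compile(r"^\*\* Alert (\S+): - (.*)$")
RULE_LINE = re.compile(r"^Rule: (\d+) \(level (\d+)\) -> '(.*)'$")
SYSLOG_LINE = re.compile(
    r"ossec: Alert Level: (?P<level>\d+); Rule: (?P<rule>\d+) - (?P<desc>.*?); "
    r"Location: (?P<location>.*?); (?P<log>.*)$")


def parse_alerts_log(text):
    """Return one dict per '** Alert' block (id, rule, level, desc, location, log)."""
    alerts = []
    for block in re.split(r"\n\n+", text.strip()):
        lines = block.split("\n")
        head = ALERT_HEADER.match(lines[0])
        rule = RULE_LINE.match(lines[2]) if len(lines) > 2 else None
        if not (head and rule):
            continue
        alerts.append({
            "id": head.group(1),
            "rule": rule.group(1),
            "level": int(rule.group(2)),
            "desc": rule.group(3),
            "location": lines[1].split(" ", 4)[4],   # drop 'YYYY Mon DD HH:MM:SS '
            "log": "\n".join(lines[3:]),             # may be multi-line (diffs)
        })
    return alerts


def match_key(rule, location, log):
    """Identity of an alert as seen on both sides: rule, location, log-line prefix."""
    return (rule, location, log.split("\n", 1)[0][:KEY_CHARS])


def reconcile(alerts, received_text):
    """Ids of alerts in alerts.log with no stored syslog line; counted, not set-based."""
    seen = Counter()
    for line in received_text.splitlines():
        m = SYSLOG_LINE.search(line)
        if m:
            seen[match_key(m["rule"], m["location"], m["log"])] += 1
    missing = []
    for a in alerts:
        k = match_key(a["rule"], a["location"], a["log"])
        if seen[k] > 0:
            seen[k] -= 1          # consume one arrival per alert, so duplicates count
        else:
            missing.append(a["id"])
    return missing


def syslog_risk(alert, hostname="ossec-server"):
    """Reasons this alert's body is likely to lose content when relayed over syslog."""
    reasons = []
    if "\n" in alert["log"]:
        reasons.append("multi-line body: receivers normally end the message at the first newline")
    # Rebuild the line csyslogd would emit (layout assumed, see module docstring) and size it.
    msg = (f"<132>Feb  5 13:02:31 {hostname} ossec: Alert Level: {alert['level']}; "
           f"Rule: {alert['rule']} - {alert['desc']}; Location: {alert['location']}; {alert['log']}")
    size = len(msg.encode("utf-8"))
    if size > RFC3164_MAX_BYTES:
        reasons.append(f"{size} bytes exceeds the RFC 3164 limit of {RFC3164_MAX_BYTES}")
    return reasons


if __name__ == "__main__":
    alerts = parse_alerts_log(ALERTS_LOG)
    print("missing from collector:", reconcile(alerts, RECEIVED))
    for a in alerts:
        for reason in syslog_risk(a):
            print(f"alert {a['id']} (rule {a['rule']}): {reason}")
```

Rather than diffing a 2.2 GB alerts.log, feed it a short window (for example the 30 seconds around the AV burst) and the matching lines exported from Elasticsearch; if the ids are missing there but the corresponding lines are present in a packet capture or rsyslog's own spool on the collector, Logstash is the one dropping, otherwise look at csyslogd.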
