Sorry, bloody germans ;-)

- someone sharing their logstash 1.5.0 ossec grok filter (ossec.log + alerts.log, also the permission challenges on those files)
- clean json formatted events from ossec to logstash input handler

I thought the ossec json message is properly formatted and therefore logstash is able to populate right away the correct fields and corresponding details - which is not the case (see pastebin examples).

Thanks a lot!
Gerald

-----Original Message-----
From: [email protected] [mailto:[email protected]] On behalf of dan (ddp)
Sent: Tuesday, 26 May 2015 19:48
To: [email protected]
Subject: Re: [ossec-list] OSSEC 2.8.1 JSON Format and Logstash challenges

On Tue, May 26, 2015 at 1:43 PM, T-SOC Operations <[email protected]> wrote:
> hello ossec fellows,
>
> i'm struggling with the json syslog_output filter. There are some "kind of"
> json format, but logstash is not able to decode the message right away.
>
> example json outputs in kibana4:
> windows alert: http://pastebin.com/2n4jsJYS
> linux alert: http://pastebin.com/UPAUq9pB
>
> yes, i've tried all recent grok-filters to watch the alerts.log and
> ossec.log with logstash directly, but as soon i forward
> windows event logs, this is a pure nightmare to build proper regex.
>
> Therefore i really like the idea with forwarding them through the
> syslog_output json filter and on the other
> side to use logstash native udp input - which is working perfectly fine!
>
> I'm really wondering, that i couldn't find any recent ossec
> configuration for latest logstash 1.5.0_1 release.
>
> It would be an amazing help to have a permanent, working ossec syslog
> forwarding solution. I'm pretty
> sure a lot of people are looking for that - in the wonderful new world
> of threat analytics with ELK ;-)
>

I'm probably overlooking something extremely simple, but what exactly are you looking for?

> Thanks for any hints!
>
> Kind Regards,
> Gerald
>
> --
> ---
> You received this message because you are subscribed to the Google
> Groups "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send
> an email to [email protected].
> For more options, visit https://groups.google.com/d/optout.
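The thread's complaint is that the alert arriving on Logstash's UDP input is "kind of" JSON but a JSON codec cannot decode it. The usual reason is that the JSON object is not the whole datagram: OSSEC's syslog_output wraps it in a syslog envelope (priority, timestamp, host, program tag), so the decoder sees a line that starts with `<132>May 26 ...` rather than with `{`. The script below is an added example and is not from the mailing-list thread or from the OSSEC project; the syslog framing, the `ossec:` program tag and the JSON field names in the sample line are assumptions to check against your own forwarder output, and the sample line itself is constructed. It shows the naive decode failing, then splits envelope and payload before decoding each, and rejects a datagram truncated mid-JSON instead of half-parsing it.

```python
"""Added example (not from the ossec-list thread): split a syslog-framed
OSSEC alert into its envelope and its JSON payload before JSON-decoding.
The sample line is CONSTRUCTED; the exact field names and program tag
OSSEC 2.8.1 emits are assumptions, not taken from the thread."""
import json
import re
from typing import Optional

# RFC 3164 style framing: <PRI>timestamp host program: payload
# The "program: {...}" layout is an assumption about the forwarder output.
SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<timestamp>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) "
    r"(?P<program>[^:\s]+): "
    r"(?P<payload>\{.*\})\s*$"
)

# Constructed sample of what a UDP listener might receive; not a real alert.
SAMPLE_LINE = (
    '<132>May 26 19:48:00 ossec-server ossec: '
    '{"crit":5,"id":"1432662480.12345","component":"(web01) 10.0.0.5->syslog",'
    '"classification":"syslog,sshd,authentication_failed,",'
    '"description":"SSHD authentication failed.","message":"..."}'
)


def naive_decode(line: str) -> Optional[dict]:
    """What a plain JSON codec does: hand the whole datagram to the decoder.
    Returns None when the syslog header in front of the JSON makes it fail."""
    try:
        return json.loads(line)
    except json.JSONDecodeError:
        return None


def split_syslog_json(line: str) -> dict:
    """Separate the syslog envelope from the JSON body and decode both.
    Raises ValueError for lines that are not framed as expected or whose
    JSON is incomplete (for example a UDP datagram cut off mid-object)."""
    m = SYSLOG_RE.match(line)
    if not m:
        raise ValueError("line does not match <PRI>timestamp host program: {json}")
    pri = int(m.group("pri"))
    try:
        event = json.loads(m.group("payload"))
    except json.JSONDecodeError as exc:
        raise ValueError(f"payload is not valid JSON: {exc}") from exc
    return {
        "facility": pri // 8,   # syslog PRI = facility * 8 + severity
        "severity": pri % 8,
        "timestamp": m.group("timestamp"),
        "host": m.group("host"),
        "program": m.group("program"),
        "event": event,         # the decoded OSSEC alert fields
    }


if __name__ == "__main__":
    print("naive decode:", naive_decode(SAMPLE_LINE))
    print("split decode:", json.dumps(split_syslog_json(SAMPLE_LINE), indent=2))
```

The same split is what a Logstash pipeline needs on the receiving side: a `grok` filter that captures everything from the first `{` into its own field, followed by a `json` filter with `source` pointing at that field, rather than a `json` codec on the `udp` input itself. Whatever the exact header your OSSEC version emits, confirm it from a captured datagram (the pastebin samples in the thread would be the place to look) before writing the pattern.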
