On Tue, 26 May 2015, T-SOC Operations wrote:
Sorry, bloody Germans ;-)
-someone sharing their logstash 1.5.0 ossec grok filter (ossec.log +
alerts.log, also the permission challenges on those files)
-clean json formatted events from ossec to logstash input handler
I thought the ossec json message is properly formatted and therefore logstash is
able to populate right away the correct
fields and corresponding details - which is not the case (see pastebin
examples).
ossec is sending a properly formatted syslog message that contains a JSON
formatted message. You just need to configure logstash to handle a
standards-compliant message as opposed to the "stream of raw JSON messages with
no metadata" format that it invented.
Asking on the ossec list for how to configure grok filters on logstash will
sometimes work, but it's really the wrong place to ask.
David Lang
Thanks a lot!
Gerald
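To make David Lang's point concrete, here is an added example (not code from the thread, and not OSSEC's or logstash's own code) that does in Python what a logstash pipeline would do in two steps: match the RFC 3164 syslog header that ossec's syslog_output wraps around the event, then JSON-decode the payload into fields. The sample lines are constructed; the field names in them (crit, id, component, classification, description, message) are an assumption modelled on OSSEC's JSON alert format, not taken from the pastebins, which are not on this page. It also shows the two cases a real feed will contain: a plain-text syslog line and a truncated JSON payload, both of which must be kept as raw text rather than dropped.

```python
import json
import re

# Added example, not from the mailing-list thread. Parses a syslog line whose
# payload is the JSON document OSSEC's syslog_output emits, mirroring a
# grok-on-header plus json-filter pipeline in logstash. Samples are constructed.

# RFC 3164-style header: "<PRI>MMM dd HH:MM:SS host tag: payload".
_SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<timestamp>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) "
    r"(?P<tag>[^:\s]+): ?"
    r"(?P<payload>.*)$",
    re.DOTALL,
)


def parse_syslog_json(line):
    """Return header fields plus the decoded JSON alert when the payload is JSON; None if no header matches."""
    m = _SYSLOG_RE.match(line.strip())
    if not m:
        return None  # not a syslog line we recognise; logstash would tag it _grokparsefailure
    pri = int(m.group("pri"))
    event = {
        "facility": pri // 8,  # PRI = facility * 8 + severity
        "severity": pri % 8,
        "timestamp": m.group("timestamp"),
        "host": m.group("host"),
        "tag": m.group("tag"),
        "payload_is_json": False,
    }
    payload = m.group("payload")
    if payload.startswith("{"):
        try:
            data = json.loads(payload)
        except json.JSONDecodeError:
            data = None  # looked like JSON but is truncated or malformed: keep the raw text
        if isinstance(data, dict):
            event["payload_is_json"] = True
            event["alert"] = data
            return event
    event["message"] = payload
    return event


def flatten_alert(event, prefix="alert."):
    """Lift the nested alert into dotted top-level keys, the shape you want to query in Kibana."""
    flat = {k: v for k, v in event.items() if k != "alert"}
    for k, v in event.get("alert", {}).items():
        flat[prefix + k] = v
    return flat


# Constructed sample input: one JSON alert, one plain-text line, one truncated JSON line.
SAMPLE_LINES = [
    '<132>May 26 19:48:00 ossec-server ossec: {"crit":7,"id":5402,'
    '"component":"(web01) 10.0.0.5->/var/log/auth.log","classification":" syslog,sudo,",'
    '"description":"Successful sudo to ROOT executed",'
    '"message":"May 26 19:47:58 web01 sudo: gerald : TTY=pts/0 ; USER=root ; COMMAND=/bin/bash"}',
    '<132>May 26 19:49:10 ossec-server ossec: Alert Level: 7; Rule: 5402 - Successful sudo to ROOT executed;',
    '<132>May 26 19:49:11 ossec-server ossec: {"crit":7,"id":5402,"description":"cut off',
]


def parse_all(lines):
    """Parse every line; returns one event per line (None where the header did not match)."""
    return [parse_syslog_json(line) for line in lines]


if __name__ == "__main__":
    for ev in parse_all(SAMPLE_LINES):
        print(json.dumps(flatten_alert(ev) if ev else None, indent=2))
```

The equivalent in logstash is the same two stages: a grok pattern that captures the syslog header into fields and leaves the rest in a payload field, followed by the json filter pointed at that payload field, with the non-JSON case handled by checking for a parse failure tag instead of discarding the event.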
-----Original Message-----
From: ossec-list@googlegroups.com [mailto:ossec-list@googlegroups.com] On
behalf of dan (ddp)
Sent: Tuesday, 26 May 2015 19:48
To: ossec-list@googlegroups.com
Subject: Re: [ossec-list] OSSEC 2.8.1 JSON Format and Logstash challenges
On Tue, May 26, 2015 at 1:43 PM, T-SOC Operations <t-soc-operati...@tiri.li>
wrote:
hello ossec fellows,
I'm struggling with the json syslog_output filter. There is some "kind of"
json format, but logstash is not able
to decode the message right away.
example json outputs in kibana4:
windows alert: http://pastebin.com/2n4jsJYS
linux alert: http://pastebin.com/UPAUq9pB
yes, I've tried all recent grok-filters to watch the alerts.log and
ossec.log with logstash directly, but as soon as I forward
windows event logs, this is a pure nightmare to build proper regex.
Therefore I really like the idea of forwarding them through the
syslog_output json filter and on the other
side to use logstash native udp input - which is working perfectly fine!
I'm really wondering that I couldn't find any recent ossec
configuration for the latest logstash 1.5.0_1 release.
It would be an amazing help to have a permanent, working ossec syslog
forwarding solution. I'm pretty
sure a lot of people are looking for that - in the wonderful new world
of threat analytics with ELK ;-)
I'm probably overlooking something extremely simple, but what exactly are you
looking for?
Thanks for any hints!
Kind Regards,
Gerald
You received this message because you are subscribed to the Google
Groups "ossec-list" group.