Hi David, thanks for your time & patience!

If I just used those filters, I do get "_jsonparsefailure". So I just created different grok filters to match the messy encoded messages, but what I've seen as well is different encoding depending on the OSSEC agent source (Linux versus Windows :-)... so I have to play around with charsets as well.

Cheers,
Gerald

-----Original Message-----
From: [email protected] [mailto:[email protected]] On Behalf Of David Lang
Sent: Wednesday, 27 May 2015 18:22
To: [email protected]
Subject: Re: AW: [ossec-list] OSSEC 2.8.1 JSON Format and Logstash challenges

in a filter section do:

grok { match => { "message" => "%{SYSLOGBASE} %{DATA:message}" } }
json { source => "message" }

I'm not saying to go to rsyslog to then go to logstash, I'm saying go to rsyslog to go to ElasticSearch. There is no requirement to use logstash to get the logs in ElasticSearch.

David Lang

On Wed, 27 May 2015, T-SOC Operations wrote:
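Added example, not code from either poster or from the OSSEC project: the two-step handling David describes (grok the syslog header off, then parse what is left as JSON) written as a small Python parser so the failure mode Gerald hits can be exercised offline. It decodes each raw line with a charset fallback (UTF-8 first, then cp1252 as the assumed Windows agent code page) before the JSON step, so an umlaut arriving as a single cp1252 byte no longer ends up as `_jsonparsefailure`; lines that still do not parse are tagged rather than dropped, as Logstash does. The regex is a simplified stand-in for `%{SYSLOGBASE}`, and the sample lines and their field names are constructed to mimic the shape of a JSON alert, not copied from OSSEC 2.8.1 output.

```python
import json
import re
from typing import Any, Dict, List

# Simplified stand-in for grok's %{SYSLOGBASE}: "Mon DD HH:MM:SS [host] prog[pid]: "
# (assumption: approximates the stock pattern; not copied from the grok library)
SYSLOG_PREFIX = re.compile(
    r"^(?P<timestamp>[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2}) "
    r"(?:(?P<host>\S+) )?"
    r"(?P<program>[^\s\[:]+)(?:\[(?P<pid>\d+)\])?: "
    r"(?P<message>.*)$",
    re.DOTALL,
)

# Charsets tried in order. A Linux agent normally emits UTF-8; a Windows agent may
# emit its ANSI code page (cp1252 assumed here), which is invalid UTF-8 for umlauts.
CHARSETS = ("utf-8", "cp1252")


def decode_payload(raw: bytes) -> str:
    """Strict decode with fallback; last resort replaces undecodable bytes."""
    for cs in CHARSETS:
        try:
            return raw.decode(cs)
        except UnicodeDecodeError:
            continue
    return raw.decode("utf-8", errors="replace")


def parse_line(raw: bytes) -> Dict[str, Any]:
    """Equivalent of grok{SYSLOGBASE + DATA:message} followed by json{source=>message}.

    Returns a flat event dict. As in Logstash, failures are tags
    (_grokparsefailure / _jsonparsefailure), not exceptions, so the raw line is kept
    for triage instead of being lost.
    """
    text = decode_payload(raw)
    tags: List[str] = []
    event: Dict[str, Any] = {"message": text, "tags": tags}

    m = SYSLOG_PREFIX.match(text)
    if m is None:
        tags.append("_grokparsefailure")
        return event
    # grok captures overwrite "message" with the payload after the syslog header
    event.update({k: v for k, v in m.groupdict().items() if v is not None})

    try:
        payload = json.loads(event["message"])
    except json.JSONDecodeError:
        tags.append("_jsonparsefailure")
        return event
    if not isinstance(payload, dict):
        tags.append("_jsonparsefailure")  # a bare string or array is not an alert
        return event
    event.update(payload)  # json filter without a target: fields land at top level
    return event


# Constructed sample lines, not real OSSEC 2.8.1 output; field names only mimic the
# JSON alert shape. The Windows line carries a cp1252 byte (0xFC, "ü") that is not
# valid UTF-8, which is what produced the _jsonparsefailure in the thread.
SAMPLE_LINUX = (
    b"May 27 18:22:01 ossec-server ossec: "
    b'{"rule":{"level":5,"comment":"SSHD authentication failed."},'
    b'"srcip":"192.0.2.10","location":"/var/log/auth.log"}'
)
SAMPLE_WINDOWS = (
    b"May 27 18:22:02 ossec-server ossec: "
    b'{"rule":{"level":3,"comment":"Anmeldung f\xfcr Benutzer fehlgeschlagen"},'
    b'"location":"WinEvtLog"}'
)
SAMPLE_PLAIN = b"May 27 18:22:03 ossec-server ossec: Alert 1432746121.0: - syslog,sshd\n"


if __name__ == "__main__":
    for line in (SAMPLE_LINUX, SAMPLE_WINDOWS, SAMPLE_PLAIN):
        ev = parse_line(line)
        print(ev["tags"], ev.get("rule", {}).get("comment"))
```

Two Logstash details worth checking when carrying this back to a real pipeline: a grok capture into a field that already exists (`message` here) appends by default and turns the field into an array unless the grok filter sets `overwrite => ["message"]`, and `%{DATA}` is non-greedy, so a trailing `%{DATA:message}` should be anchored with `$` (or replaced by `%{GREEDYDATA}`) or it can match an empty string. The charset itself is best fixed at the input stage (the input's `codec => plain { charset => ... }`) rather than in a filter, which is the equivalent of the fallback decode above.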
