Hi,

If you need to forward to Elastic all the events (not only alerts), try to enable the option <logall_json>yes</logall_json> (available at Wazuh Fork <https://github.com/wazuh/ossec-wazuh>) like this:

ossec.conf:

    <global>
      <logall_json>yes</logall_json>
    </global>

You will find a log file at /var/ossec/logs/archives/archives.json, then set up the Logstash conf file to read from that file:

    input {
      file {
        type => "ossec-alerts"
        path => "/var/ossec/logs/archives/*archives*.json"
        codec => "json"
      }
    }

Set the output to the Elasticsearch server:

    output {
      elasticsearch {
        hosts => ["your_elastic_search_ip:9200"]
        index => "ossec-%{+YYYY.MM.dd}"
        document_type => "ossec"
        template => "/etc/logstash/elastic-ossec-template.json"
        template_name => "ossec"
        template_overwrite => true
      }
    }

If everything goes well, you should see on Kibana every log collected by your OSSEC agents.

Be careful, the archives option collects everything, so archives.json/log and the Elasticsearch indexes will be huge if you have a large deployment.

Regards,
Pedro S.

On Thursday, March 3, 2016 at 11:07:05 AM UTC+1, Bhuvanesh Bhuvanachandran wrote:
> Hi Folks,
>
> I am new to Ossec, and trying out the functionalities of Ossec for a
> requirement in my company. I need some help with some of the concepts that
> I am trying to achieve.
>
> Basically I am using a combination of Ossec + Logstash + Elastic search +
> Kibana to get the things visualized in a useful way. All these components
> integrated successfully.
>
> I have one apache web server (for testing purposes) which is monitored by
> an Ossec agent and the results are getting shipped to the Ossec server. But
> when looking at the syslog output of the Ossec server I can only see some
> suspicious/error log entries of apache, like log entries with 400 error
> code, that trigger some Ossec rules. From an IDS point of view it is perfect.
> But I need all logs getting shipped to a central server.
>
> What I am expecting here is, I want to get all logs of apache (including
> 200 status code) shipped to the Ossec server and made available at the
> syslog output of the Ossec server so that logstash can further parse the logs.
>
> Is this something possible with Ossec?
> If it is, how can I achieve this?
> Please advise.
>
> Thanks & Regards,
>
> Bhuvanesh
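Added example, not code from the thread above and not part of Wazuh or OSSEC: a small Python script that does by hand what the Logstash file input plus elasticsearch output in Pedro's reply do, so you can see what the pipeline actually sends and how fast the daily indexes grow. It reads archives.json as one JSON object per line, skips non-JSON lines (the json codec would likewise not index them as events), derives the daily index name "ossec-YYYY.MM.dd" from the event timestamp in UTC (Logstash evaluates %{+YYYY.MM.dd} in UTC, so a 00:30 +0100 event lands on the previous day's index), emits an Elasticsearch _bulk body, and sums source bytes per index. The field names ("timestamp" in ISO 8601 form with a numeric UTC offset, a "rule" object on events that matched a rule, "location", "full_log") are assumptions for the example, not a statement of the real archives.json schema, and the sample lines are constructed, not captured data. The alerts_only switch shows the cheap way to cut volume if, after turning on logall_json, you find you only wanted rule hits in Elasticsearch after all.

```python
"""Added example: hand-built equivalent of the Logstash pipeline from the
thread (archives.json -> daily index -> Elasticsearch bulk body).
Not code from the original post, Wazuh or OSSEC.  Field names below are
assumptions for illustration, not the real archives.json schema."""
import json
from datetime import datetime, timezone

# Constructed sample of archives.json content (not real captured data).
SAMPLE_ARCHIVES = r'''
{"timestamp":"2016-03-03T10:07:05+0100","location":"/var/log/apache2/access.log","full_log":"10.0.0.5 - - [03/Mar/2016:10:07:05 +0100] \"GET /index.html HTTP/1.1\" 200 512"}
{"timestamp":"2016-03-03T10:07:06+0100","location":"/var/log/apache2/access.log","full_log":"10.0.0.5 - - [03/Mar/2016:10:07:06 +0100] \"GET /../../etc/passwd HTTP/1.1\" 400 0","rule":{"level":6,"description":"Attempt to access forbidden file or directory."}}
{"timestamp":"2016-03-04T00:30:00+0100","location":"/var/log/syslog","full_log":"Mar  4 00:30:00 web1 CRON[1234]: (root) CMD (run-parts /etc/cron.hourly)"}
{"timestamp":"2016-03-04T02:00:00+0100","location":"/var/log/syslog","full_log":"Mar  4 02:00:00 web1 sshd[2222]: Accepted publickey for deploy from 10.0.0.9 port 51234 ssh2"}
this line is not JSON and must be skipped, as the json codec would not index it as an event
'''


def parse_archives(text):
    """Return (events, skipped): parsed JSON objects and the count of lines
    that were not a JSON object."""
    events, skipped = [], 0
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            obj = json.loads(line)
        except ValueError:          # json.JSONDecodeError is a ValueError
            skipped += 1
            continue
        if isinstance(obj, dict):
            events.append(obj)
        else:
            skipped += 1
    return events, skipped


def is_alert(event):
    """Assumption for this example: a line that matched a rule carries a
    "rule" object; lines without one are plain collected log lines."""
    return isinstance(event.get("rule"), dict)


def index_name(event, prefix="ossec"):
    """Daily index such as "ossec-2016.03.03", computed in UTC the way
    Logstash's %{+YYYY.MM.dd} is, so a 00:30 +0100 event goes to the
    previous UTC day's index."""
    ts = datetime.strptime(event["timestamp"], "%Y-%m-%dT%H:%M:%S%z")
    return ts.astimezone(timezone.utc).strftime(prefix + "-%Y.%m.%d")


def to_bulk(events, prefix="ossec", doc_type="ossec", alerts_only=False):
    """Build an Elasticsearch _bulk body: one action line followed by one
    source line per event, terminated by a newline as the API requires.
    alerts_only=True drops events that did not match a rule."""
    lines = []
    for ev in events:
        if alerts_only and not is_alert(ev):
            continue
        action = {"index": {"_index": index_name(ev, prefix), "_type": doc_type}}
        lines.append(json.dumps(action, separators=(",", ":")))
        lines.append(json.dumps(ev, separators=(",", ":")))
    return "\n".join(lines) + "\n" if lines else ""


def volume_by_index(events, prefix="ossec"):
    """Bytes of source JSON per daily index: a rough predictor of index
    growth once logall_json collects everything."""
    sizes = {}
    for ev in events:
        name = index_name(ev, prefix)
        body = json.dumps(ev, separators=(",", ":")).encode("utf-8")
        sizes[name] = sizes.get(name, 0) + len(body)
    return sizes


if __name__ == "__main__":
    evs, bad = parse_archives(SAMPLE_ARCHIVES)
    print("parsed %d events, skipped %d non-JSON lines" % (len(evs), bad))
    print(to_bulk(evs, alerts_only=True), end="")
    for name, size in sorted(volume_by_index(evs).items()):
        print(name, size, "bytes of source JSON")
```

To use it against a real deployment, replace SAMPLE_ARCHIVES with the contents of /var/ossec/logs/archives/archives.json and POST the string from to_bulk() to http://your_elastic_search_ip:9200/_bulk with Content-Type application/x-ndjson; the byte counts from volume_by_index() over a day's file give you a first estimate of how much index space the "collect everything" option will cost before you roll it out fleet-wide.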