Hi,

If you need to forward to Elastic all the events (not only alerts), try to 
enable the option <logall_json>yes</logall_json> (available at the Wazuh fork 
<https://github.com/wazuh/ossec-wazuh>) like this:

ossec.conf

  <global>
    <logall_json>yes</logall_json>
  </global>

You will find a log file at /var/ossec/logs/archives/archives.json, then 
set up the Logstash conf file to read from that file:

input {
  file {
    type => "ossec-alerts"
    path => "/var/ossec/logs/archives/*archives*.json"
    codec => "json"
  }
}

Set the output to Elasticsearch server:

output {
  elasticsearch {
    hosts => ["your_elastic_search_ip:9200"]
    index => "ossec-%{+YYYY.MM.dd}"
    document_type => "ossec"
    template => "/etc/logstash/elastic-ossec-template.json"
    template_name => "ossec"
    template_overwrite => true
  }
}

If everything goes well, you should see in Kibana every log collected by your 
OSSEC agents.

Be careful: the archives option collects everything, so archives.json/log and 
the Elasticsearch indexes will be huge if you have a large deployment.

Regards,

Pedro S.
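
To check what the archive actually contains before wiring Logstash to it, here is an added Python example (not from this thread or from the OSSEC/Wazuh project) that parses a constructed sample of newline-delimited archives.json events; the field names (timestamp, agent, location, rule, full_log) are assumed to follow the usual Wazuh JSON layout. It separates rule-matched alerts from plain archived events, counts Apache HTTP status codes to confirm the 200s are present, and extrapolates daily volume from the sample window to size the index growth the warning above refers to.

```python
import json
from collections import Counter

# Constructed sample of newline-delimited archives.json events (not real output).
# Field names are an assumption based on the common Wazuh/OSSEC JSON layout.
SAMPLE_ARCHIVE = """\
{"timestamp":"2016-03-03T10:00:01+0100","agent":{"id":"001","name":"web01"},"location":"/var/log/apache2/access.log","full_log":"10.0.0.5 - - [03/Mar/2016:10:00:01 +0100] \\"GET /index.html HTTP/1.1\\" 200 1043"}
{"timestamp":"2016-03-03T10:00:02+0100","agent":{"id":"001","name":"web01"},"location":"/var/log/apache2/access.log","full_log":"10.0.0.5 - - [03/Mar/2016:10:00:02 +0100] \\"GET /style.css HTTP/1.1\\" 200 512"}
{"timestamp":"2016-03-03T10:00:03+0100","agent":{"id":"001","name":"web01"},"location":"/var/log/apache2/access.log","rule":{"id":"31101","level":5,"description":"Web server 400 error code."},"full_log":"10.0.0.9 - - [03/Mar/2016:10:00:03 +0100] \\"GET / HTTP/1.1\\" 400 226"}
{"timestamp":"2016-03-03T10:00:04+0100","agent":{"id":"002","name":"db01"},"location":"/var/log/auth.log","full_log":"Mar  3 10:00:04 db01 sshd[1234]: Accepted publickey for admin from 10.0.0.7 port 50000 ssh2"}
"""

def parse_archive(text):
    """Parse NDJSON archive text; skip blank or malformed lines instead of aborting."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return events

def summarize(events):
    """Split rule-matched alerts from plain archived events (the archive keeps both)."""
    alerts = sum(1 for e in events if "rule" in e)
    return {"total": len(events), "alerts": alerts, "events_only": len(events) - alerts}

def apache_status_counts(events):
    """Count HTTP status codes in Apache access-log events (shows the 200s are kept)."""
    counts = Counter()
    for e in events:
        if "access" not in e.get("location", ""):
            continue
        parts = e.get("full_log", "").split('"')
        # Status code is the first token after the closing quote of the request line.
        if len(parts) >= 3 and parts[2].split():
            counts[parts[2].split()[0]] += 1
    return counts

def estimate_daily_bytes(events, window_seconds):
    """Extrapolate archive bytes per day from a sample window (sizes the index growth)."""
    size = sum(len(json.dumps(e, separators=(",", ":"))) for e in events)
    return int(size * 86400 / window_seconds)
```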


On Thursday, March 3, 2016 at 11:07:05 AM UTC+1, Bhuvanesh Bhuvanachandran 
wrote:
>
> Hi Folks,
>
> I am new to Ossec, and trying out the functionalities of Ossec for a 
> requirement in my company. I need some help with some of the concepts that 
> I am trying to achieve.
>
> Basically I am using a combination of Ossec + Logstash + Elasticsearch + 
> Kibana to get things visualized in a useful way. All these components are 
> integrated successfully.
>
> I have one Apache web server (for testing purposes) which is monitored by an 
> Ossec agent, and the results are getting shipped to the Ossec server. But 
> when looking at the syslog output of the Ossec server I can only see some 
> suspicious/error log entries of Apache, like log entries with a 400 error 
> code that trigger some Ossec rules. From an IDS point of view it is perfect. 
> But I need all logs getting shipped to a central server.
>
> What I am expecting here is, I want all logs of Apache (including 
> 200 status codes) to get shipped to the Ossec server and made available at the 
> syslog output of the Ossec server so that Logstash can further parse the logs.
>
> Is this something possible with Ossec? If it is, how can I achieve this? 
> Please advise.
>
> Thanks & Regards,
>
> Bhuvanesh
>
