Yes, it is possible. You need to use the OSSEC logall option and have logstash/filebeat reading /var/ossec/logs/archives.log

My advice is to use different Elasticsearch indexes, one for the alerts and one for the raw logs (archives).

On Wed, Mar 2, 2016 at 11:16 PM, Bhuvanesh Bhuvanachandran <[email protected]> wrote:

> Hi Folks,
>
> I am new to OSSEC, and trying out the functionalities of OSSEC for a
> requirement in my company. I need some help with some of the concepts that
> I am trying to achieve.
>
> Basically I am using a combination of OSSEC + Logstash + Elasticsearch +
> Kibana to get the things visualized in a useful way. All these components
> integrated successfully.
>
> I have one Apache web server (for testing purposes) which is monitored by an
> OSSEC agent and the results are getting shipped to the OSSEC server. But
> when looking at the syslog output of the OSSEC server I can only see some
> suspicious/error log entries of Apache, like log entries with 400 error
> code, that trigger some OSSEC rules. From an IDS point of view it is perfect.
> But I need all logs getting shipped to a central server.
>
> What I am expecting here is, I want to get all logs of Apache (including
> 200 status code) shipped to the OSSEC server and made available at the
> syslog output of the OSSEC server so that logstash can further parse the logs.
>
> Is this something possible with OSSEC? If it is, how can I achieve this?
> Please advise.
>
>
> Thanks & Regards,
>
> Bhuvanesh
>
> --
>
> ---
> You received this message because you are subscribed to the Google Groups
> "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to [email protected].
> For more options, visit https://groups.google.com/d/optout.
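One way to wire up the setup described in the reply, as an added example that is not the original poster's or the OSSEC project's own configuration: a Logstash pipeline that tails the OSSEC alerts file and the archives file written by `logall` and sends each to its own Elasticsearch index. Assumed (not from the post): `<global><logall>yes</logall></global>` is set in `/var/ossec/etc/ossec.conf`, the alerts path `/var/ossec/logs/alerts/alerts.log`, the Elasticsearch endpoint `localhost:9200`, and the archives line layout matched by the first grok pattern.

```conf
# Added example (not the original poster's or OSSEC's own configuration).
# Assumes ossec.conf has <global><logall>yes</logall></global> so that every
# received event, not only those that fire a rule, is written to the archives
# file. Both files below are read by Logstash on the OSSEC server.
input {
  # Assumed OSSEC alert file; one alert spans several lines starting with "** Alert".
  file {
    path  => "/var/ossec/logs/alerts/alerts.log"
    type  => "ossec-alert"
    codec => multiline {
      pattern => "^\*\* Alert"
      negate  => true
      what    => "previous"
    }
  }
  # Raw events written by logall (path as given in the reply above).
  file {
    path => "/var/ossec/logs/archives.log"
    type => "ossec-archive"
  }
}

filter {
  if [type] == "ossec-archive" {
    # Assumed archives line layout: "YYYY Mon DD HH:MM:SS (agent) ip->location raw_log".
    grok {
      match => { "message" => "^%{YEAR} %{MONTH} %{MONTHDAY} %{TIME} \(%{DATA:agent_name}\) %{IP:agent_ip}->%{DATA:location} %{GREEDYDATA:raw_log}$" }
      tag_on_failure => ["_ossec_archive_unparsed"]
    }
    # Apache access lines (200s included) get their own fields for Kibana.
    if [location] =~ /access/ {
      grok { match => { "raw_log" => "%{COMBINEDAPACHELOG}" } }
    }
  }
}

output {
  # Separate indices: alerts stay small and fast to search, archives carry the volume.
  if [type] == "ossec-alert" {
    elasticsearch { hosts => ["localhost:9200"] index => "ossec-alerts-%{+YYYY.MM.dd}" }
  } else {
    elasticsearch { hosts => ["localhost:9200"] index => "ossec-archives-%{+YYYY.MM.dd}" }
  }
}
```

With `logall` on, archives.log grows by every line of every monitored log, so rotate it and size the archives index retention separately from the alerts index. The archives file also holds the raw content of those logs, so restrict read access to it and to the archives index the same way you would to the original log sources.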
