Thanks Guys!!

The solution given here worked!

Regards,
Bhuvanesh

On Thursday, March 3, 2016 at 4:07:43 PM UTC+5:30, Pedro S wrote:
>
> Hi,
>
> If you need to forward to Elastic all the events (not only alerts), try to 
> enable the option <logall_json>yes</logall_json> (available at Wazuh 
> Fork <https://github.com/wazuh/ossec-wazuh>) like this:
>
> ossec.conf
>
>   <global>
>          <logall_json>yes</logall_json>
>   </global>
>
> You will find a log file at /var/ossec/logs/archives/archives.json, then 
> set up the Logstash conf file to read from that file:
>
> input {
>   file {
>     type => "ossec-alerts"
>     path => "/var/ossec/logs/archives/*archives*.json"
>     codec => "json"
>   }
> }
>
> Set the output to Elasticsearch server:
>
> output {
>   elasticsearch {
>          hosts => ["your_elastic_search_ip:9200"]
>          index => "ossec-%{+YYYY.MM.dd}"
>          document_type => "ossec"
>          template => "/etc/logstash/elastic-ossec-template.json"
>          template_name => "ossec"
>          template_overwrite => true
>     }
> }
>
> If everything goes well, you should see in Kibana every log collected by 
> your OSSEC agents.
>
> Be careful, the archives option collects everything, so archives.json/log and 
> Elasticsearch indexes will be huge if you have a large deployment.
>
> Regards,
>
> Pedro S.
>
>
> On Thursday, March 3, 2016 at 11:07:05 AM UTC+1, Bhuvanesh Bhuvanachandran 
> wrote:
>>
>> Hi Folks,
>>
>> I am new to Ossec, and trying out the functionalities of Ossec for a 
>> requirement in my company. I need some help with some of the concepts that 
>> I am trying to achieve.
>>
>> Basically I am using a combination of Ossec + Logstash + Elasticsearch + 
>> Kibana to get the things visualized in a useful way. All these components 
>> integrated successfully.
>>
>> I have one apache web server (for testing purpose) which is monitored by an 
>> Ossec agent and the results are getting shipped to the Ossec server. But 
>> when looking at the syslog output of the Ossec server I can only see some 
>> suspicious/error log entries of apache, like log entries with a 400 error 
>> code, that trigger some Ossec rules. From an IDS point of view it is perfect. 
>> But I need all logs getting shipped to a central server.
>>
>> What I am expecting here is, I want to get all logs of apache (including 
>> 200 status code) shipped to the Ossec server and made available at the 
>> syslog output of the Ossec server so that logstash can further parse the logs.
>>
>> Is this something possible with Ossec? If it is, how can I achieve this? 
>> Please advise.
>>
>> Thanks & Regards,
>>
>> Bhuvanesh
>>
>
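An added example, not code from this thread or from OSSEC/Wazuh: a small Python triage script that reads archives.json lines of the kind <logall_json> produces, separates events that matched a rule from events that were only archived, and attributes raw bytes to each agent/log source, which is the volume Pedro warns will drive index size. The JSON field names (rule, agent, location, full_log) are assumed from the alerts.json layout, and the sample lines are constructed.

```python
import json
from collections import Counter

# Constructed sample (not from the thread): lines as they might appear in
# /var/ossec/logs/archives/archives.json once <logall_json> is enabled. Field
# names (rule, agent, location, full_log) are assumed from the alerts.json layout.
_EVENTS = [
    {"timestamp": "2016-03-03T11:00:01+0100", "agent": {"name": "web01"},
     "location": "/var/log/apache2/access.log",
     "full_log": '10.0.0.5 - - [03/Mar/2016:11:00:01 +0100] "GET /index.html HTTP/1.1" 200 512'},
    {"timestamp": "2016-03-03T11:00:02+0100", "agent": {"name": "web01"},
     "location": "/var/log/apache2/access.log",
     "full_log": '10.0.0.5 - - [03/Mar/2016:11:00:02 +0100] "GET /about HTTP/1.1" 200 1024'},
    {"timestamp": "2016-03-03T11:00:03+0100",
     "rule": {"level": 5, "id": "31101", "description": "Web server 400 error code."},
     "agent": {"name": "web01"}, "location": "/var/log/apache2/access.log",
     "full_log": '10.0.0.9 - - [03/Mar/2016:11:00:03 +0100] "GET /admin HTTP/1.1" 400 209'},
    {"timestamp": "2016-03-03T11:00:04+0100", "agent": {"name": "web01"},
     "location": "/var/log/syslog",
     "full_log": "Mar  3 11:00:04 web01 CRON[1234]: (root) CMD (run-parts /etc/cron.hourly)"},
]
# One JSON object per line, plus a deliberately broken line to exercise error handling.
SAMPLE_ARCHIVES = "\n".join(json.dumps(e) for e in _EVENTS) + "\nnot json at all\n"


def iter_events(text):
    """Yield (event, raw_line) per non-empty line; event is None when the line is not JSON."""
    for raw in text.splitlines():
        if not raw.strip():
            continue
        try:
            yield json.loads(raw), raw
        except ValueError:  # json.JSONDecodeError is a ValueError subclass
            yield None, raw


def summarize(text):
    """Count rule hits vs. plain archived events and attribute raw bytes per agent:location."""
    stats = {"total": 0, "alerts": 0, "archived_only": 0, "malformed": 0,
             "bytes_by_location": Counter()}
    for event, raw in iter_events(text):
        stats["total"] += 1
        if event is None:
            stats["malformed"] += 1
            continue
        # Events that matched a rule carry a "rule" object; logall-only events do not.
        stats["alerts" if "rule" in event else "archived_only"] += 1
        key = "%s:%s" % (event.get("agent", {}).get("name", "?"), event.get("location", "?"))
        stats["bytes_by_location"][key] += len(raw.encode("utf-8")) + 1  # +1 for the newline
    return stats
```

Run summarize() over a real archives.json (or a day's slice of it) before pointing Logstash at it to see which agent/log pairs will dominate the ossec-* indexes.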

-- 

--- 
You received this message because you are subscribed to the Google Groups 
"ossec-list" group.
