Ok so it appears there is a logstash.stdout file which could be used, which
is often turned on for debugging. It shows all information after it has been
parsed. It can also be fed certain parameters in order to format it. There
is a JSON codec.
Would OSSEC be capable of receiving such input, but breaking it down to
understand that there are multiple hosts within the one file?
Here is an example of the output with the ruby "awesome_print" codec applied, host
and usernames redacted.
{
       "message" => "Aug 12 13:14:01 <hostname> CRON[5670]: pam_unix(cron:session): session closed for user <username>",
      "@version" => "1",
    "@timestamp" => "2016-08-12T03:14:01.000Z",
        "source" => "/var/log/auth.log",
         "count" => 1,
        "fields" => nil,
          "beat" => {
        "hostname" => "<hostname>",
            "name" => "<hostname>"
    },
On Thursday, 11 August 2016 21:38:32 UTC+10, dan (ddpbsd) wrote:
>
> On Thu, Aug 11, 2016 at 2:09 AM, Charlie Wilson
> <[email protected]> wrote:
> > Hi I was wondering if anyone has any idea if it is possible for a local
> > OSSEC install on an ELK server (elasticsearch, logstash, kibana) to just
> > parse info and analyse the log files being sent to logstash?
> >
>
> OSSEC can't read from elasticsearch, but if logstash is reading from a
> file it should be able to read that file as well.
>
> > If agents like filebeat or even syslog are sending logs to the server
> > already, there would be no need to install the agent or setup agentless
> > methods on the clients.
> > Is this possible/feasible?
> >
>
--
---
You received this message because you are subscribed to the Google Groups
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to [email protected].
For more options, visit https://groups.google.com/d/optout.
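As an added example (not code from this thread, nor from the OSSEC or Logstash projects): a small Python script that reads Logstash json-codec stdout and separates the events per host, using beat.hostname and falling back to the hostname in the syslog header of the message field. It assumes the json codec writes one JSON object per line and that Filebeat populates beat.hostname; the field names are the ones visible in the awesome_print output above, and the sample events and host names are constructed placeholders.

```python
"""Added example: split Logstash json-codec stdout into per-host syslog-style lines.

Assumptions (not stated in the thread): Logstash's stdout output with the json
codec emits one JSON object per line, and Filebeat fills beat.hostname. Field
names follow the awesome_print output shown in the post. All sample data below
is constructed for this example.
"""
import json
import os
import re
from collections import defaultdict


def _event(host, ts, msg):
    # Build one constructed event shaped like the json codec output.
    return json.dumps({
        "message": msg, "@version": "1", "@timestamp": ts,
        "source": "/var/log/auth.log", "count": 1, "fields": None,
        "beat": {"hostname": host, "name": host},
    })


# Constructed sample stdout: a non-JSON startup line plus three events from two hosts.
SAMPLE_STDOUT = "\n".join([
    "Settings: Default pipeline workers: 4",  # constructed: logstash chatter, not an event
    _event("host-a", "2016-08-12T03:14:01.000Z",
           "Aug 12 13:14:01 host-a CRON[5670]: pam_unix(cron:session): session closed for user alice"),
    _event("host-b", "2016-08-12T03:14:02.000Z",
           "Aug 12 13:14:02 host-b sshd[2211]: Accepted publickey for bob from 10.0.0.5 port 51234 ssh2"),
    _event("host-a", "2016-08-12T03:14:03.000Z",
           "Aug 12 13:14:03 host-a CRON[5671]: pam_unix(cron:session): session opened for user alice by (uid=0)"),
])


def parse_events(text):
    """Return the JSON objects found in stdout text, skipping lines that are not events."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            obj = json.loads(line)
        except ValueError:
            continue  # startup messages, stack traces, etc. are not events
        if isinstance(obj, dict):
            events.append(obj)
    return events


def event_host(event):
    """Pick the originating host: beat.hostname first, else the syslog header in message."""
    beat = event.get("beat") or {}
    if beat.get("hostname"):
        return beat["hostname"]
    # Syslog header is "Mon DD HH:MM:SS host tag[pid]: ..." so the host is field 4.
    parts = event.get("message", "").split(None, 4)
    if len(parts) >= 4:
        return parts[3]
    return "unknown"


def split_by_host(events):
    """Group the raw message strings by originating host."""
    groups = defaultdict(list)
    for ev in events:
        groups[event_host(ev)].append(ev.get("message", ""))
    return dict(groups)


def safe_filename(host):
    """Reduce a host name to a safe file name: the field comes from the agent,
    so it must never be allowed to steer the path (e.g. '../')."""
    name = re.sub(r"[^A-Za-z0-9._-]", "_", host).lstrip(".")
    return name or "unknown"


def write_per_host_files(groups, directory):
    """Write <directory>/<host>.log for each host; OSSEC can then be pointed at
    each file as an ordinary syslog-format localfile."""
    os.makedirs(directory, exist_ok=True)
    written = []
    for host, lines in groups.items():
        path = os.path.join(directory, safe_filename(host) + ".log")
        with open(path, "a", encoding="utf-8") as fh:
            fh.write("\n".join(lines) + "\n")
        written.append(path)
    return written


if __name__ == "__main__":
    for host, lines in split_by_host(parse_events(SAMPLE_STDOUT)).items():
        print(host, len(lines), "line(s)")
```

The split is only worthwhile if the hostname field is trusted: beat.hostname is set by the sending agent, which is why the file name is sanitised before anything is written, and why the syslog header fallback should be treated as a hint rather than an identity.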