On Thu, Aug 11, 2016 at 11:23 PM, Charlie Wilson <[email protected]> wrote:
> Ok so it appears there is a logstash.stdout file which could be used which
> is often turned on for debugging. It shows all information after it has been
> parsed. It can also be fed certain parameters in order to format it. There
> is a JSON codec.
>
> Would OSSEC be capable of receiving such input, but breaking it down to
> understand that there are multiple hosts within the one file?
>
> Here is an example of the output with the ruby "awesome_print" codec applied, host
> and usernames redacted.
>
> {
>     "message" => "Aug 12 13:14:01 <hostname> CRON[5670]: pam_unix(cron:session): session closed for user <username>",
>     "@version" => "1",
>     "@timestamp" => "2016-08-12T03:14:01.000Z",
>     "source" => "/var/log/auth.log",
>     "count" => 1,
>     "fields" => nil,
>     "beat" => {
>         "hostname" => "<hostname>",
>         "name" => "<hostname>"
>     },
>

There's not really a json log format for OSSEC.

>
> On Thursday, 11 August 2016 21:38:32 UTC+10, dan (ddpbsd) wrote:
>>
>> On Thu, Aug 11, 2016 at 2:09 AM, Charlie Wilson
>> <[email protected]> wrote:
>> > Hi I was wondering if anyone has any idea if it is possible for a local
>> > OSSEC install on an ELK server (elasticsearch, logstash, kibana) to just
>> > parse info and analyse the log files being sent to logstash?
>> >
>>
>> OSSEC can't read from elasticsearch, but if logstash is reading from a
>> file it should be able to read that file as well.
>>
>> > If agents like filebeat or even syslog are sending logs to the server
>> > already, there would be no need to install the agent or setup agentless
>> > methods on the clients.
>> > Is this possible/feasible?
>> >
>> > --
>> >
>> > ---
>> > You received this message because you are subscribed to the Google
>> > Groups
>> > "ossec-list" group.
>> > To unsubscribe from this group and stop receiving emails from it, send
>> > an
>> > email to [email protected].
>> > For more options, visit https://groups.google.com/d/optout.
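An added example for the question in this thread (it is not part of the thread, and not code from OSSEC, logstash or filebeat). The JSON wrapper is the obstacle, since OSSEC has no JSON log format, but in the event Charlie quoted the original syslog line is still intact in the "message" field and carries the sending hostname in its header, which is what OSSEC's syslog pre-decoder extracts the hostname from. So one workable route is a small unwrapper that pulls "message" back out of each event and writes plain syslog lines to a file OSSEC monitors with <log_format>syslog</log_format>; the hostname on each line is then what tells the hosts apart. The script assumes logstash's `file` output with the `json_lines` codec (one JSON object per line) and filebeat-shaped events like the one above. The sample events, hostnames, users and addresses are constructed, and the "filebeat:" program name it synthesizes for messages that are not syslog lines is this example's own convention, not anything OSSEC or filebeat defines.

```python
"""Unwrap logstash json_lines events back into plain syslog lines for OSSEC.

Added example for the ossec-list thread, not code from OSSEC, logstash or
filebeat. Assumes logstash's `file` output with the `json_lines` codec and
events shaped like the quoted filebeat event: the original line in
"message", the shipping host in "beat.hostname", the time in "@timestamp".
Output lines are BSD syslog format, which OSSEC reads with
<log_format>syslog</log_format>, taking the hostname from each header.
"""
import json
import re
from collections import defaultdict
from datetime import datetime

# "Mon DD HH:MM:SS host ..." header as written by rsyslog/syslog-ng.
SYSLOG_HEADER = re.compile(r"^[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d (?P<host>\S+) \S")

# Constructed sample input (hostnames, users and addresses invented): two
# syslog hosts, one non-syslog app line, one event carrying an embedded
# newline, and one line that is not JSON at all.
SAMPLE_JSON_LINES = "\n".join([
    '{"message": "Aug 12 13:14:01 web01 CRON[5670]: pam_unix(cron:session): session closed for user alice", "@timestamp": "2016-08-12T03:14:01.000Z", "source": "/var/log/auth.log", "beat": {"hostname": "web01", "name": "web01"}}',
    '{"message": "Aug 12 13:14:07 db01 sshd[2201]: Failed password for invalid user admin from 203.0.113.5 port 51122 ssh2", "@timestamp": "2016-08-12T03:14:07.000Z", "source": "/var/log/auth.log", "beat": {"hostname": "db01", "name": "db01"}}',
    '{"message": "nightly dump finished", "@timestamp": "2016-08-12T03:15:00.000Z", "source": "/var/log/backup.log", "beat": {"hostname": "db01", "name": "db01"}}',
    '{"message": "Aug 12 13:16:02 web01 sshd[2210]: Invalid user root\\nAug 12 13:16:02 db01 sshd[1]: Accepted password for root", "@timestamp": "2016-08-12T03:16:02.000Z", "source": "/var/log/auth.log", "beat": {"hostname": "web01", "name": "web01"}}',
    'not json at all',
]) + "\n"


def _syslog_time(iso_ts):
    """ISO 8601 @timestamp -> 'Mon DD HH:MM:SS' (day space-padded, as syslog writes it)."""
    dt = datetime.strptime(iso_ts, "%Y-%m-%dT%H:%M:%S.%fZ")
    return "%s %2d %s" % (dt.strftime("%b"), dt.day, dt.strftime("%H:%M:%S"))


def unwrap_event(raw):
    """Turn one json_lines event into (hostname, syslog_line); None if unusable."""
    try:
        event = json.loads(raw)
    except ValueError:
        return None
    if not isinstance(event, dict):
        return None
    message = event.get("message")
    if not isinstance(message, str) or not message.strip():
        return None
    # One event must stay one output line: a message carrying a newline
    # would otherwise let whoever controls the logged string forge a
    # second record attributed to another host.
    message = message.replace("\r", "\\r").replace("\n", "\\n")
    m = SYSLOG_HEADER.match(message)
    if m:
        return m.group("host"), message
    # Not a syslog line (some other file shipped by filebeat): build a
    # header from the beat metadata so the hostname still reaches OSSEC.
    # The "filebeat" program name is this example's own convention.
    host = (event.get("beat") or {}).get("hostname")
    if not host:
        return None
    try:
        stamp = _syslog_time(event.get("@timestamp"))
    except (TypeError, ValueError):
        return None
    return host, "%s %s filebeat: %s" % (stamp, host, message)


def unwrap_lines(text):
    """Group a json_lines file into {host: [syslog lines]} and count skipped lines."""
    by_host = defaultdict(list)
    skipped = 0
    for raw in text.splitlines():
        if not raw.strip():
            continue
        result = unwrap_event(raw)
        if result is None:
            skipped += 1
            continue
        host, line = result
        by_host[host].append(line)
    return dict(by_host), skipped


if __name__ == "__main__":
    hosts, skipped = unwrap_lines(SAMPLE_JSON_LINES)
    for host, lines in sorted(hosts.items()):
        # In practice append these to the one file OSSEC monitors with
        # <log_format>syslog</log_format>; here they are just printed.
        for line in lines:
            print(line)
    print("skipped %d unusable line(s)" % skipped)
```

Run it on the sample and the two hosts' lines come out with their own hostnames, the non-JSON line is counted as skipped, and the event with the embedded newline stays a single line instead of turning into a forged "db01" record. Two caveats when pointing this at a real logstash file: the syslog header keeps the sending host's local time while "@timestamp" is UTC (visible in the quoted event, 13:14:01 against 03:14:01Z), so the synthesized headers for non-syslog messages are in UTC; and the beat metadata other than the hostname is dropped, which is fine for OSSEC since it would not decode it anyway.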
