I've recently set up my OSSEC server to output alerts to a JSON file. I'm sending it over to Logstash and Elasticsearch. I'd like to create a Kibana dashboard that defines individual OSSEC agent hosts.
The issue is that the JSON doesn't have its own dedicated field for the agent host. Here's an example alert event (location field):

"(example-host) 10.0.0.5->/var/log/messages"

Notice how the actual agent hostname is in parentheses? This makes it very difficult to unique on hostname alone. It would be much better if there were another field called location.agentHost, or some other field that contains just the agent hostname. Anyone know of a workaround so I can get the agent hostname in a JSON field all by itself?
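One way to split that location string into separate fields before it reaches Elasticsearch, as an added example that is not from the original post or from OSSEC itself: the regex below is the same one a Logstash grok or ruby filter would use, and the output field names (location_parsed, agent_host, agent_ip, log_path) and the handling of alerts without an agent prefix are assumptions, not OSSEC conventions.

```python
import re

# Regex for the OSSEC alert "location" string quoted in the post:
#   "(example-host) 10.0.0.5->/var/log/messages"
# agent_host: the hostname inside the parentheses
# agent_ip:   the agent address as OSSEC recorded it
# log_path:   the log source on the agent
AGENT_LOCATION = re.compile(
    r"^\((?P<agent_host>[^)]+)\)\s+(?P<agent_ip>[^\s>]+)->(?P<log_path>.+)$"
)


def parse_location(location: str) -> dict:
    """Split an OSSEC location string into separate fields.

    Alerts from remote agents carry the "(host) ip->path" prefix. Alerts
    generated on the manager itself (or any string that does not match)
    have no agent prefix, so the whole value is kept as log_path and the
    agent fields are set to None instead of raising (assumed behaviour).
    """
    m = AGENT_LOCATION.match(location)
    if not m:
        return {"agent_host": None, "agent_ip": None, "log_path": location}
    return m.groupdict()


def enrich_alert(alert: dict) -> dict:
    """Return a copy of a decoded OSSEC JSON alert with the parsed fields
    added under 'location_parsed' (assumed name) so 'location' stays intact
    and existing dashboards keep working."""
    enriched = dict(alert)
    enriched["location_parsed"] = parse_location(alert.get("location", ""))
    return enriched


if __name__ == "__main__":
    import json
    # Constructed sample alert carrying only the field the post shows.
    sample = {"location": "(example-host) 10.0.0.5->/var/log/messages"}
    print(json.dumps(enrich_alert(sample), indent=2))
```

In Kibana, a terms aggregation on location_parsed.agent_host (mapped as keyword) then gives one bucket per agent.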
