At my old job we had OSSEC configured to send to rsyslog.

Personally, I really dislike the 'write to a file and then scrape it with
another program' approach to logs.

Yes, it handles cases where your logserver is down, but you should have HA so
that's a very rare case.

But it causes a bunch of headaches:

1. a lot more disk I/O
2. polling to check if the file has changed
3. headaches if the files roll too fast
4. problems deciding when you can delete the files

It's just so much easier to pass the data directly to rsyslog and let it deal
with everything :-)

David Lang
On Wed, 7 May 2014, Josh Bitto wrote:
Date: Wed, 7 May 2014 09:44:43 -0700
From: Josh Bitto <[email protected]>
Reply-To: rsyslog-users <[email protected]>
To: rsyslog-users <[email protected]>
Subject: Re: [rsyslog] Rsyslog w/ logstash-elasticsearch-kibana server
Hello Everyone and Good Morning!
I have a new question for you all. Does anyone have this current setup with an
OSSEC server as well? I'm wondering which would be the better option: just
create an imfile for rsyslog to monitor the logs from OSSEC, or forward
them to rsyslog. I'm curious to find out if anyone else has this implemented
too!
Josh
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of
sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE
THAT.
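
An added example, not part of the original thread: a minimal rsyslog configuration for the direct hand-off described in the reply above, with a disk-assisted queue so alerts are buffered while the collector is unreachable. Port 5140, the collector hostname, the work directory and the default /var/ossec paths are assumptions.

```conf
# OSSEC side (ossec.conf on the OSSEC server), shown here as comments:
#   <syslog_output>
#     <server>127.0.0.1</server>
#     <port>5140</port>
#   </syslog_output>
# then enable the forwarder:
#   /var/ossec/bin/ossec-control enable client-syslog

# Spool directory for the disk-assisted queue (assumed path).
global(workDirectory="/var/spool/rsyslog")

module(load="imudp")

# Listen on loopback only, so nothing off-host can inject fake alerts.
input(type="imudp" address="127.0.0.1" port="5140" ruleset="ossec")

ruleset(name="ossec") {
    # Forward to the central collector (placeholder hostname).
    # The queue stays in memory and spills to disk during an outage;
    # resumeRetryCount -1 retries forever instead of dropping messages.
    action(type="omfwd"
           target="logserver.example.com" port="514" protocol="tcp"
           queue.type="LinkedList"
           queue.filename="ossec_fwd"
           queue.maxDiskSpace="1g"
           queue.saveOnShutdown="on"
           action.resumeRetryCount="-1")
}

# The imfile alternative from the question, for comparison (left disabled).
# It reads the alert file OSSEC writes, so the I/O, polling and rotation
# concerns listed in the reply apply to it.
# module(load="imfile")
# input(type="imfile"
#       File="/var/ossec/logs/alerts/alerts.log"
#       Tag="ossec:"
#       ruleset="ossec")
```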