AW: [ossec-list] OSSEC 2.8.1 JSON Format and Logstash challenges

2015-05-27 Thread T-SOC Operations
Thanks David. I'd like to avoid rsyslog and write directly to logstash, especially if ossec already supports json format. Unfortunately the alert ossec is sending in json format and the t_source table including the alert details are very hard to find a proper regex for. Therefore I asked if

Re: AW: [ossec-list] OSSEC 2.8.1 JSON Format and Logstash challenges

2015-05-27 Thread David Lang
the logs in ElasticSearch. David Lang On Wed, 27 May 2015, T-SOC Operations wrote: Date: Wed, 27 May 2015 16:03:46 +0200 From: T-SOC Operations t-soc-operati...@tiri.li Reply-To: ossec-list@googlegroups.com To: ossec-list@googlegroups.com Subject: AW: [ossec-list] OSSEC 2.8.1 JSON Format

AW: AW: [ossec-list] OSSEC 2.8.1 JSON Format and Logstash challenges

2015-05-27 Thread T-SOC Operations
2.8.1 JSON Format and Logstash challenges in a filter section do: grok { match => { "message" => "%{SYSLOGBASE} %{DATA:message}" } } json { source => "message" } I'm not saying to go to rsyslog to then go to logstash, I'm saying go to rsyslog to go to ElasticSearch

AW: AW: AW: [ossec-list] OSSEC 2.8.1 JSON Format and Logstash challenges

2015-05-27 Thread T-SOC Operations
Subject: AW: AW: [ossec-list] OSSEC 2.8.1 JSON Format and Logstash challenges Hi David, thanks for your time and patience! If I just used those filters, I do get _jsonparsefailure. So I just created different grok filters to match the messy encoded messages, but what I've seen as well

Re: AW: AW: [ossec-list] OSSEC 2.8.1 JSON Format and Logstash challenges

2015-05-27 Thread David Lang
: AW: [ossec-list] OSSEC 2.8.1 JSON Format and Logstash challenges in a filter section do: grok { match => { "message" => "%{SYSLOGBASE} %{DATA:message}" } } json { source => "message" } I'm not saying to go to rsyslog to then go to logstash, I'm saying go to rsyslog to go

Re: AW: AW: AW: [ossec-list] OSSEC 2.8.1 JSON Format and Logstash challenges

2015-05-27 Thread David Lang
@googlegroups.com [mailto:ossec-list@googlegroups.com] On behalf of David Lang Sent: Wednesday, 27 May 2015 19:08 To: ossec-list@googlegroups.com Subject: Re: AW: AW: [ossec-list] OSSEC 2.8.1 JSON Format and Logstash challenges on the input, force everything to utf8 On Wed, 27 May 2015, T-SOC

Re: AW: [ossec-list] OSSEC 2.8.1 JSON Format and Logstash challenges

2015-05-26 Thread David Lang
On Tue, 26 May 2015, T-SOC Operations wrote: Sorry, bloody Germans ;-) -someone sharing their logstash 1.5.0 ossec grok filter (ossec.log + alerts.log, also the permission challenges on those files) -clean json formatted events from ossec to logstash input handler I thought the ossec json

AW: [ossec-list] OSSEC 2.8.1 JSON Format and Logstash challenges

2015-05-26 Thread T-SOC Operations
Sorry, bloody Germans ;-) -someone sharing their logstash 1.5.0 ossec grok filter (ossec.log + alerts.log, also the permission challenges on those files) -clean json formatted events from ossec to logstash input handler I thought the ossec json message is properly formatted and therefore