Thanks David.
I'd like to avoid rsyslog and write directly to Logstash, especially since
OSSEC already supports JSON format.
Unfortunately, for the alert OSSEC is sending in JSON format and the t_source
table including the alert details, it is very hard to find a proper regex.
Therefore I asked if
the logs
in ElasticSearch.
David Lang
On Wed, 27 May 2015, T-SOC Operations wrote:
Date: Wed, 27 May 2015 16:03:46 +0200
From: T-SOC Operations t-soc-operati...@tiri.li
Reply-To: ossec-list@googlegroups.com
To: ossec-list@googlegroups.com
Subject: AW: [ossec-list] OSSEC 2.8.1 JSON Format and Logstash challenges
in a filter section do:
grok {
  match => { "message" => "%{SYSLOGBASE} %{GREEDYDATA:message}" }
  # GREEDYDATA instead of DATA: a lazy DATA at the very end of an unanchored
  # pattern matches the empty string, leaving nothing for the json filter.
  # grok appends to an existing field, which would turn "message" into an
  # array; overwrite keeps it a plain string (both fixes added in this edit).
  overwrite => [ "message" ]
}
json {
  source => "message"
}
I'm not saying to go to rsyslog to then go to logstash, I'm saying go to
rsyslog to go to ElasticSearch
Subject: AW: AW: [ossec-list] OSSEC 2.8.1 JSON Format and Logstash challenges
Hi David,
thanks for your time and patience!
If I just used those filters, I do get _jsonparsefailure.
So I just created different grok filters to match the messily encoded
messages, but what I've seen as well
@googlegroups.com [mailto:ossec-list@googlegroups.com] On behalf
of David Lang
Sent: Wednesday, 27 May 2015 19:08
To: ossec-list@googlegroups.com
Subject: Re: AW: AW: [ossec-list] OSSEC 2.8.1 JSON Format and Logstash
challenges
On the input, force everything to UTF-8.
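A complete pipeline that puts David's two suggestions together (force UTF-8 on the input, then grok the syslog header off the line before handing the remainder to the json filter). This is an added example, not code from the thread or from the OSSEC or Logstash projects; the UDP port, the "ossec" target field and the sample alert line in the comment are assumptions.

```logstash
# Added example (not from the thread). Assumed: OSSEC's syslog output is
# pointed at this host on UDP/5514 and every line is a syslog header
# followed by the alert as JSON, roughly (constructed sample):
#   May 27 16:03:46 ossec-server ossec: {"rule":{"level":7},"srcip":"10.0.0.5"}
input {
  udp {
    port  => 5514
    # Decode every incoming byte sequence as UTF-8 at the input stage;
    # invalid sequences are replaced instead of being passed through, so a
    # stray high byte from an agent cannot break the JSON parse further down.
    codec => plain { charset => "UTF-8" }
  }
}

filter {
  grok {
    # Strip the syslog header; what remains in "message" is the JSON body.
    # GREEDYDATA, not DATA: a lazy DATA at the end of an unanchored pattern
    # matches the empty string and the json filter would get nothing.
    match     => { "message" => "%{SYSLOGBASE} %{GREEDYDATA:message}" }
    # grok appends to an existing field, which would leave "message" as an
    # array [original, captured] and yield _jsonparsefailure; overwrite it.
    overwrite => [ "message" ]
  }
  json {
    source => "message"
    # Nest the parsed alert under "ossec" rather than spreading its keys
    # (rule, srcip, location, ...) across the top level of the event.
    target => "ossec"
  }
}

output {
  # Print the decoded event while testing; swap in the elasticsearch output
  # once the "ossec" field looks right.
  stdout { codec => rubydebug }
}
```

Run Logstash with this file and send one alert line to the port; the rubydebug output should show `message` as the bare JSON string and the parsed alert under `ossec`. If `_jsonparsefailure` still appears, check the `message` field first: a leftover syslog prefix means the `%{SYSLOGBASE}` pattern did not match the sender's header format, and an empty string means the DATA/GREEDYDATA pitfall above.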
On Wed, 27 May 2015, T-SOC
On Tue, 26 May 2015, T-SOC Operations wrote:
Sorry, bloody Germans ;-)
-someone sharing their logstash 1.5.0 ossec grok filter (ossec.log +
alerts.log, also the permission challenges on those files)
-clean json formatted events from ossec to logstash input handler
I thought the ossec json message is properly formatted and therefore