I sometimes see issues with syslog message size errors (I couldn't find one to demonstrate, but I'll keep looking). If we eliminated syslog from the equation completely, would this resolve the issue? Could there be other benefits of using JSON directly into ELK?
I sometimes see issues with syslog message size errors
Yes, I have the same error sometimes. It's because syslog was originally designed only for UDP and was limited by the MTU size.
json will be easy to parse.
I plan to work on a similar feature, but I plan to forward /var/osssec/log/alert.log with logstash-forwarder because its log contains the changes in files that syscheck detects.
@craiglawson, can you please check whether the JSON logs contain changes in files if the option report_changes=yes is set up for syscheck?
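The two points raised in this reply, that a size-limited syslog transport can cut an alert off mid-message and that newline-delimited JSON is simple to parse, can be checked with a small reader. The following is an added example, not code from this thread or from OSSEC itself. The sample alert lines are constructed; the key names (`rule`, `SyscheckFile`, `md5_before`, `md5_after`, `diff`) are assumptions about the jsonout format rather than something this thread confirms, and the 1024-byte limit is the traditional RFC 3164 syslog message maximum.

```python
import json

# Constructed sample lines, not real OSSEC output. Two are well-formed JSON
# alerts in the assumed jsonout style; the third is cut short the way a
# size-limited transport would truncate an oversized message.
SAMPLE_LINES = [
    '{"rule": {"level": 7, "comment": "Integrity checksum changed.", "sidid": 550}, '
    '"id": "1424273055.1234", "location": "syscheck", "hostname": "web01", '
    '"SyscheckFile": {"path": "/etc/passwd", '
    '"md5_before": "d41d8cd98f00b204e9800998ecf8427e", '
    '"md5_after": "0cc175b9c0f1b6a831c399e269772661", '
    '"diff": "1c1\\n< root:x:0:0:root:/root:/bin/bash\\n---\\n> root:x:0:0:root:/root:/bin/sh"}}',
    '{"rule": {"level": 5, "comment": "SSHD authentication failed.", "sidid": 5716}, '
    '"id": "1424273099.4321", "location": "/var/log/auth.log", "hostname": "web01", '
    '"srcip": "203.0.113.7"}',
    # truncated mid-object: the failure mode a size-limited transport produces
    '{"rule": {"level": 7, "comment": "Integrity checksum changed.", "sidid": 550}, '
    '"id": "1424273120.9999", "location": "syscheck", '
    '"SyscheckFile": {"path": "/etc/ssh/sshd_config", "md5_bef',
]

# Traditional syslog (RFC 3164) message maximum in bytes.
SYSLOG_MAX_BYTES = 1024


def oversized_for_syslog(line, max_bytes=SYSLOG_MAX_BYTES):
    """True if a single alert line would exceed the classic syslog size limit."""
    return len(line.encode("utf-8")) > max_bytes


def parse_alert_lines(lines):
    """Parse newline-delimited JSON alerts.

    Returns (alerts, rejected): parsed dicts, and a record per line that is
    not valid JSON (e.g. truncated in transit) so nothing is silently lost.
    """
    alerts, rejected = [], []
    for number, line in enumerate(lines, 1):
        line = line.strip()
        if not line:
            continue
        try:
            alerts.append(json.loads(line))
        except json.JSONDecodeError as exc:
            rejected.append({"line": number, "error": str(exc), "length": len(line)})
    return alerts, rejected


def syscheck_changes(alerts):
    """Extract file-change details from syscheck alerts (key names assumed)."""
    changes = []
    for alert in alerts:
        entry = alert.get("SyscheckFile")
        if not entry:
            continue
        changes.append({
            "path": entry.get("path"),
            "md5_before": entry.get("md5_before"),
            "md5_after": entry.get("md5_after"),
            # report_changes=yes would be what populates a diff, if present
            "has_diff": "diff" in entry,
        })
    return changes


if __name__ == "__main__":
    alerts, rejected = parse_alert_lines(SAMPLE_LINES)
    print(f"parsed {len(alerts)} alert(s), rejected {len(rejected)} line(s)")
    for item in rejected:
        print(f"  line {item['line']} ({item['length']} chars): {item['error']}")
    for change in syscheck_changes(alerts):
        print(f"  syscheck: {change}")
```

Reading the JSON file directly keeps each alert as one self-contained record, so a truncated line shows up as a parse error that can be counted and alerted on, instead of becoming a partially readable syslog line that a text parser may accept without complaint.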
I don't (yet) have an instance to test with. Upon further investigation, the <jsonout_output> feature is due to arrive with OSSEC 2.9 (or with some GitHub branches).
I found this: http://notes.is9.co/2015/02/18/ossec-json-elk/
I'm not sure how much it would help the project, just thought it was worth suggesting?