archives.log and logstash


Martynas Buožis

May 26, 2015, 7:01:46 AM
to ossec...@googlegroups.com
Hello

Does anyone have a working archives.log integration with logstash?

Thanks for any advice.

With best regards
Martynas

dan (ddp)

May 26, 2015, 1:06:59 PM
to ossec...@googlegroups.com
On Tue, May 26, 2015 at 7:00 AM, Martynas Buožis <m...@nrdcs.lt> wrote:
> Hello
>
> Does anyone have a working archives.log integration with logstash?
>
> Thanks for any advice.
>

I think you can read the file with syslog-ng, strip off the OSSEC
specific header, and use syslog-ng to forward the log messages to
logstash. I feel like I looked into stripping the header many years
ago with syslog-ng, but I don't remember details.

> With best regards
> Martynas
>

Daniil Svetlov

Jun 29, 2015, 5:16:34 PM
to ossec...@googlegroups.com
Hello, Martynas!

I have a working solution in my project LightSIEM.
You are looking for the pattern named OSSEC_MESSAGE_FULL.

Tue, May 26, 2015 at 20:07, dan (ddp) <ddp...@gmail.com>:

--
Best regards, Daniil Svetlov.

Michael Starks

Jun 29, 2015, 6:24:27 PM
to ossec...@googlegroups.com
On 05/26/2015 12:03 PM, dan (ddp) wrote:

> I think you can read the file with syslog-ng, strip off the OSSEC
> specific header, and use syslog-ng to forward the log messages to
> logstash. I feel like I looked into stripping the header many years
> ago with syslog-ng, but I don't remember details.

Yes, I have done this. But as logs in there follow no standard, it will
have to be reverse-engineered and syslog-ng parsers written to make them
useful. And it will likely break in the future.
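The two replies above describe the same job from opposite ends: dan suggests stripping the OSSEC-specific header before forwarding, and Michael points out that whatever sits behind that header is arbitrary and the split will need maintaining. The following is an added example, not code from the thread, from LightSIEM or from OSSEC itself. It assumes the usual archives.log layout written by ossec-analysisd (`YYYY Mon DD HH:MM:SS (agent) ip->location original log` for agent events, and `YYYY Mon DD HH:MM:SS hostname->location original log` for logs the manager collects itself), separates that header from the original log line, and keeps count of lines that do not match so a format change shows up instead of silently disappearing. The sample lines are constructed.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

# Assumed archives.log header layout (not taken from the thread):
#   "YYYY Mon DD HH:MM:SS (agent) ip->location original log"   for agent events
#   "YYYY Mon DD HH:MM:SS hostname->location original log"     for the manager itself
# Lazy quantifiers on ip/host stop at the first "->"; the location runs to the
# next space, and everything after that is the untouched original log line.
HEADER_RE = re.compile(
    r"^(?P<ts>\d{4} [A-Z][a-z]{2} \d{2} \d{2}:\d{2}:\d{2}) "
    r"(?:\((?P<agent>[^)]*)\) (?P<ip>\S+?)|(?P<host>\S+?))"
    r"->(?P<location>\S+) (?P<message>.*)$"
)


@dataclass
class ArchiveEvent:
    timestamp: str          # when OSSEC received the event, not the event's own time
    agent: Optional[str]    # None when the manager collected the log itself
    source: str             # agent IP (or "any"), or the manager hostname
    location: str           # file path or log channel on the source host
    message: str            # the original log line with the OSSEC header removed


def parse_line(line: str) -> Optional[ArchiveEvent]:
    """Split one archives.log line; None means the line carries no OSSEC header."""
    m = HEADER_RE.match(line.rstrip("\n"))
    if m is None:
        return None
    agent_event = m["agent"] is not None
    return ArchiveEvent(
        timestamp=m["ts"],
        agent=m["agent"],
        source=m["ip"] if agent_event else m["host"],
        location=m["location"],
        message=m["message"],
    )


def strip_header(line: str) -> str:
    """The payload to forward to logstash; lines without a header pass through unchanged."""
    ev = parse_line(line)
    return ev.message if ev is not None else line.rstrip("\n")


def parse_lines(lines: Iterable[str]) -> Tuple[List[ArchiveEvent], List[str]]:
    """Parse a batch, returning the unmatched lines separately so drift is visible."""
    events: List[ArchiveEvent] = []
    unparsed: List[str] = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            unparsed.append(line)
        else:
            events.append(ev)
    return events, unparsed


# Constructed sample input: two agent events, one manager-local event, one stray line.
SAMPLE_LINES = [
    "2015 May 26 07:00:01 (web01) 192.168.1.10->/var/log/auth.log "
    "May 26 07:00:01 web01 sshd[1234]: Accepted publickey for deploy from 10.0.0.5 port 51022 ssh2",
    "2015 May 26 07:00:02 ossec-manager->/var/log/messages "
    "May 26 07:00:02 ossec-manager kernel: usb 1-1: new high-speed USB device",
    "2015 May 26 07:00:03 (db01) any->WinEvtLog "
    "WinEvtLog: Security: AUDIT_FAILURE(4625): An account failed to log on.",
    "garbage line without an OSSEC header",
]

if __name__ == "__main__":
    events, unparsed = parse_lines(SAMPLE_LINES)
    for ev in events:
        print(f"{ev.agent or '<manager>'}@{ev.source} {ev.location}: {ev.message[:40]}...")
    print(f"{len(events)} parsed, {len(unparsed)} unparsed")
```

Each field the header carries (agent, source, location) is worth keeping as its own field rather than discarding it with the header, because once the original line is forwarded on its own there is no other way to tell which host and file it came from. The unparsed list is the cheap guard against the breakage Michael predicts: alert on it growing rather than on events quietly vanishing.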

Martynas Buožis

Jun 30, 2015, 7:17:12 AM
to ossec...@googlegroups.com
Hello

Thanks a mil. I will check that.

Martynas

Dan Burns

Aug 18, 2015, 2:11:14 PM
to ossec-list
Hi Daniil,

I'm interested in using your pattern to read the archives.log file with Logstash. Am I correct that I can use this on the file input for the archives.log file to properly parse messages?

Daniil Svetlov

Aug 19, 2015, 12:50:57 PM
to ossec...@googlegroups.com

Hello, Dan.

Yes, you can use that pattern for reading archives.log, and you can also use a tool like logstash-forwarder if your logstash is installed on a separate server.

Feel free to ask me if you have any questions.


Tue, Aug 18, 2015, 21:11, Dan Burns <dburn...@gmail.com>: