Sending OSSEC Alerts to Sumologic


charle...@decisivedge.com

Dec 14, 2017, 11:08:19 AM
to ossec-list
Hello All

I was wondering if anyone has been able to send OSSEC Alerts into Sumologic. 

If one has been able to do this, can you please post how to do it, and also let me know what settings you enabled within Sumologic and the regex script you used for 1 or 2 different alerts.

Thanks
Chuck


Maarten Broekman

Dec 15, 2017, 6:13:43 AM
to ossec-list
Hello Chuck,
  The OSSEC server writes its alerts out to /var/ossec/logs/alerts/alerts.log. Normally, that's where they stay unless you write your own tools to transfer them somewhere else. I'm not familiar with Sumologic, but you might want to check with the Sumologic folks to see if they have something to import OSSEC logs.

Maarten

charle...@decisivedge.com

Dec 15, 2017, 10:26:18 AM
to ossec-list
Thank you.

This solves one of my current issues.

Thank you again.

Chuck


dan (ddp)

Dec 21, 2017, 8:04:43 AM
to ossec...@googlegroups.com
On Fri, Dec 15, 2017 at 6:13 AM, Maarten Broekman
<maarten....@gmail.com> wrote:
> Hello Chuck,
> The OSSEC server writes its alerts out to
> /var/ossec/logs/alerts/alerts.log. Normally, that's where they stay unless
> you write your own tools to transfer them somewhere else. I'm not familiar
> with Sumologic, but you might want to check with the Sumologic folks to see
> if they have something to import OSSEC logs.
>

If sumologic can read json, you can also log to alerts.json.
If sumologic accepts syslog (and what kind of siem would it be if it
didn't?), you can enable and use the client-syslog daemon. There are
various output formats (including CEF and json I believe).

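The alerts.log layout Maarten mentions and the per-alert fields Chuck asks about, as an added example that is not from this thread or from the OSSEC project: a small Python parser that turns alerts.log blocks into one JSON object per alert, the flat shape a JSON-capable SIEM source can ingest. The sample log is constructed, and the output field names are my own choice, not an OSSEC or Sumologic schema.

```python
import json
import re
from typing import Iterator

# Constructed sample in the layout OSSEC writes to alerts.log: a "** Alert" header,
# an origin line, a "Rule:" line, optional Src IP/User lines, then the raw log.
SAMPLE_ALERTS_LOG = """\
** Alert 1513267699.4321: - syslog,sshd,authentication_failed,
2017 Dec 14 11:08:19 (agent01) 10.0.0.5->/var/log/auth.log
Rule: 5716 (level 5) -> 'SSHD authentication failed.'
Src IP: 203.0.113.7
User: root
Dec 14 11:08:18 agent01 sshd[1234]: Failed password for root from 203.0.113.7 port 4242 ssh2

** Alert 1513267760.5555: mail  - ossec,syscheck,
2017 Dec 14 11:09:20 ossec-server->syscheck
Rule: 550 (level 7) -> 'Integrity checksum changed.'
Integrity checksum changed for: '/etc/passwd'
"""

HEADER_RE = re.compile(r"^\*\* Alert (?P<ts>\d+\.\d+):[^-]*- (?P<groups>.*)$")
ORIGIN_RE = re.compile(r"^(?P<time>\d{4} \w{3} +\d{1,2} \d\d:\d\d:\d\d) (?P<origin>.+?)->(?P<location>.*)$")
RULE_RE = re.compile(r"^Rule: (?P<rule_id>\d+) \(level (?P<level>\d+)\) -> '(?P<description>.*)'$")
FIELD_RES = (ORIGIN_RE, RULE_RE,
             re.compile(r"^Src IP: (?P<srcip>\S+)$"),
             re.compile(r"^User: (?P<user>\S+)$"))

def parse_alerts(text: str) -> Iterator[dict]:
    for block in re.split(r"\n\s*\n", text.strip()):  # blank line separates alerts
        lines = block.splitlines()
        m = HEADER_RE.match(lines[0])
        if not m:
            continue  # skip anything that is not an alert block
        alert = {"timestamp": float(m["ts"]),
                 "groups": [g for g in m["groups"].split(",") if g]}
        raw = []  # lines no field regex claimed, i.e. the original log event
        for line in lines[1:]:
            for field_re in FIELD_RES:
                fm = field_re.match(line)
                if fm:  # numeric captures (rule id, level) become ints
                    alert.update({k: int(v) if v.isdigit() else v for k, v in fm.groupdict().items()})
                    break
            else:
                raw.append(line)
        alert["full_log"] = "\n".join(raw)
        yield alert

def to_json_lines(text: str) -> list[str]:
    return [json.dumps(a, sort_keys=True) for a in parse_alerts(text)]
```

Pointing `parse_alerts` at the contents of /var/ossec/logs/alerts/alerts.log gives the same output for real alerts, but alerts.json (if enabled) already carries these fields, so prefer it when the collector can read JSON.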