[prev in list] [next in list] [prev in thread] [next in thread]
List: ossec-list
Subject: RE: [ossec-list] archives.log and logstash
From: Martynas Buožis <mb () nrdcs ! lt>
Date: 2015-06-30 11:15:25
Message-ID: 26731f41dd2447a59cff76ce9290253d () nmail01 ! baipgroup ! lt
[Download RAW message or body]
Hello
Thanks a mil. I will check that.
Martynas
From: ossec-list@googlegroups.com [mailto:ossec-list@googlegroups.com] On Behalf Of \
Daniil Svetlov
Sent: Tuesday, June 30, 2015 12:07 AM
To: ossec-list@googlegroups.com
Subject: Re: [ossec-list] archives.log and logstash
Hello, Martynas!
I have workin solution in my project LightSIEM.
You can find patterns in file \
https://github.com/dsvetlov/lightsiem/blob/master/roles/elk/files/ossec.pattern You \
are looking for pettern named OSSEC_MESSAGE_FULL.
вт, 26 мая 2015 г. в 20:07, dan (ddp) \
<ddpbsd@gmail.com<mailto:ddpbsd@gmail.com>>: On Tue, May 26, 2015 at 7:00 AM, \
Martynas Buožis <mb@nrdcs.lt<mailto:mb@nrdcs.lt>> wrote:
> Hello
>
> Maybe anyone has working archives.log integration with logstash ?
>
> Thanks for an advise.
>
I think you can read the file with syslog-ng, strip of the OSSEC
specific header, and use syslog-ng to foward the log messages to
logstash. I feel like I looked into stripping the header many years
ago with syslog-ng, but I don't remember details.
> With best regards
> Martynas
>
> --
>
> ---
> You received this message because you are subscribed to the Google Groups \
> "ossec-list" group. To unsubscribe from this group and stop receiving emails from \
> it, send an email to \
> ossec-list+unsubscribe@googlegroups.com<mailto:ossec-list%2Bunsubscribe@googlegroups.com>.
> For more options, visit https://groups.google.com/d/optout.
--
---
You received this message because you are subscribed to the Google Groups \
"ossec-list" group. To unsubscribe from this group and stop receiving emails from it, \
send an email to ossec-list+unsubscribe@googlegroups.com<mailto:ossec-list%2Bunsubscribe@googlegroups.com>.
For more options, visit https://groups.google.com/d/optout.
--
--
С уважением, Светлов Даниил.
--
---
You received this message because you are subscribed to the Google Groups \
"ossec-list" group. To unsubscribe from this group and stop receiving emails from it, \
send an email to ossec-list+unsubscribe@googlegroups.com<mailto:ossec-list+unsubscribe@googlegroups.com>.
For more options, visit https://groups.google.com/d/optout.
--
---
You received this message because you are subscribed to the Google Groups \
"ossec-list" group. To unsubscribe from this group and stop receiving emails from it, \
send an email to ossec-list+unsubscribe@googlegroups.com. For more options, visit \
https://groups.google.com/d/optout.
[Attachment #3 (text/html)]
<html xmlns:v="urn:schemas-microsoft-com:vml" \
xmlns:o="urn:schemas-microsoft-com:office:office" \
xmlns:w="urn:schemas-microsoft-com:office:word" \
xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" \
xmlns="http://www.w3.org/TR/REC-html40"> <head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<meta name="Generator" content="Microsoft Word 15 (filtered medium)">
<style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:Consolas;
panose-1:2 11 6 9 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0cm;
margin-bottom:.0001pt;
font-size:12.0pt;
font-family:"Times New Roman",serif;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
p
{mso-style-priority:99;
mso-margin-top-alt:auto;
margin-right:0cm;
mso-margin-bottom-alt:auto;
margin-left:0cm;
font-size:12.0pt;
font-family:"Times New Roman",serif;}
span.EmailStyle18
{mso-style-type:personal-reply;
font-family:"Calibri",sans-serif;
color:#1F497D;}
.MsoChpDefault
{mso-style-type:export-only;
font-family:"Calibri",sans-serif;
mso-fareast-language:EN-US;}
@page WordSection1
{size:612.0pt 792.0pt;
margin:3.0cm 1.0cm 2.0cm 3.0cm;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body lang="LT" link="blue" vlink="purple">
<div class="WordSection1">
<p class="MsoNormal"><span \
style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D;mso-fareast-language:EN-US">Hello<o:p></o:p></span></p>
<p class="MsoNormal"><span \
style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D;mso-fareast-language:EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span \
style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D;mso-fareast-language:EN-US">Thanks \
a mil. I will check that. <o:p></o:p></span></p>
<p class="MsoNormal"><span \
style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D;mso-fareast-language:EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span \
style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D;mso-fareast-language:EN-US">Martynas
<o:p></o:p></span></p>
<p class="MsoNormal"><span \
style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D;mso-fareast-language:EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><b><span lang="EN-US" \
style="font-size:11.0pt;font-family:"Calibri",sans-serif">From:</span></b><span \
lang="EN-US" style="font-size:11.0pt;font-family:"Calibri",sans-serif"> \
ossec-list@googlegroups.com [mailto:ossec-list@googlegroups.com] <b>On Behalf Of \
</b>Daniil Svetlov<br> <b>Sent:</b> Tuesday, June 30, 2015 12:07 AM<br>
<b>To:</b> ossec-list@googlegroups.com<br>
<b>Subject:</b> Re: [ossec-list] archives.log and logstash<o:p></o:p></span></p>
<p class="MsoNormal"><o:p> </o:p></p>
<div>
<p class="MsoNormal">Hello, <span \
style="font-size:10.0pt">Martynas!</span><o:p></o:p></p> <div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:10.0pt">I have workin solution in my \
project LightSIEM.</span><o:p></o:p></p> </div>
<div>
<p class="MsoNormal"><span style="font-size:10.0pt">You can find patterns in \
file </span><a href="https://github.com/dsvetlov/lightsiem/blob/master/roles/elk/ \
files/ossec.pattern">https://github.com/dsvetlov/lightsiem/blob/master/roles/elk/files/ossec.pattern</a><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal">You are looking for pettern named <span \
style="font-size:9.0pt;font-family:Consolas;color:#333333">OSSEC_MESSAGE_FULL.</span><o:p></o:p></p>
</div>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<div>
<div>
<p class="MsoNormal">вт, 26 мая 2015 г. в 20:07, dan (ddp) <<a \
href="mailto:ddpbsd@gmail.com">ddpbsd@gmail.com</a>>:<o:p></o:p></p> </div>
<blockquote style="border:none;border-left:solid #CCCCCC 1.0pt;padding:0cm 0cm 0cm \
6.0pt;margin-left:4.8pt;margin-right:0cm"> <p class="MsoNormal">On Tue, May 26, 2015 \
at 7:00 AM, Martynas Buožis <<a href="mailto:mb@nrdcs.lt" \
target="_blank">mb@nrdcs.lt</a>> wrote:<br> > Hello<br>
><br>
> Maybe anyone has working archives.log integration with logstash ?<br>
><br>
> Thanks for an advise.<br>
><br>
<br>
I think you can read the file with syslog-ng, strip of the OSSEC<br>
specific header, and use syslog-ng to foward the log messages to<br>
logstash. I feel like I looked into stripping the header many years<br>
ago with syslog-ng, but I don't remember details.<br>
<br>
> With best regards<br>
> Martynas<br>
><br>
> --<br>
><br>
> ---<br>
> You received this message because you are subscribed to the Google Groups \
"ossec-list" group.<br> > To unsubscribe from this group and stop \
receiving emails from it, send an email to <a \
href="mailto:ossec-list%2Bunsubscribe@googlegroups.com" \
target="_blank">ossec-list+unsubscribe@googlegroups.com</a>.<br> > For more \
options, visit <a href="https://groups.google.com/d/optout" target="_blank"> \
https://groups.google.com/d/optout</a>.<br> <br>
--<br>
<br>
---<br>
You received this message because you are subscribed to the Google Groups \
"ossec-list" group.<br> To unsubscribe from this group and stop receiving \
emails from it, send an email to <a \
href="mailto:ossec-list%2Bunsubscribe@googlegroups.com" \
target="_blank">ossec-list+unsubscribe@googlegroups.com</a>.<br> For more \
options, visit <a href="https://groups.google.com/d/optout" target="_blank"> \
https://groups.google.com/d/optout</a>.<o:p></o:p></p> </blockquote>
</div>
<div>
<p class="MsoNormal">-- <o:p></o:p></p>
</div>
<div>
<p>--<br>
С уважением, Светлов Даниил.<o:p></o:p></p>
</div>
<p class="MsoNormal">-- <br>
<br>
--- <br>
You received this message because you are subscribed to the Google Groups \
"ossec-list" group.<br> To unsubscribe from this group and stop receiving \
emails from it, send an email to <a \
href="mailto:ossec-list+unsubscribe@googlegroups.com">ossec-list+unsubscribe@googlegroups.com</a>.<br>
For more options, visit <a \
href="https://groups.google.com/d/optout">https://groups.google.com/d/optout</a>.<o:p></o:p></p>
</div>
</body>
</html>
<p></p>
-- <br />
<br />
--- <br />
You received this message because you are subscribed to the Google Groups \
"ossec-list" group.<br /> To unsubscribe from this group and stop receiving \
emails from it, send an email to <a \
href="mailto:ossec-list+unsubscribe@googlegroups.com">ossec-list+unsubscribe@googlegroups.com</a>.<br \
/> For more options, visit <a \
href="https://groups.google.com/d/optout">https://groups.google.com/d/optout</a>.<br \
/>
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic