OSSEC and grok:

I’m currently testing this with the syslog alerts from SecurityOnion:

grok {
    # OSSEC alerts as forwarded over syslog. The alert's own syslog program field is normally
    # "ossec:", so the colon is made optional (WORD alone would stop the match there), and
    # IPORHOST accepts either an address or a hostname as the forwarding sensor.
    # %{SYSLOGBASE} consumes the embedded original event's header (timestamp, host, program[pid]:)
    # so event_msg holds only the original log body. Note that optional "srcip: ...;" and
    # "user: ...;" fields OSSEC emits after Location end up inside event_logfile.
    match => {
        "message" => "%{SYSLOGTIMESTAMP:alert_timestamp} %{IPORHOST:alert_source} %{WORD:alert_program}:? Alert Level: %{NUMBER:alert_level}; Rule: %{NUMBER:alert_sid} - %{GREEDYDATA:alert_msg}; Location: %{GREEDYDATA:event_source}->%{GREEDYDATA:event_logfile}; %{SYSLOGBASE} %{GREEDYDATA:event_msg}$"
    }
}
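To see what a pattern of this shape actually extracts before loading it into Logstash, the following is an added example, not code from the original post nor from OSSEC or Security Onion. It translates the grok into an equivalent Python regex and runs it over two constructed OSSEC-style alert lines (hostnames, IPs and the sensor address are made up). It assumes the Logstash input leaves the complete syslog header in `message`, and it goes one step beyond the grok above by capturing the optional `srcip:`/`user:` fields OSSEC inserts between Location and the original log into their own dictionary instead of letting them spill into `event_logfile`.

```python
import re
from typing import Optional

# Hand-expanded equivalents of the grok building blocks used above
# (SYSLOGTIMESTAMP, IPORHOST, SYSLOGBASE with its optional [pid]).
MONTH = r"(?:Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec)"
SYSLOGTIMESTAMP = rf"{MONTH} +\d{{1,2}} \d{{2}}:\d{{2}}:\d{{2}}"
HOST = r"[A-Za-z0-9._-]+"

OSSEC_ALERT = re.compile(
    rf"^(?P<alert_timestamp>{SYSLOGTIMESTAMP}) "
    rf"(?P<alert_source>{HOST}) "
    r"(?P<alert_program>\w+):? "                     # usually "ossec:"; colon optional
    r"Alert Level: (?P<alert_level>\d+); "
    r"Rule: (?P<alert_sid>\d+) - (?P<alert_msg>.*?); "
    r"Location: (?P<event_source>.*?)->(?P<event_logfile>[^;]+);"
    r"(?P<alert_fields>(?: \w+: [^;]*;)*) "          # optional "srcip: ...;" / "user: ...;"
    rf"(?P<event_timestamp>{SYSLOGTIMESTAMP}) "     # start of the embedded original event
    rf"(?P<event_host>{HOST}) "
    r"(?P<event_program>\w+)(?:\[(?P<event_pid>\d+)\])?: "
    r"(?P<event_msg>.*)$"
)


def parse_ossec_alert(line: str) -> Optional[dict]:
    """Return the extracted fields for one OSSEC-over-syslog alert, or None if it does not match."""
    m = OSSEC_ALERT.match(line)
    if not m:
        return None
    fields = m.groupdict()
    # Turn " srcip: 203.0.113.7; user: root;" into {"srcip": "...", "user": "root"}
    extra = {}
    for item in fields.pop("alert_fields").split(";"):
        item = item.strip()
        if item:
            key, _, value = item.partition(": ")
            extra[key] = value
    fields["alert_fields"] = extra
    fields["alert_level"] = int(fields["alert_level"])
    fields["alert_sid"] = int(fields["alert_sid"])
    return fields


# Constructed sample alerts (hypothetical hosts and addresses), one with an
# optional srcip field and one without, so both branches of the pattern are exercised.
SAMPLE_SSHD = (
    "Jan  5 10:16:03 10.0.0.5 ossec: Alert Level: 5; Rule: 5716 - SSHD authentication failed.; "
    "Location: (webserver) 10.0.0.21->/var/log/auth.log; srcip: 203.0.113.7; "
    "Jan  5 10:16:02 webserver sshd[2193]: Failed password for invalid user admin "
    "from 203.0.113.7 port 51022 ssh2"
)
SAMPLE_SUDO = (
    "Jan  5 10:15:42 10.0.0.5 ossec: Alert Level: 3; Rule: 5402 - Successful sudo to ROOT executed; "
    "Location: (webserver) 10.0.0.21->/var/log/auth.log; "
    "Jan  5 10:15:41 webserver sudo: alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/bash"
)

if __name__ == "__main__":
    for sample in (SAMPLE_SSHD, SAMPLE_SUDO):
        for key, value in (parse_ossec_alert(sample) or {}).items():
            print(f"{key:16} {value!r}")
        print()
```

Run it as a script to print the field breakdown for each sample; feeding it real lines captured from your syslog input is the quickest way to find out whether `alert_program` really arrives as `ossec:` and whether the header survives in `message` on your setup.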