OSSEC and Elastic Stack
A tale of dread and woe.
Turn on JSON logging in OSSEC (in ossec.conf), so alerts are also written as one JSON object per line to /var/ossec/logs/alerts/alerts.json:
<global>
  <jsonout_output>yes</jsonout_output>
</global>
Logstash config:
input {
  beats {
    id   => "beats_test"
    port => 9001
  }
}
output {
  elasticsearch {
    index => "ossec-%{+YYYY.MM.dd}"
  }
  # stdout {
  # }
}
Install Filebeat on the OSSEC host.
Filebeat config (the `hosts` port must match the Beats input port in the Logstash config above):
filebeat.prospectors:
  - input_type: log
    paths:
      - /var/ossec/logs/alerts/alerts.json
    json.keys_under_root: true
output.logstash:
  hosts: ["elastic:9001"]
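To see what the pipeline above actually hands to Elasticsearch, here is an added example (not code from these notes, OSSEC, or Elastic) that parses alerts.json lines the way Filebeat does, shows the difference `json.keys_under_root` makes, keeps undecodable lines visible instead of dropping them, and computes the daily index name that `ossec-%{+YYYY.MM.dd}` selects. The sample alert lines are constructed, and the field names used (`rule.level`, `rule.description`, `srcip`, `hostname`, `location`) are an assumption about the OSSEC JSON layout, not taken from the page.

```python
"""Added example: parse OSSEC alerts.json lines as the Filebeat -> Logstash
-> Elasticsearch pipeline sees them. Sample data and field names are
constructed/assumed for illustration; nothing here is OSSEC or Elastic code."""
import json
from datetime import datetime, timedelta, timezone

# Constructed sample of alerts.json content: one JSON object per line, plus a
# truncated line such as a reader can see during a partial write or rotation.
SAMPLE_LINES = [
    '{"rule":{"level":5,"description":"SSHD authentication failed.","sidid":5716},'
    '"srcip":"203.0.113.7","location":"/var/log/auth.log","hostname":"web01"}',
    '{"rule":{"level":10,"description":"Multiple failed logins.","sidid":5720},'
    '"srcip":"203.0.113.7","location":"/var/log/auth.log","hostname":"web01"}',
    '{"rule":{"level":3,"description":"Login session opened.","sidid":5501},'
    '"location":"/var/log/auth.log","hostname":"db01"}',
    '{"rule":{"level":7,"description":"Truncated alert"',  # malformed: cut off
]


def parse_alert_lines(lines, keys_under_root=True):
    """Decode newline-delimited JSON alerts into events.

    keys_under_root=True mirrors Filebeat's json.keys_under_root: the alert's
    fields land at the top level of the event instead of under a "json"
    sub-object. Lines that do not decode are kept as raw "message" events with
    an "error" field so they show up in Kibana rather than vanishing silently.
    """
    events = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            alert = json.loads(line)
        except json.JSONDecodeError as exc:
            events.append({"message": line, "error": f"json decode: {exc.msg}"})
            continue
        if not isinstance(alert, dict):
            events.append({"message": line, "error": "json: not an object"})
            continue
        events.append(dict(alert) if keys_under_root else {"json": alert})
    return events


def index_name(ts, prefix="ossec-"):
    """Daily index chosen by the Logstash output's ossec-%{+YYYY.MM.dd}.

    Logstash evaluates the date pattern against @timestamp in UTC, so an event
    shortly after local midnight can land in the previous day's index.
    """
    return f"{prefix}{ts.astimezone(timezone.utc):%Y.%m.%d}"


def alerts_at_or_above(events, min_level):
    """Decoded alerts whose rule.level >= min_level (decode-error events excluded).

    Works for both layouts produced by parse_alert_lines.
    """
    out = []
    for ev in events:
        rule = ev.get("rule") or ev.get("json", {}).get("rule") or {}
        level = rule.get("level")
        if isinstance(level, int) and level >= min_level:
            out.append(ev)
    return out


if __name__ == "__main__":
    events = parse_alert_lines(SAMPLE_LINES)
    errors = [e for e in events if "error" in e]
    print(f"{len(events)} events, {len(errors)} undecodable")
    for ev in alerts_at_or_above(events, 7):
        print(ev["rule"]["level"], ev["rule"]["description"], ev.get("srcip"))
    print(index_name(datetime(2020, 3, 1, 0, 30, tzinfo=timezone.utc)))
```

Run it directly to see the level-7-and-above alerts and the index name; the undecodable line is counted rather than lost, which is the first thing to check when alert counts in Kibana do not match the OSSEC log.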