OSSEC and Elasticstack

A tale of dread and woe.

Turn on json logging in OSSEC:

<global>
  <jsonout_output>yes</jsonout_output>
</global>

Logstash Config:

input {
  beats {
    id => "beats_test"
    port => 9001
  }
}


output {
  elasticsearch {
    index => "ossec-%{+YYYY.MM.dd}"
  }

#  stdout {
#  }

}

Install filebeat.

Filebeat Config:

filebeat.prospectors:

- input_type: log
  paths:
    - /var/ossec/logs/alerts/alerts.json

  json.keys_under_root: true

output.logstash:
  hosts: ["elastic:9001"]