[OSSEC] JSON output으로 syslog 던지기

출처: https://groups.google.com/forum/#!topic/fluentd/aotQAmHlTUY

 

ossec.conf:

<syslog_output>
  <server>192.168.33.29</server>
  <port>514</port>
  <level>1</level>
  <format>json</format>
</syslog_output>

 

 ossec.conf 설정후 아래 명령어를 입력해주어야 한다.

 

/var/ossec/bin/ossec-control enable client-syslog

/var/ossec/bin/ossec-control restart

 

 

위의 명령어만 실행시켜준다면 192.168.33.29 port514 로 syslog가 던져지게 된다.

던져진 syslog를 가공시킬때 fluentd를 이용할 수 있는데 설정 방법은 아래와 같다.

 

 

td-agent.conf

<source>
  type syslog
  port 514
  bind 0.0.0.0
  tag ossec
</source>

<match ossec.**>
  type parser
  key_name message
  format json
  reserve_data yes
  tag elasticsearch.ossec
</match>

 

2014-10-02 02:48:41 +0000 out.ossec: {"host":"natha","ident":"ossec","message":"Integrity checksum changed for: '/etc/td-agent/conf.d/01ossec.conf'","crit":7,"id":551,"component":"natha->syscheck","classification":" ossec,syscheck,","description":"Integrity checksum changed again (2nd time).","file":"/etc/td-agent/c
onf.d/01ossec.conf","md5_old":"'c140e56819d80a855ac3bdf199edc7ac'","md5_new":"'225b664140960fb8c982032a79f54e11'","sha1_old":"'ab9ccbf5a6e4fe95b954b9b991520cce15eb1370'","sha1_new":"'ade1d88272ff4f2075bfc7a511cb22e9e5b91372'"}