Created
October 20, 2015 06:07
-
-
Save VAdamec/6b03428d9eacceb26bcd to your computer and use it in GitHub Desktop.
Fluent setup for OSSEC (2.9, with json logging but with getting exact server name and log) not secure forward and also output to stdout
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <source> | |
| type tail | |
| format json | |
| path /var/ossec/logs/alerts/alerts.json | |
| pos_file /var/log/td-agent/ossec_log_json.pos | |
| tag ossec.process | |
| </source> | |
| <match ossec.process> | |
| type parser | |
| tag ossec.prod | |
| format /^\((?<srvname>[^ ]*)\) (?<srvip>[^ ]*)\-\>(?<srvloc>[^ ]*)$/ | |
| key_name location | |
| reserve_data yes | |
| suppress_parse_error_log true | |
| </match> | |
| <match *.**> | |
| type copy | |
| <store> | |
| secure no | |
| enable_strict_verification no | |
| type secure_forward | |
| shared_key XXXXXXX | |
| self_hostname ossec-server | |
| keepalive 120 | |
| <server> | |
| host xxx.xxx.xxx.xxx | |
| port xxxxx | |
| </server> | |
| <server> | |
| host xxx.xxx.xxx.xxx | |
| port xxxxx | |
| </server> | |
| buffer_type memory | |
| buffer_chunk_limit 256m | |
| buffer_queue_limit 128 | |
| flush_interval 60s | |
| disable_retry_limit false | |
| retry_limit 17 | |
| retry_wait 1s | |
| </store> | |
| <store> | |
| type stdout | |
| </store> | |
| </match> |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment