This is an updated post of my previous post about OSSEC and Logstash from 3 years ago. For those who remember, that was a setup consisting of OSSEC agents, an OSSEC server, MongoDB, Graylog2, Elasticsearch, Graphite, some grok filters and Logstash. Quite a stack.
That stack has several disadvantages. The OSSEC agents send all alerts to a single OSSEC server (this can be circumvented), which can make scaling harder. The stack is big, with many components to maintain, and the more components there are, the more likely it is that one of them fails, and the harder troubleshooting becomes.
This is a diagram of the old setup:
All right, the new setup:
The old one will be scratched; the new setup will consist of:
OSSEC Local (not agent/server-setup)
Lumberjack – a small-footprint log forwarder for Logstash, written in Go; we will install this on all our monitored servers to ship logs.
The server will run Logstash with Elasticsearch and Graphite for graphs.
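To make the server side of this design concrete, here is an added example of a Logstash pipeline that matches the architecture described above. It is not configuration from the original post: the port, certificate paths, the OSSEC alerts.log path, the multiline/grok handling of the alert header and the Graphite metric name are all assumptions. It receives events from Lumberjack over TLS, reassembles each multi-line OSSEC alert into one event, extracts the alert id and rule groups from the "** Alert" header line, indexes the event in Elasticsearch and sends a per-alert counter to Graphite.

```conf
# Added example (not from the original post). Logstash 1.x-style pipeline
# for OSSEC local alerts shipped by Lumberjack; all paths/ports are assumptions.
input {
  lumberjack {
    # Lumberjack forwarders connect here over TLS; they must trust this certificate.
    port            => 5043
    ssl_certificate => "/etc/logstash/lumberjack.crt"
    ssl_key         => "/etc/logstash/lumberjack.key"
    type            => "ossec"
  }
}

filter {
  if [type] == "ossec" {
    # An OSSEC alert spans several lines and starts with "** Alert ...".
    # Join every line that does NOT start the header onto the previous event.
    multiline {
      pattern => "^\*\* Alert"
      negate  => true
      what    => "previous"
    }
    # Example header (constructed): "** Alert 1378391204.1002: mail - syslog,sshd,authentication_failed,"
    # Pull out the alert id and the comma-separated rule groups.
    grok {
      match => [ "message", "^\*\* Alert %{NUMBER:alert_id}:(?: mail)? - %{DATA:rule_groups},$" ]
    }
  }
}

output {
  # Full alerts go to Elasticsearch for searching.
  elasticsearch {
    host => "localhost"
  }
  # One count per alert to Graphite; the metric name is an assumption.
  if [type] == "ossec" {
    graphite {
      host    => "localhost"
      port    => 2003
      metrics => [ "ossec.alerts.count", "1" ]
    }
  }
}
```

On each monitored server the Lumberjack forwarder would then be pointed at this host and port with the matching CA certificate and told to watch the OSSEC alerts log (by default /var/ossec/logs/alerts/alerts.log); that forwarder configuration is left to part 2.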
To be continued in part #2