OSSEC and Logstash

Jun. 11, 2014

This is an update of my previous post about OSSEC and Logstash from three years ago. For those who remember, that was a setup consisting of OSSEC agents, an OSSEC server, MongoDB, Graylog2, Elasticsearch, Graphite, some grok filters and Logstash. Quite a stack.

This stack has several disadvantages. Every OSSEC agent sends its alerts to a single OSSEC server (this can be worked around), which makes scaling harder. The stack is also big: there are many components to maintain, and the more components there are, the more likely one of them is to fail, and the harder troubleshooting becomes.

Diagram of the old setup (three images in the original post, not reproduced here).

All right, the new setup:

The old one will be scrapped; the new setup will consist of:

OSSEC in local mode (no agent/server setup), so each host keeps its own alerts in /var/ossec/logs/alerts/alerts.log.

Lumberjack: a small-footprint log forwarder for Logstash written in Go. We will install it on every monitored server to ship logs. It talks to Logstash over TLS only, so every forwarder has to be given a CA (or server) certificate to trust before it will connect.

The server will run Logstash with Elasticsearch, and Graphite for graphs.
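What Lumberjack ships from each host is the raw alerts.log, and OSSEC writes that as multi-line blocks, so the Logstash side has to reassemble and parse each block into one event before Elasticsearch can index it or Graphite can graph it. The Python below is an added example, not the author's Logstash or grok configuration: it does that parsing stand-alone on a constructed two-alert sample and renders per-host counts by alert level in Graphite's plaintext protocol. The field names, the `ossec.<host>.level.<N>` metric naming, and the sample log content are this example's own choices.

```python
"""Parse OSSEC alerts.log into structured events and Graphite metrics.

Added example for this post, not the author's Logstash/grok configuration.
Assumes OSSEC runs in local mode and writes the standard multi-line
alerts.log format: a "** Alert" header line, a location line, a "Rule:" line,
optional "Src IP:"/"User:" style fields, then the raw log line(s).
"""
import json
import re
from collections import Counter

# Constructed sample alerts.log content (two alerts); not real log data.
SAMPLE_ALERTS = """\
** Alert 1402480512.12345: - syslog,sshd,authentication_failed,
2014 Jun 11 10:15:12 web01->/var/log/auth.log
Rule: 5716 (level 5) -> 'SSHD authentication failed.'
Src IP: 10.0.0.5
User: root
Jun 11 10:15:11 web01 sshd[1234]: Failed password for root from 10.0.0.5 port 4321 ssh2

** Alert 1402480577.12400: mail  - syslog,sshd,authentication_failures,
2014 Jun 11 10:16:17 web01->/var/log/auth.log
Rule: 5720 (level 10) -> 'Multiple SSHD authentication failures.'
Src IP: 10.0.0.5
User: root
Jun 11 10:16:15 web01 sshd[1240]: Failed password for root from 10.0.0.5 port 4325 ssh2
Jun 11 10:16:16 web01 sshd[1241]: Failed password for root from 10.0.0.5 port 4326 ssh2
"""

# "** Alert <epoch>.<seq>: [mail] - group1,group2,"
HEADER_RE = re.compile(
    r"^\*\* Alert (?P<ts>\d+)\.(?P<seq>\d+):\s*(?P<mail>mail)?\s*- (?P<groups>.*)$")
# "2014 Jun 11 10:15:12 <host>-><log file>"
LOCATION_RE = re.compile(
    r"^(?P<date>\d{4} [A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>.+?)->(?P<location>.+)$")
# "Rule: <id> (level <n>) -> '<description>'"
RULE_RE = re.compile(r"^Rule: (?P<rule>\d+) \(level (?P<level>\d+)\) -> '(?P<desc>.*)'$")
# Optional decoded fields OSSEC prints between the rule line and the raw log.
FIELD_RE = re.compile(r"^(?P<key>Src IP|Dst IP|Src Port|Dst Port|User): (?P<val>.+)$")
# Alerts are separated by a blank line; splitting on the next header is safer
# in case a raw log line is itself empty.
ALERT_SPLIT_RE = re.compile(r"\n(?=\*\* Alert )")


def parse_alert(block):
    """Turn one alert block into a dict, or None if it has no valid header."""
    lines = block.strip().splitlines()
    if not lines:
        return None
    header = HEADER_RE.match(lines[0])
    if not header:
        return None
    event = {
        "alert_id": "%s.%s" % (header.group("ts"), header.group("seq")),
        "timestamp": int(header.group("ts")),
        "mail": header.group("mail") is not None,
        "groups": [g for g in header.group("groups").split(",") if g],
        "raw_log": [],
    }
    for line in lines[1:]:
        loc = LOCATION_RE.match(line)
        if loc and "host" not in event:
            event["host"] = loc.group("host")
            event["location"] = loc.group("location")
            continue
        rule = RULE_RE.match(line)
        if rule and "rule" not in event:
            event["rule"] = int(rule.group("rule"))
            event["level"] = int(rule.group("level"))
            event["description"] = rule.group("desc")
            continue
        field = FIELD_RE.match(line)
        # Decoded fields only appear after the rule line and before the raw log,
        # so a raw log line that happens to start with "User:" is not mistaken for one.
        if field and "rule" in event and not event["raw_log"]:
            event[field.group("key").lower().replace(" ", "_")] = field.group("val")
            continue
        event["raw_log"].append(line)
    return event


def parse_alerts(text):
    """Split an alerts.log stream on '** Alert' headers and parse every block."""
    events = []
    for block in ALERT_SPLIT_RE.split(text):
        ev = parse_alert(block)
        if ev is not None:
            events.append(ev)
    return events


def graphite_lines(events, prefix="ossec"):
    """Render per-host, per-level alert counts as Graphite plaintext protocol
    lines ("metric value timestamp"), stamped with the latest alert in the batch.
    The prefix.host.level.N naming is an assumption of this example."""
    if not events:
        return []
    counts = Counter((ev.get("host", "unknown"), ev.get("level", 0)) for ev in events)
    ts = max(ev["timestamp"] for ev in events)
    return ["%s.%s.level.%d %d %d" % (prefix, host.replace(".", "_"), level, n, ts)
            for (host, level), n in sorted(counts.items())]


if __name__ == "__main__":
    parsed = parse_alerts(SAMPLE_ALERTS)
    print(json.dumps(parsed, indent=2))
    print("\n".join(graphite_lines(parsed)))
```

The same split-then-match structure is what a Logstash multiline filter (joining lines until the next `** Alert`) followed by grok patterns would do; keeping the raw log lines in the event is deliberate, since the decoded fields are only what OSSEC's decoder recognised and the original line is what an analyst will want when a rule fires unexpectedly.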

To be continued in part #2