OSSECalertsToELSA
Please note! This wiki is no longer maintained. Our documentation has moved to https://securityonion.net/docs/. Please update your bookmarks. You can find the latest version of this page at: https://securityonion.net/docs/OSSECalertsToELSA.
Previously, when a user ran Setup and enabled ELSA, they would be able to log into ELSA and view OSSEC archive logs (the raw logs received by OSSEC) but they wouldn't be able to view OSSEC alerts (created based on OSSEC's analysis of the incoming logs as configured by the OSSEC ruleset). I've pushed a new Setup package that will configure OSSEC to send alerts to local syslog if the user enables ELSA.
If you've already run Setup and would like to configure OSSEC to send alerts to ELSA, you can manually run the following commands:
sudo sed -i 's| <rules>| <syslog_output>\
<server>127.0.0.1</server>\
</syslog_output>\
\
<rules>|g' /var/ossec/etc/ossec.conf
sudo /var/ossec/bin/ossec-control enable client-syslog
sudo service ossec-hids-server restart
- Introduction
- Use Cases
- Hardware Requirements
- Release Notes
- Download/Install
- Booting Issues
- After Installation
- UTC and Time Zones
- Services
- VirtualBox Walkthrough
- VMWare Walkthrough
- Videos
- Architecture
- Cheat Sheet
- Conference
- Elastic Stack
- Elastic Architecture
- Elasticsearch
- Logstash
- Kibana
- ElastAlert
- Curator
- FreqServer
- DomainStats
- Docker
- Redis
- Data Fields
- Beats
- Pre-Releases
- ELSA to Elastic
- Network Configuration
- Proxy Configuration
- Firewall/Hardening
- Email Configuration
- Integrating with other systems
- Changing IP Addresses
- NTP
- Managing Alerts
- Managing Rules
- Adding Local Rules
- Disabling Processes
- Filtering with BPF
- Adjusting PF_RING for traffic
- MySQL Tuning
- Adding a new disk
- High Performance Tuning
- Trimming PCAPs