Using filebeat, logstash, and elasticsearch:¶

Enable json alert output in ossec.conf:¶

<global>
  <jsonout_output>yes</jsonout_output>
</global>

Configure filebeat to read alerts.json in filebeat.yml:¶

- input_type: log
paths:
  - /var/ossec/logs/alerts/alerts.json

json.keys_under_root: true
fields: {log_type: osseclogs}

Configure logstash:¶

input {
  beats {
    id => "beats_test"
    port => 9001
    type => "ossec"
  }
}

filter {
  if([fields][log_type] == "osseclogs") {
    mutate {
      replace => {
        "[type]" => "osseclogs"
      }
    }
  }
}

output {

  if([type] == "osseclogs") {
    elasticsearch {
      index => "ossec-%{+YYYY.MM.dd}"
    }
  }
}