When I was evaluating the various options for log capture and alerting for hosts and firewalls, I came across OSSEC. It seems like it can do some correlation and do what Watcher & Beats do. What I am unsure of is, from an architecture point of view, how OSSEC can be combined with ELK to produce greater value, or whether there is some component in ELK that can replace OSSEC?

(Alexander Reelsen)


I am sorry, but I do not have any OSSEC experience. Can you tell us which part of that stack you are missing in the Elastic Stack, so we can maybe give some hints?

Thanks a lot!


(Brandon Mensing)

Hey, I think I can offer a little help here.

OSSEC has some tight coupling between its agents and their central manager. So if you want to use Elastic's products in conjunction, you'd likely be looking at forwarding the data from the central manager to the Elastic Stack. From a quick look at their docs and some blogs, it looks like people have been successful in using the syslog output from the OSSEC central manager to achieve this sort of integration.

Hope that helps!
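One way to make the manager's syslog feed useful once it reaches the Elastic side, as an added example that is not from this thread and not code from the OSSEC or Elastic projects: a small Python parser that turns alert lines in what is assumed here to be OSSEC's default syslog output layout (`ossec: Alert Level: N; Rule: ID - description; Location: (agent) ip->source; srcip/user fields; original log line`) into JSON documents, filters them by alert level the way a Watcher threshold condition would, and emits Elasticsearch bulk-API lines. The sample alert lines, the host names, the addresses and the `ossec-alerts` index name are all constructed; check the field layout against the lines your own manager actually produces before relying on the field names.

```python
import json
import re

# Assumed shape of one alert line from the OSSEC manager's syslog_output
# (default format). Treat the layout as an assumption and verify it against
# real output from your manager.
ALERT_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<manager>\S+) ossec: "
    r"Alert Level: (?P<level>\d+); "
    r"Rule: (?P<rule_id>\d+) - (?P<rule_desc>[^;]*); "
    r"Location: (?P<location>[^;]*);"
    r"(?P<rest>.*)$"
)
# "(agent-name) agent-ip->log-source" inside the Location field.
LOCATION_RE = re.compile(r"^\((?P<agent>[^)]*)\) (?P<agent_ip>\S+)->(?P<source>.*)$")
# Optional "key: value;" pairs that OSSEC prepends to the original log line.
KV_RE = re.compile(r"^\s*(?P<key>srcip|dstip|user|dstuser): (?P<val>[^;]*);")

# Constructed sample input: three alerts plus one line that is not an alert.
SAMPLE_LINES = [
    "Mar  4 10:15:01 ossec-mgr ossec: Alert Level: 5; Rule: 5710 - Attempt to login "
    "using a non-existent user; Location: (web01) 10.0.0.11->/var/log/auth.log; "
    "srcip: 198.51.100.23; Mar  4 10:15:01 web01 sshd[2210]: Invalid user admin from 198.51.100.23",
    "Mar  4 10:15:07 ossec-mgr ossec: Alert Level: 10; Rule: 5712 - SSHD brute force trying "
    "to get access to the system.; Location: (web01) 10.0.0.11->/var/log/auth.log; "
    "srcip: 198.51.100.23; Mar  4 10:15:07 web01 sshd[2231]: Invalid user oracle from 198.51.100.23",
    "Mar  4 10:16:00 ossec-mgr ossec: Alert Level: 3; Rule: 5501 - Login session opened.; "
    "Location: (db01) 10.0.0.12->/var/log/auth.log; user: deploy; "
    "Mar  4 10:16:00 db01 sshd[880]: pam_unix(sshd:session): session opened for user deploy by (uid=0)",
    "this line is not an ossec alert and must be ignored",
]


def parse_ossec_alert(line):
    """Return a flat dict for one alert line, or None if the line is not an alert."""
    m = ALERT_RE.match(line)
    if not m:
        return None
    doc = {
        "timestamp": m.group("ts"),
        "manager": m.group("manager"),
        "alert_level": int(m.group("level")),
        "rule_id": int(m.group("rule_id")),
        "rule_description": m.group("rule_desc"),
        "location": m.group("location"),
    }
    loc = LOCATION_RE.match(doc["location"])
    if loc:  # split "(agent) ip->source" so each part is searchable on its own
        doc["agent"] = loc.group("agent")
        doc["agent_ip"] = loc.group("agent_ip")
        doc["log_source"] = loc.group("source")
    rest = m.group("rest")
    while True:  # peel off leading "srcip: ...;" / "user: ...;" pairs
        kv = KV_RE.match(rest)
        if not kv:
            break
        doc[kv.group("key")] = kv.group("val")
        rest = rest[kv.end():]
    doc["full_log"] = rest.strip()  # whatever remains is the original event
    return doc


def parse_alerts(lines):
    """Parse many lines, silently dropping anything that is not an OSSEC alert."""
    return [d for d in (parse_ossec_alert(l) for l in lines) if d is not None]


def alerts_at_or_above(docs, min_level):
    """Threshold filter, the same idea as a Watcher condition on alert_level."""
    return [d for d in docs if d["alert_level"] >= min_level]


def to_bulk_ndjson(docs, index="ossec-alerts"):
    """Render documents as Elasticsearch bulk-API request body (action + source lines)."""
    out = []
    for d in docs:
        out.append(json.dumps({"index": {"_index": index}}))
        out.append(json.dumps(d, sort_keys=True))
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    docs = parse_alerts(SAMPLE_LINES)
    print("parsed %d alerts, %d at level >= 7" % (len(docs), len(alerts_at_or_above(docs, 7))))
    print(to_bulk_ndjson(docs), end="")
```

In a real deployment the lines would come from the syslog listener (Logstash's syslog input or a file written by the local syslog daemon) rather than from a list, and the bulk body would be posted to the `_bulk` endpoint; keeping `full_log` alongside the extracted fields preserves the raw event for later investigation while `alert_level`, `rule_id` and `srcip` become the fields you aggregate and alert on.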

