This repository was archived by the owner on Oct 20, 2025. It is now read-only.

Graylog2/graylog-guide-ossec

This guide has been archived.

The information in this guide is very old and likely no longer applicable to current versions of Graylog. Please take that into account when reading the following content.

How to send OSSEC alerts into Graylog

This guide describes how to send structured OSSEC alert logs into Graylog.

Configuring Graylog

Installing the CEF input plugin

We’ll use the CEF format to forward logs from OSSEC to Graylog. There is an official Graylog plugin to read OSSEC logs via TCP or UDP and you can get it here:

Follow the installation instructions in the linked repository.

Setting up a CEF input

After installing the CEF input plugin and restarting graylog-server, go to System -> Inputs in your Graylog Web Interface and start a new CEF UDP Input.

Remember the port you configure it to listen on. We’ll need it in the next step.

Configuring OSSEC

After starting the CEF UDP input in the previous step, open your OSSEC configuration file (usually located at /var/ossec/etc/ossec.conf) and add the following inside the top-level <ossec_config> section:

<syslog_output>
    <server>graylog.example.org</server>
    <port>12000</port>
    <format>cef</format>
</syslog_output>

Make sure to configure the same port you have your Graylog UDP CEF input listen on.

You also need to enable the OSSEC syslog subsystem on most operating systems. On Linux, execute this command:

/var/ossec/bin/ossec-control enable client-syslog

Restart OSSEC and see if messages arrive.

/var/ossec/bin/ossec-control restart
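
One way to check what actually arrives on the configured port, as an added example that is not part of the original guide: a small Python parser for syslog-wrapped CEF lines, with an optional UDP listener. The sample line is constructed (not captured OSSEC output), its vendor and product strings are placeholders, and the default port 12000 is taken from the snippet above.

```python
import re
import socket
import sys

HEADER = ("cef_version", "device_vendor", "device_product", "device_version",
          "signature_id", "name", "severity")
# Seven pipe-terminated header fields (backslash escapes allowed), then the extension.
CEF_RE = re.compile(r"CEF:" + r"((?:\\.|[^|\\])*)\|" * 7 + r"(.*)", re.S)
KEY_RE = re.compile(r"(?:^|\s)(\w+)=")  # an extension key followed by '='

# Constructed sample, not captured OSSEC output; vendor/product are placeholders.
SAMPLE = ("<132>Jan 10 12:00:00 host ossec: CEF:0|ExampleVendor|ExampleHIDS|1.0|1002|"
          r"Login attempt \| unknown user|8|"
          r"src=192.0.2.10 msg=Invalid user admin from 192.0.2.10 note=a\=b")

def unescape(value):
    # CEF escapes: \\ \| \= plus \n and \r inside extension values.
    return re.sub(r"\\(.)", lambda m: {"n": "\n", "r": "\r"}.get(m.group(1), m.group(1)), value)

def parse_cef(line):
    """Return the header fields plus an 'extension' dict; ValueError if malformed."""
    m = CEF_RE.search(line)
    if not m:
        raise ValueError("no well-formed CEF header")
    record = dict(zip(HEADER, map(unescape, m.groups()[:7])))
    ext = m.group(8)
    keys = list(KEY_RE.finditer(ext))
    # A value runs from its '=' to the start of the next key, so it may contain spaces.
    record["extension"] = {
        k.group(1): unescape(ext[k.end():(nxt.start() if nxt else len(ext))].strip())
        for k, nxt in zip(keys, keys[1:] + [None])}
    return record

if __name__ == "__main__":
    # Live check: print every datagram received on the given UDP port.
    port = int(sys.argv[1]) if len(sys.argv) > 1 else 12000
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind(("0.0.0.0", port))
    while True:
        data, peer = sock.recvfrom(65535)
        try:
            print(peer[0], parse_cef(data.decode("utf-8", "replace")))
        except ValueError as exc:
            print(peer[0], "rejected:", exc)
```

Run the listener on a host where nothing else is bound to that UDP port (for example a test machine named in a temporary `<server>` entry), since it cannot share the port with a running Graylog input.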

Result

Now all OSSEC alerts should arrive in Graylog with nicely parsed and extracted fields:
