Pulling OSSEC logs into syslog is really a mess. It doesn't format stuff at all how a syslog client would.
For instance, it buries the agent name in the message text instead of reporting it as the system name, which instead gets reported as the OSSEC server name that got the logs in the first place.
Plus it ranks everything as MEDIUM in syslog terms regardless of how they are ranked within the OSSEC logs.
So a priority 1 (very low) OSSEC event gets prioritized the same as a priority 10 (high) event.
This is all making me think that syslog just isn't all that great for use with log analysis tools in a heterogeneous environment.
Although it does seem possible to get rsyslog to change the way it handles certain kinds of logs...I'll have to do some digging to see if I can find instructions for doing this with OSSEC.
**Update: My friend Mike recommends http://www.ossec.net/doc/syntax/head_ossec_config.syslog_output.html?highlight=syslog#syslog_output for a possible solution.
Recent Comments