hello everyone, does anyone have experience with osquery integration towards alienvault ossim (opensource, no-USM)?
09/24/2018, 3:55 PM
you might have more responses if you describe what you've done/what you need.
I have not used ossim. However, I did get data into Splunk using the Splunk forwarder in conjunction with Fleet.
09/24/2018, 5:45 PM
thanks for your response @stefanmaerz
I basically need to establish a transition from OSSEC to osquery. But ossim by default does not have a plugin,
only USM (paid version) Alienvault ..
any ideas? @stefanmaerz
09/25/2018, 12:40 PM
Well. I know nothing about the ossim plugin. Presumably it provides some means of ingesting a log file.
So I suppose you could either: use that functionality on each osquery endpoint, or aggregate the logs in a central place via syslog or fleet, then use that functionality to ingest the log file.
The other issue you might encounter is if the ossim plugin does any magic like text parsing or correlation or whatever. Osquery outputs JSON, which should be easy for a SIEM to parse.