A while back I posted about using OSSEC as a pseudo-SIEM, as far as sending logs from various servers to one OSSEC server and using the correlation to trip alerts. Overall that solution worked very well, but I've recently had to divide out the logs for load balancing reasons, so now I have something along the lines of:
OSSEC Server
- /mnt/logs/unix1.log
- /mnt/logs/unix2.log
- /mnt/logs/unix3.log
- /mnt/logs/unix4.log
Each log file is being written by a different syslog server for load balancing reasons, and it works pretty well overall. However, the issue I'm running into is that OSSEC can run correlation rules against each log file individually, but if there are 4 failed logins and they happen to be spread out over the 4 log files, OSSEC would only see 1 in each instance and not alert on 4 failed logins from 1 user.
Is there any way to make OSSEC treat the files as one? I'm looking at other solutions such as a gluster/cluster file system where I can write from multiple servers to one file, which would fix the issue.
I was misinformed on how OSSEC processes logs. Per this forum, Jesus Linares clarified that OSSEC groups logs on a "decoded as" basis and treats multiple log formats the same.
I also confirmed this by verifying that a 6-failed-login correlation actually had its individual logs spread over 4 different log files.
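To make the point above concrete, here is an added configuration example (written for this post, not taken from the original thread or from the OSSEC project's shipped files) showing the shape of a setup like the one described: four separate <localfile> entries in ossec.conf, and one frequency rule in local_rules.xml that counts failed logins for the same user. Because all four files are read by the same analysisd process and matching is done on the decoded event, the rule counts across every file, not per file. Assumptions: the rule id 100100 is an unused id in the local range, the "authentication_failed" group name is the one OSSEC's stock rules assign to failed-login events, and the frequency/timeframe values are illustrative; the exact number of events OSSEC needs before a frequency rule fires follows OSSEC's own counting semantics, so check the alert count against your version.

```xml
<!-- File 1 (assumed path): /var/ossec/etc/ossec.conf -->
<!-- One <localfile> per syslog-written file. Each is tailed independently,
     but every decoded event is handed to the same correlation engine. -->
<ossec_config>
  <localfile>
    <log_format>syslog</log_format>
    <location>/mnt/logs/unix1.log</location>
  </localfile>
  <localfile>
    <log_format>syslog</log_format>
    <location>/mnt/logs/unix2.log</location>
  </localfile>
  <localfile>
    <log_format>syslog</log_format>
    <location>/mnt/logs/unix3.log</location>
  </localfile>
  <localfile>
    <log_format>syslog</log_format>
    <location>/mnt/logs/unix4.log</location>
  </localfile>
</ossec_config>

<!-- File 2 (assumed path): /var/ossec/rules/local_rules.xml -->
<!-- Frequency rule: fires when repeated failed logins for the same user
     arrive within the timeframe, regardless of which <localfile> produced
     them. No <same_location /> is given, so events from unix1.log through
     unix4.log are pooled together. Rule id 100100 is an assumed free id. -->
<group name="local,syslog,">
  <rule id="100100" level="10" frequency="4" timeframe="300">
    <if_matched_group>authentication_failed</if_matched_group>
    <same_user />
    <description>Repeated failed logins for the same user, counted across all monitored log files</description>
  </rule>
</group>
```

The useful inverse is also worth knowing: adding <same_location /> to a rule restricts the count to events from one source file, which is the per-file behaviour the question was worried about. Leaving it out is what gives the cross-file correlation the answer describes. After editing the rules, the usual check is to run ossec-logtest against a few failed-login lines and confirm they decode into the authentication_failed group before relying on the frequency rule.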