I have a working install of "Reporting and Management for OSSEC" working nicely now. Now that we have purchased ES and want to start deploying it, I'm a little lost on how if its even possible to use the existing OSSEC install with ES.
Can I just make the existing Reporting and Management for OSSEC a heavy forwarder to ES and classify the data as ossec on the ES server?
Hi, OSSEC has a lot of data, and we don't want to generate duplicates from other sources (e.g. login events). There's a TA in ES that will parse the OSSEC data for change management events. To use it, you just need to let your ES search head search the index where OSSEC data is written (Manager > Roles > Admin > Indexes searched by default). You may need to tweak the sourcetype in TA-ossec's props.conf.
The OSSEC is installed in a 6.0.x server that is not a part of the ES deployment.