I am working on a log aggregation project and wanted to add some minor correlations/security intelligence to the mix.
Currently I have logs from ~400 servers coming into a syslog-ng box. I was looking into a few programs such as SEC (Simple Event Correlator), OSSEC, etc. to do this. For SEC, I could easily have the process tail the file(s) I am writing to and have it trip alerts off of it.
However I would have to build in a lot of custom rules and there wouldn't be a pretty GUI as there is with OSSEC.
So I was thinking of using OSSEC as a local install and instead of having it handle all of the agents, just have it tail the log file(s) and trip alerts.
My main fear is that since I'm not using the agent portion of OSSEC, it looks like the only agent is localhost, and it is therefore going to combine a lot of the traffic we see into one big alert. If I get login failures from server1 and server2, it will treat them as the same source and correlate them a lot faster than it would if it treated them as separate servers.
Is there any logic I can put into OSSEC to make this local/non-agent config work with multiple server logs coming in, or would you recommend even trying?
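As an added illustration of the concern raised in the post (example code written for this page, not code from the original post or from OSSEC): the block below runs a simple frequency/timeframe style counter over a constructed aggregate syslog file twice, once keyed on a single source, which is how a localhost-only install would see every line, and once keyed on the hostname field that the syslog header already carries. The host names, IP addresses, timestamps and the threshold values (4 failures within 120 seconds) are assumptions chosen for the demonstration, and resetting the window after each alert is a simplification of how a real composite rule behaves.

```python
import re
from collections import Counter, defaultdict, deque
from datetime import datetime

# Constructed sample of an aggregate file as syslog-ng might write it.
# Hosts, IPs and timestamps are invented for this example.
SAMPLE_LOG = """\
Mar 10 10:00:01 server1 sshd[2001]: Failed password for root from 198.51.100.7 port 51022 ssh2
Mar 10 10:00:03 server2 sshd[3102]: Failed password for invalid user admin from 203.0.113.9 port 40011 ssh2
Mar 10 10:00:05 server1 CRON[2010]: (root) CMD (run-parts /etc/cron.hourly)
Mar 10 10:00:10 server1 sshd[2003]: Failed password for root from 198.51.100.7 port 51030 ssh2
Mar 10 10:00:15 server2 sshd[3105]: Failed password for bob from 203.0.113.9 port 40015 ssh2
Mar 10 10:00:18 server1 sshd[2004]: Accepted password for alice from 192.0.2.12 port 51040 ssh2
Mar 10 10:00:20 server1 sshd[2005]: Failed password for root from 198.51.100.7 port 51041 ssh2
Mar 10 10:00:25 server2 sshd[3108]: Failed password for bob from 203.0.113.9 port 40020 ssh2
Mar 10 10:00:40 server3 sshd[4401]: Failed password for root from 198.51.100.23 port 60001 ssh2
Mar 10 10:00:42 server3 sshd[4402]: Failed password for root from 198.51.100.23 port 60002 ssh2
Mar 10 10:00:44 server3 sshd[4403]: Failed password for invalid user oracle from 198.51.100.23 port 60003 ssh2
Mar 10 10:00:46 server3 sshd[4404]: Failed password for root from 198.51.100.23 port 60004 ssh2
Mar 10 10:00:48 server3 sshd[4405]: Failed password for root from 198.51.100.23 port 60005 ssh2
"""

# BSD-style syslog header: timestamp, hostname, then the message.
SYSLOG_RE = re.compile(
    r'^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) (?P<msg>.*)$')
# OpenSSH failed-password message, with or without the "invalid user" prefix.
FAIL_RE = re.compile(
    r'sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+)')


def parse_failures(text):
    """Return a list of auth-failure events with timestamp, originating host, user and source IP."""
    events = []
    for line in text.splitlines():
        m = SYSLOG_RE.match(line)
        if not m:
            continue
        f = FAIL_RE.search(m.group('msg'))
        if not f:
            continue  # not an auth failure (cron noise, successful logins, ...)
        # Year-less syslog timestamp; only deltas matter here, so the default year is fine.
        ts = datetime.strptime(m.group('ts'), '%b %d %H:%M:%S')
        events.append({'ts': ts, 'host': m.group('host'),
                       'user': f.group('user'), 'ip': f.group('ip')})
    return events


def correlate(events, key, frequency=4, timeframe=120):
    """Count alerts: `frequency` events sharing the same key within `timeframe` seconds.

    Keeps a sliding window of timestamps per key, fires when the window reaches
    `frequency`, then clears the window. The clear is a simplification of a
    real composite rule, but it makes the two keyings comparable.
    """
    windows = defaultdict(deque)
    alerts = Counter()
    for ev in sorted(events, key=lambda e: e['ts']):
        k = key(ev)
        w = windows[k]
        w.append(ev['ts'])
        while (ev['ts'] - w[0]).total_seconds() > timeframe:
            w.popleft()  # drop events that fell out of the timeframe
        if len(w) >= frequency:
            alerts[k] += 1
            w.clear()
    return dict(alerts)


def as_single_source(events):
    """Every line attributed to one agent, the way a localhost-only install sees the file."""
    return correlate(events, key=lambda e: 'localhost')


def per_host(events):
    """Same events, but correlated on the hostname carried in the syslog header."""
    return correlate(events, key=lambda e: e['host'])


if __name__ == '__main__':
    evs = parse_failures(SAMPLE_LOG)
    print('single source:', as_single_source(evs))
    print('per host:     ', per_host(evs))
```

With the sample above, the single-source view fires twice, the first time on three scattered failures across server1 and server2 that no individual host would consider suspicious, while the per-host view fires once, on server3, which is the only host actually being hammered. Whatever tool does the correlation, the field that distinguishes the hosts has to be part of the key, either by splitting the aggregate into per-host files or by making the rules key on the hostname the log line already carries.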