Integrating OSSEC Security Alerts into Your Elastic Stack
4 February 2026 · bpd · ubuntu
Create a Unified Dashboard for Metrics, Logs, and Security Alerts
To get a complete picture of your server's health and security, it helps to bring all of your data streams into one place. The ‘Ubuntu System Administration Guide’ shows how to feed your OSSEC security alerts into the same Elastic Stack you already use for your system logs.
The Integration Process
The process involves two key steps:
- Configure OSSEC for JSON Output: You’ll edit the OSSEC configuration file to tell it to output all of its alerts in a structured JSON format. This makes the alerts easy for other programs to parse.
- Configure Filebeat to Read OSSEC Logs: You’ll then add a new input to your Filebeat configuration file, telling it to monitor the OSSEC JSON alert log (`/var/ossec/logs/alerts/alerts.json`) and send any new entries to Elasticsearch.
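The two steps above, as an added example that is not from the book or the post: a small shell script that writes the OSSEC fragment enabling JSON alert output, writes a Filebeat input for `/var/ossec/logs/alerts/alerts.json`, and provides two checks a practitioner would want before restarting anything (is JSON output enabled, and how many alerts at or above a given level are in the log). The Filebeat `filestream` input with an `ndjson` parser is my choice for a current Filebeat release; the book may use a different input type. The alert lines are constructed sample data shaped roughly like OSSEC's JSON records.

```shell
#!/bin/sh
# Added example, not the book's or OSSEC's own code.
set -eu

# Step 1: OSSEC option that makes alerts also land in
# /var/ossec/logs/alerts/alerts.json as one JSON object per line.
# Merge the <global> block into your existing /var/ossec/etc/ossec.conf.
write_ossec_fragment() {
  cat > "$1" <<'EOF'
<ossec_config>
  <global>
    <jsonout_output>yes</jsonout_output>
  </global>
</ossec_config>
EOF
}

# Step 2: Filebeat input that tails the JSON alert log and parses each
# line, so the fields arrive in Elasticsearch under "ossec.*" instead of
# as one opaque "message" string. (filestream + ndjson parser is my
# assumption for a current Filebeat; adjust to your version.)
write_filebeat_fragment() {
  cat > "$1" <<'EOF'
filebeat.inputs:
  - type: filestream
    id: ossec-alerts
    enabled: true
    paths:
      - /var/ossec/logs/alerts/alerts.json
    parsers:
      - ndjson:
          target: "ossec"
          add_error_key: true
    tags: ["ossec"]
EOF
}

# Constructed sample alert log: three records in roughly OSSEC's shape.
write_sample_alerts() {
  cat > "$1" <<'EOF'
{"rule":{"level":10,"comment":"Multiple authentication failures.","sidid":40111},"id":"1700000000.1","TimeStamp":1700000000,"location":"/var/log/auth.log","srcip":"203.0.113.5","hostname":"web01"}
{"rule":{"level":12,"comment":"Integrity checksum changed.","sidid":550},"id":"1700000060.2","TimeStamp":1700000060,"location":"syscheck","hostname":"web01"}
{"rule":{"level":3,"comment":"Login session opened.","sidid":5501},"id":"1700000120.3","TimeStamp":1700000120,"location":"/var/log/auth.log","hostname":"web01"}
EOF
}

# Check 1: is JSON output switched on in the given ossec.conf?
# Returns 0 (true) when <jsonout_output>yes</jsonout_output> is present.
ossec_json_enabled() {
  grep -qE '<jsonout_output>[[:space:]]*yes[[:space:]]*</jsonout_output>' "$1"
}

# Check 2: count alerts whose rule level is >= $2 in the JSON log $1.
# Useful as a quick sanity check that the file Filebeat will read really
# contains structured records before you look for them in Kibana.
count_alerts_at_or_above() {
  grep -oE '"level":[0-9]+' "$1" \
    | awk -F: -v m="$2" '$2 >= m { n++ } END { print n + 0 }'
}

# Demo run into a scratch directory (never touches the real config paths).
demo() {
  work=$(mktemp -d)
  write_ossec_fragment "$work/ossec.conf"
  write_filebeat_fragment "$work/filebeat.yml"
  write_sample_alerts "$work/alerts.json"
  if ossec_json_enabled "$work/ossec.conf"; then
    echo "jsonout_output is enabled in $work/ossec.conf"
  fi
  echo "alerts at level >= 10: $(count_alerts_at_or_above "$work/alerts.json" 10)"
  echo "alerts at level >= 3:  $(count_alerts_at_or_above "$work/alerts.json" 3)"
}

demo
```

After copying the fragments into place, restart OSSEC (`/var/ossec/bin/ossec-control restart`) and confirm that `/var/ossec/logs/alerts/alerts.json` starts growing before you restart Filebeat; `filebeat test config` catches YAML mistakes in the new input without shipping anything.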
Once configured, you can use Kibana to search, analyze, and create dashboards and alerts based on your OSSEC security data, giving you a single, unified view of your entire infrastructure.
This post is based on content from the book Ubuntu System Administration Guide, which can be found here: https://www.amazon.com/stores/Mattias-Hemmingsson/author/B0FF5CQX13