On Thu, Jul 30, 2020 at 8:43 AM Kyriakos Stavridis <stavridi...@gmail.com> wrote:
>
> Hello everyone,
>
> When devices are configured to send remote syslog to OSSEC on port 514 (let's say a security product), are these syslog logs saved somewhere? Even if they don't trigger an alert? As any other normal syslog server would do.
>
Not by default, but turning on the log all option might save them to
archives.log.
> The problem I'm trying to solve is that I want to supervise a service that will send logs to OSSEC with remote syslog on port 514 but since they won't trigger any alert and they will not match any decoder, I won't be able to see them anywhere. I want to see them all somehow so I can study their format and write the appropriate decoders and rules to satisfy that firewall's security requirements.
>
> Thanks! :)
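
An added example, not part of the original thread: an `ossec.conf` fragment for the OSSEC server that accepts remote syslog on port 514 and turns on the log all option, so received events are archived whether or not a decoder or rule matches. It assumes a default install under `/var/ossec`; the device address `192.0.2.10` is a constructed placeholder.

```xml
<ossec_config>
  <global>
    <!-- Archive every received event, not only those that raise an alert -->
    <logall>yes</logall>
  </global>

  <remote>
    <!-- Listen for plain remote syslog rather than OSSEC agent traffic -->
    <connection>syslog</connection>
    <port>514</port>
    <protocol>udp</protocol>
    <!-- Only accept syslog from the device under study (placeholder address) -->
    <allowed-ips>192.0.2.10</allowed-ips>
  </remote>
</ossec_config>
```

After a restart, archived events land in `/var/ossec/logs/archives/archives.log`, and individual lines can be pasted into `/var/ossec/bin/ossec-logtest` to check how a draft decoder and rule handle them. The archive grows with every event received, so turn `logall` off again once the decoders are written if the full history is not needed.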