syslog_output question


Robert B

Jul 10, 2017, 6:13:36 PM7/10/17
to ossec-list
This was a little unclear to me after reading the documentation and searching around... pardon if it's been asked and answered, I simply have not found it.

We have a single server we want to send syslog output to, however, we also want to have different levels for some alerts.   Would it be as simple as two syslog_output sections, such as below, or would this create duplicate alerts, take the last syslog_output section, or can it be done in a single section?  

<syslog_output>
    <level>8</level>
    <server>192.168.0.5</server>
</syslog_output>

<syslog_output>
    <level>4</level>
    <group>invalid_login|adduser|blah|andsoon</group>
    <server>192.168.0.5</server>
</syslog_output>
  

Thanks!
Bob


Victor Fernandez

Jul 11, 2017, 3:58:37 AM7/11/17
to ossec...@googlegroups.com
Hi Robert,

OSSEC should take these settings independently:
  • Configuration A will send alerts with level 8 or higher.
  • Configuration B will send alerts with level 4 or higher (including alerts sent by the former setting) belonging to these groups.
So you'll receive duplicate alerts. One option would be to enter every group but those specified in configuration B.

Let me tell you that Wazuh agents include an improvement that allows negating expressions. So you may use a setting like this one:

<syslog_output>
    <level>8</level>
    <server>192.168.0.5</server>
    <group>!invalid_login|adduser|blah|andsoon</group>
</syslog_output>

<syslog_output>
    <level>4</level>
    <group>invalid_login|adduser|blah|andsoon</group>
    <server>192.168.0.5</server>
</syslog_output>

Hence you'll have alerts with level 4 or higher (even 8 or more) belonging to these groups, plus alerts with level 8 or higher of any other group.

Hope it helps.
Best regards.


You received this message because you are subscribed to the Google Groups "ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to ossec-list+unsubscribe@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.



--
Victor M. Fernandez-Castro
IT Security Engineer
Wazuh Inc.
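The evaluation rule Victor describes (each syslog_output block is checked on its own, an alert is forwarded once per block it matches, and a leading "!" in group negates the list) can be checked before touching a live server. The following is an added example written for this thread, not code from OSSEC or Wazuh: it is a simplified model of that matching logic (exact group names rather than OSSEC's substring match on the alert's group string), and the two configuration lists, the class names and the sample alerts are constructed to mirror the snippets above.

```python
"""Model of how multiple <syslog_output> blocks forward one alert.

Added example, not OSSEC/Wazuh code. Assumptions (constructed for this
thread): each block is evaluated independently, an alert is sent once per
matching block, <group> is a pipe-separated list, and a leading "!" in
<group> negates the list (the Wazuh behaviour described in the reply).
Group matching here is on exact names; real OSSEC does a substring match.
"""
from dataclasses import dataclass
from typing import List, Optional, Sequence, Tuple


@dataclass
class SyslogOutput:
    """One <syslog_output> block: minimum level plus an optional group filter."""
    level: int
    server: str
    group: Optional[str] = None  # "a|b|c" or "!a|b|c"

    def matches(self, alert_level: int, alert_groups: Sequence[str]) -> bool:
        if alert_level < self.level:          # <level> is a minimum, not an exact value
            return False
        if self.group is None:                # no <group> filter: level alone decides
            return True
        negate = self.group.startswith("!")
        wanted = set(self.group.lstrip("!").split("|"))
        in_list = bool(wanted & set(alert_groups))
        return (not in_list) if negate else in_list


def deliveries(outputs: Sequence[SyslogOutput], alert_level: int,
               alert_groups: Sequence[str]) -> List[Tuple[str, int]]:
    """Return (server, block index) for every block that forwards the alert."""
    return [(o.server, i) for i, o in enumerate(outputs)
            if o.matches(alert_level, alert_groups)]


def count_copies(outputs: Sequence[SyslogOutput], alert_level: int,
                 alert_groups: Sequence[str]) -> int:
    """Number of copies of one alert that reach the syslog server."""
    return len(deliveries(outputs, alert_level, alert_groups))


# Robert's original pair: level >= 8 for everything, level >= 4 for listed groups.
ORIGINAL = [
    SyslogOutput(level=8, server="192.168.0.5"),
    SyslogOutput(level=4, server="192.168.0.5",
                 group="invalid_login|adduser|blah|andsoon"),
]

# Victor's Wazuh variant: the level-8 block excludes the groups the level-4 block covers.
NEGATED = [
    SyslogOutput(level=8, server="192.168.0.5",
                 group="!invalid_login|adduser|blah|andsoon"),
    SyslogOutput(level=4, server="192.168.0.5",
                 group="invalid_login|adduser|blah|andsoon"),
]


if __name__ == "__main__":
    # Constructed sample alerts: (level, groups from the matching rule)
    samples = [
        (10, ["syslog", "invalid_login"]),  # high-level alert in a listed group
        (5, ["syslog", "invalid_login"]),   # low-level alert in a listed group
        (9, ["syslog", "sshd"]),            # high-level alert in an unlisted group
        (5, ["syslog", "sshd"]),            # low-level alert in an unlisted group
    ]
    for lvl, grps in samples:
        print(f"level {lvl:>2} {grps}: original={count_copies(ORIGINAL, lvl, grps)} "
              f"copies, negated={count_copies(NEGATED, lvl, grps)} copies")
```

Running it shows the duplicate Victor predicts: a level-10 invalid_login alert matches both ORIGINAL blocks (two copies), while under NEGATED only the level-4 block claims it (one copy); unlisted groups still arrive once at level 8 or higher and not at all below that.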

Robert B

Jul 11, 2017, 8:33:43 AM7/11/17
to ossec-list
That's perfect, exactly what I needed to know!   Thank you!