Ossec alert log to syslog server [urgent]

878 views
Skip to first unread message

Altangerel

unread,
Jan 11, 2010, 4:07:33 AM1/11/10
to ossec...@googlegroups.com
Dears,

I have a problem on sending ossec alert log to syslog server. I found an article that shows how to configure ossec.conf to send log data to syslog server.
Then I configured my ossec.conf file like below:

<ossec_config>
  <global>
    <email_notification>yes</email_notification>
    <email_to>xxxxxxxxxxxxxxx</email_to>
    <smtp_server>xxxxxxxxxxxxx</smtp_server>
    <email_from>xxxxxxxxx</email_from>
  </global>
  <syslog_output>
    <server>172.30.80.40</server>
  </syslog_output>

Is there any mistake on my configuration? Also, do I need to modify syslog.conf file?
Please, help me

-- 
Altangerel Ganbold

Wim Remes

unread,
Jan 11, 2010, 10:51:59 AM1/11/10
to ossec...@googlegroups.com
Hi,

you also need to enable syslog output on your ossec server :
#/var/ossec/bin/ossec-control enable client-syslog
#/var/ossec/bin/ossec-control restart

as found here : http://www.ossec.net/main/splunk-ossec-integration

Cheers,

Wim

--
Wim Remes
Security Afficionado

Carter, Dennis A

unread,
Jan 11, 2010, 11:20:08 AM1/11/10
to ossec...@googlegroups.com

Altangerel,

 

Do you have a certain port number that the syslog server uses to receive the alert logs from ossec? If so you may want to add <port>****</port>. The **** would equal the port number like 514.

 

Thanks

 

Dennis Carter

Business Technology Services

727-464-4527

Altangerel

unread,
Jan 11, 2010, 8:15:16 PM1/11/10
to Carter, Dennis A, ossec...@googlegroups.com
On 1/12/2010 12:20 AM, Carter, Dennis A wrote:

Altangerel,

 

Do you have a certain port number that the syslog server uses to receive the alert logs from ossec? If so you may want to add <port>****</port>. The **** would equal the port number like 514.

 

Thanks

 

Dennis Carter

Business Technology Services

727-464-4527


Thanks guys,

I added port number that is used syslog server. Also enabled client-syslog, but it cannot send alert log to syslog server. Is there anyone who can send ossec alert log via syslog?
Please, help me.

I've installed Ossec on FreeBSD 8.0 where syslogd is running. 

-- 
Altangerel Ganbold

dan (ddp)

unread,
Jan 12, 2010, 8:21:40 AM1/12/10
to ossec...@googlegroups.com
> Thanks guys,
>
> I added port number that is used syslog server. Also enabled client-syslog,
> but it cannot send alert log to syslog server. Is there anyone who can send
> ossec alert log via syslog?
> Please, help me.
>
> I've installed Ossec on FreeBSD 8.0 where syslogd is running.
>
> --
> Altangerel Ganbold
>
>

Do you mean specifically the /var/ossec/logs/alert.log?

Wim Remes

unread,
Jan 12, 2010, 8:39:55 AM1/12/10
to ossec...@googlegroups.com
Hi,

does your syslogd run on the same server as OSSEC ?

Cheers,
W

--
Wim Remes
Security Afficionado

Jakub Moravek

unread,
Jan 12, 2010, 8:45:33 AM1/12/10
to ossec-list
Hi,
I set up following architecture:

external agent --ossec--> external manager --syslog--> central manager
<--ossec-- internal agent

External agents send alerts to external manager (10.0.0.2) via ossec
protocol and external manager retransmits these alerts via syslog to
central manager (10.0.0.1).
Agents in internal network send alerts directly to central manager via
ossec protocol.

In occes.conf of external manager I have:
<syslog_output>
<server>10.0.0.1</server>
<port>1515</port>
</syslog_output>

In occes.conf of central manager is:
<remote>
<connection>syslog</connection>
<port>1515</port>
<allowed-ips>10.0.0.2/32</allowed-ips>
</remote>

Cheers,

Jakub

Reply all
Reply to author
Forward
0 new messages