Send OSSEC logs to graylog


titlei...@gmail.com

Sep 24, 2016, 11:41:44 AM
to ossec-list
Hello,

I'm having a problem getting OSSEC to send logs to a Graylog server and I'm hoping someone can offer some advice. I followed the instructions on these pages:

https://marketplace.graylog.org/addons/025e1992-8acb-4e37-8434-2785081bf977
http://ossec-docs.readthedocs.io/en/latest/manual/output/syslog-output.html

Setup:
Graylog 2.1 standalone CentOS 6 server with CEF UDP input listening on 5141
Graylog CEF input plugin 1.1 installed on the server
OSSEC 2.8.3 client on CentOS 6

There are no firewalls between these servers, and I have also verified the client can reach port 5141 on the server using both TCP and UDP. A tcpdump verifies this using netcat.

On the OSSEC client, I have installed it as a 'local' install and added this to the /var/ossec/etc/ossec.conf file:

  <syslog_output>
    <server>172.31.1.1</server>
    <port>5141</port>
    <format>cef</format>
  </syslog_output>

Restarted the Graylog server service and the OSSEC client service. Then, on the OSSEC client:

/var/ossec/bin/ossec-control enable client-syslog
/var/ossec/bin/ossec-control restart

From that point, OSSEC appears to be working. I get the various email alerts that I expect. But I never see anything show up in Graylog. A tcpdump shows no traffic ever making it to the Graylog server either. I assume I would see this type of log entry:

INFO: Forwarding alerts via syslog to: '172.31.1.1:5141'

But I never do.

Have I missed a step somewhere?  Would appreciate some advice.

Thanks,
Jay

dan (ddp)

Sep 26, 2016, 8:28:02 AM
to ossec...@googlegroups.com
Try running csyslogd manually:
`/var/ossec/bin/ossec-csyslogd -df`

to see if there are any additional debug messages that might help. I haven't ever tried the cef format, so I'm not sure how it works.

> Thanks,
> Jay
>
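As an added example (not code from either post, and not OSSEC's or Graylog's own code): a small Python script that parses CEF lines of the general shape an OSSEC syslog_output forwarder sends to a Graylog CEF UDP input, and can fire one constructed CEF datagram at that input so the network path and the input can be checked independently of csyslogd. The sample message, the hostnames/IPs and the extension field values below are constructed assumptions for illustration, not captured OSSEC output.

```python
"""Added example: parse CEF lines and send a constructed CEF test datagram to a
Graylog CEF UDP input. The sample message below is constructed, not real OSSEC output."""
import re
import socket

# Constructed sample in CEF layout (7 '|'-delimited header fields, then key=value extension).
# Assumed values; OSSEC's exact field set is not reproduced here.
SAMPLE_CEF = (
    "CEF:0|OSSEC|OSSEC|2.8.3|5503|User login failed|5|"
    "dvc=172.31.1.50 suser=root act=denied "
    "msg=pam_unix(sshd:auth): authentication failure for user\\=root "
    "cs1=/var/log/secure cs1Label=location"
)

_HEADER_FIELDS = ("version", "device_vendor", "device_product",
                  "device_version", "signature_id", "name", "severity")
# key=value pairs; a value runs until the next " key=" or end of line, honouring "\=" escapes
_EXT_PAIR = re.compile(r"([A-Za-z0-9_]+)=((?:\\.|[^\\])*?)(?=\s+[A-Za-z0-9_]+=|$)")


def _unescape(value: str) -> str:
    """Resolve CEF backslash escapes: \\| \\= \\\\ and the \\n / \\r newline escapes."""
    return re.sub(r"\\(.)", lambda m: {"n": "\n", "r": "\r"}.get(m.group(1), m.group(1)), value)


def _split_header(body: str):
    """Split the seven header fields on unescaped '|'; return (fields, extension_text)."""
    fields, cur, i = [], [], 0
    while i < len(body) and len(fields) < 7:
        ch = body[i]
        if ch == "\\" and i + 1 < len(body):
            cur.append(body[i:i + 2])   # keep the escape pair; _unescape resolves it later
            i += 2
            continue
        if ch == "|":
            fields.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
        i += 1
    if len(fields) == 6:                # severity was last and no extension pipe followed
        fields.append("".join(cur))
        cur = []
    if len(fields) != 7:
        raise ValueError("CEF header needs 7 pipe-delimited fields")
    return [_unescape(f) for f in fields], body[i:]


def parse_cef(line: str) -> dict:
    """Parse one CEF line (optionally prefixed by a syslog <PRI>) into a dict."""
    line = line.strip()
    if line.startswith("<") and ">" in line[:6]:   # strip syslog priority such as <134>
        line = line[line.index(">") + 1:]
    if not line.startswith("CEF:"):
        raise ValueError("not a CEF message")
    fields, ext = _split_header(line[len("CEF:"):])
    record = dict(zip(_HEADER_FIELDS, fields))
    try:
        record["severity"] = int(record["severity"])   # CEF allows 0-10 or words like "High"
    except ValueError:
        pass
    record["extension"] = {k: _unescape(v) for k, v in _EXT_PAIR.findall(ext)}
    return record


def send_test_message(host: str, port: int, message: str = SAMPLE_CEF) -> int:
    """Send one CEF datagram to a Graylog UDP input; returns the number of bytes sent.
    If this message appears in Graylog but nothing from OSSEC does, the gap is on the
    forwarder side (csyslogd) rather than the network path or the input."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        return sock.sendto(message.encode("utf-8"), (host, port))


if __name__ == "__main__":
    import json
    import sys
    print(json.dumps(parse_cef(SAMPLE_CEF), indent=2))
    if len(sys.argv) == 3:     # e.g. python cef_check.py 172.31.1.1 5141 (assumed host/port)
        print("sent", send_test_message(sys.argv[1], int(sys.argv[2])), "bytes")
```

Run it with the Graylog host and input port as arguments from the OSSEC client host while tcpdump is running on the Graylog side; a datagram that arrives and is shown by the CEF input confirms the input and the path, which narrows the problem to whether ossec-csyslogd is actually enabled and running (the `-df` debug run above is the quickest way to see that).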