ossec server syslog output


Olivier Doisneau

Sep 1, 2016, 10:18:07 AM
to ossec-list
So I changed my ossec.conf to have this:

<syslog_output>
  <server>127.0.0.1</server>
  <port>8089</port>
  <format>default</format>
</syslog_output>

and /var/ossec/bin/ossec-csyslogd is started. But I don't see any attempts to push the logs coming in to syslog in the ossec.log file.


Thanks

dan (ddp)

Sep 1, 2016, 10:25:28 AM
to ossec...@googlegroups.com
The ossec.log doesn't usually contain logs that it's logging. You
should be able to see the alerts via tcpdump on the ossec manager:
`tcpdump -nn port 8089`


Olivier Doisneau

Sep 1, 2016, 10:49:45 AM
to ossec-list
So every time I see a log in the /var/ossec/log/alerts/alerts.log I should see something being dumped correct?  Because right now I see alerts.log getting bigger and still nothing on tcpdump.

dan (ddp)

Sep 1, 2016, 11:08:53 AM
to ossec...@googlegroups.com
On Thu, Sep 1, 2016 at 10:49 AM, Olivier Doisneau
<odoi...@payveris.com> wrote:
> So every time I see a log in the /var/ossec/log/alerts/alerts.log I should
> see something being dumped correct? Because right now I see alerts.log
> getting bigger and still nothing on tcpdump.
>

Yes, you should. Try running csyslogd in debug/foreground mode to see
if there are any interesting logs:
`/var/ossec/bin/ossec-csyslogd -df`

>
> On Thursday, September 1, 2016 at 10:18:07 AM UTC-4, Olivier Doisneau wrote:
>>
>> So I changed my ossec.conf to have this:
>>
>> <syslog_output>
>>
>> <server>127.0.0.1</server>
>>
>> <port>8089</port>
>>
>> <format>default</format>
>>
>> </syslog_output>
>>
>>
>> and /var/ossec/bin/ossec-csyslogd
>>
>> is started. But I don't see any attempts to push the logs coming in to
>> syslog in the ossec.log file.
>>
>>
>> Thanks
>

Olivier Doisneau

Sep 1, 2016, 11:27:52 AM
to ossec-list
yes so this is what I see in the alerts.log

** Alert 1472743613.1120105: - pam,syslog,
2016 Sep 01 15:26:53 (dev-login-01) any->/var/log/secure
Rule: 5502 (level 3) -> 'Login session closed.'
Sep  1 15:26:51 dev-login-01 sshd[2930]: pam_unix(sshd:session): session closed for user od


but nothing for the process except this:

2016/09/01 15:24:06 ossec-csyslogd: DEBUG: Starting ...
2016/09/01 15:24:06 ossec-csyslogd: INFO: Chrooted to directory: /var/ossec, using user: ossecm
2016/09/01 15:24:06 ossec-csyslogd: INFO: Started (pid: 12106).
2016/09/01 15:24:06 ossec-csyslogd: INFO: File queue connected.
2016/09/01 15:24:06 ossec-csyslogd: INFO: Forwarding alerts via syslog to: '127.0.0.1:8089'.

and nothing else...

dan (ddp)

Sep 1, 2016, 12:23:05 PM
to ossec...@googlegroups.com
On Thu, Sep 1, 2016 at 11:07 AM, dan (ddp) <ddp...@gmail.com> wrote:
> On Thu, Sep 1, 2016 at 10:49 AM, Olivier Doisneau
> <odoi...@payveris.com> wrote:
>> So every time I see a log in the /var/ossec/log/alerts/alerts.log I should
>> see something being dumped correct? Because right now I see alerts.log
>> getting bigger and still nothing on tcpdump.
>>
>
> Yes, you should. Try running csyslogd in debug/foreground mode to see
> if there are any interesting logs:
> `/var/ossec/bin/ossec-csyslogd -df`
>

You might want to also try setting <level>1</level> in the
syslog_output section.

dan (ddp)

Sep 1, 2016, 12:23:05 PM
to ossec...@googlegroups.com
On Thu, Sep 1, 2016 at 11:27 AM, Olivier Doisneau
<odoi...@payveris.com> wrote:
> yes so this is what I see in the alerts.log
>
> ** Alert 1472743613.1120105: - pam,syslog,
>
> 2016 Sep 01 15:26:53 (dev-login-01) any->/var/log/secure
>
> Rule: 5502 (level 3) -> 'Login session closed.'
>
> Sep 1 15:26:51 dev-login-01 sshd[2930]: pam_unix(sshd:session): session
> closed for user od
>
>
> but nothing for the process except this:
>
>
> 2016/09/01 15:24:06 ossec-csyslogd: DEBUG: Starting ...
>
> 2016/09/01 15:24:06 ossec-csyslogd: INFO: Chrooted to directory: /var/ossec,
> using user: ossecm
>
> 2016/09/01 15:24:06 ossec-csyslogd: INFO: Started (pid: 12106).
>
> 2016/09/01 15:24:06 ossec-csyslogd: INFO: File queue connected.
>
> 2016/09/01 15:24:06 ossec-csyslogd: INFO: Forwarding alerts via syslog to:
> '127.0.0.1:8089'.
>

I didn't realize this was on loopback (not that it matters
apparently). This works for me:
<syslog_output>
<server>127.0.0.1</server>
<port>9514</port>
</syslog_output>


Make sure your syslog daemon is listening on localhost udp/8089, and
it's configured to accept the messages.

>
> and nothing else...
>
>
> On Thursday, September 1, 2016 at 10:18:07 AM UTC-4, Olivier Doisneau wrote:
>>
>> So I changed my ossec.conf to have this:
>>
>> <syslog_output>
>>
>> <server>127.0.0.1</server>
>>
>> <port>8089</port>
>>
>> <format>default</format>
>>
>> </syslog_output>
>>
>>
>> and /var/ossec/bin/ossec-csyslogd
>>
>> is started. But I don't see any attempts to push the logs coming in to
>> syslog in the ossec.log file.
>>
>>
>> Thanks
>
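
A small loopback listener for the check dan describes (bind the UDP port csyslogd forwards to and look at what arrives), as an added example that is not from the thread or from the OSSEC project. The sample datagram, and the layout it assumes for csyslogd's "default" format, are constructed for the example.

```python
import re
import socket
from typing import Optional

# Constructed sample of what the "default" csyslogd format is assumed to emit for the
# thread's rule 5502 alert. The field layout is an assumption, not taken from OSSEC source.
SAMPLE_ALERT = (
    "<132>Sep  1 15:26:53 dev-login-01 ossec: Alert Level: 3; Rule: 5502 - "
    "Login session closed.; Location: (dev-login-01) any->/var/log/secure; "
    "Sep  1 15:26:51 dev-login-01 sshd[2930]: pam_unix(sshd:session): "
    "session closed for user od"
)

PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.S)
OSSEC_RE = re.compile(r"ossec: Alert Level: (\d+); Rule: (\d+) - ([^;]*);")


def parse_syslog(datagram: bytes) -> dict:
    """Split a raw syslog datagram into PRI facility/severity plus the OSSEC alert fields."""
    text = datagram.decode("utf-8", errors="replace")
    m = PRI_RE.match(text)
    if not m:  # no <PRI> prefix: whatever is sending to this port is not a syslog forwarder
        return {"valid": False, "raw": text}
    pri = int(m.group(1))
    rec = {"valid": True, "facility": pri // 8, "severity": pri % 8, "msg": m.group(2)}
    o = OSSEC_RE.search(m.group(2))
    if o:
        rec.update(level=int(o.group(1)), rule=int(o.group(2)), description=o.group(3))
    return rec


def receive_one(host: str = "127.0.0.1", port: int = 8089, timeout: float = 5.0) -> Optional[dict]:
    """Bind the port from <syslog_output> and return the first alert seen, or None on timeout.
    Stop the real syslog daemon first; two listeners cannot share the same UDP port."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as rx:
        rx.bind((host, port))
        rx.settimeout(timeout)
        try:
            data, _ = rx.recvfrom(65535)
        except socket.timeout:
            return None
    return parse_syslog(data)


def self_test(port: int = 0) -> Optional[dict]:
    """Send SAMPLE_ALERT to our own listener (port 0 = any free port) and return what it parsed."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as rx:
        rx.bind(("127.0.0.1", port))
        rx.settimeout(2.0)
        bound = rx.getsockname()[1]
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as tx:
            tx.sendto(SAMPLE_ALERT.encode(), ("127.0.0.1", bound))
        try:
            data, _ = rx.recvfrom(65535)
        except socket.timeout:
            return None
    return parse_syslog(data)


if __name__ == "__main__":
    print("loopback self-test:", self_test())
    print("first alert on udp/8089:", receive_one())
```

If receive_one() returns None while alerts.log keeps growing, the problem is before the socket (csyslogd level threshold or its queue); if it returns a record, the forwarder is fine and the receiving daemon's configuration is what to look at.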

Olivier Doisneau

Sep 1, 2016, 1:30:46 PM
to ossec-list
I am all set.  It was the forwarder that was mis-configured.

