On Apr 30, 2012 4:11 PM, "carlopmart" <carlopm...@gmail.com> wrote:
>
> Hi all,
>
>  I have several problems with ossec-remoted process and ossec's syslog
> remote options. My ossec server is configured to receive syslog messages
> via tcp port.
>
>  The problem is the amount of syslog messages that ossec can receive; it
> does not seem to be many.
>
>  Configuration is:
>
>  syslog forwarder --------> ossec-remote process...
>

What are you using as your "forwarder?"

>  Using this configuration, ossec doesn't trigger alerts because it groups
> these alerts (sometimes three or four messages in the same alert and

What does this mean? If multiple alerts are grouped together in an alert,
an alert is triggered.

> sometimes more). As you can see, some alerts work and others do not ...
>

I can't see, no examples were provided.

>  Changing to udp, ossec loses a lot of messages ...
>
>  Another option I've tried is to use a third server that redirects all
> messages to a text file in syslog format. It was the worst solution: ossec
> reads messages two hours late ...
>
>  Then, what is the solution? Is it not possible to use the remote syslog
> option in production environments?
>
> Thanks.
> --
> CL Martinez
> carlopmart {at} gmail {d0t} com
