I am attempting to forward OSSEC logs to a SIEM via syslog. Recommended 
configuration in the documentation is:
 
  <syslog_output>
    <server>192.168.4.1</server>
  </syslog_output>

 
The SIEM recognizes json format on port 5500, so I've configured the logs to 
that format and set the configuration as:
 
<syslog_output>
  <server>172.27.212.243</server>
  <port>5500</port>
  <format>json</format>
</syslog_output>
 
When I save this and try to start the services the following error is 
generated:
 
Starting OSSEC HIDS v2.9.0 (by Trend Micro Inc.)...
OSSEC analysisd: Testing rules failed. Configuration error. Exiting.

/var/ossec/bin/ossec-logtest returns the following:
 
2017/03/21 18:50:55 ossec-testrule(1230): ERROR: Invalid element in the 
configuration: 'syslog_output'.
2017/03/21 18:50:55 ossec-testrule(1202): ERROR: Configuration error at 
'/var/ossec/etc/ossec.conf'. Exiting.
If I comment out the syslog configuration services start as expected. 
Any advice would be greatly appreciated.

Thank you,
 
Marc Baker
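As an added check (not from the original post or the OSSEC project), the script below parses an ossec.conf fragment and reports a `<syslog_output>` block that sits outside `<ossec_config>`, which is one known source of OSSEC's "Invalid element in the configuration" error, as well as a missing `<server>`, a bad `<port>`, or a `<format>` value outside the set the csyslogd reader is assumed to accept (default, cef, json, splunk; verify against your version). The sample blocks are constructed from the configuration quoted above.

```python
import xml.etree.ElementTree as ET

# Elements OSSEC's ReadConfig() accepts at the top of ossec.conf; anything else
# at that level is reported as "Invalid element in the configuration".
TOP_LEVEL = {"ossec_config", "agent_config"}
# <format> values understood by csyslogd (assumption: taken from the 2.8/2.9
# csyslogd config reader; check against the version you actually run).
KNOWN_FORMATS = {"default", "cef", "json", "splunk"}


def check_ossec_conf(text):
    """Return a list of problems found in ossec.conf text ([] if clean).

    ossec.conf may hold several top-level <ossec_config> blocks, so the text is
    wrapped in a synthetic root before parsing with ElementTree.
    """
    problems = []
    root = ET.fromstring("<root>" + text + "</root>")
    for node in root:
        if node.tag not in TOP_LEVEL:
            problems.append(f"'{node.tag}' sits outside <ossec_config>")
    for out in root.iter("syslog_output"):
        server = out.findtext("server", "").strip()
        if not server:
            problems.append("syslog_output without <server>")
        port = out.findtext("port", "514").strip()  # 514 is OSSEC's default
        if not port.isdigit() or not 1 <= int(port) <= 65535:
            problems.append(f"syslog_output has invalid <port> '{port}'")
        fmt = out.findtext("format", "default").strip()
        if fmt not in KNOWN_FORMATS:
            problems.append(f"syslog_output has unknown <format> '{fmt}'")
    return problems


# Constructed samples: the block nested as expected, and the same block bare.
GOOD = """<ossec_config>
  <syslog_output>
    <server>172.27.212.243</server>
    <port>5500</port>
    <format>json</format>
  </syslog_output>
</ossec_config>"""

BARE = """<syslog_output>
  <server>172.27.212.243</server>
  <port>5500</port>
  <format>json</format>
</syslog_output>"""

if __name__ == "__main__":
    for name, sample in (("good", GOOD), ("bare", BARE)):
        print(name, check_ossec_conf(sample) or "ok")
```

OSSEC's own XML reader is more forgiving than ElementTree (for example with an unescaped `&`), so a parse failure here does not by itself mean OSSEC would reject the file.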