I am attempting to forward OSSEC logs to a SIEM via syslog. The recommended configuration in the documentation is:

    <syslog_output>
      <server>192.168.4.1</server>
    </syslog_output>

The SIEM recognizes JSON format on port 5500, so I've configured logs to that format and set the configuration as:

    <syslog_output>
      <server>172.27.212.243</server>
      <port>5500</port>
      <format>json</format>
    </syslog_output>

When I save this and try to start the services, the following error is generated:

    Starting OSSEC HIDS v2.9.0 (by Trend Micro Inc.)...
    OSSEC analysisd: Testing rules failed. Configuration error. Exiting.

/var/ossec/bin/ossec-logtest returns the following:

    2017/03/21 18:50:55 ossec-testrule(1230): ERROR: Invalid element in the configuration: 'syslog_output'.
    2017/03/21 18:50:55 ossec-testrule(1202): ERROR: Configuration error at '/var/ossec/etc/ossec.conf'. Exiting.

If I comment out the syslog configuration, services start as expected. Any advice would be greatly appreciated.

Thank you,
Marc Baker
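Because a rejected <syslog_output> block stops OSSEC from starting at all, it helps to sanity-check the fragment before restarting. The checker below is an added example, not code from the post or the OSSEC project; it parses an ossec.conf fragment and flags the structural mistakes the post's configuration could run into (a block outside <ossec_config>, a <server> that is not an IP address, an out-of-range <port>). The set of accepted <format> names is an assumption, and the default port 514 comes from the OSSEC syslog output documentation.

```python
"""Sanity-check <syslog_output> blocks in an ossec.conf fragment before restarting OSSEC.

Added example, not from the original post or the OSSEC project.
"""
import ipaddress
import xml.etree.ElementTree as ET

# Assumed set of accepted format values; the post itself only uses "json".
ASSUMED_FORMATS = {"default", "json", "cef", "splunk"}


def check_syslog_output(conf_text: str) -> list:
    """Return a list of problem strings; an empty list means nothing obvious is wrong."""
    problems = []
    # ossec.conf may contain several <ossec_config> sections with no single root,
    # so wrap the fragment in a synthetic root before parsing.
    try:
        root = ET.fromstring("<root>" + conf_text + "</root>")
    except ET.ParseError as exc:
        return [f"XML parse error: {exc}"]

    # A <syslog_output> block must sit inside <ossec_config>; flag any top-level one.
    stray = root.findall("syslog_output")
    for _ in stray:
        problems.append("<syslog_output> is not enclosed in <ossec_config>")

    blocks = root.findall("ossec_config/syslog_output")
    if not blocks and not stray:
        problems.append("no <syslog_output> block found")

    for idx, block in enumerate(blocks):
        server = block.findtext("server")
        if not server or not server.strip():
            problems.append(f"block {idx}: missing <server>")
        else:
            try:
                ipaddress.ip_address(server.strip())  # OSSEC expects an IP address here
            except ValueError:
                problems.append(f"block {idx}: <server> is not an IP address: {server!r}")

        port = block.findtext("port", "514").strip()  # 514 is the documented default
        if not port.isdigit() or not 1 <= int(port) <= 65535:
            problems.append(f"block {idx}: bad <port> {port!r}")

        fmt = block.findtext("format", "default").strip()
        if fmt not in ASSUMED_FORMATS:
            problems.append(f"block {idx}: unexpected <format> {fmt!r}")
    return problems
```

Run it on the exact text you intend to put in ossec.conf (including the enclosing <ossec_config> tags); an empty result only means the block is structurally sound, so ossec-logtest remains the final word.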