On Tue, Mar 21, 2017 at 2:53 PM, Marc Baker <marcjbake...@gmail.com> wrote:
> I am attempting to forward OSSEC logs to a SIEM via syslog. The recommended
> configuration in the documentation is:
>
>   <syslog_output>
>     <server>192.168.4.1</server>
>   </syslog_output>
>
> The SIEM recognizes json format on port 5500, so I've configured logs to that
> format and set the configuration as:
>
> <syslog_output>
>   <server>172.27.212.243</server>
>   <port>5500</port>
>   <format>json</format>
> </syslog_output>
>
> When I save this and try to start the services the following error is
> generated:
>
> Starting OSSEC HIDS v2.9.0 (by Trend Micro Inc.)...
> OSSEC analysisd: Testing rules failed. Configuration error. Exiting.
>
> /var/ossec/bin/ossec-logtest returns the following:
>
> 2017/03/21 18:50:55 ossec-testrule(1230): ERROR: Invalid element in the
> configuration: 'syslog_output'.
> 2017/03/21 18:50:55 ossec-testrule(1202): ERROR: Configuration error at
> '/var/ossec/etc/ossec.conf'. Exiting.
> If I comment out the syslog configuration, services start as expected. Any
> advice would be greatly appreciated.
>

This works for me with current sources (haven't tried 2.9.0 specifically):
  <syslog_output>
    <server>192.168.17.8</server>
    <port>9514</port>
    <format>json</format>
  </syslog_output>

Check src/config/csyslogd-config.c to see if json is listed.

> Thank you,
>
> Marc Baker
>
> --
>
> ---
> You received this message because you are subscribed to the Google Groups
> "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to ossec-list+unsubscr...@googlegroups.com.
> For more options, visit https://groups.google.com/d/optout.

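A pre-flight check in the spirit of the advice above, added here as an example and not code from the thread or from OSSEC itself: it parses the <syslog_output> blocks of an ossec.conf and flags the mistakes that are visible in the file before ossec-logtest is run. The accepted <format> list and the expectation that <server> holds an IP address are my assumptions, to be confirmed against src/config/csyslogd-config.c in your own source tree.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Assumed set of accepted <format> values; this list is not from the thread, so
# confirm it against src/config/csyslogd-config.c in your own source tree.
ALLOWED_FORMATS = {"default", "cef", "json", "splunk"}

# Constructed sample: the first block mirrors the thread's working config, the
# second deliberately carries an out-of-range port and an unknown format.
SAMPLE_CONF = """<ossec_config>
  <syslog_output>
    <server>192.0.2.10</server>
    <port>5500</port>
    <format>json</format>
  </syslog_output>
  <syslog_output>
    <server>192.0.2.11</server>
    <port>99999</port>
    <format>xml</format>
  </syslog_output>
</ossec_config>
"""

def check_syslog_output(conf_text):
    """Return the problems found in every <syslog_output> block (empty list = none)."""
    problems = []
    # ossec.conf may hold several top-level <ossec_config> elements, so wrap
    # the text in a synthetic root before parsing.
    root = ET.fromstring("<root>" + conf_text + "</root>")
    parent_of = {child: parent for parent in root.iter() for child in parent}
    blocks = list(root.iter("syslog_output"))
    if not blocks:
        problems.append("no <syslog_output> block found")
    for i, block in enumerate(blocks, 1):
        if parent_of[block].tag != "ossec_config":
            problems.append(f"block {i}: not directly inside <ossec_config>")
        server = block.findtext("server", default="").strip()
        port = block.findtext("port", default="514").strip()
        fmt = block.findtext("format", default="default").strip()
        try:
            ipaddress.ip_address(server)  # assumption: csyslogd expects an IP here
        except ValueError:
            problems.append(f"block {i}: <server> '{server}' is not an IP address")
        if not port.isdigit() or not 1 <= int(port) <= 65535:
            problems.append(f"block {i}: <port> '{port}' is not in 1-65535")
        if fmt not in ALLOWED_FORMATS:
            problems.append(f"block {i}: <format> '{fmt}' is not an accepted format")
    return problems
```

A clean result only means the obvious mistakes are absent; the installed build's own parser (run ossec-logtest) remains the final word on whether the block is accepted.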