On Tue, Mar 21, 2017 at 2:53 PM, Marc Baker <marcjbake...@gmail.com> wrote:
> I am attempting to forward OSSEC logs to a SIEM via syslog. Recommended
> configuration in the documentation is:
>
>   <syslog_output>
>     <server>192.168.4.1</server>
>   </syslog_output>
>
> The SIEM recognizes json format on port 5500 so I've configured logs to that
> format and set the configuration as:
>
>   <syslog_output>
>     <server>172.27.212.243</server>
>     <port>5500</port>
>     <format>json</format>
>   </syslog_output>
>
> When I save this and try to start the services the following error is
> generated:
>
>   Starting OSSEC HIDS v2.9.0 (by Trend Micro Inc.)...
>   OSSEC analysisd: Testing rules failed. Configuration error. Exiting.
>
> /var/ossec/bin/ossec-logtest returns the following:
>
>   2017/03/21 18:50:55 ossec-testrule(1230): ERROR: Invalid element in the
>   configuration: 'syslog_output'.
>   2017/03/21 18:50:55 ossec-testrule(1202): ERROR: Configuration error at
>   '/var/ossec/etc/ossec.conf'. Exiting.
>
> If I comment out the syslog configuration services start as expected. Any
> advice would be greatly appreciated.
This works for me with current sources (haven't tried 2.9.0 specifically):

  <syslog_output>
    <server>192.168.17.8</server>
    <port>9514</port>
    <format>json</format>
  </syslog_output>

Check src/config/csyslogd-config.c to see if json is listed.

> Thank you,
>
> Marc Baker
>
> --
>
> ---
> You received this message because you are subscribed to the Google Groups
> "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to ossec-list+unsubscr...@googlegroups.com.
> For more options, visit https://groups.google.com/d/optout.
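The thread above boils down to "does this build of OSSEC accept the elements I put inside <syslog_output>?", and the only feedback the daemon gives is a one-line "Invalid element" at start-up. The following script is an added example, not code from OSSEC or from either poster: it parses an ossec.conf and checks every <syslog_output> block against an allowed set of child elements and <format> values before you restart the services. The allowed sets (ALLOWED_ELEMENTS, ALLOWED_FORMATS) are assumptions written from memory of src/config/csyslogd-config.c and should be cross-checked against the source of the version you actually run, exactly as the reply suggests; the sample configuration is constructed from the two blocks quoted in the question.

```python
"""Pre-flight check for <syslog_output> blocks in an OSSEC ossec.conf.

Added example, not OSSEC project code. The accepted element names and
<format> values below are assumptions: confirm them against
src/config/csyslogd-config.c for your OSSEC version before relying on them.
"""
import xml.etree.ElementTree as ET

# Assumed child elements of <syslog_output> accepted by csyslogd-config.c.
ALLOWED_ELEMENTS = {"server", "port", "format", "level", "group", "rule_id", "location"}
# Assumed <format> values; "json" is the one the thread is about.
ALLOWED_FORMATS = {"default", "json", "splunk"}

# Constructed sample ossec.conf: two <ossec_config> roots (OSSEC allows this),
# one with the documented minimal block and one with the JSON/port 5500 block.
SAMPLE_CONF = """\
<ossec_config>
  <global>
    <email_notification>no</email_notification>
  </global>
  <syslog_output>
    <server>192.168.4.1</server>
  </syslog_output>
</ossec_config>
<ossec_config>
  <syslog_output>
    <server>172.27.212.243</server>
    <port>5500</port>
    <format>json</format>
  </syslog_output>
</ossec_config>
"""


def parse_ossec_conf(text):
    # ossec.conf may hold several top-level <ossec_config> elements, which is
    # not well-formed XML on its own, so wrap the file in a synthetic root.
    return ET.fromstring("<root>" + text + "</root>")


def syslog_output_blocks(root):
    return root.findall("./ossec_config/syslog_output")


def validate_block(block):
    """Return a list of human-readable errors for one <syslog_output> element."""
    errors = []
    tags = {child.tag for child in block}
    if "server" not in tags:
        errors.append("missing <server>")
    for child in block:
        text = (child.text or "").strip()
        if child.tag not in ALLOWED_ELEMENTS:
            # This is the class of mistake that yields ossec-testrule(1230)
            # "Invalid element in the configuration".
            errors.append("invalid element <%s>" % child.tag)
        elif child.tag == "port":
            if not text.isdigit() or not 1 <= int(text) <= 65535:
                errors.append("bad <port> %r" % text)
        elif child.tag == "format" and text not in ALLOWED_FORMATS:
            errors.append("unsupported <format> %r" % text)
    return errors


def validate_conf(text):
    """Map each <syslog_output> block index to its error list (empty = looks valid)."""
    root = parse_ossec_conf(text)
    return {i: validate_block(b) for i, b in enumerate(syslog_output_blocks(root))}


if __name__ == "__main__":
    for idx, errs in validate_conf(SAMPLE_CONF).items():
        print("syslog_output #%d: %s" % (idx, ", ".join(errs) or "ok"))
```

Run it against /var/ossec/etc/ossec.conf (read the file into validate_conf) before restarting; a block that passes here but is still rejected by ossec-logtest means the daemon you are running was built without that element or format, which is the case the reply's "check csyslogd-config.c" advice covers. Note that the check is purely syntactic: it says nothing about whether the SIEM actually receives the alerts, which still go out as plain syslog on the network.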