
You should not have a syslog server on Penguin.  If you do, it is intercepting the message before ossec can see it.  If you configure Gateway and Media to use a different port for syslog, configure ossec.conf on Penguin to listen to the new port.  You can either use ossec or syslogd to listen to the syslog messages on the server – not both.


Try this article in the FAQ to see if it helps you.  http://www.ossec.net/wiki/index.php/Know_How:Syslog_Config
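Added example, not code from this thread or from the OSSEC project: a read-only shell check for the situation the reply describes, where syslogd on the server holds the syslog port so ossec-remoted never sees the agents' messages. It reads the port from the `<remote>` block with `<connection>syslog</connection>` in ossec.conf (the element names are OSSEC's own) and looks up which process owns that UDP port; the ossec.conf fragment and the `netstat -ulnp` listing below are constructed sample input.

```shell
#!/bin/sh
# Constructed ossec.conf fragment as it might look on the "server" host.
OSSEC_CONF='<ossec_config>
  <remote>
    <connection>secure</connection>
  </remote>
  <remote>
    <connection>syslog</connection>
    <port>514</port>
    <protocol>udp</protocol>
    <allowed-ips>192.168.1.0/24</allowed-ips>
  </remote>
</ossec_config>'

# Constructed `netstat -ulnp` output: syslogd (started with -r) holds UDP 514,
# so ossec-remoted is bound elsewhere and receives nothing from the agents.
NETSTAT_UDP='udp   0   0 0.0.0.0:514    0.0.0.0:*   1234/syslogd
udp   0   0 0.0.0.0:1514   0.0.0.0:*   5678/ossec-remoted'

# Print the port of the syslog <remote> block (514 when <port> is absent).
ossec_syslog_port() {
  printf '%s\n' "$1" | awk '
    /<remote>/     { conn=""; port=514 }
    /<connection>/ { gsub(/.*<connection>|<\/connection>.*/, ""); conn=$0 }
    /<port>/       { gsub(/.*<port>|<\/port>.*/, ""); port=$0 }
    /<\/remote>/   { if (conn == "syslog") print port }'
}

# Print the process name bound to UDP <port> in a netstat listing, or "none".
udp_port_owner() {
  port="$1"; listing="$2"
  owner=$(printf '%s\n' "$listing" | awk -v p="$port" \
    '$1 == "udp" && $4 ~ (":" p "$") { sub(/^[0-9]+\//, "", $NF); print $NF; exit }')
  printf '%s\n' "${owner:-none}"
}

# Verdict: "ok" when ossec-remoted owns the configured port,
# "conflict:<process>" when another daemon (or nothing) holds it.
check_syslog_listener() {
  port=$(ossec_syslog_port "$1")
  owner=$(udp_port_owner "$port" "$2")
  case "$owner" in
    ossec-remoted) echo "ok" ;;
    *)             echo "conflict:$owner" ;;
  esac
}

check_syslog_listener "$OSSEC_CONF" "$NETSTAT_UDP"   # prints conflict:syslogd
```

On a live host, replace the two constructed strings with `cat /var/ossec/etc/ossec.conf` and `netstat -ulnp` output; a "conflict" result means the agents' syslog traffic is being consumed before OSSEC can analyse it.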

From: [email protected] [mailto:[EMAIL PROTECTED] On Behalf Of Johnny Stork
Sent: Thursday, September 21, 2006 2:49 PM
To: ossec-list
Subject: [ossec-list] Remote syslog configuration question


I just set up ossec on three machines as follows:


Penguin (RHES4) Installed as "server"
Gateway (RHES4) Installed as "agent"
Media (CentOS 4.4) Installed as "agent".


So far so good, agents and keys all set up as per instructions, and when starting ossec on Server1, I get what looks like the correct response and indication of communication with the agents in /var/ossec/logs/ossec.log on Penguin, the "Server" install.


2006/09/21 12:30:55 ossec-remoted: Assigning counter for agent Gateway: '0:6480'.
2006/09/21 12:30:55 ossec-remoted: Assigning counter for agent Media: '0:1070'.
2006/09/21 12:30:55 ossec-remoted: Assigning sender counter: 0:1068


Now both Gateway and Media send syslog to Penguin, which is running as the "server". When I try to login to either Gateway or Media via SSH and intentionally use a bad password, the syslog on Penguin shows the correct failures, but this does not seem to be caught by ossec? Have I missed something in the configuration with regards to having the server install as the main syslog monitor?


Sep 21 12:47:44 media sshd(pam_unix)[18133]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=somehost.somedomain.ca user=root


Any suggestions?
