Hello mate! I'm also using syslog-ng + ossec.
I have configured syslog to log each box to a different directory, so I
can have things in order.
I have also configured ossec to look at those logs with:
<localfile>
<log_format>syslog</log_format>
<location>/var/log/hosts/*/*log</location>
</localfile>
Just as a heads up, if you are going to use syslogd on the "terminal"
boxes, you will be forced to use UDP. If you can change all the syslog
daemons to syslog-ng, you can use TCP and a nice encrypted tunnel (you
can also do this with UDP, but it is more tricky).
Cheers!
On Tue, 2007-01-30 at 09:02 -0500, John J. Culkin wrote:
> Magnus
>
> Thanks a lot, that sounds great - would you mind sharing what kind of planning
> you had to do and if you would do anything different next time? I am
> considering the same implementation.
>
>
>
> -- John C.
>
>
>
> Magnus Egilsson wrote:
>
> >Hi
> >
> >I'm using syslog-ng and ossec together. It works great but needs to be
> >planned ahead a bit.
> >
> >Best regards
> >Magnus
> >
> >
> >Subject: [ossec-list] Log host?
> >
> >
> >Can OSSEC act as a centralized log host for linux machines? Or should I
> >keep investigating solutions like metalog and syslog-ng?
> >
> >If it can act as a centralized log host, are there any examples using it
> >with stunnel to secure the connections?
> >
> >Thanks,
> >
> >-- John C.
> >
> >
> >
>
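As an added example (not the poster's own configuration, nor anything from the OSSEC project), this is a syslog-ng server configuration that produces the per-host directory layout the `<location>/var/log/hosts/*/*log</location>` wildcard above expects. The port numbers, file layout and option values are assumptions chosen for the illustration; `$HOST` and `$FACILITY` are standard syslog-ng macros, and `keep_hostname`, `use_dns`, `create_dirs`, `dir_perm` and `perm` are standard syslog-ng options.

```conf
# Added example, not from the original thread: syslog-ng log-host side.
# Each sending box gets its own directory under /var/log/hosts so that
# OSSEC's <location>/var/log/hosts/*/*log</location> picks every file up.
# Paths, ports and permissions below are assumptions for the illustration.

options {
    # Name the directory after the address the message actually came from
    # (keep_hostname(no)) rather than after whatever hostname the message
    # body claims, so a message cannot steer itself into another box's
    # directory. With use_dns(no) the directory name is the peer IP.
    keep_hostname(no);
    use_dns(no);
    chain_hostnames(no);

    # Create per-host directories on the fly, readable by root/OSSEC only.
    create_dirs(yes);
    dir_perm(0750);
    perm(0640);
};

# Plain syslogd clients can only send UDP on 514.
source s_remote_udp {
    udp(ip(0.0.0.0) port(514));
};

# syslog-ng clients can send TCP. Binding the TCP source to loopback and
# letting stunnel listen on the public interface gives the encrypted tunnel
# mentioned above: stunnel terminates TLS and forwards cleartext to 5140.
source s_remote_tcp {
    tcp(ip(127.0.0.1) port(5140));
};

# One directory per host, one file per facility:
#   /var/log/hosts/<host>/<facility>.log   (matches /var/log/hosts/*/*log)
destination d_hosts {
    file("/var/log/hosts/$HOST/$FACILITY.log" create_dirs(yes));
};

log { source(s_remote_udp); destination(d_hosts); };
log { source(s_remote_tcp); destination(d_hosts); };
```

On the client side the matching piece is a syslog-ng `tcp()` destination pointing at a local stunnel that connects out to the log host; stock syslogd clients keep using UDP to port 514, which is why the poster says UDP is forced for those boxes. Because UDP source addresses carry no authentication, the UDP path only gives you ordering by apparent sender, while the TCP-over-stunnel path gives both ordering and an encrypted, authenticated transport.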