I have the same setup. I'm using syslog-ng as my central syslog host.

In syslog-ng.conf, I set up 2 destinations for incoming syslog messages:

destination df_syslog { file("/var/log/syslog-ng/$HOST/syslog"); };
destination ossec_syslog { udp("127.0.0.1" destport(1025)); };

'df_syslog' places all incoming syslog messages into the file named
'syslog' under a directory corresponding to the originating hostname.

'ossec_syslog' forwards the syslog message to UDP port 1025, on
localhost. I have OSSEC listening for syslog on that port. I send all my
syslog messages from my PIX firewalls to both destinations.
* This was a kludgy thing to do, but I found that OSSEC's PIX rules
weren't being used against syslog files. The problem originated on an
older version of OSSEC. I'm running 1.0 now. The problem may be fixed,
but I lack the time to test it out.

If you want to see my syslog-ng.conf and/or ossec.conf, send me a
private message, and I'll forward them to you.

-----
Jeremy


On Tue, 2007-01-30 at 09:02 -0500, John J. Culkin wrote:
> Magnus
> 
> Thanks a lot, that sounds great - would you mind sharing what kind of
> planning you had to do and if you would do anything different next time? I
> am considering the same implementation.
> 
> 
> 
> -- John C.
> 
> 
> 
> Magnus Egilsson wrote:
> 
> >Hi
> >
> >I'm using syslog-ng and ossec together. It works great but needs to be
> >planned ahead a bit.
> >
> >Best regards
> >Magnus
> >
> >
> >Subject: [ossec-list] Log host?
> >
> >
> >Can OSSEC act as a centralized log host for linux machines? Or should I 
> >keep investigating solutions like metalog and syslog-ng?
> >
> >If it can act as a centralized log host, are they any examples using it 
> >with stunnel to secure the connections?
> >
> >Thanks,
> >
> >-- John C.
> >
> >  
> >
> 

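An added loopback check for the syslog-ng -> OSSEC UDP relay Jeremy describes. This is example code written for this page, not Jeremy's script or anything shipped with OSSEC or syslog-ng. It assumes OSSEC is configured with a syslog `<remote>` block on UDP 1025 limited to 127.0.0.1 (the stanza in the docstring is my assumption of what that looks like, not Jeremy's ossec.conf), and it uses a constructed PIX-style message, not a captured one. Run it with `listen` in place of OSSEC on port 1025 to see exactly what syslog-ng hands over (host header, PRI, PIX message ID), or with no argument to exercise the parser end to end over loopback.

```python
"""Loopback check for a syslog-ng -> OSSEC UDP syslog relay (added example).

Assumed OSSEC side (not from the thread):

    <remote>
      <connection>syslog</connection>
      <port>1025</port>
      <protocol>udp</protocol>
      <allowed-ips>127.0.0.1</allowed-ips>
    </remote>

Assumed syslog-ng log path that fans out to both destinations:

    log { source(s_net); destination(df_syslog); destination(ossec_syslog); };
"""
import re
import socket
import sys
import threading

# Constructed sample in PIX syslog format (local4.info, PRI 166); not a captured line.
SAMPLE_PIX = ("<166>Jan 30 09:02:11 pix-edge %PIX-6-302013: Built outbound TCP "
              "connection 12345 for outside:203.0.113.5/80 (203.0.113.5/80) "
              "to inside:10.0.0.7/51234 (198.51.100.2/51234)")

_RFC3164 = re.compile(r"^<(?P<pri>\d{1,3})>(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
                      r"(?P<host>\S+) (?P<msg>.*)$", re.DOTALL)
_PIX_ID = re.compile(r"%(?P<dev>PIX|ASA|FWSM)-(?P<sev>\d)-(?P<id>\d+):")


def parse_rfc3164(line):
    """Split a BSD syslog line into facility, severity, timestamp, host and message.
    A line with no usable header is returned whole in 'msg' with the rest unset,
    which is what you see when the relay strips or mangles the header."""
    m = _RFC3164.match(line)
    if not m:
        return {"facility": None, "severity": None, "timestamp": None,
                "host": None, "msg": line}
    pri = int(m.group("pri"))
    return {"facility": pri >> 3, "severity": pri & 7, "timestamp": m.group("ts"),
            "host": m.group("host"), "msg": m.group("msg")}


def pix_message_id(msg):
    """Return (device, severity, id) for a PIX/ASA/FWSM message, or None.
    OSSEC's PIX rules key on this token, so it must survive the relay intact."""
    m = _PIX_ID.search(msg)
    return (m.group("dev"), int(m.group("sev")), m.group("id")) if m else None


def udp_listener(sock, results, count):
    """Collect `count` datagrams from a bound UDP socket as (peer_ip, text)."""
    for _ in range(count):
        data, peer = sock.recvfrom(65535)
        results.append((peer[0], data.decode("utf-8", "replace")))


def send_syslog(line, host="127.0.0.1", port=1025):
    """Send one syslog line as a single UDP datagram, as syslog-ng's udp() does."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.sendto(line.encode("utf-8"), (host, port))


def loopback_roundtrip(line=SAMPLE_PIX, port=0):
    """Bind a listener on 127.0.0.1 (port 0 = ephemeral), send `line` to it and
    return the parsed datagram with the sending peer, i.e. what OSSEC would see."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as srv:
        srv.bind(("127.0.0.1", port))
        srv.settimeout(5)
        actual_port = srv.getsockname()[1]
        results = []
        t = threading.Thread(target=udp_listener, args=(srv, results, 1))
        t.start()
        send_syslog(line, port=actual_port)
        t.join()
    if not results:
        return None
    peer, payload = results[0]
    parsed = parse_rfc3164(payload)
    parsed["peer"] = peer
    parsed["pix_id"] = pix_message_id(parsed["msg"])
    return parsed


def listen(port=1025, count=1):
    """Stand in for OSSEC on the relay port and return what syslog-ng delivers."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as srv:
        srv.bind(("127.0.0.1", port))
        results = []
        udp_listener(srv, results, count)
    return [dict(parse_rfc3164(p), peer=peer, pix_id=pix_message_id(p)) for peer, p in results]


if __name__ == "__main__":
    if sys.argv[1:] == ["listen"]:
        for rec in listen():          # stop OSSEC first so port 1025 is free
            print(rec)
    else:
        print(loopback_roundtrip())
```

Because syslog-ng rewrites the header when it relays, the `host` field that reaches OSSEC is whatever syslog-ng resolved for the PIX (the same `$HOST` used in the df_syslog path), so this is also the quickest way to confirm the two destinations agree on the hostname.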