We are doing this now and it works well. The caveats I would mention are as follows:
If you are having syslog-ng filter alerts, you'll want to make sure that you include the file where the logs are being sent. If you are creating log files based upon day or time (such that the name of the file changes every day, e.g. /logs/host/2007-10-10), I would suggest either writing a copy of all alerts to one file that is monitored and then dumped instead of rotating it (a truly ugly option), or creating a symlink to the current file and changing it every time the file is rotated (still not a great method, but one we use). A co-worker wrote a very simple (read that as a done-and-dirty, proof-of-concept) script I can share if needed.

Yours,
John

Wilson Lai wrote:
> Dear ALL,
>
> I have now installed the Syslog-NG server for centralizing all syslog messages from windows and linux machines. And now, I am looking forward to a monitoring tool that could check the severity level of the incoming message and alert me through e-mail.
>
> Another question, once the event message has been sent to the Syslog-NG server, could OSSEC alert me by e-mail immediately (real time alerting)?
>
> Thanks.
>
> Regards,
>
> Wilson Lai
> System Engineer
> IT Dept., SJM
> Office: (853)2978585
> Mobile: (853)66506709
> Email: [EMAIL PROTECTED]

--
-------------------------------------------------------------------------
John Ives                           Phone (510) 642-7773
System & Network Security           Cell  (510) 229-8676
University of California, Berkeley
-------------------------------------------------------------------------
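The symlink workaround John describes, written out as an added example (not the script from the thread): a stable path such as /logs/host/current that OSSEC can monitor, repointed at the current day's file whenever syslog-ng rotates. The directory, the YYYY-MM-DD file naming and the link name `current` are assumptions.

```bash
#!/bin/sh
# Added example, not code from the original thread.
# Assumes syslog-ng writes one file per day named DIR/YYYY-MM-DD (hypothetical
# layout) and that the monitoring tool watches the fixed path DIR/current.

# update_current_link DIR [DATE]
# Points DIR/current at DIR/DATE (default: today's date, YYYY-MM-DD).
# The link is built under a temporary name and renamed into place, so a
# reader following DIR/current never sees it missing during the switch.
update_current_link() {
    dir=$1
    day=${2:-$(date +%Y-%m-%d)}
    target="$dir/$day"
    link="$dir/current"

    # Create an empty day file if syslog-ng has not written it yet,
    # so the link never dangles before the first message arrives.
    [ -e "$target" ] || : > "$target"

    # Already pointing at the current day's file: nothing to do.
    if [ "$(readlink "$link" 2>/dev/null)" = "$target" ]; then
        return 0
    fi

    # Build the new symlink under a temporary name, then rename() it over the
    # old link; rename replaces a symlink-to-file atomically.
    tmp="$dir/.current.$$"
    rm -f "$tmp"
    ln -s "$target" "$tmp" || return 1
    mv -f "$tmp" "$link"
}
```

Run it from cron just after midnight (or from whatever triggers the rotation) and point the monitor's file watch, e.g. an OSSEC `<localfile>` `<location>`, at DIR/current instead of the dated file.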
