Hi Kevin,

In my case, I use the 'log' function from Syslog-NG to forward these logs to 
the OSSEC server, when the OSSEC server uses a port number other than 514 for 
receiving syslog messages.  So the ossec.conf file contains:

  <remote>
    <connection>syslog</connection>
    <port>3514</port>
  </remote>

And the syslog-ng.conf has:

source s_remote {
        tcp(ip(0.0.0.0) port(514) max-connections(100));
        udp(ip(0.0.0.0) port(514));
};
destination d_ossec { udp("192.168.X.Y" port(3514) spoof_source(yes)); };

log { source(s_remote); destination(d_ossec); };

Notice that Syslog-NG version 2.0.3 or above supports the spoof-source attribute.


-Chinh


----- Original Message -----
From: "Kevin Reiter" <[EMAIL PROTECTED]>
To: [email protected]
Sent: Wednesday, November 21, 2007 2:01:42 AM (GMT+0700) Asia/Bangkok
Subject: [ossec-list] OSSEC v1.4 - Multiple Logs Definition Error


All,

I'm currently running OSSEC-HIDS v1.4 on FreeBSD 6.2-RELEASE along with 
Syslog-NG (v2.0.3) and I'm having a problem relating to reading multiple logs.

According to http://www.ossec.net/wiki/index.php/Know_Host:MultipleLogs I can 
use a '*' wildcard in the ossec.conf to specify multiple logs within a 
directory, such as:

<localfile>
 <log_format>syslog</log_format>
 <location>/var/log/*.log</location>
</localfile>

However, when I use the following in my ossec.conf:

<localfile>
 <log_format>syslog</log_format>
 <location>/var/log/current/*.log</location>
</localfile>
(where /var/log/current/ is a symlink to another directory that changes daily)

I get the following error when starting ossec:

[EMAIL PROTECTED] [/usr/local/ossec-hids/etc]# ossec-control start
Starting OSSEC HIDS v1.4 (by Daniel B. Cid)...
2007/11/20 12:50:04 ossec-logcollector(1901): Missing 'log_format' element.
2007/11/20 12:50:04 ossec-logcollector(1202): Configuration error at 
'/usr/local/ossec-hids/etc/ossec.conf'. Exiting.
2007/11/20 12:50:04 ossec-logcollector(1202): Configuration error at 
'/usr/local/ossec-hids/etc/ossec.conf'. Exiting.
ossec-logcollector: Configuration error. Exiting

Here's the info on the symlink directory:

[EMAIL PROTECTED] [/usr/local/ossec-hids/etc]# ls -l /var/log/current
lrwxr-xr-x  1 root  wheel  33 Nov 20 12:41 /var/log/current@ -> 
/usr/local/logs/remote/2007/11/20

Has anyone else had a similar issue in the past?  If so, what was the 
resolution?

Thanks,
Kevin


Kevin Reiter
Senior Security Engineer
Financial Services, Inc.
21 Harristown Road
Glen Rock, New Jersey 07452
(201)652-6000, ext. 588
PGP ID: 0xEE665233
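As an added example (not code from the thread or from the OSSEC project), the script below cross-checks the two pieces of configuration discussed above: it verifies that a syslog-ng `udp(... port(N) ...)` destination points at the port declared in the ossec.conf `<remote>` block and that `spoof_source(yes)` is set, and it expands each `<localfile>` wildcard the way a startup check would, reporting entries that lack `<log_format>` or that resolve through a symlinked directory like the daily-changing `/var/log/current`. The configs, the temporary log tree and the log line are constructed for this example; the IP `192.168.0.1` is a placeholder, and the regex handles only the destination shape shown in the reply, not the full syslog-ng grammar.

```python
"""Added example: lint an ossec.conf fragment against a syslog-ng destination
and expand <localfile> wildcards through a symlinked directory."""
import glob
import os
import re
import tempfile
import xml.etree.ElementTree as ET

# Constructed sample configs. {logdir} is filled in with a temporary directory
# built by build_sample_tree(); the <remote> block mirrors the one in the reply,
# and the second <localfile> deliberately omits <log_format> to reproduce the
# condition behind the "Missing 'log_format' element" error in the post.
OSSEC_CONF_TEMPLATE = """<ossec_config>
  <remote>
    <connection>syslog</connection>
    <port>3514</port>
  </remote>
  <localfile>
    <log_format>syslog</log_format>
    <location>{logdir}/current/*.log</location>
  </localfile>
  <localfile>
    <location>{logdir}/current/auth.log</location>
  </localfile>
</ossec_config>
"""

# 192.168.0.1 is a placeholder address, not a real host.
SYSLOG_NG_CONF = """destination d_ossec { udp("192.168.0.1" port(3514) spoof_source(yes)); };
log { source(s_remote); destination(d_ossec); };
"""

# Matches udp("host" port(N) ...) or tcp(...) inside a destination block.
# Deliberately small: it covers the shape used in the thread, not all of syslog-ng.
DEST_RE = re.compile(
    r'destination\s+(?P<name>\w+)\s*\{\s*(?P<proto>udp|tcp)\("(?P<host>[^"]+)"'
    r'\s+port\((?P<port>\d+)\)(?P<rest>.*?)\);'
)


def build_sample_tree():
    """Create <tmp>/2007/11/20/{messages.log,auth.log} and <tmp>/current -> 2007/11/20,
    mimicking the daily-rotating symlink described in the original post."""
    base = tempfile.mkdtemp(prefix="ossec-lint-")
    dated = os.path.join(base, "2007", "11", "20")
    os.makedirs(dated)
    for name in ("messages.log", "auth.log"):
        with open(os.path.join(dated, name), "w") as fh:
            fh.write("Nov 20 12:50:04 host sshd[1]: constructed sample line\n")
    os.symlink(dated, os.path.join(base, "current"))
    return base


def parse_ossec(text):
    """Return (syslog remote ports, [(log_format, location), ...]) from ossec.conf text."""
    root = ET.fromstring(text)
    ports = [int(r.findtext("port", "514"))
             for r in root.findall("remote") if r.findtext("connection") == "syslog"]
    localfiles = [(lf.findtext("log_format"), lf.findtext("location"))
                  for lf in root.findall("localfile")]
    return ports, localfiles


def parse_syslog_ng_destinations(text):
    """Return [(name, proto, host, port, spoof_source_enabled), ...]."""
    return [(m.group("name"), m.group("proto"), m.group("host"), int(m.group("port")),
             "spoof_source(yes)" in m.group("rest"))
            for m in DEST_RE.finditer(text)]


def lint(ossec_text, syslog_ng_text):
    """Return a list of findings as strings; an empty list means nothing to report."""
    findings = []
    ports, localfiles = parse_ossec(ossec_text)

    for log_format, location in localfiles:
        if not log_format:
            findings.append(f"{location}: missing <log_format> element")
        matches = glob.glob(location)
        if not matches:
            findings.append(f"{location}: wildcard matches no files at startup")
        elif os.path.islink(os.path.dirname(location)):
            real = os.path.realpath(os.path.dirname(location))
            findings.append(f"{location}: resolves through symlink to {real} "
                            f"({len(matches)} file(s) at startup; re-check after rotation)")

    for name, proto, host, port, spoof in parse_syslog_ng_destinations(syslog_ng_text):
        if proto != "udp" or port not in ports:
            findings.append(f"destination {name}: {proto} to {host}:{port} does not match "
                            f"ossec.conf <remote> syslog port(s) {ports}")
        if not spoof:
            findings.append(f"destination {name}: spoof_source not enabled; OSSEC will "
                            f"record the relay, not the original host, as the source")
    return findings


if __name__ == "__main__":
    tree = build_sample_tree()
    for line in lint(OSSEC_CONF_TEMPLATE.format(logdir=tree), SYSLOG_NG_CONF):
        print(line)
```

The wildcard is expanded once, at check time, which is the point of the symlink finding: a glob that matched yesterday's directory says nothing about what the link points at after rotation, so the check is worth re-running whenever the link is updated.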
