On Thu, Oct 29, 2009 at 10:04 AM, Holger Gläß <[email protected]> wrote:
> hi
>
> yes i did, forward from my snort sensor system via syslog udp the
> messages to the
> ossec syslog listen ip but nothing happened.
>
>
> my ossec config part of syslog looks
>
> <remote>
> <connection>syslog</connection>
> <local_ip>10.90.1.67</local_ip>
> <port>514</port>
> <allowed-ips>127.0.0.1</allowed-ips>
> <allowed-ips>10.90.1.0/24</allowed-ips>
> </remote>
>
> hm, maybe i misunderstood the syslog part of ossec.
>
> i think that the ossec syslog server is a replacement for syslog-ng as
> example.
>
>
> holger
>
That is on the ossec server correct? Did you configure the ossec server's syslog-ng for accepting messages from other hosts? I think one of the following links should help explain how to do that:

http://www.balabit.com/dl/html/syslog-ng-v3.0-guide-admin-en.html/ch03s03.html#configuring_sources_tcpudp
or
http://www.balabit.com/dl/html/syslog-ng-v3.0-guide-admin-en.html/ch03s03.html#configuring_sources_syslog

Did you configure the agent system's syslog to forward the message on to the syslog server?

http://www.balabit.com/dl/html/syslog-ng-v3.0-guide-admin-en.html/ch03s04.html#configuring_destinations_tcpudp
or
http://www.balabit.com/dl/html/syslog-ng-v3.0-guide-admin-en.html/ch03s03.html#configuring_sources_syslog
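A further check for this setup, as an added example that is not part of the original thread and is not OSSEC code: parse the `<remote>` block quoted above and test whether a sender's source address matches one of its `<allowed-ips>` entries. The sender addresses in `SAMPLE_SENDERS` are constructed for illustration; the thread does not give the Snort sensor's address.

```python
import ipaddress
import xml.etree.ElementTree as ET

# <remote> block as posted in the thread above.
REMOTE_BLOCK = """
<remote>
  <connection>syslog</connection>
  <local_ip>10.90.1.67</local_ip>
  <port>514</port>
  <allowed-ips>127.0.0.1</allowed-ips>
  <allowed-ips>10.90.1.0/24</allowed-ips>
</remote>
"""

# Constructed sender addresses (assumptions, not from the thread).
SAMPLE_SENDERS = ["127.0.0.1", "10.90.1.20", "10.90.2.20", "192.168.0.5"]


def parse_remote(xml_text):
    """Return listener settings and allowed networks from a <remote> block."""
    root = ET.fromstring(xml_text)
    if root.tag != "remote":
        raise ValueError("expected a <remote> element")
    networks = [
        # strict=False tolerates entries written with host bits set
        ipaddress.ip_network(entry.text.strip(), strict=False)
        for entry in root.findall("allowed-ips")
    ]
    return {
        "connection": root.findtext("connection", default="").strip(),
        "local_ip": root.findtext("local_ip", default="").strip(),
        "port": int(root.findtext("port")),
        "allowed": networks,
    }


def sender_allowed(remote, sender_ip):
    """True if sender_ip falls inside any <allowed-ips> network."""
    addr = ipaddress.ip_address(sender_ip)
    return any(addr in net for net in remote["allowed"])


if __name__ == "__main__":
    remote = parse_remote(REMOTE_BLOCK)
    print("listener: %s %s:%d" % (remote["connection"],
                                  remote["local_ip"], remote["port"]))
    for ip in SAMPLE_SENDERS:
        verdict = "matches" if sender_allowed(remote, ip) else "no match in"
        print("%-12s %s allowed-ips" % (ip, verdict))
```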
