dan (ddp) wrote:
> On Thu, Oct 29, 2009 at 10:04 AM, Holger Gläß <[email protected]> wrote:
>
>> hi
>>
>> yes, I did forward from my snort sensor system via syslog UDP the
>> messages to the
>> ossec syslog listen IP, but nothing happened.
>>
>> my ossec config part of syslog looks like this:
>>
>> <remote>
>>   <connection>syslog</connection>
>>   <local_ip>10.90.1.67</local_ip>
>>   <port>514</port>
>>   <allowed-ips>127.0.0.1</allowed-ips>
>>   <allowed-ips>10.90.1.0/24</allowed-ips>
>> </remote>
>>
>> hm, maybe I misunderstood the syslog part of ossec.
>>
>> I think that the ossec syslog server is a replacement for syslog-ng, as
>> an example.
>>
>> holger
>>
>
> That is on the ossec server, correct? Did you configure the ossec
> server's syslog-ng
> for accepting messages from other hosts? I think one of the following
> links should help
> explain how to do that:
> http://www.balabit.com/dl/html/syslog-ng-v3.0-guide-admin-en.html/ch03s03.html#configuring_sources_tcpudp
> or
> http://www.balabit.com/dl/html/syslog-ng-v3.0-guide-admin-en.html/ch03s03.html#configuring_sources_syslog
> Did you configure the agent system's syslog to forward the message on
> to the syslog
> server?
> http://www.balabit.com/dl/html/syslog-ng-v3.0-guide-admin-en.html/ch03s04.html#configuring_destinations_tcpudp
> or
> http://www.balabit.com/dl/html/syslog-ng-v3.0-guide-admin-en.html/ch03s03.html#configuring_sources_syslog
>

Hi, thanks for the links, and yes, syslog-ng and the connected hosts are working well.
At the moment my syslog-ng server receives the logging messages from close to 30 hosts and writes them to a specific file.

So how can I set up a separate log file per host in ossec where it writes the received log? Then I will start my test again.

holger
