I am confused as to how OSSEC listening on port 514 works.  When I
installed OSSEC I said yes when the installer asked if I wanted OSSEC to
listen on port 514.  However, I also have syslog-ng installed and listening
on port 514. I do not have any devices configured as syslog devices in the
ossec.conf file. When I configure a device to log to syslog and point it to
the OSSEC server, the device's logs are read into the /var/log/messages file.
For example, if I use the web interface to search for log messages from my
firewall, the location is displayed as:
(Firewall IP)->/var/log/messages.  Is this the best way to do this?  Should
I disable remote syslog on the ossec server and configure each device in the
ossec.conf file as a syslog device?  If I disable remote syslog on the ossec
server, will the ossec processes automatically start to listen on port 514?

Thanks,
Jeff Turley
