OK, now it makes sense: question 3.5 during the installation script is referring to remote syslog. That is the ability for the OSSEC server to send its logs to a syslog server. Thank you.
On Mon, Dec 28, 2009 at 1:12 PM, dan (ddp) <[email protected]> wrote:
> On Mon, Dec 28, 2009 at 10:17 AM, Jeff Turley <[email protected]> wrote:
> > I am confused as to how OSSEC listening on port 514 works. When I
> > installed OSSEC I said yes when the installer asked if I wanted OSSEC to
> > listen on port 514. However, I also have syslog-ng installed and listening
> > on port 514. I do not have any devices configured as syslog devices in the
> > ossec.conf file. When I configure a device to log to syslog and point it to
> > the OSSEC server the devices log are read into the /var/log/messages file.
> > For example if I use the web interface to search for log messages from my
> > firewall the location is displayed as:
> > (Firewall IP)->/var/log/messages. Is this the best way to do this? Should
> > I disable remote syslog on the ossec server and configure each device in the
> > ossec.conf file as a syslog device? If I disable remote syslog on the ossec
> > server will the ossec processes automatically start to listen on port 514?
> >
> > Thanks
> > Jeff Turley
>
> OSSEC doesn't listen on 514, your syslog server (syslog-ng) does. OSSEC
> listens on 1514, if you set it up to use secure communication.
