I have a small problem configuring my OSSEC server. I have 3 agents
and an OSSEC server on RHEL 5.4. The agents are working correctly and send alerts
to the server; now I want to send the log data to my syslog server. I
configured my ossec.conf file like below:
<ossec_config>
  <global>
    <email_notification>no</email_notification>
  </global>
  <syslog_output>
    <server>xx.xx.xx.xx</server>
    <port>514</port>
  </syslog_output>
</ossec_config>
Then I restart my OSSEC server:
[r...@localhost bin]#/var/ossec/bin/ossec-control enable client-syslog
[r...@localhost bin]# ./ossec-control start
Starting OSSEC HIDS v2.3 (by Trend Micro Inc.)...
Started ossec-dbd...
Started ossec-csyslogd...
2010/04/08 12:11:03 ossec-maild: INFO: E-Mail notification disabled. Clean Exit.
Started ossec-maild...
Started ossec-execd...
Started ossec-analysisd...
Started ossec-logcollector...
Started ossec-remoted...
Started ossec-syscheckd...
Started ossec-monitord...
But I don't see any messages at all in /var/ossec/logs/alerts/alerts.log on the server.
2010/04/08 12:11:03 ossec-dbd: Database not configured. Clean exit.
2010/04/08 12:11:03 ossec-maild: INFO: E-Mail notification disabled. Clean Exit.
2010/04/08 12:11:03 ossec-execd: INFO: Started (pid: 4030).
2010/04/08 12:11:03 ossec-analysisd: INFO: Reading local decoder file.
2010/04/08 12:11:03 ossec-analysisd: INFO: Reading rules file: 'rules_config.xml'
2010/04/08 12:11:03 ossec-analysisd: INFO: Reading rules file: 'pam_rules.xml'
2010/04/08 12:11:03 ossec-analysisd: INFO: Reading rules file: 'sshd_rules.xml'
2010/04/08 12:11:03 ossec-analysisd: INFO: Reading rules file: 'telnetd_rules.xml'
2010/04/08 12:11:03 ossec-analysisd: INFO: Reading rules file: 'syslog_rules.xml'
2010/04/08 12:11:03 ossec-analysisd: INFO: Reading rules file: 'arpwatch_rules.xml'
2010/04/08 12:11:03 ossec-analysisd: INFO: Reading rules file: 'pix_rules.xml'
2010/04/08 12:11:03 ossec-analysisd: INFO: Reading rules file: 'named_rules.xml'
2010/04/08 12:11:03 ossec-analysisd: INFO: Reading rules file: 'smbd_rules.xml'
2010/04/08 12:11:03 ossec-analysisd: INFO: Reading rules file: 'web_rules.xml'
2010/04/08 12:11:03 ossec-analysisd: INFO: Reading rules file: 'apache_rules.xml'
2010/04/08 12:11:03 ossec-analysisd: INFO: Reading rules file: 'firewall_rules.xml'
2010/04/08 12:11:03 ossec-analysisd: INFO: Reading rules file: 'sendmail_rules.xml'
2010/04/08 12:11:03 ossec-analysisd: INFO: Reading rules file: 'trend-osce_rules.xml'
2010/04/08 12:11:03 ossec-analysisd: INFO: Reading rules file: 'policy_rules.xml'
2010/04/08 12:11:03 ossec-analysisd: INFO: Reading rules file: 'ossec_rules.xml'
2010/04/08 12:11:03 ossec-analysisd: INFO: Reading rules file: 'local_rules.xml'
2010/04/08 12:11:03 ossec-analysisd: INFO: Total rules enabled: '309'
2010/04/08 12:11:03 ossec-analysisd: INFO: Ignoring file: '/etc/mtab'
2010/04/08 12:11:03 ossec-analysisd: INFO: Ignoring file: '/etc/mnttab'
2010/04/08 12:11:03 ossec-analysisd: INFO: Ignoring file: '/etc/hosts.deny'
2010/04/08 12:11:03 ossec-analysisd: INFO: Ignoring file: '/etc/mail/statistics'
2010/04/08 12:11:03 ossec-analysisd: INFO: Ignoring file: '/etc/random-seed'
2010/04/08 12:11:03 ossec-analysisd: INFO: Ignoring file: '/etc/adjtime'
2010/04/08 12:11:03 ossec-analysisd: INFO: Ignoring file: '/etc/httpd/logs'
2010/04/08 12:11:03 ossec-analysisd: INFO: Ignoring file: '/etc/utmpx'
2010/04/08 12:11:03 ossec-analysisd: INFO: Ignoring file: '/etc/wtmpx'
2010/04/08 12:11:03 ossec-analysisd: INFO: Ignoring file: '/etc/cups/certs'
2010/04/08 12:11:03 ossec-analysisd: INFO: Ignoring file: '/etc/dumpdates'
2010/04/08 12:11:03 ossec-analysisd: INFO: Ignoring file: '/etc/svc/volatile'
2010/04/08 12:11:03 ossec-remoted: INFO: Started (pid: 4042).
2010/04/08 12:11:07 ossec-syscheckd: INFO: Started (pid: 4047).
2010/04/08 12:11:07 ossec-rootcheck: INFO: Started (pid: 4047).
2010/04/08 12:11:07 ossec-syscheckd: INFO: Monitoring directory: '/etc'.
2010/04/08 12:11:07 ossec-syscheckd: INFO: Monitoring directory: '/usr/bin'.
2010/04/08 12:11:07 ossec-syscheckd: INFO: Monitoring directory: '/usr/sbin'.
2010/04/08 12:11:07 ossec-syscheckd: INFO: Monitoring directory: '/var/ossec/etc'.
2010/04/08 12:11:07 ossec-syscheckd: INFO: Monitoring directory: '/usr/local/ossec'.
2010/04/08 12:11:09 ossec-logcollector(1950): INFO: Analyzing file: '/var/log/messages'.
2010/04/08 12:11:09 ossec-logcollector(1950): INFO: Analyzing file: '/var/log/secure'.
2010/04/08 12:11:09 ossec-logcollector(1950): INFO: Analyzing file: '/var/log/maillog'.
2010/04/08 12:11:09 ossec-logcollector: INFO: Started (pid: 4038).
2010/04/08 12:11:39 ossec-syscheckd: INFO: Starting syscheck database (pre-scan).
2010/04/08 12:15:58 ossec-syscheckd: INFO: Finished creating syscheck database (pre-scan completed).
2010/04/08 12:17:58 ossec-syscheckd: INFO: Starting syscheck scan (forwarding database).