Is the ossec-csyslogd process running? Have you tried sniffing port 514 to see if it is trying to send messages?
On Thu, Apr 8, 2010 at 2:57 AM, Ozzy <[email protected]> wrote:
> I have a small problem with configuring my ossec server. I have 3 agents
> and ossec server on RHEL 5.4. Agents are working correctly and send alerts
> to server, then I want to send log data to my syslog server. I
> configured my ossec.conf file like below:
> <ossec_config>
> <global>
> <email_notification>no</email_notification>
> </global>
>
> <syslog_output>
> <server>xx.xx.xx.xx</server>
> <port>514</port>
> </syslog_output>
>
> Then I restart my ossec server:
> [r...@localhost bin]#/var/ossec/bin/ossec-control enable client-syslog
> [r...@localhost bin]# ./ossec-control start
> Starting OSSEC HIDS v2.3 (by Trend Micro Inc.)...
> Started ossec-dbd...
> Started ossec-csyslogd...
> 2010/04/08 12:11:03 ossec-maild: INFO: E-Mail notification disabled. Clean Exit.
> Started ossec-maild...
> Started ossec-execd...
> Started ossec-analysisd...
> Started ossec-logcollector...
> Started ossec-remoted...
> Started ossec-syscheckd...
> Started ossec-monitord...
>
> But I don't see any message at all at /var/ossec/logs/alerts/alerts.log on the server.
>
> 2010/04/08 12:11:03 ossec-dbd: Database not configured. Clean exit.
> 2010/04/08 12:11:03 ossec-maild: INFO: E-Mail notification disabled. Clean Exit.
> 2010/04/08 12:11:03 ossec-execd: INFO: Started (pid: 4030).
> 2010/04/08 12:11:03 ossec-analysisd: INFO: Reading local decoder file.
> 2010/04/08 12:11:03 ossec-analysisd: INFO: Reading rules file: 'rules_config.xml'
> 2010/04/08 12:11:03 ossec-analysisd: INFO: Reading rules file: 'pam_rules.xml'
> 2010/04/08 12:11:03 ossec-analysisd: INFO: Reading rules file: 'sshd_rules.xml'
> 2010/04/08 12:11:03 ossec-analysisd: INFO: Reading rules file: 'telnetd_rules.xml'
> 2010/04/08 12:11:03 ossec-analysisd: INFO: Reading rules file: 'syslog_rules.xml'
> 2010/04/08 12:11:03 ossec-analysisd: INFO: Reading rules file: 'arpwatch_rules.xml'
> 2010/04/08 12:11:03 ossec-analysisd: INFO: Reading rules file: 'pix_rules.xml'
> 2010/04/08 12:11:03 ossec-analysisd: INFO: Reading rules file: 'named_rules.xml'
> 2010/04/08 12:11:03 ossec-analysisd: INFO: Reading rules file: 'smbd_rules.xml'
> 2010/04/08 12:11:03 ossec-analysisd: INFO: Reading rules file: 'web_rules.xml'
> 2010/04/08 12:11:03 ossec-analysisd: INFO: Reading rules file: 'apache_rules.xml'
> 2010/04/08 12:11:03 ossec-analysisd: INFO: Reading rules file: 'firewall_rules.xml'
> 2010/04/08 12:11:03 ossec-analysisd: INFO: Reading rules file: 'sendmail_rules.xml'
> 2010/04/08 12:11:03 ossec-analysisd: INFO: Reading rules file: 'trend-osce_rules.xml'
> 2010/04/08 12:11:03 ossec-analysisd: INFO: Reading rules file: 'policy_rules.xml'
> 2010/04/08 12:11:03 ossec-analysisd: INFO: Reading rules file: 'ossec_rules.xml'
> 2010/04/08 12:11:03 ossec-analysisd: INFO: Reading rules file: 'local_rules.xml'
> 2010/04/08 12:11:03 ossec-analysisd: INFO: Total rules enabled: '309'
> 2010/04/08 12:11:03 ossec-analysisd: INFO: Ignoring file: '/etc/mtab'
> 2010/04/08 12:11:03 ossec-analysisd: INFO: Ignoring file: '/etc/mnttab'
> 2010/04/08 12:11:03 ossec-analysisd: INFO: Ignoring file: '/etc/hosts.deny'
> 2010/04/08 12:11:03 ossec-analysisd: INFO: Ignoring file: '/etc/mail/statistics'
> 2010/04/08 12:11:03 ossec-analysisd: INFO: Ignoring file: '/etc/random-seed'
> 2010/04/08 12:11:03 ossec-analysisd: INFO: Ignoring file: '/etc/adjtime'
> 2010/04/08 12:11:03 ossec-analysisd: INFO: Ignoring file: '/etc/httpd/logs'
> 2010/04/08 12:11:03 ossec-analysisd: INFO: Ignoring file: '/etc/utmpx'
> 2010/04/08 12:11:03 ossec-analysisd: INFO: Ignoring file: '/etc/wtmpx'
> 2010/04/08 12:11:03 ossec-analysisd: INFO: Ignoring file: '/etc/cups/certs'
> 2010/04/08 12:11:03 ossec-analysisd: INFO: Ignoring file: '/etc/dumpdates'
> 2010/04/08 12:11:03 ossec-analysisd: INFO: Ignoring file: '/etc/svc/volatile'
> 2010/04/08 12:11:03 ossec-remoted: INFO: Started (pid: 4042).
> 2010/04/08 12:11:07 ossec-syscheckd: INFO: Started (pid: 4047).
> 2010/04/08 12:11:07 ossec-rootcheck: INFO: Started (pid: 4047).
> 2010/04/08 12:11:07 ossec-syscheckd: INFO: Monitoring directory: '/etc'.
> 2010/04/08 12:11:07 ossec-syscheckd: INFO: Monitoring directory: '/usr/bin'.
> 2010/04/08 12:11:07 ossec-syscheckd: INFO: Monitoring directory: '/usr/sbin'.
> 2010/04/08 12:11:07 ossec-syscheckd: INFO: Monitoring directory: '/var/ossec/etc'.
> 2010/04/08 12:11:07 ossec-syscheckd: INFO: Monitoring directory: '/usr/local/ossec'.
> 2010/04/08 12:11:09 ossec-logcollector(1950): INFO: Analyzing file: '/var/log/messages'.
> 2010/04/08 12:11:09 ossec-logcollector(1950): INFO: Analyzing file: '/var/log/secure'.
> 2010/04/08 12:11:09 ossec-logcollector(1950): INFO: Analyzing file: '/var/log/maillog'.
> 2010/04/08 12:11:09 ossec-logcollector: INFO: Started (pid: 4038).
> 2010/04/08 12:11:39 ossec-syscheckd: INFO: Starting syscheck database (pre-scan).
> 2010/04/08 12:15:58 ossec-syscheckd: INFO: Finished creating syscheck database (pre-scan completed).
> 2010/04/08 12:17:58 ossec-syscheckd: INFO: Starting syscheck scan (forwarding database).
>
>
> --
> To unsubscribe, reply using "remove me" as the subject.
>
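The two checks suggested in the reply above (is ossec-csyslogd running, and is anything actually leaving the box for UDP/514), written out as a script. This is an added example, not code from the thread or from the OSSEC project. It assumes the default server install path /var/ossec/etc/ossec.conf; the sample ossec.conf it writes when no real one is readable is constructed here for illustration, and the 192.0.2.10 address in it is a documentation placeholder, not the poster's syslog server.

```shell
#!/bin/sh
# Diagnose an OSSEC server that is configured for <syslog_output> but whose
# syslog server receives nothing.  Added example; assumes a default install.
set -u

OSSEC_CONF="${OSSEC_CONF:-/var/ossec/etc/ossec.conf}"

# Check 1: is the forwarding daemon up at all?  Prints matching pid(s) and
# returns 0 when ossec-csyslogd is running, non-zero otherwise.
csyslogd_running() {
    pgrep -x ossec-csyslogd
}

# Write a constructed ossec.conf fragment (sample data, not the poster's file)
# so the script can be run stand-alone on a box without OSSEC.
write_sample_conf() {
    cat > "$1" <<'EOF'
<ossec_config>
  <global>
    <email_notification>no</email_notification>
  </global>

  <syslog_output>
    <server>192.0.2.10</server>
    <port>514</port>
  </syslog_output>
</ossec_config>
EOF
}

# Check 2a: pull <server> and <port> out of the <syslog_output> block.
# Prints "server port"; port falls back to 514 when the tag is absent
# (the OSSEC default).  Returns 1 if there is no usable <server>.
parse_syslog_output() {
    _block=$(sed -n '/<syslog_output>/,/<\/syslog_output>/p' "$1")
    _server=$(printf '%s\n' "$_block" \
        | sed -n 's/.*<server>[[:space:]]*\([^<]*\)<\/server>.*/\1/p' | head -n 1)
    _port=$(printf '%s\n' "$_block" \
        | sed -n 's/.*<port>[[:space:]]*\([^<]*\)<\/port>.*/\1/p' | head -n 1)
    [ -n "$_server" ] || return 1
    printf '%s %s\n' "$_server" "${_port:-514}"
}

# Check 2b: the tcpdump filter for exactly the packets csyslogd should emit.
sniff_filter() {
    printf 'udp and dst host %s and dst port %s\n' "$1" "$2"
}

# --- run the checks -------------------------------------------------------
if csyslogd_running >/dev/null 2>&1; then
    echo "ossec-csyslogd is running (pid $(pgrep -x ossec-csyslogd | head -n 1))"
else
    echo "ossec-csyslogd is NOT running; check /var/ossec/logs/ossec.log"
fi

conf="$OSSEC_CONF"
tmpconf=""
if [ ! -r "$conf" ]; then
    tmpconf=$(mktemp)
    write_sample_conf "$tmpconf"
    conf="$tmpconf"
    echo "no readable $OSSEC_CONF; using constructed sample $conf"
fi

if target=$(parse_syslog_output "$conf"); then
    set -- $target
    filter=$(sniff_filter "$1" "$2")
    echo "syslog target: $1:$2"
    echo "capture with:  tcpdump -ni any -c 5 '$filter'"
    # Only sniff for real when asked (needs root and generates no traffic by
    # itself: csyslogd sends nothing until an alert is raised).
    if [ "${SNIFF:-0}" = 1 ]; then
        tcpdump -ni any -c 5 "$filter"
    fi
else
    echo "no <syslog_output> block with a <server> in $conf"
fi

[ -n "$tmpconf" ] && rm -f "$tmpconf"
```

Run it as root on the OSSEC server with SNIFF=1 to start the capture, then trigger an alert (a failed ssh login against one of the agents is the usual choice) and watch whether datagrams appear. Seeing the packets leave tells you the problem is on the network path or the receiving syslogd; seeing none, with ossec-csyslogd alive, points back at the alert side, which matches the poster's empty alerts.log: csyslogd only forwards alerts that analysisd has already written.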
