On Wed, Sep 22, 2010 at 4:15 PM, Jay Christopherson <[email protected]> wrote:
> I've done a ton of searching and I can't believe I am the only one with this
> question but:
> How can I enable OSSEC to receive and parse both my agent messages (secure,
> udp 1514) and my firewall IOS messages (syslog, udp 514)? If I enable IOS
> logging:
> <remote>syslog</remote>
> ....
> I can receive IOS messages just fine, but not agent messages. If I enable
> agent logging:
> <remote>secure</remote>
> I can receive agent messages, but not IOS. I have attempted to set logging
> on IOS to 1514
> logging host internal <host> udp 1514
> and tcpdump shows messages arriving, but OSSEC seems to be ignoring them.
> I'm guessing that I can do a bandaid where I syslog my IOS messages to a
> server and then feed those logs into OSSEC and if that's the only way to do
> it, that's fine. I'd just like to know if I am missing something here.
> Thanks!
> Jay

I'd send the messages through a syslog collection system. I haven't tried other options though.
