Hi Jay,

You need to have two sections to monitor both:

  <remote>
    <connection>syslog</connection>
  </remote>

  <remote>
    <connection>secure</connection>
  </remote>

In the syslog section, you also need to specify what IP addresses (or networks)
are allowed to send syslog to it (via the allowed-ips option).

Thanks,


On Wed, Sep 22, 2010 at 5:15 PM, Jay Christopherson
<[email protected]> wrote:
> I've done a ton of searching and I can't believe I am the only one with this
> question but:
> How can I enable OSSEC to receive and parse both my agent messages (secure,
> udp 1514) and my firewall IOS messages (syslog, udp 514)?  If I enable IOS
> logging:
> <remote>syslog</remote>
> ....
> I can receive IOS messages just fine, but not agent messages.  If I enable
> agent logging:
> <remote>secure</remote>
> I can receive agent messages, but not IOS.  I have attempted to set logging
> on IOS to 1514
> logging host internal <host> udp 1514
> and tcpdump shows messages arriving, but OSSEC seems to be ignoring them.
> I'm guessing that I can do a bandaid where I syslog my IOS messages to a
> server and then feed those logs into OSSEC and if that's the only way to do
> it, that's fine.  I'd just like to know if I am missing something here.
> Thanks!
> Jay
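
A check for the two-section layout described in the reply above, as an added example that is not part of the original thread and is not OSSEC's own tooling. The sample configs, the 192.0.2.0/24 range and the `check_remote` helper are constructed for illustration; the default ports are the ones named in the question (syslog on 514, secure on 1514).

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample configs (not from the thread); 192.0.2.0/24 is a documentation range.
ONLY_SYSLOG = """<ossec_config>
  <remote><connection>syslog</connection></remote>
</ossec_config>"""

BOTH = """<ossec_config>
  <remote>
    <connection>syslog</connection>
    <allowed-ips>192.0.2.0/24</allowed-ips>
  </remote>
  <remote>
    <connection>secure</connection>
  </remote>
</ossec_config>"""

DEFAULT_PORT = {"syslog": 514, "secure": 1514}

def check_remote(conf_text):
    """Return (listeners, findings) for the <remote> sections of an ossec.conf."""
    # A config file may hold several <ossec_config> blocks, so wrap before parsing.
    root = ET.fromstring("<wrap>" + conf_text + "</wrap>")
    listeners, findings = [], []
    for remote in root.iter("remote"):
        conn = (remote.findtext("connection") or "secure").strip()
        port = int(remote.findtext("port") or DEFAULT_PORT.get(conn, 0))
        allowed = [e.text.strip() for e in remote.findall("allowed-ips") if e.text]
        listeners.append((conn, port))
        if conn == "syslog" and not allowed:
            findings.append("syslog remote has no <allowed-ips>")
        for entry in allowed:
            # A /0 network would accept syslog from any sender.
            if ipaddress.ip_network(entry, strict=False).prefixlen == 0:
                findings.append(f"<allowed-ips> {entry} admits every sender")
    kinds = {conn for conn, _ in listeners}
    for needed in ("syslog", "secure"):
        if needed not in kinds:
            findings.append(f"no <remote> section for {needed}")
    return listeners, findings

if __name__ == "__main__":
    for name, conf in (("ONLY_SYSLOG", ONLY_SYSLOG), ("BOTH", BOTH)):
        print(name, check_remote(conf))
```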
