That isn't a problem. I already configured syslog to send all logs to central Splunk (and that is working great!). Now I am planning to add the OSSEC agent on all my servers, so the question is how the OSSEC agent will scan my local /var/log/* log files, because they are blank (because syslog is already sending messages to central Splunk).

My question is how I should tell syslog to append logs to the local /var/log/* files and also send a copy to Splunk.

On Mon, Feb 28, 2011 at 4:04 PM, <[email protected]> wrote:
> Set up a new Splunk input, a UDP listener on a different port (like UDP 2514).
>
> In syslog.conf,
>
> *.* @server1:2514
>
> Restart Splunk and syslog.
>
>
> -----Original Message-----
> From: satish patel <[email protected]>
> Sender: [email protected]
> Date: Mon, 28 Feb 2011 15:57:39
> To: <[email protected]>
> Reply-To: [email protected]
> Subject: Re: [ossec-list] OSSEC syslog check
>
> Hi Dan,
>
> I have the following line in my syslog.conf (send all messages to
> logserver1, which is Splunk):
>
> *.* @logserver1
>
> I have checked my /var/log/messages and /var/log/secure and it looks like
> syslog has stopped appending logs to the local files. How do I enable it?
> I want both options, local and remote syslog.
>
> -Satish
>
>
> On Mon, Feb 28, 2011 at 2:36 PM, dan (ddp) <[email protected]> wrote:
>> Hi Satish,
>> Do these systems log to both a local file and a remote syslog system?
>> If so, they can easily parse the local log files without issues.
>> I have a number of systems set up this way.
>>
>> On Thu, Feb 24, 2011 at 3:34 PM, satish patel <[email protected]> wrote:
>>> Hi All,
>>>
>>> In our network we have a Splunk centralized log server for all
>>> Linux/Unix boxes. We have configured syslog to send all logs to Splunk.
>>> Now I am planning to install OSSEC on all Unix/Linux boxes, so the question
>>> is how the OSSEC agent will parse log files while those boxes send logs
>>> to the Splunk server via syslog.
>>>
>>> How do I configure Splunk vs. OSSEC log monitoring?
>>>
>>> -Satish
>>>
>>
>
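The configuration the thread is asking for, as an added example that is not from any of the posters: a syslog.conf that keeps the stock local file rules and adds the remote Splunk destination on top of them. A `*.* @host` line does not replace the local rules; syslogd applies every rule whose selector matches, so the local rules must simply still be present for the files to be written. The hostname logserver1 and port 2514 are taken from the thread, the local selectors and paths are assumptions modelled on a RHEL-style default, and the `host:port` form assumes rsyslog or another syslogd that understands it (classic sysklogd accepts only `@host` on UDP 514).

```conf
# /etc/syslog.conf (rsyslog-compatible syntax). Added example; the
# selectors, paths and the listener host:port are assumptions, not
# taken from the original posts.

# Local files: keep these exactly as the distribution shipped them.
# Every matching rule fires, so these keep writing even with the remote
# rule below in place. These are the files the OSSEC agent will read.
*.info;mail.none;authpriv.none;cron.none   /var/log/messages
authpriv.*                                 /var/log/secure
mail.*                                     -/var/log/maillog
cron.*                                     /var/log/cron

# Additional copy of everything to the central Splunk listener.
# "@" is UDP: plaintext, unauthenticated and lossy. rsyslog also accepts
# "@@logserver1:2514" for TCP if the Splunk input is a TCP listener.
*.* @logserver1:2514
```

After restarting syslogd, a quick check is `logger -t ossectest "local and remote"` and confirming the line lands in both /var/log/messages and the Splunk input. On the OSSEC side, the agent's `<localfile>` entries with `<log_format>syslog</log_format>` then only need to point at /var/log/messages and /var/log/secure; OSSEC and the remote copy consume the data independently, so neither interferes with the other.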
