On Mon, Feb 28, 2011 at 4:11 PM, satish patel <[email protected]> wrote:
>> Try reverting the configuration to how it was before you made the changes.
>
> Before, my syslog was configured for local files /var/log/*. But my
> requirement is splunk + ossec.
>

Are you asking about the manager or the agents? I thought you were
asking about the agents. I thought you wanted to be able to monitor the
local logs with OSSEC and also have syslog forward the logs to splunk.
Did I misunderstand?

If you want OSSEC to monitor the logs, they have to be written somewhere
for OSSEC to read them (for example, in /var/log). If you want them to
be forwarded to another system, you add a line like the following:

*.* @logserver1

You CAN do both. I do both. But you have to configure syslog to do both.

> OS: Red Hat Enterprise Linux AS release 4 (Nahant Update 8)
> syslogd 1.4.1
>
> Thanks,
>
> Satish Patel
>
>
> On Mon, Feb 28, 2011 at 4:04 PM, dan (ddp) <[email protected]> wrote:
>> Try reverting the configuration to how it was before you made the changes.
>> If you need help with that, maybe providing some of this info could
>> help someone provide the correct info:
>> What OS/distro?
>> What syslog daemon (version and implementation)?
>>
>> On Mon, Feb 28, 2011 at 3:57 PM, satish patel <[email protected]> wrote:
>>> Hi Dan,
>>>
>>> I have the following line in my syslog.conf (send all messages to
>>> logserver1, which is splunk):
>>>
>>> *.* @logserver1
>>>
>>> I have checked my /var/log/messages and /var/log/secure and it looks like
>>> syslog has stopped appending logs to the local files. How do I enable it?
>>> I want both options, local and remote syslog.
>>>
>>> -Satish
>>>
>>>
>>> On Mon, Feb 28, 2011 at 2:36 PM, dan (ddp) <[email protected]> wrote:
>>>> Hi Satish,
>>>> Do these systems log to both a local file and a remote syslog system?
>>>> If so, they can easily parse the local log files without issues.
>>>> I have a number of systems set up this way.
>>>>
>>>> On Thu, Feb 24, 2011 at 3:34 PM, satish patel <[email protected]> wrote:
>>>>> Hi All,
>>>>>
>>>>> In our network we have a splunk centralized log server for all
>>>>> Linux/Unix boxes. We have configured syslog to send all logs to Splunk.
>>>>> Now I am planning to install OSSEC on all Unix/Linux boxes, so the question
>>>>> is how the ossec agent will parse log files while those boxes are sending logs
>>>>> to the splunk server via syslog?
>>>>>
>>>>> How do I configure splunk vs ossec log monitoring?
>>>>>
>>>>> -Satish
>>>>>
>>>>
>>>
>>
>
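The point made in the reply above (a classic syslog.conf needs both the local-file rules and the `*.* @host` forwarding rule, otherwise an OSSEC agent has nothing under /var/log to read) can be checked mechanically. The script below is an added example, not code from the thread or from the OSSEC project: it audits a syslogd-style syslog.conf and counts rules that write to a local file versus rules that forward to a remote host. The two sample configs are constructed for illustration; `logserver1` is the collector name used in the thread, and the local-file rules are assumed, typical RHEL-style defaults, not Satish's real configuration. The OSSEC `<localfile>` stanza at the end is the standard agent syntax for tailing a syslog file.

```sh
#!/bin/sh
# Added example: audit a classic syslog.conf for local versus remote actions.
# Rule format: <selector><whitespace><action>; '#' begins a comment.
# Actions: /path (local file), -/path (local file, no fsync), @host (remote).

# Constructed config 1: forward-only. Nothing is written locally, so an
# OSSEC agent tailing /var/log/messages sees nothing.
FORWARD_ONLY='*.*        @logserver1
'

# Constructed config 2: local files for OSSEC to tail AND a catch-all
# forward to the Splunk syslog listener (hostname assumed).
BOTH='# local files (what the OSSEC agent reads)
*.info;mail.none;authpriv.none;cron.none   /var/log/messages
authpriv.*                                  /var/log/secure
mail.*                                      -/var/log/maillog
cron.*                                      /var/log/cron
# forward everything to the remote collector (Splunk)
*.*                                         @logserver1
'

# Print the action field of every active rule in the config text given as $1.
syslog_actions() {
    printf '%s' "$1" | sed -e 's/#.*//' -e '/^[[:space:]]*$/d' | awk '{print $NF}'
}

# Number of rules writing to a local file (action begins with / or -/).
count_local() {
    syslog_actions "$1" | grep -c '^-*/' || true
}

# Number of rules forwarding to a remote host (action begins with @).
count_remote() {
    syslog_actions "$1" | grep -c '^@' || true
}

# Succeeds only when the config both writes locally and forwards remotely,
# which is the setup needed for "splunk + ossec" on the same box.
logs_local_and_remote() {
    [ "$(count_local "$1")" -gt 0 ] && [ "$(count_remote "$1")" -gt 0 ]
}

# Usage: ./syslog_audit.sh --demo        (run on the constructed samples)
#        ./syslog_audit.sh /etc/syslog.conf   (audit a real file)
case "${1:-}" in
    --demo)
        printf 'forward-only: local=%s remote=%s\n' \
            "$(count_local "$FORWARD_ONLY")" "$(count_remote "$FORWARD_ONLY")"
        printf 'both:         local=%s remote=%s\n' \
            "$(count_local "$BOTH")" "$(count_remote "$BOTH")"
        ;;
    "")
        ;;
    *)
        cfg=$(cat "$1")
        if logs_local_and_remote "$cfg"; then
            echo "$1: writes local files and forwards remotely"
        else
            echo "$1: missing local-file rules or remote forwarding"
        fi
        ;;
esac

# Once local files exist, the agent side of the thread's question is the
# usual OSSEC localfile stanza in ossec.conf (standard agent syntax):
#   <localfile>
#     <log_format>syslog</log_format>
#     <location>/var/log/messages</location>
#   </localfile>
#   <localfile>
#     <log_format>syslog</log_format>
#     <location>/var/log/secure</location>
#   </localfile>
```

Run it against the real /etc/syslog.conf after editing: a file whose only rule is `*.* @logserver1` reports `local=0`, which is exactly the symptom of /var/log/messages and /var/log/secure no longer growing. Forwarding with `@host` is plain UDP syslog, so anything that must reach Splunk reliably should also stay in the local file the OSSEC agent reads.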
