> Are you asking about the manager or the agents?
> I thought you were asking about the agents. I thought you wanted to be
> able to monitor the local logs with OSSEC and also have syslog forward
> the logs to splunk. Did I misunderstand?

I am asking about agents. And yes, I want both: my agent monitoring local logs and also syslog forwarding them to Splunk. So, in short, both.

> You CAN do both. I do both. But you have to configure syslog to do both.

How do I configure syslog to write log messages to /var/log and forward them to Splunk as well?

On Mon, Feb 28, 2011 at 4:26 PM, dan (ddp) <[email protected]> wrote:
> On Mon, Feb 28, 2011 at 4:11 PM, satish patel <[email protected]> wrote:
>>> Try reverting the configuration to how it was before you made the changes.
>>
>> Before, my syslog was configured for local files /var/log/*. But my
>> requirement is Splunk + OSSEC.
>>
>
> Are you asking about the manager or the agents?
> I thought you were asking about the agents. I thought you wanted to be
> able to monitor the local logs with OSSEC and also have syslog forward
> the logs to splunk. Did I misunderstand?
>
> If you want OSSEC to monitor the logs, they have to be written
> somewhere for OSSEC to read them (for example, in /var/log). If you
> want them to be forwarded to another system, you add a line like the
> following:
> *.* @logserver1
>
> You CAN do both. I do both. But you have to configure syslog to do both.
>
>> OS: Red Hat Enterprise Linux AS release 4 (Nahant Update 8)
>> syslogd 1.4.1
>>
>> Thanks,
>>
>> Satish Patel
>>
>> On Mon, Feb 28, 2011 at 4:04 PM, dan (ddp) <[email protected]> wrote:
>>> Try reverting the configuration to how it was before you made the changes.
>>> If you need help with that, maybe providing some of this info could
>>> help someone provide the correct info:
>>> What OS/distro?
>>> What syslog daemon (version and implementation)?
>>>
>>> On Mon, Feb 28, 2011 at 3:57 PM, satish patel <[email protected]> wrote:
>>>> Hi Dan,
>>>>
>>>> I have the following line in my syslog.conf (send all messages to
>>>> logserver1, which is Splunk):
>>>>
>>>> *.* @logserver1
>>>>
>>>> I have checked my /var/log/messages and /var/log/secure and it looks like
>>>> syslog has stopped appending logs to the local files. How do I enable it?
>>>> I want both options, local and remote syslog.
>>>>
>>>> -Satish
>>>>
>>>> On Mon, Feb 28, 2011 at 2:36 PM, dan (ddp) <[email protected]> wrote:
>>>>> Hi Satish,
>>>>> Do these systems log to both a local file and a remote syslog system?
>>>>> If so, they can easily parse the local log files without issues.
>>>>> I have a number of systems set up this way.
>>>>>
>>>>> On Thu, Feb 24, 2011 at 3:34 PM, satish patel <[email protected]> wrote:
>>>>>> Hi All,
>>>>>>
>>>>>> In our network we have a Splunk centralized log server for all
>>>>>> Linux/Unix boxes. We have configured syslog to send all logs to Splunk.
>>>>>> Now I am planning to install OSSEC on all Unix/Linux boxes, so the question
>>>>>> is: how will the OSSEC agent parse log files while those boxes send logs
>>>>>> to the Splunk server via syslog?
>>>>>>
>>>>>> How do I configure Splunk vs OSSEC log monitoring?
>>>>>>
>>>>>> -Satish
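The symptom in this thread (adding `*.* @logserver1` and finding /var/log/messages and /var/log/secure no longer grow) is what happens when the forward line replaces the local file rules instead of being added next to them. The script below is an added example for this thread, not code from OSSEC, Splunk or either poster. It parses a sysklogd-style syslog.conf (the syslogd 1.4.1 named above), works out where a given facility.priority message ends up, and lists every facility/priority pair that reaches the remote host but no local file, which is exactly what an OSSEC agent reading /var/log would never see. `BROKEN_CONF` is a constructed reproduction of the forward-only state; `FIXED_CONF` keeps local rules modelled on the stock Red Hat layout (an assumption, your original file may differ) and adds the forward line after them. The hostname `logserver1` is taken from the thread; rsyslog and syslog-ng syntax extensions are not handled.

```python
"""sysklogd-style syslog.conf checker: does each message that is forwarded to
the remote host also reach a local file the OSSEC agent can read?
Added example for the thread above, not OSSEC/Splunk code.  Selector rules
follow sysklogd (syslogd 1.4.1): the ';'-separated parts of a selector are
applied in order, so "*.info;mail.none" = info+ for all, then nothing for mail."""

PRIORITY_NAMES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
PRIORITIES = {n: i for i, n in enumerate(PRIORITY_NAMES)}
PRIORITIES.update({"panic": 0, "error": 3, "warn": 4})          # sysklogd aliases
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp"] + [f"local{i}" for i in range(8)]
ALL_PRIS = frozenset(range(8))


def parse_selector(selector):
    """Return {facility: set(priority numbers)} matched by one selector field."""
    mask = {f: set() for f in FACILITIES}
    for part in selector.split(";"):
        facs, dot, pri = part.rpartition(".")
        if not dot:
            raise ValueError(f"selector without priority: {part!r}")
        targets = FACILITIES if facs == "*" else facs.replace("security", "auth").split(",")
        for f in targets:
            if f not in mask:
                raise ValueError(f"unknown facility {f!r} in {part!r}")
        pri = pri.lower()
        if pri == "none":                      # clear everything for these facilities
            levels, remove = ALL_PRIS, True
        else:
            remove = pri.startswith("!")       # "!x" / "!=x" clear bits instead of setting
            exact = pri.lstrip("!").startswith("=")   # "=x" is that single priority
            pri = pri.lstrip("!=")
            if pri == "*":
                levels = ALL_PRIS
            elif exact:
                levels = {PRIORITIES[pri]}
            else:                              # x and every more severe priority
                levels = set(range(PRIORITIES[pri] + 1))
        for f in targets:
            mask[f] = mask[f] - levels if remove else mask[f] | levels
    return mask


def classify_action(action):
    """Map the action field to ("local" | "remote" | "other", target)."""
    if action.startswith("@"):                 # "@host" is plain UDP/514 in sysklogd
        return "remote", action.lstrip("@")
    path = action.lstrip("-")                  # leading "-" only means "don't fsync"
    return ("local", path) if path.startswith("/") else ("other", action)


def parse_conf(text):
    """Parse a syslog.conf into [(facility mask, (kind, target)), ...]."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()    # drop comments and blank lines
        if line:
            fields = line.split(None, 1)
            if len(fields) != 2:
                raise ValueError(f"rule without action: {raw!r}")
            rules.append((parse_selector(fields[0]), classify_action(fields[1].strip())))
    return rules


def destinations(rules, facility, priority):
    """Every destination one facility.priority message reaches, grouped by kind."""
    out = {"local": [], "remote": [], "other": []}
    for mask, (kind, target) in rules:
        if PRIORITIES[priority] in mask[facility]:
            out[kind].append(target)
    return out


def forwarded_but_not_local(rules):
    """(facility, priority) pairs that reach a remote host but no local file:
    Splunk gets them, the OSSEC agent on the box never sees them."""
    return {(fac, pri) for fac in FACILITIES for pri in PRIORITY_NAMES
            if (d := destinations(rules, fac, pri))["remote"] and not d["local"]}


# Constructed configs.  BROKEN is the state described in the thread: the
# forward line is the only rule left, so nothing is written under /var/log.
BROKEN_CONF = """
# send everything to the Splunk host (hostname taken from the thread)
*.*     @logserver1
"""

# FIXED keeps local file rules (modelled on the stock Red Hat layout; an
# assumption, compare with your own original file) and adds the forward line.
FIXED_CONF = """
*.info;mail.none;authpriv.none;cron.none    /var/log/messages
authpriv.*                                  /var/log/secure
mail.*                                      -/var/log/maillog
cron.*                                      /var/log/cron
*.emerg                                     *
uucp,news.crit                              /var/log/spooler
local7.*                                    /var/log/boot.log
*.*                                         @logserver1
"""

if __name__ == "__main__":
    for name, conf in (("broken", BROKEN_CONF), ("fixed", FIXED_CONF)):
        rules = parse_conf(conf)
        print(name, destinations(rules, "authpriv", "info"), len(forwarded_but_not_local(rules)))
```

Run against `BROKEN_CONF` the checker flags every facility/priority pair; against `FIXED_CONF` only `debug` messages for facilities without their own `.*` rule are flagged, because the stock `*.info` line stops at info. Whether that gap matters depends on what you want the OSSEC agent's `<localfile>` entries to see. Two caveats that hold for the syslogd in the thread: it re-reads syslog.conf only on restart or SIGHUP, and `@host` sends over UDP port 514 in the clear, so the Splunk copy is neither reliable nor confidential on an untrusted network; the local file the agent reads is the copy you can rely on.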
