Holy cow!!! It was my mistake: I removed all lines in syslog and added only *.* @logserver1

Now I added the following two lines and it seems to have started appending logs in /var/log/ again:

*.info;mail.none;authpriv.none;cron.none /var/log/messages
authpriv.* /var/log/secure

Thanks for your kind support

-Satish

On Mon, Feb 28, 2011 at 4:36 PM, satish patel <[email protected]> wrote:
>> Are you asking about the manager or the agents?
>> I thought you were asking about the agents. I thought you wanted to be
>> able to monitor the local logs with OSSEC and also have syslog forward
>> the logs to splunk. Did I misunderstand?
>
> I am asking about agents. And yes, I want both: my agent monitoring local
> logs and syslog also forwarding them to splunk. So in short, both.
>
>> You CAN do both. I do both. But you have to configure syslog to do both.
>
> How do I configure syslog to add log messages in both /var/log and
> forward them to splunk as well?
>
> On Mon, Feb 28, 2011 at 4:26 PM, dan (ddp) <[email protected]> wrote:
>> On Mon, Feb 28, 2011 at 4:11 PM, satish patel <[email protected]> wrote:
>>>> Try reverting the configuration to how it was before you made the changes.
>>>
>>> Before, my syslog was configured for local files /var/log/*. But my
>>> requirement is splunk + ossec.
>>>
>>
>> Are you asking about the manager or the agents?
>> I thought you were asking about the agents. I thought you wanted to be
>> able to monitor the local logs with OSSEC and also have syslog forward
>> the logs to splunk. Did I misunderstand?
>>
>> If you want OSSEC to monitor the logs, they have to be written
>> somewhere for OSSEC to read them (for example, in /var/log). If you
>> want them to be forwarded to another system, you add a line like the
>> following:
>> *.* @logserver1
>>
>> You CAN do both. I do both. But you have to configure syslog to do both.
>>
>>> OS: Red Hat Enterprise Linux AS release 4 (Nahant Update 8)
>>> syslogd 1.4.1
>>>
>>> Thanks,
>>>
>>> Satish Patel
>>>
>>> On Mon, Feb 28, 2011 at 4:04 PM, dan (ddp) <[email protected]> wrote:
>>>> Try reverting the configuration to how it was before you made the changes.
>>>> If you need help with that, maybe providing some of this info could
>>>> help someone provide the correct info:
>>>> What OS/distro?
>>>> What syslog daemon (version and implementation)?
>>>>
>>>> On Mon, Feb 28, 2011 at 3:57 PM, satish patel <[email protected]> wrote:
>>>>> Hi Dan,
>>>>>
>>>>> I have the following line in my syslog.conf (send all messages to
>>>>> logserver1, which is splunk):
>>>>>
>>>>> *.* @logserver1
>>>>>
>>>>> I have checked my /var/log/messages and /var/log/secure and it looks like
>>>>> syslog has stopped appending logs to the local files. How do I enable it?
>>>>> I want both options, local and remote syslog.
>>>>>
>>>>> -Satish
>>>>>
>>>>> On Mon, Feb 28, 2011 at 2:36 PM, dan (ddp) <[email protected]> wrote:
>>>>>> Hi Satish,
>>>>>> Do these systems log to both a local file and a remote syslog system?
>>>>>> If so, they can easily parse the local log files without issues.
>>>>>> I have a number of systems set up this way.
>>>>>>
>>>>>> On Thu, Feb 24, 2011 at 3:34 PM, satish patel <[email protected]>
>>>>>> wrote:
>>>>>>> Hi All,
>>>>>>>
>>>>>>> In our network we have a splunk centralized log server for all
>>>>>>> Linux/Unix boxes. We have configured syslog to send all logs to Splunk.
>>>>>>> Now I am planning to install OSSEC on all Unix/Linux boxes, so the question
>>>>>>> is how the ossec agent will parse the log files while those boxes are sending logs
>>>>>>> to the splunk server via syslog?
>>>>>>>
>>>>>>> How do I configure splunk vs ossec log monitoring?
>>>>>>>
>>>>>>> -Satish
>>>>>>>
>>>>>>
>>>>>
>>>>
>>>
>>
>
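A worked check for the fix discussed in this thread, added here as an example and not part of the list archive: a small Python evaluator for classic sysklogd selector lines (the syntax syslogd 1.4.1 reads) that, given a facility and priority, lists every action a message would reach and then splits those into local files (which an OSSEC agent can tail) and remote hosts. The two configs are constructed from the lines quoted above; logserver1 stands in for the Splunk host. The selector semantics implemented (priority and above, =prio, !prio, none, and a later selector on the same line overriding an earlier one for the same facility) are taken from the sysklogd syslog.conf(5) man page as I recall it, so treat them as an assumption to verify against your own daemon. Run on the repaired config, the check also shows that mail and cron messages still reach only the forwarder, because the two re-added lines deliberately exclude them from /var/log/messages and no maillog or cron rule is quoted in the thread; a complete repair would restore the rest of the distribution's default syslog.conf as well.

```python
"""Evaluate sysklogd-style syslog.conf rules for a given message.

Added example (not from the mailing-list thread). Implements the selector
semantics of classic syslogd: 'facility.priority' means that priority and
above, '=prio' exactly, '!prio' below, 'none' excludes, and a later selector
on the same line overrides an earlier one for the same facility.
"""

# Priorities from least to most severe, as syslogd orders them.
PRIORITIES = ["debug", "info", "notice", "warning", "err", "crit", "alert", "emerg"]
PRIORITY_ALIASES = {"warn": "warning", "error": "err", "panic": "emerg"}
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp"] + ["local%d" % i for i in range(8)]


def _pri_index(name):
    name = PRIORITY_ALIASES.get(name, name)
    if name not in PRIORITIES:
        raise ValueError("unknown priority %r" % name)
    return PRIORITIES.index(name)


def _priority_test(spec):
    """Turn a priority spec into a predicate over a priority index."""
    if spec == "none":
        return lambda p: False
    if spec == "*":
        return lambda p: True
    if spec.startswith("!="):
        idx = _pri_index(spec[2:])
        return lambda p: p != idx
    if spec.startswith("!"):              # '!err': everything below err
        idx = _pri_index(spec[1:])
        return lambda p: p < idx
    if spec.startswith("="):              # '=crit': exactly crit
        idx = _pri_index(spec[1:])
        return lambda p: p == idx
    idx = _pri_index(spec)                # 'info': info and above
    return lambda p: p >= idx


def parse_rule(line):
    """Parse 'selector[;selector...]  action' into ({facility: predicate}, action)."""
    parts = line.split(None, 1)
    if len(parts) != 2:
        raise ValueError("rule needs a selector and an action: %r" % line)
    selectors, action = parts
    predicates = {}
    for selector in selectors.split(";"):
        fac_list, prio = selector.rsplit(".", 1)
        facs = FACILITIES if fac_list == "*" else fac_list.split(",")
        test = _priority_test(prio)
        for fac in facs:
            if fac not in FACILITIES:
                raise ValueError("unknown facility %r" % fac)
            predicates[fac] = test        # later selector wins (e.g. mail.none)
    return predicates, action.strip()


def parse_config(text):
    """Parse a syslog.conf body, skipping blank lines and comments."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#"):
            rules.append(parse_rule(line))
    return rules


def route(text, facility, priority):
    """Every action that receives a <facility>.<priority> message, in file order."""
    pri = _pri_index(priority)
    return [action for predicates, action in parse_config(text)
            if facility in predicates and predicates[facility](pri)]


def split_destinations(actions):
    """Separate local files (what an OSSEC agent can tail) from @remote hosts."""
    local = [a.lstrip("-") for a in actions if a.lstrip("-").startswith("/")]
    remote = [a for a in actions if a.startswith("@")]
    return local, remote


def facilities_without_local_file(text, priority="info"):
    """Facilities whose <priority> messages are forwarded but never written locally."""
    return [fac for fac in FACILITIES
            if not split_destinations(route(text, fac, priority))[0]]


# Constructed from the thread: the config that silenced /var/log/messages ...
BROKEN_CONF = "*.* @logserver1\n"

# ... and the repaired one: the two re-added lines plus the forwarding line.
FIXED_CONF = """\
*.info;mail.none;authpriv.none;cron.none    /var/log/messages
authpriv.*                                  /var/log/secure
*.* @logserver1
"""

if __name__ == "__main__":
    for name, conf in (("broken", BROKEN_CONF), ("fixed", FIXED_CONF)):
        for fac, pri in (("authpriv", "info"), ("daemon", "notice"), ("mail", "err")):
            local, remote = split_destinations(route(conf, fac, pri))
            print("%-6s %s.%s -> local=%s remote=%s" % (name, fac, pri, local, remote))
        print("%-6s forwarded only (info): %s" % (name, facilities_without_local_file(conf)))
```

Feed it the real /etc/syslog.conf and the list of facilities your OSSEC agent's localfile entries rely on; any facility that comes back from facilities_without_local_file is one whose events Splunk will see but OSSEC never will.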
