It started logging locally and remotely. Thanks
-satish

On Mon, Feb 28, 2011 at 4:41 PM, dan (ddp) wrote:
> On Mon, Feb 28, 2011 at 4:36 PM, satish patel wrote:
>>> Are you asking about the manager or the agents?
>>> I thought you were asking about the agents. I thought you wanted to be
>>> able to monitor the local logs with OSSEC and also have syslog forward
>>> the logs to splunk. Did I misunderstand?
>>
>> I am asking about agents. And yes, I want both: my agent monitoring local
>> logs and also syslog forwarding them to splunk. So in short, both.
>>
>>> You CAN do both. I do both. But you have to configure syslog to do both.
>>
>> How do I configure syslog to add log messages to both /var/log and
>> forward them to splunk as well?
>>
>
> Syslog was originally configured to log to local files. Put that
> configuration back in place.
> At the end of the file add your remote syslog line:
> *.* @logserver1
>
> Then restart the syslog daemon. It should log locally and remotely.
>
>>
>> On Mon, Feb 28, 2011 at 4:26 PM, dan (ddp) wrote:
>>> On Mon, Feb 28, 2011 at 4:11 PM, satish patel wrote:
>>>>> Try reverting the configuration to how it was before you made the changes.
>>>>
>>>> Before, my syslog was configured for local files /var/log/*. But my
>>>> requirement is splunk + ossec.
>>>>
>>>
>>> Are you asking about the manager or the agents?
>>> I thought you were asking about the agents. I thought you wanted to be
>>> able to monitor the local logs with OSSEC and also have syslog forward
>>> the logs to splunk. Did I misunderstand?
>>>
>>> If you want OSSEC to monitor the logs, they have to be written
>>> somewhere for OSSEC to read them (for example, in /var/log). If you
>>> want them to be forwarded to another system, you add a line like the
>>> following:
>>> *.* @logserver1
>>>
>>> You CAN do both. I do both. But you have to configure syslog to do both.
>>>
>>>> OS: Red Hat Enterprise Linux AS release 4 (Nahant Update 8)
>>>> syslogd 1.4.1
>>>>
>>>> Thanks,
>>>>
>>>> Satish Patel
>>>>
>>>>
>>>> On Mon, Feb 28, 2011 at 4:04 PM, dan (ddp) wrote:
>>>>> Try reverting the configuration to how it was before you made the changes.
>>>>> If you need help with that, maybe providing some of this info could
>>>>> help someone provide the correct info:
>>>>> What OS/distro?
>>>>> What syslog daemon (version and implementation)?
>>>>>
>>>>> On Mon, Feb 28, 2011 at 3:57 PM, satish patel wrote:
>>>>>> Hi Dan,
>>>>>>
>>>>>> I have the following line in my syslog.conf (send all messages to
>>>>>> logserver1, which is splunk):
>>>>>>
>>>>>> *.* @logserver1
>>>>>>
>>>>>> I have checked my /var/log/messages and /var/log/secure and it looks like
>>>>>> syslog has stopped appending logs to the local files. How do I enable it?
>>>>>> I want both options, local and remote syslog.
>>>>>>
>>>>>> -Satish
>>>>>>
>>>>>>
>>>>>> On Mon, Feb 28, 2011 at 2:36 PM, dan (ddp) wrote:
>>>>>>> Hi Satish,
>>>>>>> Do these systems log to both a local file and a remote syslog system?
>>>>>>> If so, they can easily parse the local log files without issues.
>>>>>>> I have a number of systems set up this way.
>>>>>>>
>>>>>>> On Thu, Feb 24, 2011 at 3:34 PM, satish patel wrote:
>>>>>>>> Hi All,
>>>>>>>>
>>>>>>>> In our network we have a splunk centralized log server for all
>>>>>>>> Linux/Unix boxes. We have configured syslog to send all logs to Splunk.
>>>>>>>> Now I am planning to install OSSEC on all Unix/Linux boxes, so the question
>>>>>>>> is how the ossec agent will parse log files while those boxes send logs
>>>>>>>> to the splunk server via syslog?
>>>>>>>>
>>>>>>>> How do I configure splunk vs ossec log monitoring?
>>>>>>>>
>>>>>>>> -Satish
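The configuration Dan describes, as an added example that is not part of the thread or of OSSEC: a sysklogd 1.4.x style syslog.conf with the usual RHEL local file destinations kept in place and the `*.* @logserver1` forwarding line appended at the end, plus a small check that a file still has at least one local file destination alongside the remote one (Satish's symptom was a file with only the remote line). The file paths, the `logserver1` hostname and the helper names are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread or from OSSEC.
# write_sample_conf writes a constructed syslog.conf (sysklogd 1.4.x format,
# as shipped on RHEL 4): local files first, remote forwarding last.
# The paths and the host name "logserver1" are assumptions for illustration.
write_sample_conf() {
  cat > "$1" <<'EOF'
# Local files: the OSSEC agent tails these (logcollector in ossec.conf)
*.info;mail.none;authpriv.none;cron.none    /var/log/messages
authpriv.*                                  /var/log/secure
mail.*                                      -/var/log/maillog
cron.*                                      /var/log/cron
*.emerg                                     *
# Remote forwarding to the Splunk collector (UDP/514 with sysklogd).
# Keep the local lines above; this line adds a destination, it does not replace them.
*.*                                         @logserver1
EOF
}

# count_local: number of non-comment lines whose action is a local file
# (a leading "-" means "do not fsync after every write" and is still a file).
count_local() {
  grep -v '^#' "$1" | awk '$2 ~ /^-?\// { n++ } END { print n + 0 }'
}

# count_remote: number of non-comment lines whose action is "@host".
count_remote() {
  grep -v '^#' "$1" | awk '$2 ~ /^@/ { n++ } END { print n + 0 }'
}

# check_conf: succeed only if the file has both a local file destination
# (so OSSEC has something to read) and a remote destination (so Splunk
# keeps receiving). A file with only "*.* @logserver1" fails this check.
check_conf() {
  [ "$(count_local "$1")" -gt 0 ] && [ "$(count_remote "$1")" -gt 0 ]
}
```

After restarting syslogd, confirm both paths end to end rather than trusting the file: `logger -p authpriv.notice "ossec-splunk test"` should show up in /var/log/secure on the host and in Splunk. Note that `@host` with sysklogd is plain UDP with no authentication or encryption, so anything on the path can read or spoof those records; the local copy that OSSEC reads is also the one that survives a collector outage.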
