One more question: how is OSSEC going to read the log files? I mean, is it going to read all logs like secure.*, including gz-compressed ones? So what rotation should I use for the logs?

-Satish

On Mon, Feb 28, 2011 at 4:44 PM, satish patel <[email protected]> wrote:
> It started locally and remotely. Thanks
>
> -satish
>
> On Mon, Feb 28, 2011 at 4:41 PM, dan (ddp) <[email protected]> wrote:
>> On Mon, Feb 28, 2011 at 4:36 PM, satish patel <[email protected]> wrote:
>>>> Are you asking about the manager or the agents?
>>>> I thought you were asking about the agents. I thought you wanted to be
>>>> able to monitor the local logs with OSSEC and also have syslog forward
>>>> the logs to splunk. Did I misunderstand?
>>>
>>> I am asking about agents. And yes, I want both: my agent monitoring local
>>> logs and also syslog forwarding them to splunk. So, in short, both.
>>>
>>>> You CAN do both. I do both. But you have to configure syslog to do both.
>>>
>>> How do I configure syslog to add log messages in both /var/log and
>>> forward them to splunk as well?
>>>
>>
>> Syslog was originally configured to log to local files. Put that
>> configuration back in place.
>> At the end of the file add your remote syslog line:
>> *.* @logserver1
>>
>> Then restart the syslog daemon. It should log locally and remotely.
>>
>>> On Mon, Feb 28, 2011 at 4:26 PM, dan (ddp) <[email protected]> wrote:
>>>> On Mon, Feb 28, 2011 at 4:11 PM, satish patel <[email protected]> wrote:
>>>>>> Try reverting the configuration to how it was before you made the
>>>>>> changes.
>>>>>
>>>>> Before, my syslog was configured for local files /var/log/*. But my
>>>>> requirement is splunk + ossec.
>>>>>
>>>>
>>>> Are you asking about the manager or the agents?
>>>> I thought you were asking about the agents. I thought you wanted to be
>>>> able to monitor the local logs with OSSEC and also have syslog forward
>>>> the logs to splunk. Did I misunderstand?
>>>>
>>>> If you want OSSEC to monitor the logs, they have to be written
>>>> somewhere for OSSEC to read them (for example, in /var/log). If you
>>>> want them to be forwarded to another system, you add a line like the
>>>> following:
>>>> *.* @logserver1
>>>>
>>>> You CAN do both. I do both. But you have to configure syslog to do both.
>>>>
>>>>> OS: Red Hat Enterprise Linux AS release 4 (Nahant Update 8)
>>>>> syslogd 1.4.1
>>>>>
>>>>> Thanks,
>>>>>
>>>>> Satish Patel
>>>>>
>>>>> On Mon, Feb 28, 2011 at 4:04 PM, dan (ddp) <[email protected]> wrote:
>>>>>> Try reverting the configuration to how it was before you made the
>>>>>> changes.
>>>>>> If you need help with that, maybe providing some of this info could
>>>>>> help someone provide the correct info:
>>>>>> What OS/distro?
>>>>>> What syslog daemon (version and implementation)?
>>>>>>
>>>>>> On Mon, Feb 28, 2011 at 3:57 PM, satish patel <[email protected]>
>>>>>> wrote:
>>>>>>> Hi Dan,
>>>>>>>
>>>>>>> I have the following line in my syslog.conf (send all messages to
>>>>>>> logserver1, which is splunk):
>>>>>>>
>>>>>>> *.* @logserver1
>>>>>>>
>>>>>>> I have checked my /var/log/messages and /var/log/secure and it looks like
>>>>>>> syslog has stopped appending logs to the local files. How do I enable it?
>>>>>>> I want both options, local and remote syslog.
>>>>>>>
>>>>>>> -Satish
>>>>>>>
>>>>>>> On Mon, Feb 28, 2011 at 2:36 PM, dan (ddp) <[email protected]> wrote:
>>>>>>>> Hi Satish,
>>>>>>>> Do these systems log to both a local file and a remote syslog system?
>>>>>>>> If so, they can easily parse the local log files without issues.
>>>>>>>> I have a number of systems set up this way.
>>>>>>>>
>>>>>>>> On Thu, Feb 24, 2011 at 3:34 PM, satish patel <[email protected]>
>>>>>>>> wrote:
>>>>>>>>> Hi All,
>>>>>>>>>
>>>>>>>>> In our network we have a splunk centralized log server for all
>>>>>>>>> Linux/Unix boxes. We have configured syslog to send all logs to Splunk.
>>>>>>>>> Now I am planning to install OSSEC on all Unix/Linux boxes, so the question
>>>>>>>>> is how the ossec agent will parse the log files while those boxes send logs
>>>>>>>>> to the splunk server via syslog?
>>>>>>>>>
>>>>>>>>> How do I configure splunk vs ossec log monitoring?
>>>>>>>>>
>>>>>>>>> -Satish
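The failure in this thread is a syslog.conf in which the remote forward (`*.* @logserver1`) replaced the local file rules, so the OSSEC agent had nothing under /var/log to read. The script below is an added example, not code from the thread or from the OSSEC project: it parses a sysklogd-style syslog.conf, collects the plain-file destinations and the `@host` forwards, and cross-checks them against the `<localfile>` entries the agent is configured to read. The two syslog.conf samples, the ossec.conf fragment and the rule lines in them are constructed for the example (the local rules are modelled on RHEL 4 style defaults but are not copied from any real host); the hostname `logserver1` is the one used in the thread.

```python
"""Added example (not from the thread or from OSSEC): verify that a
sysklogd-style syslog.conf both writes the files an OSSEC agent monitors
and forwards to a remote syslog receiver."""
import re

# Constructed sample: the broken state from the thread, where the only
# remaining rule is the remote forward, so nothing is appended under /var/log.
REMOTE_ONLY_CONF = """
# send all messages to logserver1 (splunk)
*.* @logserver1
"""

# Constructed sample: the fix from the thread, local file rules restored and
# the remote forward appended at the end of the file.
LOCAL_AND_REMOTE_CONF = """
*.info;mail.none;authpriv.none;cron.none    /var/log/messages
authpriv.*                                  /var/log/secure
mail.*                                      -/var/log/maillog
cron.*                                      /var/log/cron
*.emerg                                     *
# forward everything to the splunk syslog receiver
*.* @logserver1
"""

# Constructed sample ossec.conf fragment: the files the agent is told to read.
OSSEC_LOCALFILES = """
<ossec_config>
  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/messages</location>
  </localfile>
  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/secure</location>
  </localfile>
</ossec_config>
"""


def parse_syslog_conf(text):
    """Return (selector, action) pairs from a sysklogd syslog.conf.
    Comments and blank lines are skipped. The leading '-' that disables
    fsync on a file action is stripped so the path compares cleanly."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue  # malformed line: selector without an action
        selector, action = parts
        rules.append((selector, action.strip().lstrip("-")))
    return rules


def local_files(rules):
    """Paths syslog writes on this host (absolute-path actions only)."""
    return {action for _, action in rules if action.startswith("/")}


def remote_hosts(rules):
    """Hosts syslog forwards to (actions of the form @host)."""
    return {action[1:] for _, action in rules if action.startswith("@")}


def ossec_locations(xml_text):
    """Paths named in <localfile><location> entries of an ossec.conf."""
    return re.findall(r"<location>\s*([^<\s]+)\s*</location>", xml_text)


def check(syslog_conf, ossec_conf):
    """Report OSSEC-monitored files that no syslog rule writes, plus the
    remote hosts syslog forwards to. For the setup discussed in the thread,
    the first list must be empty and the second must be non-empty."""
    rules = parse_syslog_conf(syslog_conf)
    written = local_files(rules)
    missing = [p for p in ossec_locations(ossec_conf) if p not in written]
    return {"unwritten_ossec_files": missing, "remote": sorted(remote_hosts(rules))}


if __name__ == "__main__":
    for name, conf in (("remote only", REMOTE_ONLY_CONF),
                       ("local + remote", LOCAL_AND_REMOTE_CONF)):
        print(name, check(conf, OSSEC_LOCALFILES))
```

The check only confirms that some rule names each monitored path as a destination; it does not evaluate facility/priority selectors, so a rule that writes /var/log/secure from the wrong facility would still pass. Run it against a copy of the agent's real syslog.conf and ossec.conf after a change like the one in the thread, before restarting the daemon.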
