Well I think that we'll have to tell the splunk server to accept the logs of this server, like the way we do in ossec.conf at the manager end, under the remote tab.
Regards
Tanishk Lakhaani
Sent from BlackBerry® on Airtel

-----Original Message-----
From: [email protected]
Sender: [email protected]
Date: Mon, 28 Feb 2011 21:04:54
To: <[email protected]>
Reply-To: [email protected]
Subject: Re: [ossec-list] OSSEC syslog check

Set up a new splunk input, udp listener on a different port (like udp 2514)

In syslog.conf, *.* @server1:2514

Restart splunk and syslog

-----Original Message-----
From: satish patel <[email protected]>
Sender: [email protected]
Date: Mon, 28 Feb 2011 15:57:39
To: <[email protected]>
Reply-To: [email protected]
Subject: Re: [ossec-list] OSSEC syslog check

Hi Dan,

I have the following line in my syslog.conf (send all messages to logserver1, which is splunk):

*.* @logserver1

I have checked my /var/log/messages and /var/log/secure and it looks like syslog has stopped appending logs to the local files. How do I enable it? I want both options, local and remote syslog.

-Satish

On Mon, Feb 28, 2011 at 2:36 PM, dan (ddp) <[email protected]> wrote:
> Hi Satish,
> Do these systems log to both a local file and a remote syslog system?
> If so, they can easily parse the local log files without issues.
> I have a number of systems set up this way.
>
> On Thu, Feb 24, 2011 at 3:34 PM, satish patel <[email protected]> wrote:
>> Hi All,
>>
>> In our network we have a splunk centralized log server for all
>> Linux/Unix boxes. We have configured syslog to send all logs to Splunk.
>> Now I am planning to install OSSEC on all Unix/Linux boxes, so the question
>> is how the ossec agent will parse log files while those boxes send logs
>> to the splunk server via syslog?
>>
>> How do I configure splunk vs ossec log monitoring?
>>
>> -Satish
>>
>
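A syslog.conf that does what the thread asks for, keeping the local files (which the OSSEC agent tails) while also forwarding everything to the Splunk UDP listener, as an added example that is not from any of the posts above. It assumes the classic selector/action syslog.conf format, a syslogd that understands the @host:port form (rsyslog's legacy format does; some older syslogd builds only send to port 514), the hostname logserver1 and the UDP port 2514 given in the thread, and the /var/log/messages and /var/log/secure paths mentioned by Satish; the other facility lines are typical defaults, not something the thread states.

```conf
# /etc/syslog.conf  (added example, not from the thread)
# Format: <selector><TAB><action>. Historically the separator had to be a TAB.

# Local files stay in place. These are what the OSSEC agent reads via
# <localfile> entries in its ossec.conf; it never needs the forwarded copy.
*.info;mail.none;authpriv.none;cron.none	/var/log/messages
authpriv.*					/var/log/secure
mail.*						-/var/log/maillog
cron.*						/var/log/cron
*.emerg						*

# Remote copy of everything to the Splunk UDP input on 2514 (assumed host/port).
# A forwarding rule adds a destination; it does not replace the file rules above,
# so if local files go quiet after adding it, check that the file rules survived
# and that the selector/action separator is really a tab.
*.*						@logserver1:2514
```

On the Splunk side the matching piece is a UDP network input on 2514 (an `[udp://2514]` stanza with `sourcetype = syslog` in inputs.conf, per Splunk's documented inputs.conf syntax), and on each box the OSSEC agent's ossec.conf gets a `<localfile>` with `<log_format>syslog</log_format>` and a `<location>` of /var/log/messages (and another for /var/log/secure). After restarting syslog and Splunk, a quick check is `logger -t ossectest "forwarding check"`: the line should appear both in /var/log/messages and in the Splunk input within a second or two; if it shows up in only one place, the missing side is the rule to look at.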
