On Mon, Nov 28, 2011 at 5:00 PM, Youngquist, Jason R. <[email protected]> wrote:
> In the ossec.conf file I understand that I can set logall to "yes" (i.e. <logall>yes</logall>) and it will log all of the events to /logs/archives/archives.log. Is there any way to change the destination IP of where all of the logfiles get sent? Ideally, I'd like all log files to go to the IP address of my SIEM, and all events that match a rule can get stored locally on the OSSEC server IP. (My current OSSEC server doesn't have enough hard drive space to send a copy of all of the logs to it.)
>
> If I can't do this, does anyone run both the Windows OSSEC agent and the Windows Snare program (http://www.intersectalliance.com/projects/BackLogNT/) on their Windows server boxes (2003 and 2008) successfully? I haven't done any tests on this yet, but thought I'd throw it out there.
>
No, OSSEC will not forward all of the logs to another system. You can run syslog-ng and filter out OSSEC's header from each log message and forward the message that way. The logs will still be stored on the OSSEC server though.

> Appreciate any thoughts.
>
> Jason Youngquist, CISSP
> Information Technology Security Engineer
> Technology Services
> Columbia College
> 1001 Rogers Street, Columbia, MO 65216
> (573) 875-7334
> [email protected]
> http://www.ccis.edu
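One way to do the forwarding the reply describes, as an added syslog-ng configuration that is not from this thread or from the OSSEC project: it tails the archive file that <logall> writes, strips the OSSEC archive header (timestamp, agent or host name, and log location) with a rewrite rule, and sends the bare original event to the SIEM. The archive path, the header pattern and the SIEM address 192.0.2.10 are assumptions; adjust them to your installation.

```conf
# Source: the archive file OSSEC writes when <logall>yes</logall> is set.
# flags(no-parse) keeps each whole line in $MESSAGE instead of trying to
# interpret it as a syslog record (the OSSEC header is not syslog-shaped).
# Path is the OSSEC default and an assumption for this example.
source s_ossec_archives {
    file("/var/ossec/logs/archives/archives.log" flags(no-parse) follow-freq(1));
};

# Strip the OSSEC archive header, which (assumed format) looks like
#   "2011 Nov 28 17:00:00 ossec-server->/var/log/secure <original event>"
# for local logs, or
#   "2011 Nov 28 17:00:00 (agent01) 10.0.0.5->WinEvtLog <original event>"
# for agent logs. Everything up to and including the location is removed,
# so only the original event text is forwarded.
rewrite r_strip_ossec_header {
    subst("^[0-9]{4} [A-Z][a-z]{2} [0-9]{2} [0-9]{2}:[0-9]{2}:[0-9]{2} .*?->[^ ]+ ",
          "", value("MESSAGE"), type("pcre"));
};

# Destination: the SIEM collector. 192.0.2.10 is a placeholder address.
destination d_siem {
    syslog("192.0.2.10" transport("tcp") port(514));
};

# Wire it together: archive file -> strip header -> SIEM.
# OSSEC's own alerts and the local archive file are untouched by this path.
log {
    source(s_ossec_archives);
    rewrite(r_strip_ossec_header);
    destination(d_siem);
};
```

Because the archive file still has to be written locally before syslog-ng can read it, this does not remove the disk-space problem on the OSSEC server; it only gets a copy of every event to the SIEM, so a logrotate policy on archives.log is still needed.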
