On Tue, Feb 28, 2012 at 9:34 AM, C. L. Martinez <[email protected]> wrote:
> Hi all,
>
> I have a really strange problem with the ossec-csyslog process on one
> server. I have two OSSEC servers that send all alerts to a central
> Splunk server. From serverA all works OK: ossec-csyslog connects to the
> Splunk server and sends all alerts to it. But with the other server I
> have problems. Both OSSEC servers are CentOS 6.2 with the same packages
> installed and the same configuration (of course with different IPs and
> different hostnames). iptables is disabled on both servers ...
>
> From serverB, I can see an established connection:
>
> [root@ossecsrv02 ~]# netstat -atunp |grep 10015
> udp        0      0 192.168.44.3:43130    192.168.44.4:10015    ESTABLISHED 14206/ossec-csyslog
>
> But from the Splunk server side, nothing appears:
>
> [root@splunksrv init.d]# netstat -atunp |grep 10015
> udp        0      0 192.168.44.4:10015    0.0.0.0:*                         4773/splunkd
>
> and no alerts from serverB appear in the Splunk web interface ...
>
> Any ideas?
OK, I have found the problem; it was on the Splunk side. It contains an IP ACL for access to port 10015 ... Sorry for the noise. Thanks.
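The symptom in this thread is worth spelling out, because it misleads people regularly: a UDP socket that netstat reports as ESTABLISHED is simply a socket on which the process called connect(). No handshake happens, the kernel just records the peer address, and send() keeps succeeding even when the far end throws every datagram away. A receiver-side source-IP ACL (for Splunk, most likely the acceptFrom setting on the UDP input; the thread does not name the setting) drops the datagram silently, so the only side that can see the failure is the receiver. The following is an added example, not code from the thread or from OSSEC or Splunk: a small UDP syslog receiver with an allowlist standing in for the Splunk ACL, and a sender that uses a connected UDP socket the way ossec-csyslog does. The allowlist values, the port (the kernel picks a free one) and the alert text are constructed.

```python
"""Why a UDP socket that netstat reports as ESTABLISHED proves nothing about delivery.

Constructed example: a UDP syslog receiver that enforces a source-IP allowlist (standing
in for Splunk's receiver-side IP ACL) and a sender using a connected UDP socket, the
pattern ossec-csyslog uses. connect() and send() succeed and the socket shows a peer
address whether or not the receiver keeps the datagram; only the receiver knows.
"""
import ipaddress
import socket
import threading
import time


def source_allowed(src_ip, acl):
    """True if src_ip lies in any address or CIDR network of the allowlist acl."""
    ip = ipaddress.ip_address(src_ip)
    return any(ip in ipaddress.ip_network(net, strict=False) for net in acl)


class AclSyslogReceiver:
    """UDP listener on loopback that silently drops datagrams from sources outside
    the ACL, recording what it accepted and what it dropped for inspection."""

    def __init__(self, acl, bind_host="127.0.0.1"):
        self.acl = acl
        self.accepted = []   # (src_ip, message) pairs that passed the ACL
        self.dropped = []    # (src_ip, message) pairs rejected by the ACL
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
        self.sock.bind((bind_host, 0))          # port 0: the kernel picks a free port
        self.sock.settimeout(0.1)
        self.port = self.sock.getsockname()[1]
        self._stop = threading.Event()
        self._thread = threading.Thread(target=self._serve, daemon=True)
        self._thread.start()

    def _serve(self):
        while not self._stop.is_set():
            try:
                data, (src_ip, _) = self.sock.recvfrom(65535)
            except socket.timeout:
                continue
            msg = data.decode("utf-8", errors="replace")
            if source_allowed(src_ip, self.acl):
                self.accepted.append((src_ip, msg))
            else:
                # Dropped the way a receiver-side ACL drops: no ICMP, no error,
                # nothing the sender could observe.
                self.dropped.append((src_ip, msg))

    def wait_for(self, n, timeout=2.0):
        """Block until n datagrams have been classified or the timeout expires."""
        deadline = time.monotonic() + timeout
        while len(self.accepted) + len(self.dropped) < n and time.monotonic() < deadline:
            time.sleep(0.01)

    def close(self):
        self._stop.set()
        self._thread.join()
        self.sock.close()


def send_syslog(host, port, message, facility=1, severity=4):
    """Send one RFC 3164-style datagram over a *connected* UDP socket. Returns the
    socket's local and peer addresses: the kernel records the peer at connect()
    time, and that is all netstat's ESTABLISHED means for UDP. No packet is
    exchanged to set it up."""
    pri = facility * 8 + severity              # syslog PRI = facility * 8 + severity
    payload = f"<{pri}>{message}".encode()
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    s.connect((host, port))                    # succeeds with no cooperation from the far end
    s.send(payload)                            # also succeeds; UDP gives no delivery feedback
    local, peer = s.getsockname(), s.getpeername()
    s.close()
    return local, peer


def demo(acl, message="ossecsrv02 ossec: constructed test alert"):
    """Run one sender against a receiver configured with acl; report what each side saw."""
    rx = AclSyslogReceiver(acl)
    try:
        _, peer = send_syslog("127.0.0.1", rx.port, message)
        rx.wait_for(1)
        return {"sender_peer": peer, "accepted": len(rx.accepted), "dropped": len(rx.dropped)}
    finally:
        rx.close()


if __name__ == "__main__":
    # ACL trusting only a constructed 192.168.44.0/24: the loopback sender is silently
    # dropped, yet its socket still reports a peer, like the ESTABLISHED line above.
    print(demo(["192.168.44.0/24"]))
    # Add the sender's network to the ACL and the same datagram is accepted.
    print(demo(["192.168.44.0/24", "127.0.0.0/8"]))
```

The practical check this suggests: when the sender's netstat looks healthy and the receiver's process shows nothing, capture on the receiver (tcpdump on the Splunk host for UDP port 10015) to separate "datagrams never arrived" from "datagrams arrived and the application dropped them". Arriving packets with no indexed events point straight at an application-level filter such as the IP ACL found here.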
