It's hack-ish, but I run multiple copies of ossec-csyslogd. You can
point to an alternate config file with -c.

On Mon, Mar 12, 2012 at 1:24 PM, Swartz, Patrick H
<[email protected]> wrote:
>
>   Hi All,
>
> When using the syslog output, is it possible to send the output to two 
> different syslog servers?
>
> This is what I have in our server's ossec.conf --
>
>  <syslog_output>
>  <server>192.168.246.96</server>
>  <port>514</port>
>  </syslog_output>
>
> <!-- Splunk -->
>  <syslog_output>
>  <server>172.27.146.15</server>
>  <port>10009</port>
>  </syslog_output>
>
>
> I ran tcpdump to capture the syslog output using this command:
> tcpdump -tttt -w /tmp/ossec_3.pcap -i eth0 port 514 or port 10009
>
> However, the only data captured was for port 514.  Can only one 
> <syslog_output> be used? Or is there something else I need to do?
>
> Thanks,
>
>   Patrick Swartz

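The workaround in the reply (one ossec-csyslogd per destination, each pointed at its own file with -c) needs one config file per <syslog_output> block. The script below is an added example, not part of the original thread or of OSSEC itself: it splits the blocks of an ossec.conf into separate files. The function names, the csyslog-N.conf file names and the /var/ossec/bin install path are assumptions, and the sample config is constructed from the one quoted in the question.

```shell
#!/bin/sh
# Write each <syslog_output> block of an OSSEC config to its own file,
# wrapped in <ossec_config>, so a separate ossec-csyslogd copy can be
# started with -c for every destination. Prints the number of files written.
# Note: blocks inside XML comments are not skipped; review the output.
split_syslog_outputs() {
    src=$1; outdir=$2
    mkdir -p "$outdir" || return 1
    awk -v dir="$outdir" '
        /<syslog_output>/   { n++; f = dir "/csyslog-" n ".conf"
                              print "<ossec_config>" > f; inblk = 1 }
        inblk               { print > f }
        /<\/syslog_output>/ { if (inblk) { print "</ossec_config>" > f
                                           close(f); inblk = 0 } }
        END                 { print n + 0 }
    ' "$src"
}

# Constructed sample input, mirroring the two destinations in the question.
write_sample_conf() {
    cat > "$1" <<'EOF'
<ossec_config>
  <syslog_output>
    <server>192.168.246.96</server>
    <port>514</port>
  </syslog_output>
  <!-- Splunk -->
  <syslog_output>
    <server>172.27.146.15</server>
    <port>10009</port>
  </syslog_output>
</ossec_config>
EOF
}

# Demo: split the sample and show how each file would be handed to a daemon
# copy. The commands are only printed; the binary path is an assumed default.
demo_dir=$(mktemp -d)
write_sample_conf "$demo_dir/ossec.conf"
split_syslog_outputs "$demo_dir/ossec.conf" "$demo_dir/out" >/dev/null
for f in "$demo_dir"/out/csyslog-*.conf; do
    echo "/var/ossec/bin/ossec-csyslogd -c $f"
done
rm -rf "$demo_dir"
```

After starting the copies, the tcpdump capture from the question (port 514 or port 10009) is the check that both destinations now receive alerts.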