On Fri, Oct 12, 2012 at 2:46 AM, kay kay <[email protected]> wrote:
> At the moment I use syslog-ng to collect logs from whole servers and analyze
> them on ossec-server with decoders and rules.
>
> How can I configure ossec-server to avoid log collecting with syslog-ng?
>
> I.e. I have two servers (ossec-agents) with nginx. I need to analyze nginx
> logs. Should I configure a decoder and rule on each of the ossec-agents, or
> can I create one decoder and one rule on ossec-server and it will be
> automatically pushed to ossec-agents?
Decoders and rules do not exist on the agents, only the OSSEC server.
There should already be a decoder for nginx logs, so that part is
taken care of, plus if you're already forwarding the logs to the OSSEC
server via syslog-ng you should have some rules in place as well.

Are you looking to use the "secure" connection method instead of
"syslog?" If so, you need to set the connection from syslog to secure
in the server's ossec.conf. It'll look something like:
  <remote>
    <connection>secure</connection>
  </remote>
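
The two sides of the setup discussed above, as an added example that is not part of the original message: the server accepts agent connections, and each nginx agent only names the server and the log files to forward, since decoding and rule matching happen on the server. The server address, the nginx log paths and the /var/ossec install path are assumptions.

```xml
<!-- Server side: /var/ossec/etc/ossec.conf (default install path assumed) -->
<ossec_config>
  <remote>
    <!-- accept encrypted, authenticated agent traffic instead of plain syslog -->
    <connection>secure</connection>
  </remote>
</ossec_config>

<!-- Agent side: /var/ossec/etc/ossec.conf on each nginx host -->
<ossec_config>
  <client>
    <!-- 192.0.2.10 is a constructed placeholder for the OSSEC server address -->
    <server-ip>192.0.2.10</server-ip>
  </client>

  <!-- No decoders or rules here: the agent only ships the raw log lines -->
  <localfile>
    <log_format>apache</log_format>
    <!-- assumed nginx access log path -->
    <location>/var/log/nginx/access.log</location>
  </localfile>

  <localfile>
    <log_format>apache</log_format>
    <!-- assumed nginx error log path -->
    <location>/var/log/nginx/error.log</location>
  </localfile>
</ossec_config>
```

Each agent also needs a key created on the server with manage_agents and imported on the agent before the secure connection will be accepted.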