On Thu, Nov 8, 2012 at 8:59 AM, Scott <[email protected]> wrote:
> Hello, I have just upgraded from 2.5.1 to 2.6 and I no longer get remote
> syslog messages in the logs (all was working before the upgrade).  I wanted
> to get on the latest stable version and keep it up-to-date.
>

Funny time to be upgrading...

> Here is a portion of my ossec.conf:
>
>   <remote>
>     <connection>syslog</connection>
>     <allowed-ips>0.0.0.0/0</allowed-ips>
>   </remote>
>

Is that exact? I have no idea if 0.0.0.0/0 will actually work or not.

>   <remote>
>     <connection>secure</connection>
>   </remote>
>
>   <alerts>
>     <log_alert_level>1</log_alert_level>
>     <email_alert_level>7</email_alert_level>
>   </alerts>
>
>   <localfile>
>     <log_format>syslog</log_format>
>     <location>/var/log/secure.log</location>
>   </localfile>
>
>   <localfile>
>     <log_format>syslog</log_format>
>     <location>/var/log/system.log</location>
>   </localfile>
>
>
> Netstat/lsof/ps shows that ossec-remoted has the connection open.  I am
> getting local syslog information, just not remote.
>

So ossec-remoted is listening to udp 514?

> I inherited this ossec installation and am not all that familiar with it,
> but I have read the manual and studied all of the config entries -- but I'm
> not sure where to look now.
>
> Can someone help me get this going again?
>
> Thanks,
>
> Scott

Turn on the log all option. Do you see the log entries in archives.log?
Run tcpdump. Do the log messages make it to the OSSEC server (on udp 514)?
Run ossec-remoted with debugging turned on. Any messages of interest?
Make sure the host doesn't have a firewall blocking the traffic.
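
An added example, not part of the original thread: a small probe that ties the first two checks together. Run "send" on a remote host to emit one uniquely tagged syslog datagram to udp 514, watch for it in tcpdump on the server, then run "check" on the server to see whether it reached archives.log. The script name, the marker format and the archive path (the default /var/ossec prefix, with the log all option enabled) are assumptions.

```python
import socket
import sys
import time
import uuid

# Assumption: default OSSEC install prefix; adjust if installed elsewhere.
ARCHIVES_LOG = "/var/ossec/logs/archives/archives.log"

def build_probe(marker, host="probe-host"):
    """Return an RFC 3164 style syslog line (facility user, severity notice)."""
    pri = 1 * 8 + 5  # user.notice -> <13>
    stamp = time.strftime("%b %d %H:%M:%S")
    return f"<{pri}>{stamp} {host} ossec-probe: {marker}".encode("ascii")

def send_probe(server, marker, port=514):
    """Send one UDP datagram carrying the marker; return bytes sent."""
    payload = build_probe(marker)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        return s.sendto(payload, (server, port))

def marker_in_archive(marker, path=ARCHIVES_LOG):
    """True if any line of the archive file contains the marker."""
    with open(path, "r", errors="replace") as fh:
        return any(marker in line for line in fh)

def main(argv):
    if len(argv) >= 3 and argv[1] == "send":
        # Random marker so the line is easy to spot in tcpdump and grep.
        marker = "probe-" + uuid.uuid4().hex[:12]
        send_probe(argv[2], marker)
        print(marker)
        return 0
    if len(argv) >= 3 and argv[1] == "check":
        found = marker_in_archive(argv[2], *argv[3:4])
        print("archived" if found else "not archived")
        return 0 if found else 1
    print("usage: probe.py send <server> | check <marker> [archives.log]")
    return 2

if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

If tcpdump shows the marker arriving but "check" reports it is not archived, the datagram reached the server and was not logged, which points at the remoted configuration rather than the network or a firewall.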
