True, and the messages look horrible, with double headers. My current idea is to run a remote on an agent -- remoted sends to queue/ossec just like logcollector, so agentd should simply forward them on to the server. Am I crazy?
To reiterate: I am trying to forward syslog udp 514 output from a dsl modem over a potentially flakey VPN to a central syslog server. The agent will know (I hope -- I haven't tested this) that it can't talk to the ossec server whereas the DSL modem wouldn't. I'm trying to capture and alert using ossec, and I'd like it to be centralized.

On Friday, November 23, 2012 7:20:45 AM UTC-6, dan (ddpbsd) wrote:

> On Wed, Nov 21, 2012 at 3:47 PM, Scott Nelson <[email protected]> wrote:
> > On Nov 21, 2012, at 2:23 PM, dan (ddp) wrote:
> >
> >>> Hmm. Okay, please have patience with me, so if I then forget about hybrid mode, then how do I forward logs safely and securely over the internet to my central ossec server?
> >>
> >> I think the point is to have a central repository for the alerts more than having a central repo for all of the logs. Otherwise you could just have 1 central server, and never have to worry about hybrid mode.
> >
> > For me, it is to have an off-site copy of all logs for compliance reasons.
>
> How do you do it now? What problems does that method have?
>
> > How about this: I configure my local ossec server to only log remote syslog files, but I also install an agent into /var/ossec/ossec-agent, and have it read /var/ossec/logs/archives/archives.log in addition to the standard things?
>
> Sounds like a lot of trouble. There's a lot of potential for false positive alerts.
