You can put a Splunk Universal Forwarder on the OSSEC server and have it monitor the alerts.log file directly. In this scenario Splunk is getting its data from the alerts file directly, so you would want to remove your <syslog_output> configuration in ossec.conf. That gives you "reliable" TCP transport and encryption as well.
On Fri, Mar 15, 2013 at 2:53 PM, Jb Cheng <[email protected]> wrote:
> One way to do this is to use another syslog client that can read from an input file and forward the content to your syslog server.
>
> I have done this using syslog4j (https://sites.google.com/site/syslog4j/) in the past.
> Once you have the syslog4j-<version>.jar file downloaded, a command similar to the following will forward the content of <input_log_file> to the syslog server.
>
> java -cp syslog4j.jar org.productivity.java.syslog4j.Syslog -i <input_log_file> -h <IP_of_syslog_server> -p 514 udp
>
>
> On Monday, March 11, 2013 3:10:19 PM UTC-7, Tony C. wrote:
>>
>> Hello,
>>
>> Currently running on OSSEC 2.6 and we have an issue where our 'ossec-csyslogd' daemon (which forwards logs to our SPLUNK server) will randomly stop. While this is something we hope will get fixed when we upgrade to 2.7, we still have the problem of forwarding the logs that were recorded by OSSEC in '/var/ossec/logs' while the forwarder was down. I've verified that the logs I want do in fact exist (right down to the time frame that wasn't forwarded), but is there a way to forward these old logs to SPLUNK? I've tried searching for a solution by googling it but either my search 'skills' are rusty or no one has had to deal with this yet. Hope someone can answer my question. Thanks!
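As an added example that is not part of this thread, OSSEC, or syslog4j: a small Python replayer for the gap Tony describes, which selects the alerts.log records from the window in which ossec-csyslogd was down and forwards them as RFC 3164-style syslog lines over TCP, the same replay the syslog4j command above does but restricted to the missed time range. The alerts.log record layout, the syslog facility, the level-to-severity mapping and the `ossec-server` hostname are assumptions, and the sample records are constructed.

```python
import re
import socket
import time
# Constructed sample in the classic OSSEC 2.x alerts.log layout (not real data).
SAMPLE_ALERTS = """\
** Alert 1363352400.100: - syslog,sshd,authentication_success,
2013 Mar 15 13:00:00 ossec-server->/var/log/auth.log
Rule: 5715 (level 3) -> 'SSHD authentication success.'
Mar 15 13:00:00 host1 sshd[2211]: Accepted publickey for alice from 10.0.0.5 port 50022 ssh2

** Alert 1363356600.101: - syslog,attacks,
2013 Mar 15 14:10:00 ossec-server->/var/log/auth.log
Rule: 5720 (level 10) -> 'Multiple SSHD authentication failures.'
Mar 15 14:10:00 host1 sshd[2300]: Failed password for invalid user admin from 10.0.0.9 port 40011 ssh2
"""
ALERT_HEADER = re.compile(r"^\*\* Alert (\d+)\.(\d+): - (.*)$")
RULE_LINE = re.compile(r"^Rule: (\d+) \(level (\d+)\) -> '(.*)'$")
FACILITY = 20  # local4 (assumed); use whatever facility your Splunk syslog input expects
def parse_alerts(text):
    """Split alerts.log text into dicts; records are separated by blank lines."""
    alerts = []
    for block in re.split(r"\n[ \t]*\n", text.strip()):
        lines = block.splitlines()
        head = ALERT_HEADER.match(lines[0]) if lines else None
        rule = RULE_LINE.match(lines[2]) if len(lines) > 2 else None
        if not (head and rule):
            continue  # not a well-formed alert record; skip rather than guess
        alerts.append({"epoch": int(head.group(1)), "location": lines[1].split(None, 4)[4],
                       "rule_id": int(rule.group(1)), "level": int(rule.group(2)),
                       "description": rule.group(3), "log": " ".join(lines[3:])})
    return alerts
def in_window(alerts, start_epoch, end_epoch):
    """Keep alerts recorded while the forwarder was down: [start, end) in epoch seconds."""
    return [a for a in alerts if start_epoch <= a["epoch"] < end_epoch]
def to_syslog(alert, hostname="ossec-server"):
    """Render one alert as an RFC 3164-style line; level-to-severity mapping is assumed."""
    sev = 2 if alert["level"] >= 10 else 4 if alert["level"] >= 7 else 6
    stamp = time.strftime("%b %d %H:%M:%S", time.gmtime(alert["epoch"]))  # UTC, zero-padded day
    return (f"<{FACILITY * 8 + sev}>{stamp} {hostname} ossec: Alert Level: {alert['level']}; "
            f"Rule: {alert['rule_id']} - {alert['description']}; "
            f"Location: {alert['location']}; {alert['log']}")
def replay(path, host, port, start_epoch, end_epoch):
    """Read alerts.log and push the gap to a TCP syslog input, newline-framed; returns count sent."""
    with open(path, encoding="utf-8", errors="replace") as f, socket.create_connection((host, port)) as s:
        selected = in_window(parse_alerts(f.read()), start_epoch, end_epoch)
        for a in selected:
            s.sendall(to_syslog(a).encode() + b"\n")
    return len(selected)
```

Run it as `replay("/var/ossec/logs/alerts/alerts.log", splunk_host, splunk_tcp_port, gap_start, gap_end)` with the gap bounds taken from the `** Alert <epoch>` timestamps around the outage; the replayed lines land in Splunk with their original timestamps in the message body, not the time of replay.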
