On Thu, Feb 20, 2014 at 4:53 PM, Zim plton <[email protected]> wrote:
> I am trying to set up Cisco syslog with ossec. The ossec.conf file has a
> remote section:
>
> <remote><connection>syslog</connection><allowed-ips>ip address</allowed-ips></remote>
>
> If I run a netstat -anp | grep 514; I see both 514 and 1514 are listening
> for UDP connections and ossec-remoted has opened the ports.
>
> I ran a tcpdump on my server listening to port 514 and I see the router send
> over a local7.notice syslog entry, but I cannot find it in either my
> /var/log/syslog or the /var/ossec/logs/archive (I put the log-all
> statement in the ossec.conf global section).
>
I don't know if syslog messages get logged to the archive. Your best bet is to create a rule that should be triggered by one of the logs and see if the rule fires. If it does, it's working. You could also have rsyslog accept the syslog messages and then just have OSSEC read them from the log files.

> Do I need to make a change to my rsyslog config to accept and log the
> *.notice? Rsyslog isn't running since ossec-remoted can't open port 514
> when it is.
>
> Server is an Ubuntu 12.04 and OSSEC is 2.7.1
>
> Sorry for the long email but any guidance would be appreciated.
>
> Thank you
>
> --
>
> ---
> You received this message because you are subscribed to the Google Groups
> "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to [email protected].
> For more options, visit https://groups.google.com/groups/opt_out.
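A small diagnostic that follows from the thread, added here as an example and not part of either message: it decodes the PRI of a datagram like the one seen in the tcpdump capture (local7.notice is PRI 189) and checks the sender against the `<allowed-ips>` list that ossec-remoted enforces before it will process a syslog message. The Cisco-style sample line and the addresses are constructed.

```python
import ipaddress
import re

# RFC 3164 facility and severity names: PRI = facility * 8 + severity,
# so the router's local7.notice shows up on the wire as "<189>".
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock",
              "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7"]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

PRI_RE = re.compile(rb"^<(\d{1,3})>")


def decode_pri(pri):
    """Split a numeric PRI into (facility, severity) names."""
    if not 0 <= pri <= 191:
        raise ValueError("PRI out of range: %d" % pri)
    return FACILITIES[pri // 8], SEVERITIES[pri % 8]


def encode_pri(facility, severity):
    """Inverse of decode_pri, for crafting a test datagram of your own."""
    return FACILITIES.index(facility) * 8 + SEVERITIES.index(severity)


def parse_datagram(data, src_ip, allowed_ips):
    """Decode one UDP syslog datagram (bytes) and report whether a remote
    section listing allowed_ips (hosts or CIDR blocks) would accept it."""
    m = PRI_RE.match(data)
    if not m:
        return {"valid": False, "src": src_ip, "reason": "missing <PRI> header"}
    facility, severity = decode_pri(int(m.group(1)))
    src = ipaddress.ip_address(src_ip)
    accepted = any(src in ipaddress.ip_network(a, strict=False) for a in allowed_ips)
    return {
        "valid": True,
        "src": src_ip,
        "facility": facility,
        "severity": severity,
        "accepted": accepted,
        "message": data[m.end():].decode("utf-8", "replace").strip(),
    }


# Constructed sample: a Cisco-style message as it would appear in the tcpdump capture.
SAMPLE = b"<189>42: *Feb 20 16:53:12: %SYS-5-CONFIG_I: Configured from console by vty0"

if __name__ == "__main__":
    print(parse_datagram(SAMPLE, "192.0.2.1", ["192.0.2.1"]))      # accepted: True
    print(parse_datagram(SAMPLE, "192.0.2.1", ["198.51.100.0/24"]))  # accepted: False
```

If `accepted` comes back False for a real capture, the router's address is missing from `<allowed-ips>` and ossec-remoted will not pass the message on to analysis.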
