Add the following line to your ossec.conf file in the <global> section:

<logall>yes</logall>

You should see the entries in your archive file.

On Thursday, February 20, 2014 3:53:09 PM UTC-6, Zim plton wrote:
>
> I am trying to set up Cisco syslog with ossec. The ossec.conf file has a
> remote section:
>
> <remote><connection>syslog</connection><allowed-ips>ip address</allowed-ips></remote>
>
> If I run a netstat -anp | grep 514; I see both 514 and 1514 are
> listening for UDP connections and ossec-remoted has opened the ports.
>
> I ran a tcpdump on my server listening to port 514 and I see the router
> send over a local7.notice syslog entry, but I cannot find it in either my
> /var/log/syslog or the /var/ossec/logs/archive (I put the log-all
> statement in the ossec.conf global section).
>
> Do I need to make a change to my rsyslog config to accept and log the
> *.notice? Rsyslog isn't running since ossec-remoted can't open port 514
> when it is.
>
> Server is an Ubuntu 12.04 and OSSEC is 2.7.1
>
> Sorry for the long email but any guidance would be appreciated.
>
> Thank you
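
A configuration check for the two settings discussed in this thread, added here as an example (it is not part of either message and not OSSEC code). The function name, the sample config and the 192.0.2.x addresses are constructed for illustration; it only inspects ossec.conf text and treats any <logall>yes</logall> as enabled.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample config (not from the thread); 192.0.2.0/24 is a documentation range.
SAMPLE_CONF = """
<ossec_config>
  <global>
    <logall>yes</logall>
  </global>
  <remote>
    <connection>syslog</connection>
    <allowed-ips>192.0.2.10</allowed-ips>
  </remote>
</ossec_config>
<ossec_config>
  <remote>
    <connection>secure</connection>
  </remote>
</ossec_config>
"""

def check_syslog_intake(conf_text, sender_ip):
    """Return reasons why syslog from sender_ip would not reach the archive log."""
    # ossec.conf may hold several <ossec_config> blocks, so wrap them in one root.
    root = ET.fromstring("<root>" + conf_text + "</root>")
    problems = []
    logall = [e.text.strip().lower() for e in root.iter("logall") if e.text]
    if "yes" not in logall:
        problems.append("logall is not enabled in <global>")
    sender = ipaddress.ip_address(sender_ip)
    allowed = syslog_seen = False
    for remote in root.iter("remote"):
        if (remote.findtext("connection") or "").strip() != "syslog":
            continue  # "secure" blocks serve agents, not plain syslog senders
        syslog_seen = True
        for entry in remote.findall("allowed-ips"):
            try:
                allowed = allowed or sender in ipaddress.ip_network((entry.text or "").strip(), strict=False)
            except ValueError:
                continue  # placeholder or malformed entry, e.g. "ip address"
    if not syslog_seen:
        problems.append("no <remote> block with <connection>syslog</connection>")
    elif not allowed:
        problems.append("sender %s is not covered by <allowed-ips>" % sender_ip)
    return problems
```

An empty list means the configuration accepts the sender and archives all events; a packet that tcpdump shows arriving but that still never appears then points to something outside ossec.conf.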
