the problem is probably not on the ossec side. I've got the following in my config and it's working

<syslog_output>
  <server>127.0.0.1</server>
  <port>514</port>
  <format>json</format>
</syslog_output>

what are you sending to? have you done a tcpdump to see what's happening?

David Lang

On Fri, 13 Mar 2015, DirtDiver wrote:

Date: Fri, 13 Mar 2015 15:14:25 -0700 (PDT)
From: DirtDiver <[email protected]>
Reply-To: [email protected]
To: [email protected]
Subject: [ossec-list] Oseec Server output to Suslog Server

All,

I have a fresh install with a default ossec.conf file.  Below is the file.
I can not for the life of me get it to forward alerts/logs to the remote
syslog server.  What i would really want to do is have this send all
Windows events to the syslog server 10.0.1.116.





<ossec_config>

   <global>

     <email_notification>no</email_notification>
     <custom_alert_output>AV - Alert - "$TIMESTAMP" --> RID: "$RULEID";
RL: "$RULELEVEL"; RG: "$RULEGROUP"; RC: "$RULECOMMENT"; USER: "$DSTUSER";
SRCIP: "$SRCIP"; HOSTNAME: "$HOSTNAME"; LOCATION: "$LOCATION"; EVENT:
"[INIT]$FULLLOG[END]"; </custom_alert_output>
 </global>
   <syscheck>
   <alert_new_files>yes</alert_new_files>
     <frequency>21600</frequency>
     <auto_ignore>no</auto_ignore>
     <alert_new_files>no</alert_new_files>
     <scan_on_start>yes</scan_on_start>
     <directories check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
     <directories check_all="yes">/bin,/sbin</directories>
     <directories realtime="yes" report_changes="yes" check_all="yes"
check_sum="yes">C:\Windows\system32</directories>
     <ignore>/etc/mtab</ignore>
     <ignore>/etc/mnttab</ignore>
     <ignore>/etc/hosts.deny</ignore>
     <ignore>/etc/mail/statistics</ignore>
     <ignore>/etc/random-seed</ignore>
     <ignore>/etc/adjtime</ignore>
     <ignore>/etc/httpd/logs</ignore>
     <ignore>/etc/utmpx</ignore>
     <ignore>/etc/wtmpx</ignore>
     <ignore>/etc/cups/certs</ignore>
     <ignore>/etc/dumpdates</ignore>
     <ignore>/etc/svc/volatile</ignore>
     <ignore>C:\WINDOWS/System32/LogFiles</ignore>
     <ignore>C:\WINDOWS/Debug</ignore>
     <ignore>C:\WINDOWS/WindowsUpdate.log</ignore>
     <ignore>C:\WINDOWS/iis6.log</ignore>
     <ignore>C:\WINDOWS/system32/wbem/Logs</ignore>
     <ignore>C:\WINDOWS/system32/wbem/Repository</ignore>
     <ignore>C:\WINDOWS/Prefetch</ignore>
     <ignore>C:\WINDOWS/PCHEALTH/HELPCTR/DataColl</ignore>
     <ignore>C:\WINDOWS/SoftwareDistribution</ignore>
     <ignore>C:\WINDOWS/Temp</ignore>
     <ignore>C:\WINDOWS/system32/config</ignore>
     <ignore>C:\WINDOWS/system32/spool</ignore>
     <ignore>C:\WINDOWS/system32/CatRoot</ignore>
   </syscheck>
   <rootcheck>
     <rootkit_files>/var/ossec/etc/shared/rootkit_files.txt</rootkit_files>

<rootkit_trojans>/var/ossec/etc/shared/rootkit_trojans.txt</rootkit_trojans>

<system_audit>/var/ossec/etc/shared/system_audit_rcl.txt</system_audit>

<system_audit>/var/ossec/etc/shared/cis_debian_linux_rcl.txt</system_audit>

<system_audit>/var/ossec/etc/shared/cis_rhel_linux_rcl.txt</system_audit>

<system_audit>/var/ossec/etc/shared/cis_rhel5_linux_rcl.txt</system_audit>
   </rootcheck>
   <active-response>
     <disabled>yes</disabled>
   </active-response>
   <remote>
     <connection>secure</connection>
   </remote>
   <alerts>
     <log_alert_level>1</log_alert_level>
   </alerts>
   <!-- Files to monitor (localfiles) -->
   <localfile>
     <log_format>syslog</log_format>
     <location>/var/log/messages</location>
   </localfile>
   <localfile>
     <log_format>syslog</log_format>
     <location>/var/log/auth.log</location>
   </localfile>
   <localfile>
     <log_format>syslog</log_format>
     <location>/var/log/syslog</location>
   </localfile>
   <localfile>
     <log_format>syslog</log_format>
     <location>/var/log/mail.info</location>
   </localfile>
   <localfile>
     <log_format>syslog</log_format>
     <location>/var/log/dpkg.log</location>
   </localfile>
   <localfile>
     <log_format>apache</log_format>
     <location>/var/log/apache2/error.log</location>
   </localfile>
   <localfile>
     <log_format>apache</log_format>
     <location>/var/log/apache2/access.log</location>
   </localfile>
 </ossec_config>
 <ossec_config>

<!-- rules global entry -->
 </ossec_config>
 <!-- rules global entry -->
 <ossec_config>
   <!-- rules global entry -->
 </ossec_config>
 <!-- rules global entry -->
 <ossec_config>
   <!-- rules global entry -->
   <rules>
     <include>rules_config.xml</include>
     <include>pam_rules.xml</include>
     <include>sshd_rules.xml</include>
     <include>telnetd_rules.xml</include>
     <include>syslog_rules.xml</include>
     <include>arpwatch_rules.xml</include>
     <include>symantec-av_rules.xml</include>
     <include>symantec-ws_rules.xml</include>
     <include>pix_rules.xml</include>
     <include>named_rules.xml</include>
     <include>smbd_rules.xml</include>
     <include>vsftpd_rules.xml</include>
     <include>pure-ftpd_rules.xml</include>
     <include>proftpd_rules.xml</include>
     <include>ms_ftpd_rules.xml</include>
     <include>ftpd_rules.xml</include>
     <include>hordeimp_rules.xml</include>
     <include>vpopmail_rules.xml</include>
     <include>vmpop3d_rules.xml</include>
     <include>courier_rules.xml</include>
     <include>web_rules.xml</include>
     <include>apache_rules.xml</include>
     <include>mysql_rules.xml</include>
     <include>postgresql_rules.xml</include>
     <include>ids_rules.xml</include>
     <include>squid_rules.xml</include>
     <include>firewall_rules.xml</include>
     <include>cisco-ios_rules.xml</include>
     <include>netscreenfw_rules.xml</include>
     <include>sonicwall_rules.xml</include>
     <include>postfix_rules.xml</include>
     <include>sendmail_rules.xml</include>
     <include>imapd_rules.xml</include>
     <include>mailscanner_rules.xml</include>
     <include>ms-exchange_rules.xml</include>
     <include>racoon_rules.xml</include>
     <include>vpn_concentrator_rules.xml</include>
     <include>spamd_rules.xml</include>
     <include>msauth_rules.xml</include>
     <include>mcafee_av_rules.xml</include>
     <!-- <include>policy_rules.xml</include> -->
     <include>zeus_rules.xml</include>
     <include>solaris_bsm_rules.xml</include>
     <include>vmware_rules.xml</include>
     <include>ossec_rules.xml</include>
     <include>attack_rules.xml</include>
     <include>local_rules.xml</include>
     <include>ms_dhcp_rules.xml</include>
   <include>alienvault-directory-service_rules.xml</include>
 </rules>


<syslog_output>
 <server>10.0.1.116</server>
 <port>9000</port>
 <format>json</format>
</syslog_output>

 </ossec_config>
 <!-- rules global entry -->


Reply via email to