On Mar 16, 2015 11:48 AM, "Eric Huffman" <[email protected]> wrote:
>
> Yes ossec-csyslogd is enabled and running. I should have said default from OSSIM.
>

Does it work if you remove the custom alert output configuration?

> thanks
>
> -----Original Message-----
> From: [email protected] [mailto:[email protected]] On Behalf Of dan (ddp)
> Sent: Monday, March 16, 2015 6:21 AM
> To: [email protected]
> Subject: Re: [ossec-list] OSSEC Server output to Syslog Server
>
> On Fri, Mar 13, 2015 at 6:14 PM, DirtDiver <[email protected]> wrote:
> > All,
> >
> > I have a fresh install with a default ossec.conf file. Below is the file.
> > I cannot for the life of me get it to forward alerts/logs to the
> > remote syslog server. What I would really want to do is have this
> > send all Windows events to the syslog server 10.0.1.116.
> >
> > <ossec_config>
> >
> > <global>
> >
> > <email_notification>no</email_notification>
> > <custom_alert_output>AV - Alert - "$TIMESTAMP" --> RID: "$RULEID"; RL:
> > "$RULELEVEL"; RG: "$RULEGROUP"; RC: "$RULECOMMENT"; USER: "$DSTUSER"; SRCIP:
> > "$SRCIP"; HOSTNAME: "$HOSTNAME"; LOCATION: "$LOCATION"; EVENT:
> > "[INIT]$FULLLOG[END]"; </custom_alert_output>
>
> I don't think this is a default ossec.conf.
>
> > <syslog_output>
> > <server>10.0.1.116</server>
> > <port>9000</port>
> > <format>json</format>
> > </syslog_output>
> >
>
> Is ossec-csyslogd running?
>
> > </ossec_config>
> > <!-- rules global entry -->
> >
> > --
> >
> > ---
> > You received this message because you are subscribed to the Google
> > Groups "ossec-list" group.
> > To unsubscribe from this group and stop receiving emails from it, send
> > an email to [email protected].
> > For more options, visit https://groups.google.com/d/optout.
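A quick way to settle the "is anything being forwarded at all?" question in this thread is to listen on the destination port from the `<syslog_output>` stanza (9000) and decode what arrives. The script below is an added example, not code from the thread or from OSSEC; it assumes RFC 3164 style framing and treats the body as JSON because of `<format>json</format>`, and the sample datagram and its field names are constructed for illustration rather than OSSEC's exact schema.

```python
import json
import re
import socket

# Port from the thread's <syslog_output>; bind to all interfaces so the check
# also works when the box has more than the 10.0.1.116 address.
LISTEN_HOST = "0.0.0.0"
LISTEN_PORT = 9000

# RFC 3164 framing: <PRI>Mon DD HH:MM:SS host tag: body
SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>\w{3} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<tag>[^:]+): (?P<body>.*)$",
    re.DOTALL,
)

# Constructed sample datagram (not a real OSSEC capture); rule id 100001 is in
# the custom-rule range and the field names are illustrative only.
SAMPLE = ('<132>Mar 16 11:48:00 ossec-server ossec: '
          '{"crit":5,"id":100001,"description":"Example Windows logon alert",'
          '"component":"(win-host) 10.0.1.50->WinEvtLog",'
          '"src_ip":"10.0.1.20","user":"jdoe"}')


def parse_ossec_syslog(line):
    """Split one forwarded alert into syslog metadata plus its JSON payload.

    Returns None when the datagram is not syslog-framed or the body is not
    JSON, so the caller can distinguish "nothing arrives" (ossec-csyslogd not
    running, config not loaded, firewall) from "arrives in another format".
    """
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    try:
        alert = json.loads(m.group("body"))
    except ValueError:
        return None
    pri = int(m.group("pri"))
    return {"facility": pri >> 3, "severity": pri & 7,
            "host": m.group("host"), "tag": m.group("tag"), "alert": alert}


def listen(host=LISTEN_HOST, port=LISTEN_PORT, count=1, timeout=30):
    """Receive up to `count` UDP datagrams (ossec-csyslogd sends UDP) and parse them."""
    results = []
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.bind((host, port))
        sock.settimeout(timeout)
        while len(results) < count:
            try:
                data, peer = sock.recvfrom(65535)
            except socket.timeout:
                break  # nothing arrived: look upstream of the syslog server
            results.append((peer[0], parse_ossec_syslog(data.decode("utf-8", "replace"))))
    return results


if __name__ == "__main__":
    print(parse_ossec_syslog(SAMPLE))
    for peer, parsed in listen():
        print(peer, parsed)
```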
