On Thu, May 28, 2015 at 2:24 AM, Martynas Buožis <[email protected]> wrote:

> Hello
>
> I was expecting everything that is in alerts.log to be sent. And it is not sent
> via syslog. Am I missing something in my understanding?
Try adding <level>1</level> to your syslog output config.

> Martynas
>
> From: [email protected] [mailto:[email protected]] On Behalf Of Xavier Mertens
> Sent: Wednesday, May 27, 2015 3:24 PM
> To: ossec-list
> Subject: Re: [ossec-list] Syslog output issue
>
> Only alerts are sent to the syslog output, not logs (if you enabled the
> <logall> feature).
>
> /x
>
> On Wed, May 27, 2015 at 11:20 AM, Martynas Buožis <[email protected]> wrote:
>
> Hello
>
> I have the following configuration in /var/ossec/etc/ossec.conf :
>
> <syslog_output>
>   <server>10.10.0.11</server>
> </syslog_output>
>
> I also see that /var/ossec/bin/ossec-csyslogd is running and has a UDP
> socket open towards the syslog server :
>
> # lsof -p 3781 | grep UDP
> ossec-csy 3781 ossecm 6u IPv4 145795360 0t0 UDP usm.baipgroup.lt:54414->10.10.0.11:syslog
>
> But no message is sent to the syslog server. strace shows that the log file is being
> read, but no message is sent via UDP :
>
> # strace -p 3781
> Process 3781 attached - interrupt to quit
> select(0, NULL, NULL, NULL, {0, 891300}) = 0 (Timeout)
> read(5, "AV - Alert - \"1432718370\" --> RI"..., 4096) = 4096
> read(5, "ION: \"/var/log/auth.log\"; EVENT:"..., 4096) = 4096
> read(5, "rity-Auditing: MCibulskis@BAIPGR"..., 4096) = 4096
> read(5, "EvtLog\"; LOCATION: \"(NMAIL01) 10"..., 4096) = 2526
> read(5, "", 4096) = 0
> select(0, NULL, NULL, NULL, {5, 0}) = 0 (Timeout)
> read(5, "AV - Alert - \"1432718374\" --> RI"..., 4096) = 4096
> read(5, "\"; RL: \"3\"; RG: \"syslog,sudo\"; R"..., 4096) = 1659
> read(5, "", 4096) = 0
>
> Why are messages not being delivered via the syslog output connection ?
>
> Thanks a lot for any advice.
>
> With best regards
> Martynas
>
> --
>
> ---
> You received this message because you are subscribed to the Google Groups
> "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to [email protected].
> For more options, visit https://groups.google.com/d/optout.
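The fix suggested in the thread is the <level> element of <syslog_output>, i.e. <syslog_output><server>10.10.0.11</server><level>1</level></syslog_output>: ossec-csyslogd only forwards an alert whose rule level is at least that value, and the sudo alert visible in the strace output (RL: "3") sits below a higher default. The script below is an added example, not code from OSSEC or from anyone in the thread. It parses a few constructed alert lines in the key/value format whose field names appear in the strace fragments (RID, RL, RG, LOCATION, EVENT) and applies the same minimum-level filter, so you can see which alerts a given <level> lets through before changing the live config. The default of 7 is my recollection of OSSEC's documented default for this setting and should be checked against your version; the sample alerts, hostnames and users are made up for the example.

```python
"""Minimum-level filter for OSSEC <syslog_output>, as an added worked example.

ossec-csyslogd forwards an alert only when its rule level (RL) is at least
the value of <level>. This script parses alert lines in the "AV - Alert"
key/value format and applies that filter offline.
"""
import re
from typing import Dict, List, Optional, Tuple

# Assumption: OSSEC's documented default for <level> in <syslog_output>.
# Verify against the documentation for the version you run.
DEFAULT_MIN_LEVEL = 7

# Constructed sample alerts (not real traffic), modelled on the field names
# seen in the strace fragments: RID (rule id), RL (rule level), RG (rule
# groups), RC (rule comment), USER, SRCIP, HOSTNAME, LOCATION, EVENT.
SAMPLE_ALERTS: List[str] = [
    'AV - Alert - "1432718370" --> RID: "5402"; RL: "3"; RG: "syslog,sudo"; '
    'RC: "Successful sudo to ROOT executed"; USER: "jdoe"; SRCIP: "None"; '
    'HOSTNAME: "usm"; LOCATION: "usm->/var/log/auth.log"; '
    'EVENT: "[INIT]May 27 11:19:30 usm sudo: jdoe : TTY=pts/0 ; COMMAND=/bin/ls[END]";',
    'AV - Alert - "1432718374" --> RID: "5712"; RL: "10"; '
    'RG: "syslog,sshd,authentication_failures"; '
    'RC: "SSHD brute force trying to get access to the system."; USER: "None"; '
    'SRCIP: "203.0.113.7"; HOSTNAME: "usm"; LOCATION: "usm->/var/log/auth.log"; '
    'EVENT: "[INIT]May 27 11:19:34 usm sshd[2211]: Failed password for invalid user admin from 203.0.113.7[END]";',
    'AV - Alert - "1432718380" --> RID: "18107"; RL: "5"; RG: "windows,authentication_failed"; '
    'RC: "Windows Logon Failure."; USER: "jdoe@EXAMPLE"; SRCIP: "None"; '
    'HOSTNAME: "(NMAIL01) 10.10.0.20"; LOCATION: "(NMAIL01) 10.10.0.20->WinEvtLog"; '
    'EVENT: "[INIT]WinEvtLog: Security: AUDIT_FAILURE(4625): Microsoft-Windows-Security-Auditing[END]";',
]

# Header: AV - Alert - "<epoch>" --> <fields>
_HEADER_RE = re.compile(r'^AV - Alert - "(\d+)" --> (.*)$')
# Fields: KEY: "value";  (non-greedy so an EVENT containing ';' still parses)
_FIELD_RE = re.compile(r'(\w+): "(.*?)";')


def parse_alert(line: str) -> Optional[Dict[str, str]]:
    """Parse one "AV - Alert" line into a dict; None if it is not in that format."""
    match = _HEADER_RE.match(line.strip())
    if not match:
        return None
    alert: Dict[str, str] = {"timestamp": match.group(1)}
    for key, value in _FIELD_RE.findall(match.group(2)):
        alert[key] = value
    # An alert without a numeric rule level cannot be filtered; reject it.
    if not alert.get("RL", "").isdigit():
        return None
    return alert


def split_by_level(lines: List[str], min_level: int = DEFAULT_MIN_LEVEL) -> Tuple[List[str], List[str]]:
    """Return (forwarded, dropped) rule IDs for a syslog_output with <level>min_level</level>.

    Unparseable lines are skipped, mirroring the fact that only alert
    records are candidates for forwarding at all.
    """
    forwarded: List[str] = []
    dropped: List[str] = []
    for line in lines:
        alert = parse_alert(line)
        if alert is None:
            continue
        if int(alert["RL"]) >= min_level:
            forwarded.append(alert["RID"])
        else:
            dropped.append(alert["RID"])
    return forwarded, dropped


if __name__ == "__main__":
    # Compare the assumed default with the <level>1</level> suggested in the thread.
    for level in (DEFAULT_MIN_LEVEL, 1):
        fwd, drop = split_by_level(SAMPLE_ALERTS, level)
        print(f"<level>{level}</level>: forwarded rules {fwd}, dropped rules {drop}")
```

With the assumed default only the level-10 sshd alert would reach 10.10.0.11; with <level>1</level> all three are forwarded. Note that this filter only ever sees alerts: records written by <logall> to the archives are not alerts and are not candidates for syslog output regardless of the level setting, which is the other point made in the thread.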
