Hi. I'm setting up ossec 2.8.1, running on Ubuntu 14.04LTS.
I can see alerts (in /var/ossec/logs/alerts/alerts.log) but they don't
appear in syslog, even though I've configured it to be there. The following
is my current config; I was running it with only the first two config items
at first.
<syslog_output>
<server>127.0.0.1</server>
<format>json</format>
<port>514</port>
<level>1</level>
</syslog_output>
To round out the configuration details:
rsyslog is configured to accept UDP input:
module(load="imudp")
input(type="imudp" port="514" address="127.0.0.1")
I've proven it works with a simple little netcat:
echo '<14>sourcehost message text' | nc -v -u -w 0 127.0.0.1 514
Here's a sample from alerts.log:
** Alert 1457050265.3945: - syslog,sudo
2016 Mar 04 00:11:05 ip-172-31-12-158->/var/log/auth.log
Rule: 5402 (level 3) -> 'Successful sudo to ROOT executed'
User: ubuntu
Mar 4 00:11:05 ip-172-31-12-158 sudo: ubuntu : TTY=pts/3 ;
PWD=/home/ubuntu ; USER=root ; COMMAND=/usr/bin/tail -f
/var/ossec/logs/alerts/alerts.log
Dan provided an answer to this in May 2015, subject "Syslog output issue",
but it is missing a lot of detail/followup from the user.
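As an added example (not part of the original post, and not OSSEC's own code): a small Python UDP listener that can stand in for rsyslog on 127.0.0.1:514, so you can tell whether OSSEC is emitting syslog datagrams at all or whether the problem is on the rsyslog side. The datagram layout and JSON keys below are constructed assumptions, not OSSEC's exact schema.

```python
import json
import re
import socket

# Constructed datagram in the shape OSSEC's syslog_output sends with <format>json</format>:
# PRI, timestamp, host, tag, JSON body. The keys are assumptions, not OSSEC's exact schema.
SAMPLE_DATAGRAM = (
    b"<132>Mar  4 00:11:05 ip-172-31-12-158 ossec: "
    b'{"rule_id": 5402, "level": 3, "user": "ubuntu", '
    b'"description": "Successful sudo to ROOT executed"}'
)

_HEADER = re.compile(
    rb"^<(?P<pri>\d{1,3})>\w{3} +\d{1,2} \d\d:\d\d:\d\d "
    rb"(?P<host>\S+) (?P<tag>[^:]+): (?P<body>.*)$", re.S)

def parse_datagram(data):
    """Split a BSD-syslog datagram into PRI, header fields and body. None if not
    syslog-shaped; 'alert' is None when the body is not JSON (<format>default</format>)."""
    m = _HEADER.match(data)
    if not m:
        return None
    pri = int(m.group("pri"))
    try:
        alert = json.loads(m.group("body"))
    except ValueError:
        alert = None
    return {"facility": pri // 8, "severity": pri % 8,
            "host": m.group("host").decode(), "tag": m.group("tag").decode(),
            "alert": alert, "raw_body": m.group("body").decode(errors="replace")}

def listen(host="127.0.0.1", port=514):
    """Bind where rsyslog's imudp sits (514 needs root and rsyslog stopped)."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind((host, port))
    return sock

def receive_alert(sock, timeout=5.0):
    """One datagram, or None if nothing arrived: then OSSEC is not sending."""
    sock.settimeout(timeout)
    try:
        data, _ = sock.recvfrom(65535)
    except socket.timeout:
        return None
    return parse_datagram(data)

def send_datagram(host, port, data):
    """Same probe as the netcat one-liner in the post, for exercising listen()."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.sendto(data, (host, port))
```

With rsyslog stopped, run `listen()` as root and trigger an alert: a `None` from `receive_alert` means OSSEC never sent anything (look at its config and daemon restart), while a parsed result means the datagrams arrive and rsyslog's input or rules are dropping them.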
You received this message because you are subscribed to the Google Groups
"ossec-list" group.