On Thu, Mar 3, 2016 at 7:12 PM, Ted Timmons <[email protected]> wrote:
> Hi. I'm setting up ossec 2.8.1, running on Ubuntu 14.04LTS.
>
> I can see alerts (in /var/ossec/logs/alerts/alert.log) but they don't appear
> in syslog, even though I've configured it to be there. The following is my
> current config; I was running it with only the first two config items at
> first.
>
>   <syslog_output>
>     <server>127.0.0.1</server>
>     <format>json</format>
>     <port>514</port>
>     <level>1</level>
>   </syslog_output>

Did you enable csyslogd? I think it's `/var/ossec/bin/ossec-control enable client-syslog`
Then restart the processes?

> To round out the configuration details:
>
> rsyslog is configured to accept UDP input:
>
>   module(load="imudp")
>   input(type="imudp" port="514" address="127.0.0.1")
>
> I've proven it works with a simple little netcat:
>
>   echo '<14>sourcehost message text' | nc -v -u -w 0 127.0.0.1 514
>
> Here's a sample from alerts.log:
>
>   ** Alert 1457050265.3945: - syslog,sudo
>   2016 Mar 04 00:11:05 ip-172-31-12-158->/var/log/auth.log
>   Rule: 5402 (level 3) -> 'Successful sudo to ROOT executed'
>   User: ubuntu
>   Mar 4 00:11:05 ip-172-31-12-158 sudo: ubuntu : TTY=pts/3 ; PWD=/home/ubuntu ; USER=root ; COMMAND=/usr/bin/tail -f /var/ossec/logs/alerts/alerts.log
>
> Dan provided an answer to this in May 2015, subject "Syslog output issue",
> but it is missing a lot of detail/followup from the user.
>
> --
> You received this message because you are subscribed to the Google Groups "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
> For more options, visit https://groups.google.com/d/optout.
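Added example, not from the thread or the OSSEC project: a small Python UDP receiver and parser for the datagrams ossec-csyslogd sends with `<format>json</format>`, so you can confirm alerts actually arrive on 127.0.0.1:514 once client-syslog is enabled. The sample datagram is constructed; its JSON field names and the `<132>` PRI value are assumptions, while the rule id, level, host and description are those of the alert quoted above.

```python
import json
import re
import socket

# Constructed sample datagram (not captured from the thread): the quoted rule 5402
# alert as ossec-csyslogd might forward it with <format>json</format>. The JSON
# field names and the PRI value <132> (local0.warning) are assumptions.
SAMPLE_DATAGRAM = (
    b'<132>Mar  4 00:11:05 ip-172-31-12-158 ossec: '
    b'{"crit":3,"id":5402,"description":"Successful sudo to ROOT executed",'
    b'"component":"ip-172-31-12-158->/var/log/auth.log",'
    b'"classification":" syslog,sudo,","user":"ubuntu"}'
)

# BSD-syslog (RFC 3164) header: <PRI>TIMESTAMP HOST TAG: MSG
_HEADER = re.compile(
    rb'^<(?P<pri>\d{1,3})>(?P<ts>\w{3} [ \d]\d \d\d:\d\d:\d\d) '
    rb'(?P<host>\S+) (?P<tag>[^:]+): (?P<msg>.*)$',
    re.S,
)

def parse_alert(datagram: bytes) -> dict:
    """Split one datagram into PRI facility/severity, header fields and the JSON alert."""
    m = _HEADER.match(datagram)
    if not m:
        raise ValueError("not a BSD syslog datagram")
    pri = int(m.group("pri"))          # PRI = facility * 8 + severity
    return {
        "facility": pri >> 3,
        "severity": pri & 7,
        "host": m.group("host").decode(),
        "tag": m.group("tag").decode(),
        "alert": json.loads(m.group("msg")),
    }

def meets_threshold(parsed: dict, min_level: int = 1) -> bool:
    """Mirror the <level> filter: would csyslogd have forwarded this alert?"""
    return parsed["alert"].get("crit", 0) >= min_level

def listen_once(addr="127.0.0.1", port=514, timeout=10.0) -> dict:
    """Bind where rsyslog's imudp would (stop rsyslog first, or use a test port) and wait for one alert."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.bind((addr, port))
        data, _ = sock.recvfrom(65535)
        return parse_alert(data)
```

Binding port 514 needs root; if rsyslog already holds it, point `<port>` in ossec.conf at a spare port for the check and revert afterwards.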
