On Thu, Sep 1, 2016 at 11:27 AM, Olivier Doisneau
<[email protected]> wrote:
> yes so this is what I see in the alerts.log
>
> ** Alert 1472743613.1120105: - pam,syslog,
> 2016 Sep 01 15:26:53 (dev-login-01) any->/var/log/secure
> Rule: 5502 (level 3) -> 'Login session closed.'
> Sep 1 15:26:51 dev-login-01 sshd[2930]: pam_unix(sshd:session): session closed for user od
>
>
> but nothing for the process except this:
>
>
> 2016/09/01 15:24:06 ossec-csyslogd: DEBUG: Starting ...
> 2016/09/01 15:24:06 ossec-csyslogd: INFO: Chrooted to directory: /var/ossec, using user: ossecm
> 2016/09/01 15:24:06 ossec-csyslogd: INFO: Started (pid: 12106).
> 2016/09/01 15:24:06 ossec-csyslogd: INFO: File queue connected.
> 2016/09/01 15:24:06 ossec-csyslogd: INFO: Forwarding alerts via syslog to: '127.0.0.1:8089'.
>
I didn't realize this was on loopback (not that it matters
apparently). This works for me:
<syslog_output>
<server>127.0.0.1</server>
<port>9514</port>
</syslog_output>
Make sure your syslog daemon is listening on localhost udp/8089, and
it's configured to accept the messages.
>
> and nothing else...
>
>
> On Thursday, September 1, 2016 at 10:18:07 AM UTC-4, Olivier Doisneau wrote:
>>
>> So I changed my ossec.conf to have this:
>>
>> <syslog_output>
>>   <server>127.0.0.1</server>
>>   <port>8089</port>
>>   <format>default</format>
>> </syslog_output>
>>
>>
>> and /var/ossec/bin/ossec-csyslogd is started. But I don't see any attempts to
>> push the logs coming in to syslog in the ossec.log file.
>>
>>
>> Thanks
>
> --
>
> ---
> You received this message because you are subscribed to the Google Groups
> "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to [email protected].
> For more options, visit https://groups.google.com/d/optout.
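A quick way to separate "csyslogd is not sending" from "nothing is receiving" on the port the thread is talking about. This is an added example, not OSSEC code and not something either poster ran: it checks whether a syslog daemon already holds udp/8089 on loopback, and if not, binds the port itself and prints whatever ossec-csyslogd forwards. Assumptions: the port is 8089 as in the quoted ossec.conf, and the embedded sample datagram is constructed to approximate OSSEC's 'default' syslog format from the rule 5502 alert shown above; compare it with what your own server actually emits.

```python
"""UDP syslog receiver for checking ossec-csyslogd forwarding.

Added example (not OSSEC code). Assumes <syslog_output> in ossec.conf
points at 127.0.0.1:8089; the sample datagram below is constructed.
"""
import re
import socket
import sys

LISTEN_ADDR = ("127.0.0.1", 8089)  # must match <server>/<port> in ossec.conf

# RFC 3164 style datagram: <PRI>timestamp host tag: message
_SYSLOG_RE = re.compile(rb"^<(?P<pri>\d{1,3})>(?P<rest>.*)$", re.DOTALL)
# Alert fields ossec-csyslogd's default format puts before the raw log line.
_OSSEC_RE = re.compile(
    r"Alert Level: (?P<level>\d+); Rule: (?P<rule>\d+) - (?P<desc>[^;]*); "
    r"Location: (?P<location>[^;]*);"
)

# Constructed sample (not captured from a real server); PRI 132 = local0.warning.
SAMPLE_DATAGRAM = (
    b"<132>Sep  1 15:26:53 ossec-server ossec: Alert Level: 3; "
    b"Rule: 5502 - Login session closed.; "
    b"Location: (dev-login-01) any->/var/log/secure; "
    b"Sep 1 15:26:51 dev-login-01 sshd[2930]: "
    b"pam_unix(sshd:session): session closed for user od"
)


def parse_syslog(datagram):
    """Split a datagram into facility, severity and message text.
    Returns None if the <PRI> header is missing or out of range."""
    m = _SYSLOG_RE.match(datagram)
    if not m:
        return None
    pri = int(m.group("pri"))
    if pri > 191:  # highest legal PRI: facility 23 * 8 + severity 7
        return None
    return {
        "facility": pri >> 3,
        "severity": pri & 7,
        "message": m.group("rest").decode("utf-8", "replace"),
    }


def parse_ossec_alert(message):
    """Extract level, rule id, description and location from an OSSEC
    alert; returns None for syslog traffic that is not an OSSEC alert."""
    m = _OSSEC_RE.search(message)
    if not m:
        return None
    return {
        "level": int(m.group("level")),
        "rule": int(m.group("rule")),
        "description": m.group("desc"),
        "location": m.group("location"),
    }


def port_already_bound(addr=LISTEN_ADDR):
    """True if another process (rsyslog, syslog-ng, ...) already holds the
    UDP port, i.e. a daemon is listening and this script should not bind."""
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        s.bind(addr)
    except OSError:
        return True
    finally:
        s.close()
    return False


def listen(addr=LISTEN_ADDR, max_datagrams=None):
    """Bind the port ossec-csyslogd sends to and print what arrives."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind(addr)
    print("listening on udp %s:%d" % addr, file=sys.stderr)
    seen = 0
    while max_datagrams is None or seen < max_datagrams:
        data, peer = sock.recvfrom(65535)
        seen += 1
        hdr = parse_syslog(data)
        if hdr is None:
            print("%s:%d sent a non-syslog payload: %r" % (peer[0], peer[1], data[:60]))
            continue
        alert = parse_ossec_alert(hdr["message"])
        if alert is None:
            print("fac=%d sev=%d %s" % (hdr["facility"], hdr["severity"], hdr["message"]))
        else:
            print("level=%(level)d rule=%(rule)d %(location)s: %(description)s" % alert)
    sock.close()


if __name__ == "__main__":
    if port_already_bound():
        # A daemon already accepts on the port: look in its logs instead.
        print("udp %s:%d is already bound by another process" % LISTEN_ADDR)
        sys.exit(0)
    listen()
```

Run it as root or with the syslog daemon stopped (it needs the port free), then restart OSSEC and trigger an alert such as an ssh login; if parsed alerts show up here, csyslogd is fine and the problem is the receiving daemon's configuration (for rsyslog that means an imudp input bound to 127.0.0.1 on that port). If the script reports the port already bound, the daemon is listening and the next place to look is the daemon's own log and rules.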