Hello, I'm having a problem getting OSSEC to send logs to a Graylog server and I'm hoping someone can offer some advice. I followed the instructions on these pages
https://marketplace.graylog.org/addons/025e1992-8acb-4e37-8434-2785081bf977
http://ossec-docs.readthedocs.io/en/latest/manual/output/syslog-output.html

Setup:

- Graylog 2.1 standalone CentOS 6 server with CEF UDP input listening on 5141
- Graylog CEF input plugin 1.1 installed on the server
- OSSEC 2.8.3 client on CentOS 6

There are no firewalls between these servers, and I have also verified the client can reach port 5141 on the server using both TCP and UDP. A tcpdump verifies this using netcat.

On the OSSEC client, I have installed it as a 'local' install and added this to the /var/ossec/etc/ossec.conf file:

    <syslog_output>
      <server>172.31.1.1</server>
      <port>5141</port>
      <format>cef</format>
    </syslog_output>

Restarted the Graylog server service and the OSSEC client service. Then, on the OSSEC client:

    /var/ossec/bin/ossec-control enable client-syslog
    /var/ossec/bin/ossec-control restart

From that point, OSSEC appears to be working. I get various email alerts that I expect. But I never see anything show up in Graylog. A tcpdump shows no traffic ever making it to the graylog server either.

I assume I would see this type of log entry:

    INFO: Forwarding alerts via syslog to: '172.31.1.1:5141'

But I never do. Have I missed a step somewhere? Would appreciate some advice.

Thanks,
Jay
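A quick way to separate "OSSEC is not sending" from "Graylog is not receiving" is to hand-send one CEF line over UDP to the same input and watch for it in tcpdump and in the Graylog input's message count. This is an added example, not code from the original post or from OSSEC or Graylog; the CEF field layout and the sample alert are constructed assumptions and may not match OSSEC's own wire format.

```python
import socket

# Constructed sample alert fields; not captured from a real OSSEC instance.
SAMPLE_ALERT = {
    "rule_id": "5715",
    "name": "sshd: authentication success.",
    "level": "3",
    "src_ip": "192.0.2.10",
    "host": "client01",
}

def _esc_header(value: str) -> str:
    """CEF header fields must escape backslash and the pipe delimiter."""
    return value.replace("\\", "\\\\").replace("|", "\\|")

def _esc_ext(value: str) -> str:
    """CEF extension values must escape backslash, '=' and newlines."""
    return value.replace("\\", "\\\\").replace("=", "\\=").replace("\n", "\\n")

def build_cef(alert: dict) -> str:
    """Render one CEF:0 line. Field layout is an assumption, not OSSEC's own formatter."""
    header = "|".join(_esc_header(x) for x in (
        "OSSEC", "OSSEC", "2.8.3", alert["rule_id"], alert["name"], alert["level"]))
    ext = " ".join(f"{k}={_esc_ext(v)}" for k, v in (
        ("src", alert["src_ip"]), ("dvchost", alert["host"])))
    return f"CEF:0|{header}|{ext}"

def send_udp(line: str, host: str, port: int) -> int:
    """Send one datagram to the input; returns bytes sent (UDP gives no delivery ack)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        return sock.sendto(line.encode("utf-8"), (host, port))

def loopback_check(timeout: float = 2.0) -> str:
    """Self-test: bind a throwaway UDP listener on 127.0.0.1, send the sample
    line to it and return what arrived, so the sender is known-good before
    it is pointed at the real Graylog host."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as listener:
        listener.bind(("127.0.0.1", 0))          # OS picks a free port
        listener.settimeout(timeout)
        port = listener.getsockname()[1]
        send_udp(build_cef(SAMPLE_ALERT), "127.0.0.1", port)
        data, _ = listener.recvfrom(65535)
        return data.decode("utf-8")

if __name__ == "__main__":
    import sys
    print("loopback:", loopback_check())
    if len(sys.argv) == 3:                        # e.g. 172.31.1.1 5141
        send_udp(build_cef(SAMPLE_ALERT), sys.argv[1], int(sys.argv[2]))
```

If the hand-sent line shows up in tcpdump on the Graylog side but OSSEC's alerts never do, the problem is on the OSSEC side (client-syslog not actually running or not reading the syslog_output block); if the hand-sent line also never arrives in Graylog, the input itself is the place to look.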
