On Sat, Sep 24, 2016 at 11:24 AM, <[email protected]> wrote:
> Hello,
>
> I'm having a problem getting OSSEC to send logs to a Graylog server and I'm
> hoping someone can offer some advice. I followed the instructions on these
> pages
>
> https://marketplace.graylog.org/addons/025e1992-8acb-4e37-8434-2785081bf977
> http://ossec-docs.readthedocs.io/en/latest/manual/output/syslog-output.html
>
> Setup:
> Graylog 2.1 standalone CentOS 6 server with CEF UDP input listening on 5141
> Graylog CEF input plugin 1.1 installed on the server
> OSSEC 2.8.3 client on CentOS 6
>
> There are no firewalls between these servers, and I have also verified the
> client can reach port 5141 on the server using both TCP or UDP. A tcpdump
> verifies this using netcat.
>
> On the OSSEC client, I have installed it as a 'local' install and added this
> to the /var/ossec/etc/ossec.conf file
>
> <syslog_output>
>   <server>172.31.1.1</server>
>   <port>5141</port>
>   <format>cef</format>
> </syslog_output>
>
> Restarted the Graylog server service and the OSSEC client service. Then, on
> the OSSEC client
>
> /var/ossec/bin/ossec-control enable client-syslog
> /var/ossec/bin/ossec-control restart
>
> From that point, OSSEC appears to be working. I get various email alerts
> that I expect. But I never see anything show up in Graylog. A tcpdump
> shows no traffic ever making it to the graylog server either. I assume I
> would see this type of log entry
>
> INFO: Forwarding alerts via syslog to: '172.31.1.1:5141'
>
> But I never do.
>
> Have I missed a step somewhere? Would appreciate some advice.
>
Try running csyslogd manually: `/var/ossec/bin/ossec-csyslogd -df` to see if there are any additional debug messages that might help. I haven't ever tried the cef format, so I'm not sure how it works.

> Thanks,
> Jay
>
> --
>
> ---
> You received this message because you are subscribed to the Google Groups
> "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to [email protected].
> For more options, visit https://groups.google.com/d/optout.
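Before watching tcpdump for packets that never arrive, it helps to rule out the two quiet failure points in this setup: a `<syslog_output>` block that OSSEC silently rejects (bad port, unknown format, missing server) and a CEF line that the Graylog input cannot parse. The script below is an added example written for this thread; it is not OSSEC or Graylog code. It parses a constructed ossec.conf fragment (wrapping the text in a synthetic root because ossec.conf may contain several `<ossec_config>` elements, and assuming no XML declaration), validates the server, port and format against the formats the OSSEC syslog-output docs list (`default`, `json`, `splunk`, `cef`), splits a CEF-shaped line into its seven header fields and extension pairs, and sends that line through a UDP loopback socket to confirm the local send path works. The vendor, product, signature id and extension values in `SAMPLE_CEF` are placeholders following the CEF field layout, not verified OSSEC output.

```python
"""Added example for this thread (not OSSEC or Graylog code): validate the
<syslog_output> block from ossec.conf, parse a CEF-shaped line of the kind a
csyslogd -> Graylog CEF input pipeline would carry, and exercise the UDP send
path over loopback."""
import re
import socket
import xml.etree.ElementTree as ET

# Output formats documented for OSSEC <syslog_output>; anything else is a typo.
VALID_FORMATS = {"default", "json", "splunk", "cef"}

# Constructed ossec.conf fragment. OSSEC allows several <ossec_config> roots in
# one file, which is why the parser wraps the text in a synthetic root below.
SAMPLE_CONF = """
<ossec_config>
  <global><email_notification>yes</email_notification></global>
</ossec_config>
<ossec_config>
  <syslog_output>
    <server>172.31.1.1</server>
    <port>5141</port>
    <format>cef</format>
  </syslog_output>
</ossec_config>
"""

# Constructed CEF line with a syslog prefix. The seven header fields follow the
# CEF layout; vendor/product/signature values are placeholders, not verified
# OSSEC output.
SAMPLE_CEF = ("<132>Sep 24 11:24:00 ossec-host CEF:0|OSSEC|OSSEC|2.8.3|EXAMPLE-RULE"
              "|Sample alert name|5|src=10.0.0.5 suser=root msg=constructed test message")


def parse_syslog_output(conf_text):
    """Return one dict per <syslog_output> block, each with a list of problems."""
    root = ET.fromstring("<root>" + conf_text + "</root>")  # assumes no XML declaration
    blocks = []
    for blk in root.iter("syslog_output"):
        server = (blk.findtext("server") or "").strip()
        port_text = (blk.findtext("port") or "514").strip()   # OSSEC default port
        fmt = (blk.findtext("format") or "default").strip().lower()
        problems = []
        if not server:
            problems.append("missing <server>")
        port = int(port_text) if port_text.isdigit() else None
        if port is None or not 1 <= port <= 65535:
            problems.append("bad <port>: %r" % port_text)
        if fmt not in VALID_FORMATS:
            problems.append("unknown <format>: %r" % fmt)
        blocks.append({"server": server, "port": port, "format": fmt, "problems": problems})
    return blocks


def parse_cef(line):
    """Split a CEF line into its header fields and extension key=value pairs."""
    start = line.find("CEF:")
    if start < 0:
        raise ValueError("no CEF: marker in line")
    body = line[start + 4:]
    # Header pipes may be escaped as \|, so split on unescaped pipes only.
    fields = re.split(r"(?<!\\)\|", body, maxsplit=7)
    if len(fields) < 7:
        raise ValueError("CEF header needs 7 pipe-separated fields")
    ext_text = fields[7] if len(fields) > 7 else ""
    # Extension values may contain spaces; a value runs until the next ' key='.
    extension = dict(re.findall(r"(\w+)=(.*?)(?= \w+=|$)", ext_text))
    keys = ("version", "vendor", "product", "device_version",
            "signature_id", "name", "severity")
    header = dict(zip(keys, fields[:7]))
    header["severity"] = int(header["severity"])
    header["extension"] = extension
    return header


def udp_loopback_roundtrip(payload, timeout=2.0):
    """Send payload over UDP to a local listener and return what arrived, so the
    socket path can be checked on the client without a Graylog server."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as rx:
        rx.bind(("127.0.0.1", 0))
        rx.settimeout(timeout)
        port = rx.getsockname()[1]
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as tx:
            tx.sendto(payload, ("127.0.0.1", port))
        data, _ = rx.recvfrom(65535)
    return data


if __name__ == "__main__":
    for blk in parse_syslog_output(SAMPLE_CONF):
        print(blk)
    print(parse_cef(SAMPLE_CEF))
    print(udp_loopback_roundtrip(SAMPLE_CEF.encode()).decode())
```

Point `parse_syslog_output` at the real `/var/ossec/etc/ossec.conf` text to check the block OSSEC actually loads; an empty `problems` list for the block with the Graylog address, combined with `client-syslog` enabled and the `ossec-csyslogd -df` output suggested above, narrows the remaining suspects to the network path between the two hosts. If the loopback round-trip succeeds but tcpdump on the Graylog side still sees nothing, the problem is outside the client process rather than in its configuration.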
