Hi Robert,
OSSEC should take these settings independently:
- Configuration A will send alerts with level 8 or higher.
- Configuration B will send alerts with level 4 or higher (including
alerts sent by the former setting) belonging to these groups.
So you'll receive duplicate alerts. One option would be to enter every
group but the ones specified in configuration B.
Let me tell you that Wazuh agents include an improvement that allows
negating expressions. So you may use a setting like this one:
<syslog_output>
<level>8</level>
<server>192.168.0.5</server>
<group>!invalid_login|adduser|blah|andsoon</group>
</syslog_output>
<syslog_output>
<level>4</level>
<group>invalid_login|adduser|blah|andsoon</group>
<server>192.168.0.5</server>
</syslog_output>
Hence you'll have alerts with level 4 or higher (even 8 or more) belonging
to these groups, plus alerts with level 8 or higher of any other group.
Hope it helps.
Best regards.
On Mon, Jul 10, 2017 at 10:29 PM, Robert B <[email protected]> wrote:
> This was a little unclear to me after reading the documentation and
> searching around...pardon if it's been asked and answered, I simply have
> not found it.
>
> We have a single server we want to send syslog output to, however, we also
> want to have different levels for some alerts. Would it be as simple as
> two syslog_output sections, such as below, or would this create duplicate
> alerts, take the last syslog_output section, or can it be done in a single
> section?
>
> <syslog_output>
> <level>8</level>
> <server>192.168.0.5</server>
> </syslog_output>
>
> <syslog_output>
> <level>4</level>
> <group>invalid_login|adduser|blah|andsoon</group>
> <server>192.168.0.5</server>
> </syslog_output>
>
>
> Thanks!
> Bob
>
>
> --
>
> ---
> You received this message because you are subscribed to the Google Groups
> "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to [email protected].
> For more options, visit https://groups.google.com/d/optout.
>
--
Victor M. Fernandez-Castro
IT Security Engineer
Wazuh Inc.
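The behaviour described in the reply, as an added example that is not part of the thread: a small Python model of how independent <syslog_output> blocks select alerts, with the configuration as asked (A) beside the negated form (B). The group-matching rule is an assumption (substring match on '|'-separated names, a leading '!' negates), not OSSEC's real OSMatch code, and the configs and alerts are constructed.

```python
import xml.etree.ElementTree as ET

# Constructed configs (this example's own, not from the thread). A: the two
# blocks exactly as asked; B: the same, but the level-8 block excludes the
# groups the level-4 block already handles, using the Wazuh '!' negation.
CONFIG_A = """<ossec_config>
  <syslog_output><level>8</level><server>192.168.0.5</server></syslog_output>
  <syslog_output><level>4</level><server>192.168.0.5</server>
    <group>invalid_login|adduser</group></syslog_output>
</ossec_config>"""
CONFIG_B = CONFIG_A.replace(
    "<level>8</level>", "<level>8</level><group>!invalid_login|adduser</group>")

def parse_outputs(xml_text):
    """Read every <syslog_output> block into a dict (level, server, group)."""
    root = ET.fromstring(xml_text)
    return [{"level": int(o.findtext("level", "0")),
             "server": o.findtext("server"),
             "group": o.findtext("group")}  # None when no filter was given
            for o in root.findall("syslog_output")]

def group_matches(pattern, alert_groups):
    """Assumed model (not OSSEC's OSMatch): '|'-separated names are matched as
    substrings of the alert's group string; a leading '!' negates the match."""
    if pattern is None:
        return True
    negate = pattern.startswith("!")
    if negate:
        pattern = pattern[1:]
    hit = any(name in alert_groups for name in pattern.split("|"))
    return not hit if negate else hit

def forwarded_by(outputs, alert):
    """Indices of blocks that forward the alert; blocks are independent, so
    more than one index means the same alert is sent more than once."""
    return [i for i, o in enumerate(outputs)
            if alert["level"] >= o["level"]
            and group_matches(o["group"], alert["groups"])]

# Constructed alerts: level plus an OSSEC-style comma-separated group string.
ALERTS = [
    {"level": 10, "groups": "syslog,sshd,invalid_login,authentication_failed,"},
    {"level": 5, "groups": "syslog,sshd,invalid_login,"},
    {"level": 9, "groups": "syslog,rootcheck,"},
]

def compare():
    """For each alert, the blocks that fire under config A and under config B."""
    a, b = parse_outputs(CONFIG_A), parse_outputs(CONFIG_B)
    return [(forwarded_by(a, al), forwarded_by(b, al)) for al in ALERTS]
```

Under A the level-10 invalid_login alert is forwarded by both blocks (a duplicate); under B only the level-4 block sends it, while the level-9 rootcheck alert still reaches the server through the level-8 block.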