Thank you for explanation, everything is clear and working as expected

On Fri, Nov 9, 2018 at 6:14 PM dan (ddp) <[email protected]> wrote:

> On Fri, Nov 9, 2018 at 12:14 PM 700 grm <[email protected]> wrote:
> >
> > In situation can we install OSSEC Server and syslog backup server on the same machine?
> > Or it will create a lot of issues: double alerts
> > it will analyse same var/log/messages on client and server side?
> >
>
> If OSSEC monitors the file syslogd saves the remote log messages to,
> you'll get doubled up alerts.
> If you want to do both on the same machine, you'll want to save the
> messages to files that OSSEC isn't monitoring.
>
> > thx in advance
> >
> > On Fri, Nov 9, 2018 at 4:35 PM dan (ddp) <[email protected]> wrote:
> >>
> >> On Fri, Nov 9, 2018 at 11:21 AM 700 grm <[email protected]> wrote:
> >> >
> >> > Thank you for your prompt response.
> >> >
> >> > 1. How can I turn on logall feature on ossec client?
> >> >
> >>
> >> It's a server side setting, not a client side.
> >> > http://www.ossec.net/docs/syntax/head_ossec_config.global.html?highlight=logall#element-logall
> >>
> >> > 2. it mean that OSSEC client can collect all system logs from /var/log/ forward them to a OSSEC server and store them in /var/ossec/logs/archive/archives.log ?
> >> >
> >>
> >> Correct. Anything the agent sends to the server will be logged in the
> >> archives log.
> >>
> >> > Thx in advance
> >> >
> >> > V
> >> >
> >> > On Fri, Nov 9, 2018 at 3:41 PM dan (ddp) <[email protected]> wrote:
> >> >>
> >> >> On Fri, Nov 9, 2018 at 10:39 AM <[email protected]> wrote:
> >> >> >
> >> >> > Hi,
> >> >> >
> >> >> > I am new to the OSSEC. I am confused about forwarding logs.
> >> >> >
> >> >> > Does OSSEC client collects logs from /var/log/messages and forwards them to the ossec server /var/log/messages? Or should be log forwarding configured in rsyslog on Red Hat to forward all logs to rsyslog server?
> >> >> >
> >> >>
> >> >> OSSEC does not write to /var/log/messages. It can store all logs it
> >> >> receives in /var/ossec/logs/archive/archives.log, if you turn on the
> >> >> logall feature.
> >> >> But if you want a syslog backup of log messages, you'll have to
> >> >> configure your syslogd to do it for you.
> >> >>
> >> >> > Thx in advance
> >> >> >
> >> >> > Regards
> >> >> >
> >> >> > V
> >> >> >
> >> >> > --
> >> >> >
> >> >> > ---
> >> >> > You received this message because you are subscribed to the Google Groups "ossec-list" group.
> >> >> > To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
> >> >> > For more options, visit https://groups.google.com/d/optout.
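The reply above warns that alerts double up when syslogd saves remote messages into a file OSSEC monitors. The following check for that overlap is an added example, not code from the thread or from the OSSEC project; the sample configurations are constructed, the function names are hypothetical, and it assumes static rsyslog output paths (no dynaFile templates) and an ossec.conf that parses as XML.

```python
import fnmatch
import re
import xml.etree.ElementTree as ET

# Constructed sample: server-side ossec.conf fragment (not from the thread).
OSSEC_CONF = """
<ossec_config>
  <global><logall>yes</logall></global>
  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/messages</location>
  </localfile>
  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/secure*</location>
  </localfile>
</ossec_config>
"""

# Constructed rsyslog rules: the first keeps remote messages in their own
# file, the second writes into files OSSEC already reads.
RSYSLOG_SEPARATE = 'action(type="omfile" file="/var/log/remote/messages")\n'
RSYSLOG_SHARED = "*.info;mail.none    /var/log/messages\nauthpriv.*  -/var/log/secure\n"

def monitored_locations(ossec_conf):
    """Return each <localfile><location> pattern found in ossec.conf text."""
    # ossec.conf may hold several <ossec_config> blocks, so wrap them in one root.
    root = ET.fromstring("<root>" + ossec_conf + "</root>")
    found = (lf.findtext("location", "") for lf in root.iter("localfile"))
    return [loc.strip() for loc in found if loc.strip()]

def rsyslog_output_files(rsyslog_conf):
    """Return static output files from omfile actions and legacy selector lines."""
    files = re.findall(r'\bfile="([^"]+)"', rsyslog_conf, flags=re.IGNORECASE)
    for line in rsyslog_conf.splitlines():
        # Legacy form: "<selector>  [-]/path/to/file"; comment lines are skipped.
        m = re.match(r"\s*[^#\s]\S*\s+-?(/\S+)\s*$", line)
        if m:
            files.append(m.group(1))
    return files

def doubled_up(ossec_conf, rsyslog_conf):
    """List (file, location) pairs where syslogd writes into a monitored file."""
    locations = monitored_locations(ossec_conf)
    # Wildcards in <location> are matched; strftime patterns are not expanded.
    return [(f, loc) for f in rsyslog_output_files(rsyslog_conf)
            for loc in locations if fnmatch.fnmatchcase(f, loc)]

if __name__ == "__main__":
    print(doubled_up(OSSEC_CONF, RSYSLOG_SHARED))
```

An empty result from `doubled_up` means the syslog backup files and the OSSEC-monitored files are disjoint, which is the arrangement the reply recommends for running both on one machine.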
