Hello, I am new to OSSEC so bear with me. I have set up OSSEC using the VirtualBox appliance and everything seemed to run nicely out of the box except... I am trying to set up OSSEC to monitor a syslog from a firewall but I don't see any references to those syslog entries. I have done the following:
1. On the firewall, told it to send syslog files to the static IP of the OSSEC server.
2. On the OSSEC server's ossec.conf added a <remote> section with a <connection>syslog</connection> and specified the allowed_ip.
3. Also in the ossec.conf, set logall to yes.
4. Tested incoming connection using tcpdump -A port 514 and I can see syslog-like entries coming in.
5. Because the format is not quite standard syslog, I created a custom decoder and tested it using ossec-logtest.

Despite all of these steps (and restarting the service using "ossec-control restart" multiple times) I still do not see any of the remote syslog entries in the archive.log. Am I missing something obvious to make this work?

--
You received this message because you are subscribed to the Google Groups "ossec-list" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To view this discussion on the web visit https://groups.google.com/d/msgid/ossec-list/6bdbcac5-a51c-4a02-bc86-b88c6833ca92%40googlegroups.com.
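As an added illustration (not the poster's configuration or an OSSEC project file), here are the two ossec.conf fragments that steps 2 and 3 describe, with the firewall address as a placeholder; in OSSEC the remote listener's allow-list element is spelled `<allowed-ips>` and `logall` lives under `<global>`:

```xml
<ossec_config>
  <global>
    <!-- Write every received event to logs/archives/archives.log,
         whether or not any rule matches it. -->
    <logall>yes</logall>
  </global>

  <!-- Syslog listener served by ossec-remoted. The remoted daemon is
       only started when at least one <remote> block is present. -->
  <remote>
    <connection>syslog</connection>
    <!-- UDP/514 is the OSSEC default; stated explicitly so it matches
         the port the firewall sends to (the port seen with tcpdump). -->
    <port>514</port>
    <protocol>udp</protocol>
    <!-- Placeholder address: replace with the firewall's source IP.
         Datagrams from any address not listed here are rejected and
         noted as "not allowed" in logs/ossec.log. -->
    <allowed-ips>192.0.2.10</allowed-ips>
  </remote>
</ossec_config>
```

After restarting with `ossec-control restart`, check that `ossec-control status` lists ossec-remoted as running and look in logs/ossec.log for any configuration error or "not allowed" warning, since a source IP mismatch or a remoted that never started both leave archives.log without the remote entries.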
