Not really. Like I said, we'll need log analysis in the future. Normal
syslog doesn't provide encryption over UDP; syslog-NG provides
encryption but can't handle custom application log files (i.e.
Websense, PeopleSoft, etc.). With OSSEC it seems we can do everything,
but we need it originally to just collect ALL the logs and store them,
regardless of whether they fired a rule or not.


On Nov 15, 2007 3:24 PM, [EMAIL PROTECTED]
<[EMAIL PROTECTED]> wrote:
>
> Wouldn't this be something better handled by syslog-ng?
>
>
> Haidut wrote:
> > I have another question on a similar topic.
> > I need to use OSSEC for securely aggregating/parsing/storing logs, but
> > I DON'T need it to analyze logs and fire rules.
> > So I would like the setup to be as follows
> >
> > 1. A system running OSSEC as a server and also listening on syslog port 514.
> > 2. Install OSSEC as an agent on as many systems as possible (i.e. all
> > systems that support running it) and have them forward logs to the
> > server.
> > 3. For systems that can't run OSSEC, configure them to send their logs
> > via syslog to the OSSEC server.
> >
> > So essentially the question is if it is possible to disable the rules
> > portion of OSSEC and have it simply receive logs and store them in its
> > main log file, preferably without any parsing so that the original
> > logs are preserved intact for forensic purposes (i.e. US courts won't
> > accept parsed logs as evidence).
> > Please let me know.
> > Thanks.
> >
> >
> >
> >
> > On Nov 15, 2007 9:01 AM, Aaron Bliss <[EMAIL PROTECTED]> wrote:
> >
> >> It looks like I'm receiving events from the remote syslog host, I just
> >> didn't realize that I need to configure e-mail alerts for the remote
> >> host as well.  So again, all looks good so far.  Thanks.
> >>
> >> Aaron
> >>
> >> Aaron Bliss wrote:
> >>
> >>> I added the IP of the remote machine that I want to accept syslogs
> >>> from in the ossec.conf file, and now the ossec server is listening on
> >>> udp 514, however I still don't think that I'm receiving syslogs from
> >>> the remote host.  The firewall on the ossec server isn't blocking that
> >>> traffic, and there aren't any network related reasons that would
> >>> prevent the traffic from getting to the ossec server, however ossec
> >>> isn't alerting me on events from the remote host that cause triggers
> >>> on the ossec server.  Any ideas on how I can verify that the ossec
> >>> server is receiving the syslogs from the remote host?  Thanks.
> >>>
> >>> <remote>
> >>>   <connection>syslog</connection>
> >>>   <allowed-ips>192.168.8.3</allowed-ips>
> >>> </remote>
> >>>
> >>> Aaron Bliss wrote:
> >>>
> >>>> I figured this out.  Thanks.
> >>>>
> >>>> Aaron
> >>>>
> >>>> Aaron Bliss wrote:
> >>>>
> >>>>> Hi everyone,
> >>>>> I'm pretty sure that ossec can do this.  Before deploying agents to
> >>>>> other machines, I would first like to get ossec to accept syslogs
> >>>>> from remote machines and just analyze those messages.  During the
> >>>>> setup of the ossec server, I chose the option to have it accept
> >>>>> syslog messages, however the box isn't listening on port 514, even
> >>>>> though ossec on the server is working.  Here are the remote sections
> >>>>> of the ossec.conf file:
> >>>>> <remote>
> >>>>>   <connection>syslog</connection>
> >>>>> </remote>
> >>>>>
> >>>>> <remote>
> >>>>>   <connection>secure</connection>
> >>>>> </remote>
> >>>>>
> >>>>> Any ideas on this?  Thanks.
> >>>>>
> >>>>> Aaron
> >>>>>
> >>>>>
> >> --
> >> Aaron Bliss
> >> Systems Administrator
> >> SUNY Brockport
> >> (585) 395-2417
> >>
> >>
> >>
>
>

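The setup discussed in this thread, in one runnable sketch: a UDP syslog listener that accepts datagrams only from the sources named in an `<allowed-ips>`-style list, archives every message byte-for-byte (with length and SHA-256 so an unmodified copy can be demonstrated later, the forensic point raised above), parses the RFC 3164 `<PRI>` only for display, and includes the loopback check that answers "how do I verify the server is actually receiving the syslogs?". This is an added example written for this page, not OSSEC's code or configuration; the allowed-source list beyond 192.168.8.3, the sample datagram and the in-memory archive are constructed, and the demo binds an unprivileged loopback port instead of 514.

```python
"""Minimal syslog/UDP collector mirroring the OSSEC <remote> semantics from
the thread: filter by allowed source, store everything unparsed.
Added example code, not OSSEC's implementation."""
import hashlib
import ipaddress
import re
import socket
from datetime import datetime, timezone

# Counterpart of <allowed-ips>. 192.168.8.3 is the host from the thread; the
# /24 entry is a constructed value showing that netmasks work as well.
ALLOWED_SOURCES = ["192.168.8.3", "10.20.0.0/24"]

PRI_RE = re.compile(rb"^<(\d{1,3})>")


def source_allowed(src_ip, allowed=ALLOWED_SOURCES):
    """True if src_ip falls within one of the allowed hosts or networks."""
    addr = ipaddress.ip_address(src_ip)
    return any(addr in ipaddress.ip_network(a, strict=False) for a in allowed)


def decode_pri(raw):
    """Parse the RFC 3164 <PRI> prefix into (facility, severity); None when
    absent or out of range. Display/triage only, the archive is never altered."""
    m = PRI_RE.match(raw)
    if m is None:
        return None
    pri = int(m.group(1))
    if pri > 191:  # 23 facilities * 8 severities - 1
        return None
    return pri // 8, pri % 8


def archive_record(raw, src_ip, received_at):
    """One archive entry: receipt time, source, byte length, SHA-256 of the
    datagram, then the datagram bytes exactly as received."""
    header = "%s %s %d %s " % (received_at.isoformat(), src_ip, len(raw),
                               hashlib.sha256(raw).hexdigest())
    return header.encode("ascii") + raw + b"\n"


class LogArchive:
    """Source filter plus verbatim store (in memory for the example; a real
    collector would append to a write-once file)."""

    def __init__(self, allowed=ALLOWED_SOURCES):
        self.allowed = list(allowed)
        self.records = []
        self.dropped = 0  # datagrams rejected by the source filter

    def ingest(self, raw, src_ip, received_at=None):
        if not source_allowed(src_ip, self.allowed):
            self.dropped += 1
            return None
        rec = archive_record(raw, src_ip, received_at or datetime.now(timezone.utc))
        self.records.append(rec)
        return rec


class RawSyslogCollector:
    """UDP listener feeding a LogArchive. Port 514 in the thread; port 0 in the
    demo so no privileges are needed."""

    def __init__(self, bind_addr="0.0.0.0", port=514, allowed=ALLOWED_SOURCES):
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
        self.sock.bind((bind_addr, port))
        self.archive = LogArchive(allowed)

    @property
    def port(self):
        return self.sock.getsockname()[1]

    def receive_one(self, timeout=2.0):
        """Receive a single datagram and hand it to the archive."""
        self.sock.settimeout(timeout)
        try:
            raw, (src_ip, _) = self.sock.recvfrom(65535)
        except socket.timeout:
            return None
        return self.archive.ingest(raw, src_ip)

    def close(self):
        self.sock.close()


# Constructed RFC 3164-style datagram; PRI 34 is facility 4 (auth), severity 2.
SAMPLE = b"<34>Nov 15 09:01:00 ws1 sshd[2042]: Failed password for invalid user admin"


def loopback_demo(allowed):
    """Send SAMPLE over loopback into a collector configured with `allowed`.
    Returns (archived records, dropped count): the receipt check from the thread."""
    col = RawSyslogCollector("127.0.0.1", 0, allowed)
    tx = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        tx.sendto(SAMPLE, ("127.0.0.1", col.port))
        col.receive_one()
    finally:
        tx.close()
        col.close()
    return list(col.archive.records), col.archive.dropped


if __name__ == "__main__":
    recs, dropped = loopback_demo(["127.0.0.1"])
    print(recs[0].decode(errors="replace"), "dropped:", dropped)
    print("facility/severity:", decode_pri(SAMPLE))
```

Run it once with `["127.0.0.1"]` in the allowed list and once without: the first archives the datagram, the second counts it as dropped, which is the same effect the `<allowed-ips>` line has in the quoted `ossec.conf`. On the real server the equivalent check is to confirm the daemon is bound on UDP 514 and that the archive grows when the remote host sends a test message.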