Wouldn't this be something better handled by syslog-ng?

Haidut wrote:
> I have another question on a similar topic.
> I need to use OSSEC for securely aggregating/parsing/storing logs, but
> I DON'T need it to analyze logs and fire rules.
> So I would like the setup to be as follows:
>
> 1. A system running OSSEC as a server and also listening on syslog port 514.
> 2. Install OSSEC as an agent on as many systems as possible (i.e. all
> systems that support running it) and have them forward logs to the
> server.
> 3. For systems that can't run OSSEC, configure them to send their logs
> via syslog to the OSSEC server.
>
> So essentially the question is if it is possible to disable the rules
> portion of OSSEC and have it simply receive logs and store them in its
> main log file, preferably without any parsing, so that the original
> logs are preserved intact for forensic purposes (i.e. US courts won't
> accept parsed logs as evidence).
> Please let me know.
> Thanks.
>
>
>
>
> On Nov 15, 2007 9:01 AM, Aaron Bliss <[EMAIL PROTECTED]> wrote:
>
>> It looks like I'm receiving events from the remote syslog host, I just
>> didn't realize that I need to configure e-mail alerts for the remote
>> host as well.  So again, all looks good so far.  Thanks.
>>
>> Aaron
>>
>> Aaron Bliss wrote:
>>
>>> I added the IP of the remote machine that I want to accept syslogs
>>> from in the ossec.conf file, and now the ossec server is listening on
>>> udp 514, however I still don't think that I'm receiving syslogs from
>>> the remote host.  The firewall on the ossec server isn't blocking that
>>> traffic, and there aren't any network related reasons that would
>>> prevent the traffic from getting to the ossec server, however ossec
>>> isn't alerting me on events from the remote host that cause triggers
>>> on the ossec server.  Any ideas on how I can verify that the ossec
>>> server is receiving the syslogs from the remote host?  Thanks.
>>>
>>> <remote>
>>>    <connection>syslog</connection>
>>>    <allowed-ips>192.168.8.3</allowed-ips>
>>>  </remote>
>>>
>>> Aaron Bliss wrote:
>>>
>>>> I figured this out.  Thanks.
>>>>
>>>> Aaron
>>>>
>>>> Aaron Bliss wrote:
>>>>
>>>>> Hi everyone,
>>>>> I'm pretty sure that ossec can do this.  Before deploying agents to
>>>>> other machines, I would first like to get ossec to accept syslogs
>>>>> from remote machines and just analyze those messages.  During the
>>>>> setup of the ossec server, I chose the option to have it accept
>>>>> syslog messages, however the box isn't listening on port 514, even
>>>>> though ossec on the server is working.  Here are the remote sections
>>>>> of the ossec.conf file:
>>>>> <remote>
>>>>>    <connection>syslog</connection>
>>>>>  </remote>
>>>>>
>>>>>  <remote>
>>>>>    <connection>secure</connection>
>>>>>  </remote>
>>>>>
>>>>> Any ideas on this?  Thanks.
>>>>>
>>>>> Aaron
>>>>>
>>>>>
>> --
>> Aaron Bliss
>> Systems Administrator
>> SUNY Brockport
>> (585) 395-2417
>>
>>
>>

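The misconfiguration Aaron hit above (a `<connection>syslog</connection>` block with no `<allowed-ips>`, so the server never accepts anything on 514) is easy to catch before restarting OSSEC. The following script is an added example, not code from the thread or from the OSSEC project: it parses the `<remote>` blocks from an ossec.conf fragment and reports syslog listeners that have no valid `<allowed-ips>` entry. It assumes the two quoted snippets wrapped in a single `<ossec_config>` root (constructed here), and it treats each `<allowed-ips>` value as a plain IP or CIDR, which is an assumption about the accepted syntax.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample: the two versions of the <remote> section quoted in the
# thread, wrapped in one <ossec_config> root so ElementTree can parse them.
BROKEN_CONF = """<ossec_config>
  <remote>
    <connection>syslog</connection>
  </remote>
  <remote>
    <connection>secure</connection>
  </remote>
</ossec_config>"""

FIXED_CONF = """<ossec_config>
  <remote>
    <connection>syslog</connection>
    <allowed-ips>192.168.8.3</allowed-ips>
  </remote>
  <remote>
    <connection>secure</connection>
  </remote>
</ossec_config>"""


def check_remote_blocks(conf_text):
    """Return a list of findings for the <remote> blocks in conf_text.

    An empty list means every syslog listener names at least one
    <allowed-ips> entry and each entry parses as an IP address or CIDR.
    """
    findings = []
    root = ET.fromstring(conf_text)
    for i, remote in enumerate(root.findall("remote"), start=1):
        conn = (remote.findtext("connection") or "").strip()
        if conn != "syslog":
            continue  # the agent channel; allowed-ips is not required there
        allowed = [e.text.strip() for e in remote.findall("allowed-ips") if e.text]
        if not allowed:
            findings.append(f"remote block {i}: syslog listener has no <allowed-ips>")
        for entry in allowed:
            try:
                ipaddress.ip_network(entry, strict=False)  # assumption: IP or CIDR
            except ValueError:
                findings.append(f"remote block {i}: bad <allowed-ips> value {entry!r}")
    return findings


if __name__ == "__main__":
    for name, conf in (("broken", BROKEN_CONF), ("fixed", FIXED_CONF)):
        print(name, check_remote_blocks(conf) or "ok")
```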