> On Jun 27, 2018, at 7:53 AM, dan (ddp) <ddp...@gmail.com> wrote:
>
> On Wed, Jun 27, 2018 at 6:52 AM, <r...@gcstech.net> wrote:
>> I have a working OSSEC that I now want to send the output to a Graylog2
>> server. I added the following to the ossec.conf file between the
>> ossec_config tags.
>> <syslog_output>
>>   <server>192.168.0.33</server>
>>   <port>9514</port>
>>   <format>cef</format>
>> </syslog_output>
>> I enabled csyslog and restarted OSSEC. It starts csyslogd but never gives
>> me "Forwarding alerts via syslog" in the ossec.log file and if I run an
>> ossec-control status it gives an error that ossec-csyslogd: Process not used
>> by ossec, removing.
>>
>> If I start ossec-csyslogd in the foreground everything works as it should and
>> logs are sent to the Graylog server. If I run OSSEC in debug mode
>> everything works as it should or did for about 12 hours then failed. If I
>> run OSSEC normally it never starts forwarding alerts via syslog.
>>
>> Any help would be greatly appreciated as I am not sure what to look for
>> next. It works in the foreground and in debug mode for a while but will not
>> run normally. Thanks in advance.
>>
>> Phil
>
> Check for `/var/ossec/bin/.process_list`
> It should contain "CSYSLOG_DAEMON=ossec-csyslogd"

Dan,

It does contain multiple lines with the above. After posting I made one change and added a <level>6</level> line to the ossec.conf and it actually started csyslogd correctly and has been sending to the Graylog2 server as it should for the past couple hours. I am not sure why that made it function correctly but it seems to have. Here is the .process_list contents as I am not sure why the multiple lines for csyslogd.

DB_DAEMON=ossec-dbd
CSYSLOG_DAEMON=ossec-csyslogd
CSYSLOG_DAEMON=ossec-csyslogd
CSYSLOG_DAEMON=ossec-csyslogd
CSYSLOG_DAEMON=ossec-csyslogd
CSYSLOG_DAEMON=""
CSYSLOG_DAEMON=ossec-csyslogd
DEBUG_CLI="-d"
DEBUG_CLI=""

Thanks for the assistance.

Phil

--
---
You received this message because you are subscribed to the Google Groups "ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to ossec-list+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
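
An added example, not part of the thread or of OSSEC itself: a small shell check that summarises a `.process_list`-style file with repeated keys, like the one posted above. It assumes the file is read as plain `KEY=value` shell assignments, so the last assignment for a key is the effective one; the function names and the temporary sample file are hypothetical, and the sample content is the listing from the message.

```shell
#!/bin/sh
# Assumption: .process_list holds KEY=value shell assignments, last one wins.

# Print "KEY=value (set N time(s))" per key, in first-seen order.
summarize_process_list() {
    awk -F= '
        /^[A-Za-z_][A-Za-z0-9_]*=/ {
            key = $1
            val = substr($0, length(key) + 2)
            gsub(/^"|"$/, "", val)            # drop one pair of surrounding quotes
            if (!(key in count)) order[++n] = key
            count[key]++
            last[key] = val                   # later lines overwrite earlier ones
        }
        END {
            for (i = 1; i <= n; i++) {
                k = order[i]
                printf "%s=%s (set %d time(s))\n", k, (last[k] == "" ? "<empty>" : last[k]), count[k]
            }
        }' "$1"
}

# Succeed if the effective (last) value of KEY in FILE equals WANT.
# A key that never appears is treated as empty, like an unset shell variable.
effective_value_is() {
    file=$1; key=$2; want=$3
    got=$(awk -F= -v k="$key" '
        $1 == k { v = substr($0, length(k) + 2); gsub(/^"|"$/, "", v); found = 1 }
        END { if (found) print v }' "$file")
    [ "$got" = "$want" ]
}

# Sample input: the .process_list contents posted in the thread.
sample=$(mktemp)
trap 'rm -f "$sample"' EXIT
cat > "$sample" <<'EOF'
DB_DAEMON=ossec-dbd
CSYSLOG_DAEMON=ossec-csyslogd
CSYSLOG_DAEMON=ossec-csyslogd
CSYSLOG_DAEMON=ossec-csyslogd
CSYSLOG_DAEMON=ossec-csyslogd
CSYSLOG_DAEMON=""
CSYSLOG_DAEMON=ossec-csyslogd
DEBUG_CLI="-d"
DEBUG_CLI=""
EOF
summarize_process_list "$sample"
```

On a real host, point `summarize_process_list` at `/var/ossec/bin/.process_list` instead of the sample file.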