> On Jun 27, 2018, at 7:53 AM, dan (ddp) <ddp...@gmail.com> wrote:
> 
> On Wed, Jun 27, 2018 at 6:52 AM,  <r...@gcstech.net> wrote:
>> I have a working OSSEC that I now want to send the output to a Graylog2
>> server.  I added the following to the ossec.conf file between the
>> ossec_config tags.
>> <syslog_output>
>>   <server>192.168.0.33</server>
>>   <port>9514</port>
>>   <format>cef</format>
>> </syslog_output>
>> I enabled csyslog and restarted OSSEC.  It starts csyslogd but never gives
>> me "Forwarding alerts via syslog" in the ossec.log file and if I run an
>> ossec-control status it gives an error that ossec-csyslogd: Process not used
>> by ossec, removing.
>> 
>> If I start ossec-csyslogd in the foreground everything works as it should and
>> logs are sent to the Graylog server.  If I run OSSEC in debug mode
>> everything works as it should or did for about 12 hours then failed.  If I
>> run OSSEC normally it never starts forwarding alerts via syslog.
>> 
>> Any help would be greatly appreciated as I am not sure what to look for
>> next.  It works in the foreground and in debug mode for a while but will not
>> run normally.  Thanks in advance.
>> 
> 
> Check for `/var/ossec/bin/.process_list`
> It should contain "CSYSLOG_DAEMON=ossec-csyslogd"

Dan,
        It does contain multiple lines with the above.  After posting I made 
one change and added a <level>6</level> line to the ossec.conf and it actually 
started csyslogd correctly and has been sending to the Graylog2 server as it 
should for the past couple hours.  I am not sure why that made it function 
correctly but it seems to have.  Here is the .process_list contents as I am not 
sure why the multiple lines for csyslogd.

DB_DAEMON=ossec-dbd
CSYSLOG_DAEMON=ossec-csyslogd
CSYSLOG_DAEMON=ossec-csyslogd
CSYSLOG_DAEMON=ossec-csyslogd
CSYSLOG_DAEMON=ossec-csyslogd
CSYSLOG_DAEMON=""
CSYSLOG_DAEMON=ossec-csyslogd
DEBUG_CLI="-d"
DEBUG_CLI=""

Thanks for the assistance.

Phil
> 
>> Phil
>> 
>> 
>> --
>> 
>> ---
>> You received this message because you are subscribed to the Google Groups
>> "ossec-list" group.
>> To unsubscribe from this group and stop receiving emails from it, send an
>> email to ossec-list+unsubscr...@googlegroups.com.
>> For more options, visit https://groups.google.com/d/optout.
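Added example, not part of the original thread and not OSSEC's own code: a shell check that reports, for each variable in a `.process_list`-style file, the value in effect and how many times it was assigned. It assumes the file is read as shell variable assignments, so the last assignment to a name wins; the sample content is constructed from the listing in the message above, and `effective_value`, `count_assignments`, `report` and `make_sample` are hypothetical helper names.

```shell
#!/bin/sh
# Added example: inspect a .process_list-style file of NAME=value lines.
# Assumption: the file is read as shell variable assignments, so when a
# name appears several times the LAST assignment is the one in effect.

# Print the value of the last assignment to $1 in file $2 (outer quotes stripped).
# Exits non-zero if the name is never assigned.
effective_value() {
    awk -F= -v key="$1" '
        $1 == key { val = substr($0, length(key) + 2); found = 1 }
        END {
            if (!found) exit 1
            gsub(/^"|"$/, "", val)
            print val
        }' "$2"
}

# Print how many times $1 is assigned in file $2.
count_assignments() {
    awk -F= -v key="$1" '$1 == key { n++ } END { print n + 0 }' "$2"
}

# One line per variable: name, effective value, number of assignments.
report() {
    for key in $(awk -F= 'NF > 1 && !seen[$1]++ { print $1 }' "$1"); do
        printf '%s effective="%s" assignments=%s\n' "$key" \
            "$(effective_value "$key" "$1")" "$(count_assignments "$key" "$1")"
    done
}

# Constructed sample mirroring the listing in the message above.
make_sample() {
    cat > "$1" <<'EOF'
DB_DAEMON=ossec-dbd
CSYSLOG_DAEMON=ossec-csyslogd
CSYSLOG_DAEMON=ossec-csyslogd
CSYSLOG_DAEMON=ossec-csyslogd
CSYSLOG_DAEMON=ossec-csyslogd
CSYSLOG_DAEMON=""
CSYSLOG_DAEMON=ossec-csyslogd
DEBUG_CLI="-d"
DEBUG_CLI=""
EOF
}

SAMPLE=$(mktemp)
trap 'rm -f "$SAMPLE"' EXIT
make_sample "$SAMPLE"
report "$SAMPLE"
```

To check a live install, call `report` on the real file path instead of the constructed sample.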