On Wed, Jun 27, 2018 at 8:57 AM, GCS Tech <[email protected]> wrote:
>
>> On Jun 27, 2018, at 7:53 AM, dan (ddp) <[email protected]> wrote:
>>
>> On Wed, Jun 27, 2018 at 6:52 AM, <[email protected]> wrote:
>>> I have a working OSSEC that I now want to send the output to a Graylog2
>>> server. I added the following to the ossec.conf file between the
>>> ossec_config tags.
>>> <syslog_output>
>>> <server>192.168.0.33</server>
>>> <port>9514</port>
>>> <format>cef</format>
>>> </syslog_output>
>>> I enabled csyslog and restarted OSSEC. It starts csyslogd but never gives
>>> me "Forwarding alerts via syslog" in the ossec.log file and if I run an
>>> ossec-control status it gives an error that ossec-csyslogd: Process not used
>>> by ossec, removing.
>>>
>>> If I start ossec-csyslogd in the foreground everything works as it should and
>>> logs are sent to the Graylog server. If I run OSSEC in debug mode
>>> everything works as it should or did for about 12 hours then failed. If I
>>> run OSSEC normally it never starts forwarding alerts via syslog.
>>>
>>> Any help would be greatly appreciated as I am not sure what to look for
>>> next. It works in the foreground and in debug mode for a while but will not
>>> run normally. Thanks in advance.
>>>
>> Check for `/var/ossec/bin/.process_list`
>> It should contain "CSYSLOG_DAEMON=ossec-csyslogd"
>
> Dan,
> It does contain multiple lines with the above. After posting I made
> one change and added a <level>6</level> line to the ossec.conf and it actually
> started csyslogd correctly and has been sending to the Graylog2 server as it
> should for the past couple hours. I am not sure why that made it function
> correctly but it seems to have. Here is the .process_list contents as I am
> not sure why the multiple lines for csyslogd.
>

If you ran `/var/ossec/bin/ossec-control enable client-syslog` multiple times, it will add the line multiple times. The script is fairly dumb.

> DB_DAEMON=ossec-dbd
> CSYSLOG_DAEMON=ossec-csyslogd
> CSYSLOG_DAEMON=ossec-csyslogd
> CSYSLOG_DAEMON=ossec-csyslogd
> CSYSLOG_DAEMON=ossec-csyslogd
> CSYSLOG_DAEMON=""
> CSYSLOG_DAEMON=ossec-csyslogd
> DEBUG_CLI="-d"
> DEBUG_CLI=""
>
> Thanks for the assistance.
>
> Phil
>>
>>> Phil
>>>
>>> --
>>>
>>> ---
>>> You received this message because you are subscribed to the Google Groups
>>> "ossec-list" group.
>>> To unsubscribe from this group and stop receiving emails from it, send an
>>> email to [email protected].
>>> For more options, visit https://groups.google.com/d/optout.
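An added example, not part of this thread or of OSSEC itself: a small POSIX shell script that inspects a constructed `.process_list` mirroring the one quoted above. The file is plain shell assignments and `ossec-control` sources it, so the last assignment to a key is the one that takes effect, which is why the repeated `CSYSLOG_DAEMON` lines are harmless; the helpers report that effective value, count the duplicates, and write a deduplicated copy. The temp-file path and helper names are assumptions.

```shell
#!/bin/sh
# Added example (not from the ossec-list thread or the OSSEC project).
# Inspect a .process_list-style file: ossec-control sources it, so when a
# key is assigned several times the LAST assignment wins.

# Constructed sample mirroring the quoted file; written to a temp file,
# not to /var/ossec/bin/.process_list.
PL="${TMPDIR:-/tmp}/process_list.sample.$$"
cat > "$PL" <<'EOF'
DB_DAEMON=ossec-dbd
CSYSLOG_DAEMON=ossec-csyslogd
CSYSLOG_DAEMON=ossec-csyslogd
CSYSLOG_DAEMON=""
CSYSLOG_DAEMON=ossec-csyslogd
DEBUG_CLI="-d"
DEBUG_CLI=""
EOF

# effective_value FILE KEY: the value a shell holds after sourcing FILE,
# i.e. the last assignment to KEY (what ossec-control actually ends up with).
effective_value() {
    ( . "$1"; eval "printf '%s' \"\$$2\"" )
}

# count_assignments FILE KEY: number of lines assigning KEY; more than one
# means "ossec-control enable ..." was run repeatedly.
count_assignments() {
    grep -c "^$2=" "$1"
}

# dedup_process_list FILE OUT: keep one line per key (the last one seen),
# preserving the order in which keys first appeared.
dedup_process_list() {
    awk -F= '!seen[$1]++ {order[++n]=$1} {last[$1]=$0}
             END {for (i=1;i<=n;i++) print last[order[i]]}' "$1" > "$2"
}
```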
