List: ossec-list
Subject: Re: [ossec-list] Send OSSEC logs to graylog
From: "dan (ddp)" <ddpbsd () gmail ! com>
Date: 2016-09-26 12:27:46
Message-ID: CAMyQvMosh_68WZRFrWQKw6em77vs+1PBSZ8zZ5KpcZ6DtuPuuw () mail ! gmail ! com
On Sat, Sep 24, 2016 at 11:24 AM, <titleistfour@gmail.com> wrote:
> Hello,
>
> I'm having a problem getting OSSEC to send logs to a Graylog server and I'm
> hoping someone can offer some advice. I followed the instructions on these
> pages
>
> https://marketplace.graylog.org/addons/025e1992-8acb-4e37-8434-2785081bf977
> http://ossec-docs.readthedocs.io/en/latest/manual/output/syslog-output.html
>
> Setup:
> Graylog 2.1 standalone CentOS 6 server with CEF UDP input listening on 5141
> Graylog CEF input plugin 1.1 installed on the server
> OSSEC 2.8.3 client on CentOS 6
>
> There are no firewalls between these servers, and I have also verified the
> client can reach port 5141 on the server using both TCP and UDP. A tcpdump
> verifies this using netcat.
>
> On the OSSEC client, I have installed it as a 'local' install and added this
> to the /var/ossec/etc/ossec.conf file
>
> <syslog_output>
> <server>172.31.1.1</server>
> <port>5141</port>
> <format>cef</format>
> </syslog_output>
>
> Restarted the Graylog server service and the OSSEC client service. Then, on
> the OSSEC client
>
> /var/ossec/bin/ossec-control enable client-syslog
> /var/ossec/bin/ossec-control restart
>
> From that point, OSSEC appears to be working. I get various email alerts
> that I expect. But I never see anything show up in Graylog. A tcpdump
> shows no traffic ever making it to the graylog server either. I assume I
> would see this type of log entry
>
> INFO: Forwarding alerts via syslog to: '172.31.1.1:5141'
>
> But I never do.
>
> Have I missed a step somewhere? Would appreciate some advice.
>
Try running csyslogd manually:
`/var/ossec/bin/ossec-csyslogd -df`
to see if there are any additional debug messages that might help. I
haven't ever tried the cef format, so I'm not sure how it works.
> Thanks,
> Jay
>
> --
>
> ---
> You received this message because you are subscribed to the Google Groups
> "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to ossec-list+unsubscribe@googlegroups.com.
> For more options, visit https://groups.google.com/d/optout.
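Added example, not part of the thread: a small set of POSIX sh checks for the setup described above, covering the `<syslog_output>` block in ossec.conf, the "Forwarding alerts via syslog" line that ossec-csyslogd writes to ossec.log when it starts, and whether the daemon is running at all. File paths are parameters so the functions can be run against copies; the default OSSEC locations (/var/ossec/etc/ossec.conf, /var/ossec/logs/ossec.log) used in `check_host` are assumed.

```shell
#!/bin/sh
# Example checks for an OSSEC -> Graylog syslog_output setup (added here,
# not OSSEC project code). Paths are arguments so the checks can be run on
# copies of the real files; the defaults below are the stock OSSEC layout.

# Print "server port format" for each <syslog_output> block in a config.
# Missing <port>/<format> fall back to the OSSEC defaults (514, "default").
# Returns 1 when no block exists, which means nothing will ever be sent.
syslog_output_targets() {
    conf="$1"
    awk '
        /<syslog_output>/   { inblk=1; s=""; p="514"; f="default"; next }
        inblk && /<server>/ { sub(/.*<server>/,""); sub(/<\/server>.*/,""); s=$0 }
        inblk && /<port>/   { sub(/.*<port>/,"");   sub(/<\/port>.*/,"");   p=$0 }
        inblk && /<format>/ { sub(/.*<format>/,""); sub(/<\/format>.*/,""); f=$0 }
        /<\/syslog_output>/ { if (s != "") { print s, p, f; n++ }; inblk=0 }
        END { exit (n > 0 ? 0 : 1) }
    ' "$conf"
}

# Did ossec-csyslogd announce the target in ossec.log? This is the line the
# poster expected and never saw; its absence points at the daemon never
# having started rather than at a network problem.
forwarding_announced() {
    log="$1"; target="$2"
    grep -qF "Forwarding alerts via syslog to: '${target}'" "$log"
}

# Is ossec-csyslogd actually running on this host?
csyslogd_running() {
    pgrep -x ossec-csyslogd >/dev/null 2>&1
}

# Run all checks against the stock OSSEC paths (assumed defaults).
check_host() {
    conf="${1:-/var/ossec/etc/ossec.conf}"
    log="${2:-/var/ossec/logs/ossec.log}"
    targets=$(syslog_output_targets "$conf") ||
        { echo "no <syslog_output> block in $conf"; return 1; }
    echo "$targets" | while read -r srv port fmt; do
        if forwarding_announced "$log" "$srv:$port"; then
            echo "csyslogd announced $srv:$port ($fmt)"
        else
            echo "no forwarding line for $srv:$port in $log"
        fi
    done
    csyslogd_running && echo "ossec-csyslogd is running" ||
        echo "ossec-csyslogd is NOT running (ossec-control enable client-syslog?)"
}
```

Run `check_host` on the OSSEC client; when the config block is present but the daemon is not running, the next step is the `ossec-csyslogd -df` debug run suggested in the reply.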