
List:       ossec-list
Subject:    Re: [ossec-list] Send OSSEC logs to graylog
From:       "dan (ddp)" <ddpbsd () gmail ! com>
Date:       2016-09-26 12:27:46
Message-ID: CAMyQvMosh_68WZRFrWQKw6em77vs+1PBSZ8zZ5KpcZ6DtuPuuw () mail ! gmail ! com

On Sat, Sep 24, 2016 at 11:24 AM,  <titleistfour@gmail.com> wrote:
> Hello,
> 
> I'm having a problem getting OSSEC to send logs to a Graylog server and I'm
> hoping someone can offer some advice.  I followed the instructions on these
> pages
> 
> https://marketplace.graylog.org/addons/025e1992-8acb-4e37-8434-2785081bf977
> http://ossec-docs.readthedocs.io/en/latest/manual/output/syslog-output.html
> 
> Setup:
> Graylog 2.1 standalone CentOS 6 server with CEF UDP input listening on 5141
> Graylog CEF input plugin 1.1 installed on the server
> OSSEC 2.8.3 client on CentOS 6
> 
> There are no firewalls between these servers, and I have also verified the
> client can reach port 5141 on the server using both TCP and UDP.  A tcpdump
> verifies this using netcat.
> 
> On the OSSEC client, I have installed it as a 'local' install and added this
> to the /var/ossec/etc/ossec.conf file
> 
> <syslog_output>
> <server>172.31.1.1</server>
> <port>5141</port>
> <format>cef</format>
> </syslog_output>
> 
> Restarted the Graylog server service and the OSSEC client service.  Then, on
> the OSSEC client
> 
> /var/ossec/bin/ossec-control enable client-syslog
> /var/ossec/bin/ossec-control restart
> 
> From that point, OSSEC appears to be working.  I get various email alerts
> that I expect.  But I never see anything show up in Graylog.  A tcpdump
> shows no traffic ever making it to the graylog server either.  I assume I
> would see this type of log entry
> 
> INFO: Forwarding alerts via syslog to: '172.31.1.1:5141'
> 
> But I never do.
> 
> Have I missed a step somewhere?  Would appreciate some advice.
> 

Try running csyslogd manually:
`/var/ossec/bin/ossec-csyslogd -df`

to see if there are any additional debug messages that might help. I
haven't ever tried the cef format, so I'm not sure how it works.

> Thanks,
> Jay
> 
> --
> 
> ---
> You received this message because you are subscribed to the Google Groups
> "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to ossec-list+unsubscribe@googlegroups.com.
> For more options, visit https://groups.google.com/d/optout.

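As an added example (not code from this thread, from OSSEC or from Graylog): a small Python UDP listener that stands in for the Graylog CEF input while troubleshooting the setup above. It separates the two failure modes at play here: no datagram arriving at all (what the tcpdump showed, and what `ossec-csyslogd -df` should explain) versus datagrams arriving that a CEF input cannot parse. The header splitter honours the CEF `\|` and `\=` escapes. `SAMPLE`, its field layout and the hostnames in it are constructed for illustration and do not claim to reproduce OSSEC 2.8.3's exact CEF output.

```python
"""Minimal CEF-over-UDP receiver for checking an OSSEC syslog_output -> Graylog path.

Added example; not code from the thread, from OSSEC or from Graylog.  Point
OSSEC's <syslog_output> at this listener (stop the Graylog input first, or use
a spare port) to confirm that ossec-csyslogd emits datagrams at all and that
each one carries a parseable CEF:0 header.  SAMPLE is a constructed message
in the general CEF shape; OSSEC's exact extension fields are an assumption.
"""
import re
import socket

# Constructed sample: syslog PRI + timestamp, then the CEF record
# "CEF:Version|Vendor|Product|Version|SignatureID|Name|Severity|Extension".
SAMPLE = (
    b"<132>Sep 26 08:12:01 CEF:0|OSSEC|OSSEC|2.8.3|5402|"
    b"Successful sudo to ROOT executed|3|"
    b"dvc=web01 cs2=/var/log/secure cs2Label=Location "
    b"msg=Sep 26 08:12:00 web01 sudo: jay : TTY\\=pts/0"
)

HEADER_KEYS = ("version", "vendor", "product", "device_version",
               "signature_id", "name", "severity")


def _unescape(value):
    # CEF escapes: '\|' in header fields, '\=' in extension values, '\\' in
    # both, plus '\n' and '\r' for embedded line breaks.
    return re.sub(r"\\(.)", lambda m: {"n": "\n", "r": "\r"}.get(m.group(1), m.group(1)), value)


def split_cef_header(record):
    """Split the text after 'CEF:' into 7 header fields plus the extension string.
    A pipe escaped as '\\|' does not end a field.  Returns None if fewer than
    7 unescaped pipes are present (i.e. not a CEF record)."""
    fields, buf, i = [], [], 0
    while i < len(record) and len(fields) < 7:
        ch = record[i]
        if ch == "\\" and i + 1 < len(record):
            buf.append(record[i:i + 2])   # keep the escape; _unescape resolves it
            i += 2
            continue
        if ch == "|":
            fields.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
        i += 1
    if len(fields) < 7:
        return None
    return [_unescape(f) for f in fields], record[i:]


def parse_extension(extension):
    """Parse 'key=value key2=value with spaces' into a dict.  A new key starts
    only at ' <word>='; an escaped '\\=' inside a value does not."""
    result = {}
    for token in re.split(r" (?=[A-Za-z0-9_]+=)", extension.strip()):
        if "=" not in token:
            continue
        key, _, value = token.partition("=")
        result[key] = _unescape(value)
    return result


def parse_cef(datagram):
    """Parse one syslog/CEF datagram (bytes).  Returns a dict, or None when no
    CEF header is found, so 'wrong format' is distinguishable from 'nothing arrived'."""
    text = datagram.decode("utf-8", errors="replace")
    idx = text.find("CEF:")
    if idx < 0:
        return None
    parsed = split_cef_header(text[idx + 4:])
    if parsed is None:
        return None
    fields, extension = parsed
    pri = re.match(r"<(\d+)>", text[:idx])
    out = dict(zip(HEADER_KEYS, fields))
    out["severity"] = int(out["severity"]) if out["severity"].isdigit() else out["severity"]
    out["pri"] = int(pri.group(1)) if pri else None
    out["extension"] = parse_extension(extension)
    return out


def open_listener(host="0.0.0.0", port=5141):
    """Bind a UDP socket the way the Graylog input would (port 0 = ephemeral)."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    sock.bind((host, port))
    return sock


def recv_one(sock, timeout=5.0):
    """Return one datagram, or None if nothing arrives within `timeout` seconds
    (the symptom described in the thread)."""
    sock.settimeout(timeout)
    try:
        data, _ = sock.recvfrom(65535)
    except socket.timeout:
        return None
    return data


def send_datagram(port, payload, host="127.0.0.1"):
    """Send one datagram as csyslogd would; run from the OSSEC host to prove the
    network path independently of the agent."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.sendto(payload, (host, port))


if __name__ == "__main__":
    listener = open_listener("0.0.0.0", 5141)
    print("listening on udp/5141; stop Graylog's input first if it holds the port")
    while True:
        dgram = recv_one(listener, timeout=30.0)
        if dgram is None:
            print("no datagram in 30s: check csyslogd (ossec-csyslogd -df)")
            continue
        print(parse_cef(dgram) or ("not CEF: %r" % dgram[:80]))
```

Run it on the Graylog host with the CEF input stopped (or on a spare port, adjusting `<port>` in `<syslog_output>` to match), then trigger an alert on the OSSEC side. If the listener stays silent while `ossec-csyslogd -df` reports nothing, the daemon is not forwarding; if it prints `not CEF:` lines, the agent is sending but in a format the CEF input will not accept.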

