Question

I'm very new to OSSIM. I have installed OSSIM 3.1 onto a virtual machine (VMware).

I have 2 questions:

1) I have enabled SYSLOG from ossim-setup. Now I'm getting a horde of syslog messages in ANALYSIS -> SIEM. How can I modify the logging rate? How can I manage the syslog configuration? I looked for syslog conf files but there aren't any; I can find only rsyslog files. Moreover, if I do

alienvault:~# ps aux | grep sys
root      3481  0.1  0.0   2492  1416 ?        S    08:51   0:12 /var/ossec/bin/ossec syscheckd
root      5951  0.0  0.0  35512  1416 ?        Sl   08:58   0:00 /usr/sbin/rsyslogd -c3 -x
root     18427  0.0  0.0   1716   636 pts/0    S+   11:29   0:00 grep --color=auto sys

I get that only rsyslogd is running

2) I have enabled Dionaea from ossim-setup and I'm trying to send its log to OSSIM without any result. How can I do that? After that, am I supposed to do something else to let OSSIM correlate the logs from Dionaea with other logs?

Thank you


Solution

Log forwarding from rsyslog can be set up very easily. You need to edit the /etc/rsyslog.conf file and add the following line:

*.* @@remote-host:514

It will set up your local rsyslog to forward all syslog messages to "remote-host"; 514 is the port number of the rsyslogd server. You can add the above line on all the clients from which you want the logs to be sent. You can read more about it at the official Rsyslog Project website.

OTHER TIPS

Check the rsyslog configuration on the remote server (by default it is at /etc/rsyslog.conf). It may be using UDP or TCP. If it's UDP, use

*.* @hostname:<port>

If it's TCP,

*.* @@hostname:<port>

You can get the port numbers by checking the lines

$UDPServerRun <port>
$TCPServerRun <port>

You can set up filtering rules with rsyslog based on the hostname or the IP address of your Dionaea server and write them to a separate file (if that's what you want).

There is a recent patch that gives you the ability to send Dionaea events to syslog:

http://sourceforge.net/p/nepenthes/mailman/message/32024205/
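
The two answers above boil down to one procedure: read the collector's rsyslog.conf to see which listener is active, then emit the matching client action ("@" for UDP, "@@" for TCP) and, optionally, a collector-side filter that writes one sender's events to its own file. The script below is an added example of that procedure; it is not code from either answer or from the OSSIM or rsyslog projects. It assumes the legacy $UDPServerRun / $TCPServerRun directive style the answer quotes (not the newer RainerScript input() syntax), and the sample collector config, the host names "ossim-server" and "dionaea-host" and the file paths are all constructed for the demonstration.

```python
"""Derive the client-side rsyslog forwarding line from a collector's
/etc/rsyslog.conf and build a per-host filter rule.

Added example; not code from the original answers. Assumes legacy
$UDPServerRun / $TCPServerRun directives. Host names, paths and the
sample config below are constructed, not taken from a real system.
"""
import re

# Constructed sample of a collector's /etc/rsyslog.conf: the UDP listener is
# commented out, the TCP listener is active on a non-default port.
SAMPLE_SERVER_CONF = """\
# /etc/rsyslog.conf on the OSSIM collector (constructed sample)
$ModLoad imuxsock
$ModLoad imudp
#$UDPServerRun 514
$ModLoad imtcp
$TCPServerRun 10514
*.*;auth,authpriv.none   -/var/log/syslog
"""

# Matches an active listener directive. A leading '#' fails the match, so
# commented-out listeners are ignored rather than reported as open.
_LISTENER_RE = re.compile(r'^\s*\$(UDP|TCP)ServerRun\s+(\d+)\s*$', re.IGNORECASE)


def find_listeners(conf_text):
    """Return {'udp': [ports], 'tcp': [ports]} for uncommented listener directives."""
    ports = {'udp': [], 'tcp': []}
    for line in conf_text.splitlines():
        m = _LISTENER_RE.match(line)
        if m:
            ports[m.group(1).lower()].append(int(m.group(2)))
    return ports


def forwarding_line(server_host, listeners, selector='*.*'):
    """Build the client action: '@host:port' forwards over UDP, '@@host:port' over TCP.

    TCP is chosen when both are open: UDP drops events silently when the
    collector is overloaded (the situation the question describes) and the
    sender never learns about it. The selector defaults to '*.*' as in the
    answer; narrowing it (e.g. '*.warning') is the simplest way to cut volume.
    """
    if listeners['tcp']:
        return '%s @@%s:%d' % (selector, server_host, listeners['tcp'][0])
    if listeners['udp']:
        return '%s @%s:%d' % (selector, server_host, listeners['udp'][0])
    raise ValueError('no $UDPServerRun/$TCPServerRun directive is active on the collector')


def per_host_rule(hostname, target_file, discard_after=False):
    """Collector-side property filter (legacy syntax): write one sender's events
    to their own file. With discard_after=True a '& ~' line follows so those
    events are not also written by the later catch-all rules."""
    rule = ':hostname, isequal, "%s"  %s' % (hostname, target_file)
    if discard_after:
        rule += '\n& ~'
    return rule


if __name__ == '__main__':
    active = find_listeners(SAMPLE_SERVER_CONF)
    print('# add to /etc/rsyslog.conf on each client:')
    print(forwarding_line('ossim-server', active))
    print('# add to /etc/rsyslog.conf on the collector, above the catch-all rules:')
    print(per_host_rule('dionaea-host', '/var/log/dionaea-remote.log', discard_after=True))
```

The per-host rule must sit before the general "*.* /var/log/syslog" style rules in the collector's config, because rsyslog evaluates rules in file order; with discard_after=True the Dionaea events stop there and never reach the catch-all file.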

Licensed under: CC-BY-SA with attribution