Gappa

Reputation: 827

how to send log to a remote log server through rsyslog?

I'm very new to ossim. I have installed ossim 3.1 onto a virtual machine (vmware).

I have 2 questions:

1) I have enabled SYSLOG from ossim-setup. Now I'm getting a horde of syslog messages in ANALYSIS -> SIEM. How can I modify the logging rate? How can I manage the syslog configuration? I looked for syslog conf files but there aren't any; I can find only rsyslog files. Moreover, if I do

alienvault:~# ps aux | grep sys
root      3481  0.1  0.0   2492  1416 ?        S    08:51   0:12 /var/ossec/bin/ossec syscheckd
root      5951  0.0  0.0  35512  1416 ?        Sl   08:58   0:00 /usr/sbin/rsyslogd -c3 -x
root     18427  0.0  0.0   1716   636 pts/0    S+   11:29   0:00 grep --color=auto sys

I see that only rsyslogd is running.

2) I have enabled Dionaea from ossim-setup and I'm trying to send its logs to ossim, without any result. How can I do that? After that, am I supposed to do something else to let ossim correlate the logs from Dionaea with the other logs?

Thank you

Upvotes: 0

Views: 28047

Answers (3)

Ankit Kumar

Reputation: 1463

Log forwarding from rsyslog can be set up very easily. You need to edit the /etc/rsyslog.conf file and add the following line:

*.* @@remote-host:514

It will set up your local rsyslog to forward all syslog messages to "remote-host"; 514 is the port number of the rsyslogd server. You can add the above line on all the clients from which you want the logs to be sent. You can read more about it on the official Rsyslog Project website.

Upvotes: 6

rsFF

Reputation: 111

There is a recent patch that gives you the ability to send Dionaea events to syslog:

http://sourceforge.net/p/nepenthes/mailman/message/32024205/

Upvotes: 0

A23

Reputation: 1606

Check the rsyslog configuration on the remote server (by default it is at /etc/rsyslog.conf). It may be using UDP or TCP. If it's UDP, use

*.* @hostname:<port>

If it's TCP,

*.* @@hostname:<port>

You can get the port numbers by checking the lines

$UDPServerRun <port>
$TCPServerRun <port>

You can set up filtering rules with rsyslog based on the hostname or the IP address of your Dionaea server and write it to a separate file (if that's what you want).

Upvotes: 9
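The two answers above describe both halves of the setup (the `@`/`@@` forwarding line on the client, and the listener plus a per-host filter on the receiver). The following is an added example, not code from the original posts or from the OSSIM or rsyslog projects, that puts both halves together in the legacy directive syntax that the `rsyslogd -c3` process in the question understands. The addresses (collector 192.0.2.1, Dionaea host 192.0.2.10), the output file name and the queue name are assumptions for illustration only.

```conf
# Added example (not from the original posts or the OSSIM/rsyslog projects).
# Legacy rsyslog directive syntax, as accepted by "rsyslogd -c3".
# Assumed addresses: collector (OSSIM side) 192.0.2.1, Dionaea host 192.0.2.10.

# ---- receiver: /etc/rsyslog.conf on the collector ----
# UDP listener: no delivery guarantee, messages are simply dropped on loss
$ModLoad imudp
$UDPServerRun 514
# TCP listener: reliable, newline-framed (matches "@@" on the client side)
# The legacy directive is $InputTCPServerRun (not $TCPServerRun)
$ModLoad imtcp
$InputTCPServerRun 514

# Write the honeypot's events to their own file, keyed on the sender's IP
# (fromhost-ip is taken from the socket, so a spoofed hostname in the
# message body cannot redirect it), then discard so they do not also land
# in the general files below.
:fromhost-ip, isequal, "192.0.2.10"    /var/log/dionaea.log
# "~" is the v3 discard action; on rsyslog 7 and later write "& stop" instead
& ~

# Everything else keeps going to the usual destination
*.*    /var/log/messages

# ---- sender: /etc/rsyslog.conf on the Dionaea host ----
# Disk-assisted queue: spool while the collector is unreachable instead of
# losing events or blocking local logging. "fwdRule1" is an assumed name.
$WorkDirectory /var/spool/rsyslog
$ActionQueueType LinkedList
$ActionQueueFileName fwdRule1
$ActionQueueMaxDiskSpace 100m
$ActionQueueSaveOnShutdown on
$ActionResumeRetryCount -1

# "@@" = TCP (must match the imtcp listener above); a single "@" would be UDP
*.* @@192.0.2.1:514
```

After restarting rsyslog on both sides, run `logger "dionaea forward test"` on the Dionaea host and confirm the line appears in /var/log/dionaea.log on the collector and not in /var/log/messages. On newer rsyslog versions `rsyslogd -N1` checks the configuration for syntax errors before you restart the daemon. Note that plain TCP syslog is neither encrypted nor authenticated; on an untrusted network, restrict the listener with a host firewall or use rsyslog's TLS transport.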
