Sending OSSEC alerts via syslog

This is a feature that was constantly asked and just now I was able to include it. Basically, it allows you to send the OSSEC alerts to one or more syslog servers (granularly).

First, make sure to get the latest snapshot and install it: http://www.ossec.net/files/snapshots/ossec-hids-080725.tar.gz

After that you can configure OSSEC with the syslog servers of your choice. In my example here, I am sending everything to server 192.168.4.1 and only the alerts above level 10 to 10.1.1.1:

<syslog_output>
<server>192.168.4.1</server>
</syslog_output>

<syslog_output>
<level>10</level>
<server>10.1.1.1</server>
</syslog_output>

After that, run the following command and restart OSSEC:

# /var/ossec/bin/ossec-control enable client-syslog
# /var/ossec/bin/ossec-control start

You should see now ossec-csyslog starting:

OSSEC HIDS v1.5.1 Stopped
Starting OSSEC HIDS v1.5.1 (by Third Brigade, Inc.)…
Started ossec-csyslogd…
..

and on the logs:

# tail -n 1000 /var/ossec/logs/ossec.log |grep csyslog
2008/07/25 12:55:16 ossec-csyslogd: INFO: Started (pid: 19412).
2008/07/25 12:55:16 ossec-csyslogd: INFO: Forwarding alerts via syslog to: ’192.168.4.1:514′.
2008/07/25 12:55:16 ossec-csyslogd: INFO: Forwarding alerts via syslog to: ’10.1.1.1:514′.

On the syslog server, this is what you should get (every log separated by level, rule, location and the actual event that generated it):

Jul 25 12:17:41 enigma ossec: Alert Level: 3; Rule: 5715 – SSHD authentication success.; Location: (jul) 192.168.2.0->/var/log/messages; srcip: 192.168.2.190; user: root; Jul 25 13:26:24 slacker sshd[20440]: Accepted password for root from 192.168.2.190 port 49737 ssh2

As always, suggestions and comments are more than welcome. Thanks!

This entry was posted in ossec, v16. Bookmark the permalink.

4 Responses to Sending OSSEC alerts via syslog

  1. Chuck says:

    Nice add Daniel! Now we can get alerts from ossec fed into OpenNMS. w00t!

    Can you change the port that it sends syslog to? And is it only via UDP?

    Great work as always!

  2. Pingback: Multi-server architecture

  3. Elettra says:

    Anyone can tell me how I must configure the syslog.conf file? More precisely, which facility do I have to set for ossec.log file???
    For example, for snort I wrote:
    local3.*@10.168.70.100

    please help :(

  4. vlad says:

    Our setup on 3 computers: c0, c1, c3.
    1. ossec server installed on c0.
    2. ossec agent installed on c1 and c2.

    Question:
    How to make any chages made in watched directories on c0, c1, c2 to be recorded in /var/log/messages on c0?

    Thank you very much.

Leave a Reply

Your email address will not be published. Required fields are marked *

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>