Syslog Output options are available in the the following installation types:
All syslog_output options must be configured in the /var/ossec/etc/ossec.conf and used within the <ossec_config> tag.
XML excerpt to show location:
OSSEC<ossec_config>
<syslog_output>
<!--
Syslog Output options here
-->
</syslog_output>
</ossec_config>
syslog_output
server
- IP Address of the syslog server.
- Allowed: any valid IP address
port
- Port to forward alerts to.
- Default 514
- Allowed: Any valid port
level
- Minimum alert level of the alerts to be forwarded.
- Allowed: 1 - 16
group
- Alerts belonging to this group will be forwarded.
- Allowed: Any valid group. Separate multiple groups with the pipe (
|) character.- Examples:
<group>syscheck</group> <group>authentication_failure|authentication_success</group>rule_id
- Alerts matching this rule_id will be forwarded.
- Allowed: Any valid rule_id
location
- Alerts from this location will be forwarded.
- Allowed: Any valid logfile location
use_fqdn
New in version 2.9.0.
- By default, ossec truncates the hostname at the first period (‘.’) when generating syslog messages. Setting this option to ‘yes’ will cause it to use the full hostname configured on the server.
- Default no
- Allowed yes, no
format
- Format of alert output. The default format is “default”, or full syslog output.
- CEF is the ArcSight Common Event Format.
- json can be used with a variety of tools.
- The splunk option is for sending data to a Splunk server.
- Allowed default, cef, splunk, json
- Example:
<syslog_output> <server>10.0.0.1</server> <port>514</port> <format>cef</format> </syslog_output>