OSSEC 3.3

ossec.conf: Syslog Output options

Overview

Supported types

Syslog Output options are available in the the following installation types:

  • server
  • local

Location

All syslog_output options must be configured in the /var/ossec/etc/ossec.conf and used within the <ossec_config> tag.

XML excerpt to show location:

<ossec_config>
    <syslog_output>
        <!--
        Syslog Output options here
        -->
    </syslog_output>
</ossec_config>

Options

syslog_output
server
  • IP Address of the syslog server.
  • Allowed: any valid IP address
port
  • Port to forward alerts to.
  • Default 514
  • Allowed: Any valid port
level
  • Minimum alert level of the alerts to be forwarded.
  • Allowed: 1 - 16
group
  • Alerts belonging to this group will be forwarded.
  • Allowed: Any valid group. Separate multiple groups with the pipe (|) character.
  • Examples:
<group>syscheck</group>
<group>authentication_failure|authentication_success</group>
rule_id
  • Alerts matching this rule_id will be forwarded.
  • Allowed: Any valid rule_id
location
  • Alerts from this location will be forwarded.
  • Allowed: Any valid logfile location
use_fqdn

New in version 2.9.0.

  • By default, ossec truncates the hostname at the first period (‘.’) when generating syslog messages. Setting this option to ‘yes’ will cause it to use the full hostname configured on the server.
  • Default no
  • Allowed yes, no
format
  • Format of alert output. The default format is “default”, or full syslog output.
  • CEF is the ArcSight Common Event Format.
  • json can be used with a variety of tools.
  • The splunk option is for sending data to a Splunk server.
  • Allowed default, cef, splunk, json
  • Example:
<syslog_output>
  <server>10.0.0.1</server>
  <port>514</port>
  <format>cef</format>
</syslog_output>