Sending OSSEC alerts via syslog

This is a feature that was constantly asked and just now I was able to include it. Basically, it allows you to send the OSSEC alerts to one or more syslog servers (granularly).

First, make sure to get the latest snapshot and install it: http://www.ossec.net/files/snapshots/ossec-hids-080725.tar.gz

After that you can configure OSSEC with the syslog servers of your choice. In my example here, I am sending everything to server 192.168.4.1 and only the alerts above level 10 to 10.1.1.1:

<syslog_output>
<server>192.168.4.1</server>
</syslog_output>

<syslog_output>
<level>10</level>
<server>10.1.1.1</server>
</syslog_output>

After that, run the following command and restart OSSEC:

# /var/ossec/bin/ossec-control enable client-syslog
# /var/ossec/bin/ossec-control start

You should see now ossec-csyslog starting:

OSSEC HIDS v1.5.1 Stopped
Starting OSSEC HIDS v1.5.1 (by Third Brigade, Inc.)…
Started ossec-csyslogd…
..

and on the logs:

# tail -n 1000 /var/ossec/logs/ossec.log |grep csyslog
2008/07/25 12:55:16 ossec-csyslogd: INFO: Started (pid: 19412).
2008/07/25 12:55:16 ossec-csyslogd: INFO: Forwarding alerts via syslog to: ’192.168.4.1:514′.
2008/07/25 12:55:16 ossec-csyslogd: INFO: Forwarding alerts via syslog to: ’10.1.1.1:514′.

On the syslog server, this is what you should get (every log separated by level, rule, location and the actual event that generated it):

Jul 25 12:17:41 enigma ossec: Alert Level: 3; Rule: 5715 – SSHD authentication success.; Location: (jul) 192.168.2.0->/var/log/messages; srcip: 192.168.2.190; user: root; Jul 25 13:26:24 slacker sshd[20440]: Accepted password for root from 192.168.2.190 port 49737 ssh2

As always, suggestions and comments are more than welcome. Thanks!

Leave a Reply

Your email address will not be published. Required fields are marked *