ossec.conf: Syslog Output options

Overview

Supported types

Syslog Output options are available in the the following installation types:

• server

• local

Location

All syslog_output options must be configured in the /var/ossec/etc/ossec.conf and used within the <ossec_config> tag.

XML excerpt to show location:

<ossec_config>
    <syslog_output>
        <!--
        Syslog Output options here
        -->
    </syslog_output>
</ossec_config>

Options

• syslog_output

  • server

    • IP Address of the syslog server.

    • Allowed: any valid IP address

  • port

    • Port to forward alerts to.

    • Default 514

    • Allowed: Any valid port

  • level

    • Minimum alert level of the alerts to be forwarded.

    • Allowed: 1 - 16

  • group

    • Alerts belonging to this group will be forwarded.

    • Allowed: Any valid group. Separate multiple groups with the pipe (|) character.

    • Examples:

    <group>syscheck</group>
    <group>authentication_failure|authentication_success</group>
    

  • rule_id

    • Alerts matching this rule_id will be forwarded.

    • Allowed: Any valid rule_id

  • location

    • Alerts from this location will be forwarded.

    • Allowed: Any valid logfile location

  • use_fqdn

    Added in version 2.9.0.

    • By default, ossec truncates the hostname at the first period (‘.’) when generating syslog messages. Setting this option to ‘yes’ will cause it to use the full hostname configured on the server.

    • Default no

    • Allowed yes, no

  • format

    • Format of alert output. The default format is “default”, or full syslog output.

    • CEF is the ArcSight Common Event Format.

    • json can be used with a variety of tools.

    • The splunk option is for sending data to a Splunk server.

    • Allowed default, cef, splunk, json

    • Example:

    <syslog_output>
              <server>10.0.0.1</server>
              <port>514</port>
              <format>cef</format>
    </syslog_output>