syslog_output

XML section name

<syslog_output>
</syslog_output>

Configuration options for sending alerts to a syslog server.

Options

server

The IP Address or hostname of the syslog server.

Default value n/a
Allowed values Any valid IP address

port

The port to forward alerts to.

Default value 514
Allowed values Any valid port

level

The minimum level of the alerts to be forwarded.

Default value n/a
Allowed values Any level from 1 to 16

group

Rule group of the alerts to be forwarded.

Default value n/a
Allowed values Any valid group. Separate multiple groups with the pipe ("|") character.

Note

Note that every group name must end with a comma.

rule_id

The rule_id of the alerts to be forwarded.

Default value n/a
Allowed values Any valid rule_id

location

The location field refers to the origin of the alert, which can be one of:

  • syscheck
  • rootcheck
  • File path
  • Command or its alias
  • command_tag (wodle)
  • aws-cloudtrail
  • cis-cat
  • vulnerability-detector
  • syscollector

Default value n/a
Allowed values Any valid location

use_fqdn

Toggle for full or truncated hostname configured on the server. By default, ossec truncates the hostname at the first period ('.') when generating syslog messages.

Default value no
Allowed values yes, no

format

Format of the alert output. When jsonout_output in the <global> section is enabled, alerts are read from alerts.json instead of alerts.log for the JSON format.

Default value default
Allowed values
  • default
  • cef: will output data in the ArcSight Common Event Format.
  • splunk: will output data in a Splunk-friendly format.
  • json: will output data in the JSON format that can be consumed by a variety of tools.

Example of configuration

<syslog_output>
  <server>192.168.1.3</server>
  <level>7</level>
  <format>json</format>
</syslog_output>
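A small validator for a <syslog_output> block, added here as an example and not part of Wazuh's own code: it parses the XML and checks the constraints listed above (server required, port range, level 1 to 16, comma-terminated group names, known format values). It assumes the server value may be either an IP address or a hostname, as the description states, and the two sample blocks are constructed for illustration.

```python
import xml.etree.ElementTree as ET

ALLOWED_FORMATS = {"default", "cef", "splunk", "json"}

# Constructed samples: one valid block, one that breaks several documented rules.
SAMPLE_OK = """<syslog_output>
  <server>192.168.1.3</server>
  <level>7</level>
  <group>syscheck,|authentication_success,</group>
  <format>json</format>
</syslog_output>"""

SAMPLE_BAD = """<syslog_output>
  <port>70000</port>
  <level>20</level>
  <group>syscheck</group>
  <format>xml</format>
</syslog_output>"""


def validate_syslog_output(xml_text: str) -> list:
    """Return the list of problems found; an empty list means the block is valid."""
    root = ET.fromstring(xml_text)
    if root.tag != "syslog_output":
        return [f"unexpected root element <{root.tag}>"]
    opt = {child.tag: (child.text or "").strip() for child in root}
    problems = []
    # server has no default, so it must be present (IP address or hostname).
    if not opt.get("server"):
        problems.append("server is required (it has no default value)")
    # port defaults to 514; otherwise it must be a valid port number.
    port = opt.get("port", "514")
    if not port.isdigit() or not 1 <= int(port) <= 65535:
        problems.append(f"port {port!r} is not a valid port")
    # level is optional, but when given it must be between 1 and 16.
    if "level" in opt and not (opt["level"].isdigit() and 1 <= int(opt["level"]) <= 16):
        problems.append(f"level {opt['level']!r} is not in the range 1 to 16")
    # group is pipe-separated and every group name must end with a comma.
    for g in opt.get("group", "").split("|") if "group" in opt else []:
        if not g.endswith(","):
            problems.append(f"group {g!r} must end with a comma")
    # format must be one of the four documented output formats.
    if opt.get("format", "default") not in ALLOWED_FORMATS:
        problems.append(f"format {opt['format']!r} is not one of {sorted(ALLOWED_FORMATS)}")
    return problems
```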