XML section name
<syslog_output>
</syslog_output>
Configuration options for sending alerts to a syslog server.
server
The IP address or hostname of the syslog server.
Default value | n/a |
Allowed values | Any valid IP address or hostname |

port
The port to forward alerts to.
Default value | 514 |
Allowed values | Any valid port |

level
The minimum level of the alerts to be forwarded. Alerts at this level or higher are sent.
Default value | n/a |
Allowed values | Any level from 1 to 16 |

group
Rule group of the alerts to be forwarded.
Default value | n/a |
Allowed values | Any valid group. Separate multiple groups with the pipe ("|") character. |
Note
Each group must end with a comma. The filter is matched against the alert's comma-terminated group list (for example "pam,syslog,authentication_success,"), so a group written without its trailing comma also matches every group that merely starts with that text. Write <group>authentication_success,|syslog,</group>, not <group>authentication_success|syslog</group>.

rule_id
The rule_id of the alerts to be forwarded.
Default value | n/a |
Allowed values | Any valid rule_id |

location
The location field refers to the origin of the alert, which can be one of:
- syscheck
- rootcheck
- File path
- Command or its alias
- command_tag (wodle)
- aws-cloudtrail
- cis-cat
- vulnerability-detector
- syscollector
Default value | n/a |
Allowed values | Any valid location |

use_fqdn
Toggle between the full and the truncated hostname of the manager in generated syslog messages. By default, OSSEC truncates the hostname at the first period ('.'); set this to yes to send the fully qualified hostname.
Default value | no |
Allowed values | yes, no |

format
Format of alert output. When jsonout_output is enabled in the <global> section, the json format reads alerts from alerts.json instead of alerts.log.
Default value | default |
Allowed values | default | The standard alert text. |
 | cef | Outputs data in the ArcSight Common Event Format. |
 | splunk | Outputs data in a Splunk-friendly format. |
 | json | Outputs data in JSON format, which can be consumed by a variety of tools. |
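To check a configuration against the ranges listed above, and to see why the trailing comma in <group> matters, here is an added Python example. It is not Wazuh code and not part of the original page. It parses the <syslog_output> blocks from a constructed ossec.conf fragment, validates each option against the documented values, and models the group filter as '|'-separated alternatives, each matched as a substring of the alert's comma-terminated group list (a simplified model of csyslogd's matching, assumed here). The names validate_config, validate_block, group_matches and valid_server, the sample hostnames and the sample group list are the example's own.

```python
"""Added example, not Wazuh code: validate <syslog_output> blocks and preview
the effect of the <group> filter.  The group matching below is a simplified
model (assumption) of csyslogd: '|'-separated alternatives, each matched as a
substring of the alert's comma-terminated group list."""
import ipaddress
import re
import xml.etree.ElementTree as ET

FORMATS = {"default", "cef", "splunk", "json"}
# RFC 1123-style label check: letters, digits, hyphens; no leading/trailing hyphen.
HOSTNAME_RE = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*$")

# Constructed sample: block 0 follows the documented ranges, block 1 breaks four of them.
SAMPLE_CONF = """<ossec_config>
  <syslog_output>
    <server>192.168.1.3</server>
    <level>7</level>
    <group>authentication_failed,|syslog,</group>
    <format>json</format>
  </syslog_output>
  <syslog_output>
    <server>siem.example.internal</server>
    <port>70000</port>
    <level>20</level>
    <group>authentication</group>
    <format>xml</format>
  </syslog_output>
</ossec_config>"""


def valid_server(value: str) -> bool:
    """Accept an IPv4/IPv6 literal or a plausible DNS hostname."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return HOSTNAME_RE.match(value) is not None


def group_matches(pattern: str, alert_groups: str) -> bool:
    """Model of the <group> filter: any '|' alternative found as a substring
    of the alert's group list (e.g. "pam,syslog,authentication_success,")."""
    return any(alt in alert_groups for alt in pattern.split("|") if alt)


def validate_block(block: ET.Element) -> list:
    """Return a list of problems found in one <syslog_output> element."""
    problems = []
    server = (block.findtext("server") or "").strip()
    if not server:
        problems.append("server: missing")
    elif not valid_server(server):
        problems.append(f"server: {server!r} is neither an IP address nor a hostname")

    port = (block.findtext("port") or "514").strip()
    if not port.isdigit() or not 1 <= int(port) <= 65535:
        problems.append(f"port: {port!r} is not a valid port")

    level = block.findtext("level")
    if level is not None:
        level = level.strip()
        if not level.isdigit() or not 1 <= int(level) <= 16:
            problems.append(f"level: {level!r} must be between 1 and 16")

    fmt = (block.findtext("format") or "default").strip()
    if fmt not in FORMATS:
        problems.append(f"format: {fmt!r} is not one of {sorted(FORMATS)}")

    use_fqdn = (block.findtext("use_fqdn") or "no").strip()
    if use_fqdn not in ("yes", "no"):
        problems.append(f"use_fqdn: {use_fqdn!r} must be yes or no")

    rule_id = block.findtext("rule_id")
    if rule_id is not None and not all(r.strip().isdigit() for r in rule_id.split(",")):
        problems.append(f"rule_id: {rule_id!r} must be numeric")

    # The documented pitfall: a group alternative without its trailing comma is a
    # prefix match ("authentication" also selects authentication_failed, ...).
    group = block.findtext("group")
    if group is not None:
        for alt in group.split("|"):
            if alt and not alt.endswith(","):
                problems.append(f"group: {alt!r} must end with a comma")
    return problems


def validate_config(xml_text: str) -> dict:
    """Map each <syslog_output> block, by position, to its list of problems."""
    root = ET.fromstring(xml_text)
    return {i: validate_block(b) for i, b in enumerate(root.iter("syslog_output"))}


if __name__ == "__main__":
    for index, problems in validate_config(SAMPLE_CONF).items():
        print(f"syslog_output #{index}: {problems or 'ok'}")
    groups = "pam,syslog,authentication_failed,"  # constructed alert group list
    for pattern in ("authentication", "authentication,", "authentication_failed,|syslog,"):
        print(f"{pattern!r} matches {groups!r}: {group_matches(pattern, groups)}")
```

Run it as a script: the first block passes, the second reports the port, level, format and group problems, and the three group patterns show that "authentication" matches the authentication_failed alert while "authentication," does not.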
<syslog_output>
<server>192.168.1.3</server>
<level>7</level>
<format>json</format>
</syslog_output>
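A fuller configuration, as an added example that is not from the original page: two syslog_output blocks, each with its own destination, filter and format. csyslogd reads every syslog_output block in ossec.conf, so one block per destination is how alerts are fanned out to several collectors. The hostnames and the non-standard port are placeholders chosen for the example.

```xml
<!-- Added example, not from the original page -->
<ossec_config>
  <!-- All alerts of level 7 and above, as JSON, to a collector listening on 5140,
       with the manager's fully qualified hostname in each message -->
  <syslog_output>
    <server>192.168.1.3</server>
    <port>5140</port>
    <level>7</level>
    <format>json</format>
    <use_fqdn>yes</use_fqdn>
  </syslog_output>

  <!-- Only authentication alerts of level 5 and above, in CEF, to ArcSight.
       Every group ends with a comma so that "authentication_failed," does not
       also select groups that merely start with the same text -->
  <syslog_output>
    <server>arcsight.example.internal</server>
    <level>5</level>
    <group>authentication_failed,|authentication_success,</group>
    <format>cef</format>
  </syslog_output>
</ossec_config>
```

Restart the manager after editing ossec.conf so csyslogd picks up the new blocks, and confirm on each collector that messages arrive in the expected format before relying on the feed for detection.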