
#1 2012-12-31 13:06:34

Registered: 2011-08-10
Posts: 45

Installing OSSEC to read the journalctl log

I've installed OSSEC, but it is not properly reading my logs, most likely because it was made with the old-fashioned syslog in mind. There is a directive where I need to configure the log file (/var/ossec/etc/ossec.conf):


I changed this to:


To test if things are working, I activated the following rule in /var/ossec/rules/sshd_rules.xml:

   <rule id="5722" level="3">
     <match>Connection closed</match>
     <description>ssh connection closed.</description>
   </rule>

Then, I force this entry into the log:

logger Connection closed by user 123

Which properly appears in journalctl:

Dec 31 11:03:45 server user[2920]: Connection closed by user 123

However, no mail is sent.

Mail alerts are configured for level 1 (while testing), and other mail alerts (like OSSEC startup) do arrive.

I'd really rather not use the old logging method; I'm trying to move forward! Does anybody have any idea how to make OSSEC work with journalctl?
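Two things from the post are worth checking separately: whether OSSEC ever sees the journal entries at all (journald keeps a binary journal, so a file-tailing collector needs a classic syslog-style line to read), and whether the test line would satisfy the rule even if it did. The script below is an added example written for this thread, not OSSEC code and not the poster's configuration. It renders `journalctl -o json` records (real field names: `__REALTIME_TIMESTAMP`, `_HOSTNAME`, `SYSLOG_IDENTIFIER`, `_PID`, `MESSAGE`; the two sample records are constructed) into the `Mon DD HH:MM:SS host ident[pid]: msg` layout that `journalctl -o short` prints and OSSEC's decoders understand, then runs an OSSEC-style `<match>` check over them. The rule table is hypothetical; it keeps an optional program-name condition because OSSEC's shipped sshd rules fire only for lines decoded as `sshd`, and a line produced by `logger` carries the program name `user`, as in the journalctl output quoted above.

```python
"""Bridge journald JSON export into syslog-style lines and test OSSEC-style
<match> rules against them.  Added example for this thread; not OSSEC code.
Field names are those of `journalctl -o json`; sample records are constructed."""
import json
from datetime import datetime, timezone

# Constructed sample in the shape `journalctl -o json` emits (one object per line).
# The first record mirrors the thread's `logger` test line; the second is an sshd line.
SAMPLE_JOURNAL_JSON = "\n".join([
    json.dumps({"__REALTIME_TIMESTAMP": "1356951825000000", "_HOSTNAME": "server",
                "SYSLOG_IDENTIFIER": "user", "_PID": "2920",
                "MESSAGE": "Connection closed by user 123"}),
    json.dumps({"__REALTIME_TIMESTAMP": "1356951830000000", "_HOSTNAME": "server",
                "SYSLOG_IDENTIFIER": "sshd", "_PID": "3001",
                "MESSAGE": "Connection closed by 192.0.2.10"}),
])

# Hypothetical rule table: (id, level, required program_name or None, <match> pattern).
RULES = [
    (5722, 3, "sshd", "Connection closed"),
]


def journal_to_syslog(json_lines):
    """Render journal records as 'Mon DD HH:MM:SS host ident[pid]: msg', the classic
    syslog line OSSEC's decoders parse (same layout as `journalctl -o short`).
    Timestamps are rendered in UTC here."""
    lines = []
    for raw in json_lines.splitlines():
        if not raw.strip():
            continue
        rec = json.loads(raw)
        usec = int(rec["__REALTIME_TIMESTAMP"])
        ts = datetime.fromtimestamp(usec / 1_000_000, tz=timezone.utc)
        stamp = f"{ts:%b} {ts.day:2d} {ts:%H:%M:%S}"   # syslog space-pads the day
        ident = rec.get("SYSLOG_IDENTIFIER", "unknown")
        pid = f"[{rec['_PID']}]" if "_PID" in rec else ""
        lines.append(f"{stamp} {rec['_HOSTNAME']} {ident}{pid}: {rec['MESSAGE']}")
    return lines


def parse_syslog(line):
    """Split a syslog line into (program_name, message) as a decoder would."""
    header, _, message = line.partition(": ")
    ident = header.split()[-1]            # e.g. 'user[2920]'
    program = ident.split("[", 1)[0]      # -> 'user'
    return program, message


def ossec_match(pattern, text):
    """OSSEC <match> semantics: '|' separates alternatives, each a literal
    substring; a leading '^' anchors at the start, a trailing '$' at the end."""
    for alt in pattern.split("|"):
        head, tail = alt.startswith("^"), alt.endswith("$")
        start = 1 if head else 0
        end = len(alt) - 1 if tail else len(alt)
        lit = alt[start:end]
        if head and tail:
            ok = text == lit
        elif head:
            ok = text.startswith(lit)
        elif tail:
            ok = text.endswith(lit)
        else:
            ok = lit in text
        if ok:
            return True
    return False


def fire_rules(lines, rules=RULES):
    """Return (rule_id, line) for every line a rule would alert on."""
    hits = []
    for line in lines:
        program, message = parse_syslog(line)
        for rule_id, _level, program_name, pattern in rules:
            if program_name and program != program_name:
                continue              # wrong decoder/program: rule never reached
            if ossec_match(pattern, message):
                hits.append((rule_id, line))
    return hits


if __name__ == "__main__":
    syslog_lines = journal_to_syslog(SAMPLE_JOURNAL_JSON)
    for line in syslog_lines:
        print(line)
    print(fire_rules(syslog_lines))
```

Run as-is, the `logger` line is rendered exactly as the journalctl output quoted in the post but produces no hit, while the `sshd` line does; that separates "the pattern matches" from "the rule is reached" before looking at mail delivery.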

