syslog_output
Configuration options for sending alerts to a syslog server.
Options
server
The IP Address or hostname of the syslog server.
Default value |
n/a |
Allowed values |
Any valid IP address |
port
The port to forward alerts to.
Default value |
514 |
Allowed values |
Any valid port |
level
The minimum level of the alerts to be forwarded.
Default value |
n/a |
Allowed values |
Any level from 1 to 16 |
group
Rule group of the alerts to be forwarded.
Default value |
n/a |
Allowed values |
Any valid group. Separate multiple groups with the pipe ("|") character. |
Note
Observe that all groups must be finished by comma.
rule_id
The rule_id of the alerts to be forwarded.
Default value |
n/a |
Allowed values |
Any valid rule_id |
location
The location field refers to the origin of the alert, that it could be:
syscheck
rootcheck
File path
Command or its alias
command_tag (wodle)
aws-cloudtrail
cis-cat
vulnerability-detector
syscollector
Default value |
n/a |
Allowed values |
Any valid location |
use_fqdn
Toggle for full or truncated hostname configured on the server. By default, ossec truncates the hostname at the first period ('.') when generating syslog messages.
Default value |
no |
Allowed values |
yes, no |
format
Format of alert output. When jsonout_output
in global section is enabled, alerts are read from alerts.json instead of alerts.log for JSON format.
Default value |
default |
|
Allowed values |
default |
|
cef |
will output data in the ArcSight Common Event Format. |
|
splunk |
will output data in a Splunk-friendly format. |
|
json |
will output data in the JSON format that can be consumed by a variety of tools. |
Example of configuration
<syslog_output>
<server>192.168.1.3</server>
<level>7</level>
<format>json</format>
</syslog_output>