syslog_output¶
XML section name
<syslog_output>
</syslog_output>
Configuration options for sending alerts to a syslog server.
Options¶
level¶
The minimum level of the alerts to be forwarded.
Default value |
n/a |
Allowed values |
Any level from 1 to 16 |
group¶
Group of the alerts to be forwarded.
Default value |
n/a |
Allowed values |
Any valid group. Separate multiple groups with the pipe (“|”) character. |
Note
Observe that all groups must be finished by comma.
rule_id¶
The rule_id of the alerts to be forwarded.
Default value |
n/a |
Allowed values |
Any valid rule_id |
location¶
The location field refers to the origin of the alert, that it could be:
syscheck
rootcheck
File path
Command or its alias
command_tag (wodle)
aws-cloudtrail
cis-cat
vulnerability-detector
syscollector
Default value |
n/a |
Allowed values |
Any valid location |
use_fqdn¶
Toggle for full or truncated hostname configured on the server. By default, ossec truncates the hostname at the first period (‘.’) when generating syslog messages.
Default value |
no |
Allowed values |
yes, no |
format¶
Format of alert output. When jsonout_output
in global section is enabled, alerts are read from alerts.json instead of alerts.log for JSON format.
Default value |
default |
|
Allowed values |
default |
|
cef |
will output data in the ArcSight Common Event Format. |
|
splunk |
will output data in a Splunk-friendly format. |
|
json |
will output data in the JSON format that can be consumed by a variety of tools. |
Example of configuration¶
<syslog_output>
<server>192.168.1.3</server>
<level>7</level>
<format>json</format>
</syslog_output>