Configuring syslog output

Wazuh may be configured to send alerts to syslog as follows:

Configuration

Syslog output is configured in the ossec.conf file. All of the available options are detailed in Syslog output.

<ossec_config>
  <syslog_output>
    <level>9</level>
    <server>192.168.1.241</server>
  </syslog_output>

  <syslog_output>
    <server>192.168.1.240</server>
  </syslog_output>
</ossec_config>

The above configuration will send alerts to 192.168.1.240 and, if the alert level is higher than 9, also to 192.168.1.241.

After the configuration of the ossec.conf file, the client-syslog must be enabled, followed by a restart of Wazuh using the following command:

# /var/ossec/bin/ossec-control enable client-syslog
  1. For Systemd:
# systemctl restart wazuh-manager
  1. For SysV Init:
# service wazuh-manager restart