Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

 

Configuring OSSEC

 

You can configure syslog for OSSEC on a stand-alone installation or management server:

  1. Use SSH to log in to your OSSEC device.
  2. Edit the OSSEC configuration ossec.conf file.

    <installation directory>/ossec/etc/ossec.conf

  3. Add the following syslog configuration:Note

    Add the syslog configuration after the alerts entry and before the localfile entry.

    </alerts>

    <syslog_output> <server>(QRadar IP Address)</server> <port>514</port> </syslog_output>

    <localfile>

    For example,

    <syslog_output> <server>10.100.100.2</server> <port>514</port> </syslog_output>

  4. Save the OSSEC configuration file.
  5. Type the following command to enable the syslog daemon:

    <installation directory>/ossec/bin/ossec-control enable client-syslog

  6. Type the following command to restart the syslog daemon:

    <installation directory>/ossec/bin/ossec-control restart

    The configuration is complete. The log source is added to JSA as OSSEC events are automatically discovered. Events that are forwarded to JSA by OSSEC are displayed on the Log Activity tab of JSA.