Configuring OSSEC
You can configure syslog for OSSEC on a stand-alone installation or management server:
- Use SSH to log in to your OSSEC device.
- Edit the OSSEC configuration ossec.conf file.
<installation directory>/ossec/etc/ossec.conf
- Add the following syslog configuration:
Note: Add the syslog configuration after the alerts entry and before the localfile entry, so that the file reads:
</alerts>
<syslog_output>
  <server>(QRadar IP Address)</server>
  <port>514</port>
</syslog_output>
<localfile>
For example, to forward alerts to a JSA console at 10.100.100.2:
<syslog_output>
  <server>10.100.100.2</server>
  <port>514</port>
</syslog_output>
- Save the OSSEC configuration file.
- Type the following command to enable the syslog daemon:
<installation directory>/ossec/bin/ossec-control enable client-syslog
- Type the following command to restart OSSEC so that the syslog daemon starts with the new configuration:
<installation directory>/ossec/bin/ossec-control restart
The configuration is complete. The log source is added to JSA automatically when the first OSSEC events are discovered. Events that OSSEC forwards to JSA are displayed on the Log Activity tab of JSA.
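The placement rule above (syslog_output after the alerts entry and before the localfile entry) is easy to get wrong when editing by hand. The following added example, which is not part of this guide or of OSSEC, inserts the block into the configuration text only once, validates the server address and port, and checks the ordering; the ossec.conf excerpt is a constructed sample, and the function names are the example's own.

```python
import ipaddress

# Constructed minimal ossec.conf excerpt (sample input, not a real file).
SAMPLE_CONF = """<ossec_config>
  <global>
    <email_notification>no</email_notification>
  </global>
  <alerts>
    <log_alert_level>1</log_alert_level>
  </alerts>
  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/messages</location>
  </localfile>
</ossec_config>
"""


def syslog_output_block(server, port=514):
    """Build the <syslog_output> element the guide describes, validating the inputs."""
    ipaddress.ip_address(server)  # raises ValueError on a malformed address
    if not 1 <= int(port) <= 65535:
        raise ValueError("port out of range")
    return (f"  <syslog_output>\n    <server>{server}</server>\n"
            f"    <port>{port}</port>\n  </syslog_output>\n")


def add_syslog_output(conf, server, port=514):
    """Insert the block directly after </alerts>, unless one is already present."""
    if "<syslog_output>" in conf:
        return conf  # idempotent: never add a second forwarding target by accident
    head, sep, tail = conf.partition("</alerts>\n")
    if not sep:
        raise ValueError("no <alerts> section found; cannot place syslog_output")
    return head + sep + syslog_output_block(server, port) + tail


def placement_ok(conf):
    """Check the ordering the guide requires: </alerts> < <syslog_output> < <localfile>."""
    a, s, l = (conf.find(t) for t in ("</alerts>", "<syslog_output>", "<localfile>"))
    return -1 < a < s < l


if __name__ == "__main__":
    patched = add_syslog_output(SAMPLE_CONF, "10.100.100.2")
    print(patched, "placement ok:", placement_ok(patched))
```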