ospatrol.conf: Syslog Output options
Overview
Supported types
Syslog Output options are available in the following installation types:
- server
- local
Location
All syslog_output options must be configured in /var/ospatrol/etc/ospatrol.conf and used within the <ospatrol_config> tag.
XML excerpt to show location:
<ospatrol_config>
  <syslog_output>
    <!--
      Syslog Output options here
    -->
  </syslog_output>
</ospatrol_config>
Options
- syslog_output
  - server
    - IP address of the syslog server.
    - Allowed: any valid IP address
  - port
    - Port to forward alerts to.
    - Default: 514
    - Allowed: any valid port
  - level
    - Alert level of the alerts to forward.
    - Allowed: 1 - 16
  - group
    - Alerts belonging to this group will be forwarded.
    - Allowed: any valid group. Separate multiple groups with the pipe (|) character.
    - Examples:
      <group>syscheck</group>
      <group>authentication_failure|authentication_success</group>
  - rule_id
    - Alerts matching this rule_id will be forwarded.
    - Allowed: any valid rule_id
  - location
    - Alerts from this location will be forwarded.
    - Allowed: any valid logfile location
  - format
    - Format of alert output. The default format is "default", which is full syslog output.
    - cef is the ArcSight Common Event Format.
    - json can be used with a variety of tools.
    - The splunk option is for sending data to a Splunk server.
    - Allowed: default, cef, splunk, json
    - Example:
      <syslog_output>
        <server>10.0.0.1</server>
        <port>514</port>
        <format>cef</format>
      </syslog_output>
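A forwarding block with a bad server address, an out-of-range level or a misspelled format silently drops alerts the SIEM was supposed to receive. The following script, added here as an example and not part of ospatrol itself, parses the <syslog_output> blocks of an ospatrol.conf-style file and checks each option against the constraints documented above (server must be an IP address, port 1 to 65535 defaulting to 514, level 1 to 16, non-empty pipe-separated groups, format one of default, cef, splunk, json). The rule: treat rule_id as numeric is an assumption, as is the constructed sample config at the bottom.

```python
"""Validate <syslog_output> blocks in an ospatrol.conf-style XML file.

Added example, not ospatrol's own code: checks each block against the
documented option constraints and returns the problems found.
"""
import ipaddress
import xml.etree.ElementTree as ET

ALLOWED_FORMATS = {"default", "cef", "splunk", "json"}
DEFAULT_PORT = 514  # documented default for <port>


def _text(elem, name):
    """Return the stripped text of child <name>, or None if absent."""
    child = elem.find(name)
    if child is None or child.text is None:
        return None
    return child.text.strip()


def validate_syslog_output(block, index=0):
    """Return a list of error strings for one <syslog_output> element."""
    errors = []
    where = f"syslog_output[{index}]"

    server = _text(block, "server")
    if server is None:
        errors.append(f"{where}: <server> is required")
    else:
        try:
            ipaddress.ip_address(server)  # allowed: any valid IP address
        except ValueError:
            errors.append(f"{where}: <server> {server!r} is not a valid IP address")

    port = _text(block, "port")
    if port is not None and (not port.isdigit() or not 1 <= int(port) <= 65535):
        errors.append(f"{where}: <port> {port!r} is not a valid port")

    level = _text(block, "level")
    if level is not None and (not level.isdigit() or not 1 <= int(level) <= 16):
        errors.append(f"{where}: <level> {level!r} must be between 1 and 16")

    group = _text(block, "group")
    if group is not None and any(not g.strip() for g in group.split("|")):
        errors.append(f"{where}: <group> {group!r} has an empty pipe-separated entry")

    rule_id = _text(block, "rule_id")
    # Assumption: rule ids are numeric; the page only says "any valid rule_id".
    if rule_id is not None and not rule_id.isdigit():
        errors.append(f"{where}: <rule_id> {rule_id!r} is not numeric")

    fmt = _text(block, "format")
    if fmt is not None and fmt not in ALLOWED_FORMATS:
        errors.append(f"{where}: <format> {fmt!r} not in {sorted(ALLOWED_FORMATS)}")

    return errors


def validate_config(xml_text):
    """Validate every <syslog_output> under <ospatrol_config>; return errors."""
    root = ET.fromstring(xml_text)
    if root.tag != "ospatrol_config":
        return [f"root element is <{root.tag}>, expected <ospatrol_config>"]
    blocks = root.findall("syslog_output")
    if not blocks:
        return ["no <syslog_output> block found"]
    errors = []
    for i, block in enumerate(blocks):
        errors.extend(validate_syslog_output(block, i))
    return errors


def effective_settings(xml_text, index=0):
    """Return what block <index> resolves to once documented defaults apply."""
    block = ET.fromstring(xml_text).findall("syslog_output")[index]
    return {
        "server": _text(block, "server"),
        "port": int(_text(block, "port") or DEFAULT_PORT),
        "format": _text(block, "format") or "default",
    }


# Constructed sample: one correct block and one block with several errors.
SAMPLE_CONFIG = """<ospatrol_config>
  <syslog_output>
    <server>10.0.0.1</server>
    <port>514</port>
    <format>cef</format>
  </syslog_output>
  <syslog_output>
    <server>siem.example</server>
    <port>70000</port>
    <level>17</level>
    <group>syscheck||authentication_failure</group>
    <format>leef</format>
  </syslog_output>
</ospatrol_config>
"""

if __name__ == "__main__":
    for problem in validate_config(SAMPLE_CONFIG):
        print(problem)
```

Run it against the real file with `validate_config(open("/var/ospatrol/etc/ospatrol.conf").read())` before restarting the service; the second sample block produces one error per bad option, and `effective_settings` shows which port and format a block actually uses when those tags are omitted.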