syslog configuration
Closed this issue · 1 comment
zmarkovic66 commented
Hi,
I am trying to configure log event forwarding via syslog to a remote server. I followed your instructions and changed the dcept.cfg file by:
- uncommenting the syslog_host entry and replacing it with the IP address of the remote syslog server.
- re-building dcept after that by running docker_build.sh
Unfortunately I don't see any syslog message passed to the remote server. I confirmed that by running tcpdump on both servers. Is there anything else that I missed configuring?
The dcept server is running CentOS 7 and rsyslog.
thanks,
jamesscwx commented
Currently, DCEPT only sends syslog messages for two reasons:
- A slave node fails to establish an HTTP connection to the master node
- An alert was triggered by using one of the generated credentials
You won't see a syslog message unless there's an error or a security event. You can trigger an event by replaying the example.pcap against the DCEPT interface.
tcpreplay -i <dcept-interface> example.pcap
The next update will have a startup syslog message or a heartbeat.
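Since DCEPT stays silent until an error or a credential-use alert, a quick way to confirm that the syslog_host path itself works before waiting for an event is to push one RFC 3164 message down it and check it arrives. The script below is an added example, not part of the DCEPT project; it assumes the remote collector accepts RFC 3164 over UDP/514 (the facility, tag and port are my assumptions, not values from dcept.cfg).

```python
"""Smoke-test the syslog path from the DCEPT host to syslog_host (RFC 3164 over UDP)."""
import socket
from datetime import datetime

LOCAL0 = 16      # facility for the test message (assumption, not DCEPT's own choice)
SEV_ALERT = 1    # severity "alert", matching what a credential-use event would warrant


def build_syslog(facility, severity, host, tag, msg, ts=None):
    """Build one RFC 3164 line: <PRI>Mmm dd HH:MM:SS host tag: msg, as bytes."""
    pri = facility * 8 + severity
    stamp = (ts or datetime.now()).strftime("%b %d %H:%M:%S")
    return f"<{pri}>{stamp} {host} {tag}: {msg}".encode()


def parse_syslog(data):
    """Parse PRI/facility/severity/host/tag/msg back out; ValueError if malformed."""
    text = data.decode(errors="replace")
    if not text.startswith("<") or ">" not in text:
        raise ValueError("missing PRI")
    pri_str, rest = text[1:].split(">", 1)
    pri = int(pri_str)
    stamp, remainder = rest[:15], rest[16:]   # timestamp is fixed-width 15 chars
    parts = remainder.split(" ", 1)
    if len(parts) != 2 or ": " not in parts[1]:
        raise ValueError("missing host or tag")
    host, (tag, msg) = parts[0], parts[1].split(": ", 1)
    return {"pri": pri, "facility": pri // 8, "severity": pri % 8,
            "timestamp": stamp, "host": host, "tag": tag, "msg": msg}


def send_test(host, port=514):
    """Send one test message to syslog_host; returns the bytes sent so they can be matched."""
    payload = build_syslog(LOCAL0, SEV_ALERT, socket.gethostname(),
                           "dcept-smoketest", "syslog path check")
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as tx:
        tx.sendto(payload, (host, port))
    return payload


def loopback_check():
    """Self-test on 127.0.0.1: bind a throwaway listener, send to it, parse what arrives."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as rx:
        rx.bind(("127.0.0.1", 0))
        rx.settimeout(2.0)
        sent = send_test("127.0.0.1", rx.getsockname()[1])
        data, _ = rx.recvfrom(2048)
    if data != sent:
        raise RuntimeError("received message differs from what was sent")
    return parse_syslog(data)
```

Run `send_test("<syslog_host>")` on the DCEPT box while tcpdump or the collector watches the remote side; a message that shows up there but no DCEPT events later means the path is fine and DCEPT simply has nothing to report yet.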