On 05/01/2012 02:14 AM, dan (ddp) wrote:

On Apr 30, 2012 4:11 PM, "carlopmart" <carlopm...@gmail.com> wrote:
 >
 > Hi all,
 >
 >  I have several problems with the ossec-remoted process and ossec's
remote syslog options. My ossec server is configured to receive syslog
messages via a tcp port.
 >
 >  The problem is the amount of syslog messages that ossec can receive;
it does not seem to be many.
 >
 >  Configuration is:
 >
 >  syslog forwarder --------> ossec-remote process...
 >

What are you using as your "forwarder?"

An rsyslog instance ..


 >  Using this configuration, ossec doesn't trigger alerts because it
groups these alerts (sometimes three or four messages in the same alert and

What does this mean? If multiple alerts are grouped together in an
alert, an alert is triggered.

sometimes more). As you can see, some alerts work and others do not ...
 >

I can't see, no examples were provided.

For example this:

<166>May 1 02:08:29 10.196.0.36 checkpoint_logs: 1May2012 2:02:24 accept 10.196.0.1 >Lan2 rule: 5; rule_uid: {DA57B632-3A1F-49B8-920A-64C8729D17E6}; src: 10.201.248.12; dst: 10.196.0.15; proto: tcp; product: VPN-1 & FireWall-1; service: 80; s_port: 2039; <166>May 1 02:08:29 10.196.0.36 checkpoint_logs: 1May2012 2:02:24 accept 10.196.0.1 >Lan2 inzone: Internal; outzone: Internal; rule: 25; rule_uid: {8348FCBF-8DA1-4486-83AC-8CCFDF29DFE7}; service_id: icmp-proto; ICMP: Echo Request; src: 192.168.201.20; dst: 10.201.27.102; proto: icmp; ICMP Type: 8; ICMP Code: 0; product: VPN-1 & FireWall-1; <166>May 1 02:03:32 10.196.0.36 checkpoint_logs: 1May2012 1:57:26 drop 10.196.0.1 >bond0.30 src: 192.168.1.210; dst: 10.133.3.10; proto: udp; message_info: Address spoofing; product: VPN-1 & FireWall-1; service: 123; s_port: 123; <166>May 1 02:03:32 10.196.0.36 checkpoint_logs: 1May2012 1:57:26 accept 10.196.0.1 >bond0.405 rule: 55; rule_uid: {D9A1177A-CA96-4DC5-88DA-07D7A226A522}; service_id: http; src: 10.201.27.101; dst: 192.168.60.170; proto: tcp; product: VPN-1 & FireWall-1; service: 80; s_port: 3822; <166>May 1 02:03:32 10.196.0.36 checkpoint_logs: 1May2012 1:57:26 accept 10.196.0.1 >bond0.405 rule: 55; rule_uid: {D9A1177A-CA96-4DC5-88DA-07D7A226A522}; service_id: http; src: 10.201.27.104; dst: 192.168.68.167; proto: tcp; product: VPN-1 & FireWall-1; service: 80; s_port: 1658; <166>May 1 02:03:32 10.196.0.36 checkpoint_logs: 1May2012 1:57:27 accept 10.196.0.1 >Lan2 inzone: Internal; outzone: Internal; rule: 40; rule_uid: {50FC50FB-176C-4B18-B1F3-31786EC4A01A}; service_id: domain-udp; src: 192.168.44.11; dst: 10.196.0.67; proto: udp; product: VPN-1 & FireWall-1; service: 53; s_port: 62102;

I have defined a rule to trigger an alert when "Address spoofing" appears in message_info ... In this case, the alert was not triggered ...


 >  Changing to udp, ossec loses a lot of messages ...
 >
 >  Another option I've tried is to use a third server that redirects
all messages to a text file in syslog format. It was the worst solution:
ossec reads messages two hours late ...
 >
 >  Then, what is the solution? Is it not possible to use the remote syslog
option in production environments?
 >
 > Thanks.
 > --
 > CL Martinez
 > carlopmart {at} gmail {d0t} com



--
CL Martinez
carlopmart {at} gmail {d0t} com
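The sample quoted above shows the symptom in the data itself: six Checkpoint records arrive as a single buffer, separated only by their `<PRI>` syslog headers, with no newline between them. A line-oriented reader sees one event, and a decoder that expects one `message_info` field per event never gets to the `Address spoofing` record. The following is an added example, not OSSEC's code and not code from the poster: it splits a buffer on `<PRI>` boundaries instead of newlines, parses the Checkpoint `key: value;` body, and runs the detection the poster describes over the records. The field layout is assumed from the records quoted above only, and `SAMPLE` is a constructed buffer modelled on three of them.

```python
import re

# Constructed sample, modelled on three of the records quoted in the post:
# several <PRI>-headed records back to back on one "line", no newline framing.
SAMPLE = (
    "<166>May 1 02:08:29 10.196.0.36 checkpoint_logs: 1May2012 2:02:24 accept 10.196.0.1 >Lan2 rule: 5; "
    "rule_uid: {DA57B632-3A1F-49B8-920A-64C8729D17E6}; src: 10.201.248.12; dst: 10.196.0.15; proto: tcp; "
    "product: VPN-1 & FireWall-1; service: 80; s_port: 2039; "
    "<166>May 1 02:03:32 10.196.0.36 checkpoint_logs: 1May2012 1:57:26 drop 10.196.0.1 >bond0.30 "
    "src: 192.168.1.210; dst: 10.133.3.10; proto: udp; message_info: Address spoofing; "
    "product: VPN-1 & FireWall-1; service: 123; s_port: 123; "
    "<166>May 1 02:03:32 10.196.0.36 checkpoint_logs: 1May2012 1:57:27 accept 10.196.0.1 >Lan2 inzone: Internal; "
    "outzone: Internal; rule: 40; rule_uid: {50FC50FB-176C-4B18-B1F3-31786EC4A01A}; service_id: domain-udp; "
    "src: 192.168.44.11; dst: 10.196.0.67; proto: udp; product: VPN-1 & FireWall-1; service: 53; s_port: 62102;"
)

# A record boundary is the next "<PRI>" header, so split on a lookahead for it
# rather than on '\n' (which is absent in the buffer).
PRI_BOUNDARY = re.compile(r'(?=<\d{1,3}>)')

# Assumed layout, taken from the quoted records:
# <PRI>Mon D HH:MM:SS host tag: DMonYYYY H:MM:SS action gateway >iface key: value; key: value; ...
HEADER = re.compile(
    r'^<(?P<pri>\d{1,3})>'
    r'(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) '
    r'(?P<host>\S+) '
    r'(?P<tag>[^:]+): '
    r'(?P<cp_ts>\S+ \S+) '
    r'(?P<action>\w+) '
    r'(?P<gateway>\S+) >'
    r'(?P<iface>\S+) '
    r'(?P<body>.*)$'
)


def split_records(buf):
    """Split a concatenated syslog buffer into individual <PRI>-headed records."""
    return [part.strip() for part in PRI_BOUNDARY.split(buf) if part.strip()]


def facility_severity(pri):
    """Decode the syslog PRI value: facility = PRI // 8, severity = PRI % 8."""
    return pri // 8, pri % 8


def parse_record(rec):
    """Parse one Checkpoint record into header fields plus a dict of 'key: value;' pairs.

    Returns None for a record that does not match the assumed layout, so a
    caller can count unparsed records instead of silently dropping them.
    """
    m = HEADER.match(rec)
    if not m:
        return None
    out = m.groupdict()
    body = out.pop('body')
    fields = {}
    for item in body.split(';'):
        item = item.strip()
        if not item:
            continue
        key, sep, val = item.partition(':')   # values like "VPN-1 & FireWall-1" contain no ':'
        if sep:
            fields[key.strip()] = val.strip()
    out['pri'] = int(out['pri'])
    out['facility'], out['severity'] = facility_severity(out['pri'])
    out['fields'] = fields
    return out


def find_spoofing(buf):
    """Detection from the post: records whose message_info mentions address spoofing."""
    hits = []
    for rec in split_records(buf):
        parsed = parse_record(rec)
        if parsed and 'spoofing' in parsed['fields'].get('message_info', '').lower():
            hits.append(parsed)
    return hits


if __name__ == '__main__':
    print('newline-framed records seen:', len(SAMPLE.splitlines()))
    print('<PRI>-framed records seen:  ', len(split_records(SAMPLE)))
    for hit in find_spoofing(SAMPLE):
        f = hit['fields']
        print(f"{hit['ts']} {hit['action']} {f['src']} -> {f['dst']} on {hit['iface']}: {f['message_info']}")
```

Run stand-alone it reports one newline-framed record against three `<PRI>`-framed ones, and the `drop` record with `message_info: Address spoofing` is the only hit. The same check on the original, unsplit buffer would be keyed to the first record's fields (`accept`, rule 5), which is the situation the poster describes when several messages land in one alert.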
