Hi, can you verify that the port is open?

[root@wazuh-manager /]# netstat -tuna | grep 514
udp        0      0 0.0.0.0:514             0.0.0.0:*

The Symantec IP is allowed in ossec.conf, right?



Regards
-----------------------
Jose Luis Ruiz
Wazuh Inc.
j...@wazuh.com

On March 14, 2017 at 12:44:07 PM, ehollis3...@gmail.com (
ehollis3...@gmail.com) wrote:

It's very strange... I have already enabled syslog over 514 from our
Symantec server to the OSSEC server, and I see the logs coming into our
ELSA instance, but I have grep'd our syslog files, OSSEC archive and OSSEC
alerts files and do not see the log anywhere on the server... Where should
these logs be written when being sent to the server? I've checked all
gzipped files in /var/log/ as well as all files in /var/ossec/logs/archive/
and /var/ossec/logs/alerts/

On Tuesday, March 14, 2017 at 11:44:36 AM UTC-4, jose wrote:
>
> Hello,
>
> In order to permit OSSEC to receive your Symantec syslog messages, you need
> to enable this in the configuration:
>
> Listen in port 514:
>
> <ossec_config>
>   <remote>
>     <connection>syslog</connection>
>     <allowed-ips>Symantec AV ip</allowed-ips>
>   </remote>
> </ossec_config>
>
> Then you need to restart OSSEC:
>
> /var/ossec/bin/ossec-control restart
>
> If after these changes you are still not receiving alerts, enable logall
> in ossec.conf (<logall>yes</logall>) and take a look at the file
> "/var/ossec/logs/archives/archives.log". If the logs are in this file
> but not in your alerts, probably the decoders or rules have something wrong.
>
>
> Regards
> -----------------------
> Jose Luis Ruiz
> Wazuh Inc.
> jo...@wazuh.com
>
> On March 14, 2017 at 10:57:55 AM, eholl...@gmail.com (eholl...@gmail.com)
> wrote:
>
> Hello All,
>
> I have pointed my Symantec AV logs to our OSSEC server via syslog over
> port 514. I am seeing the logs come into ELSA, but not as OSSEC alerts. I
> have created a custom decoder and parser, and can confirm that it is
> working:
>
> **Phase 2: Completed decoding.
>        decoder: 'Symantec'
>
> **Phase 3: Completed filtering (rules).
>        Rule id: '100006'
>        Level: '7'
>        Description: 'Symantec: virus found'
> **Alert to be generated.
>
> Do I need to point OSSEC to monitor the incoming syslog so that it can
> alert on it? Again, I am seeing the straight syslog coming into ELSA, but
> no OSSEC alert appears to be generated.
>
> Thanks
> --
>
> ---
> You received this message because you are subscribed to the Google Groups
> "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to ossec-list+...@googlegroups.com.
> For more options, visit https://groups.google.com/d/optout.
>
>

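As an added example (not code from this thread or from the OSSEC project): a small Python check that reads the <remote> and <logall> settings discussed above and tells you whether a given forwarding host's IP would be accepted by the syslog listener. The ossec.conf fragment and the IP addresses are constructed; 192.0.2.10 stands in for the Symantec server.

```python
# Added example: check an OSSEC/Wazuh manager's syslog <remote> block and
# <logall> setting against a forwarding host's IP (constructed sample config).
import ipaddress
import xml.etree.ElementTree as ET

# Constructed ossec.conf fragment; 192.0.2.10 stands in for the Symantec server.
SAMPLE_OSSEC_CONF = """<ossec_config>
  <global>
    <logall>yes</logall>
  </global>
</ossec_config>
<ossec_config>
  <remote>
    <connection>syslog</connection>
    <port>514</port>
    <protocol>udp</protocol>
    <allowed-ips>192.0.2.10</allowed-ips>
    <allowed-ips>10.0.0.0/8</allowed-ips>
  </remote>
</ossec_config>"""


def _parse(conf_xml):
    # ossec.conf may contain several top-level <ossec_config> elements,
    # which is not well-formed XML, so wrap them in one synthetic root.
    return ET.fromstring("<root>" + conf_xml + "</root>")


def syslog_listeners(conf_xml):
    """One dict per <remote> block whose <connection> is syslog."""
    out = []
    for remote in _parse(conf_xml).iter("remote"):
        if (remote.findtext("connection") or "").strip() != "syslog":
            continue
        out.append({
            "port": int((remote.findtext("port") or "514").strip()),
            "protocol": (remote.findtext("protocol") or "udp").strip().lower(),
            "allowed": [(a.text or "").strip() for a in remote.findall("allowed-ips")],
        })
    return out


def sender_allowed(listener, sender_ip):
    """True if sender_ip matches an <allowed-ips> entry (host, CIDR or 'any')."""
    ip = ipaddress.ip_address(sender_ip)
    return any(e.lower() == "any" or ip in ipaddress.ip_network(e, strict=False)
               for e in listener["allowed"])


def logall_enabled(conf_xml):
    """True if <global><logall> is yes, i.e. every event is kept in archives.log."""
    value = _parse(conf_xml).findtext(".//global/logall") or "no"
    return value.strip().lower() == "yes"
```

Run syslog_listeners() on the real /var/ossec/etc/ossec.conf and sender_allowed() with the sender's address; a False result means the manager silently drops the datagrams even though netstat shows the port listening.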