On Tue, Mar 14, 2017 at 11:44 AM, Jose Luis Ruiz <j...@wazuh.com> wrote:
> Hello,
>
> In order to permit OSSEC to receive your Symantec syslog messages, you need to
> enable this in the configuration:
>

Unless you're using a proper syslog daemon, which may already be
listening on that port.

> Listen in port 514:
>
> <ossec_config>
>   <remote>
>     <connection>syslog</connection>
>     <allowed-ips>Symantec AV ip</allowed-ips>
>   </remote>
> </ossec_config>
>
> then you need to restart ossec:
>
> /var/ossec/bin/ossec-control restart
>
> If after these changes you are still not receiving alerts, enable logall in
> ossec.conf (<logall>yes</logall>) and take a look at the file
> "/var/ossec/logs/archives/archives.log". If the logs are in this file but
> not in your alerts, probably the decoders or rules have something wrong.
>
>
>
> Regards
> -----------------------
> Jose Luis Ruiz
> Wazuh Inc.
> j...@wazuh.com
>
> On March 14, 2017 at 10:57:55 AM, ehollis3...@gmail.com
> (ehollis3...@gmail.com) wrote:
>
> Hello All,
>
> I have pointed my Symantec AV logs to our OSSEC server via syslog over port
> 514. I am seeing the logs come into ELSA, but not as OSSEC alerts. I have
> created a custom decoder and parser, and can confirm that it is working:
>
> **Phase 2: Completed decoding.
>        decoder: 'Symantec'
>
> **Phase 3: Completed filtering (rules).
>        Rule id: '100006'
>        Level: '7'
>        Description: 'Symantec: virus found'
> **Alert to be generated.
>
> Do I need to point OSSEC to monitor the incoming syslog so that it can alert
> on it? Again, I am seeing the straight syslog coming into ELSA, but no OSSEC
> alert appears to be generated.
>
> Thanks
> --
>
> ---
> You received this message because you are subscribed to the Google Groups
> "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to ossec-list+unsubscr...@googlegroups.com.
> For more options, visit https://groups.google.com/d/optout.
>

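The thread boils down to two questions: does the `<remote>` block actually admit the Symantec host as a syslog sender, and is `logall` on so archives.log can show what OSSEC received. The following is an added example (not from the thread or from the OSSEC project) that lints an ossec.conf for exactly those settings. Both config strings are constructed for the example: the first is the block as posted with its "Symantec AV ip" placeholder still in place, the second has a real sender address (192.0.2.10, a documentation address) and `<logall>` enabled. The function names, the 514/udp defaults and the "wider than a /24" threshold are this example's choices, not OSSEC settings.

```python
"""Lint an ossec.conf for the syslog-receiver settings discussed in the thread.

On each <remote> block with <connection>syslog</connection> it checks that the
port/protocol match what the sender uses and that <allowed-ips> covers the
sender; OSSEC silently drops syslog from any source not listed, which is the
classic "the box receives it, OSSEC never alerts on it" symptom.  It also
reports whether <global><logall> is on, i.e. whether archives.log is written.
"""
import ipaddress
import xml.etree.ElementTree as ET

DEFAULT_PORT = 514      # OSSEC's default syslog listener port
DEFAULT_PROTO = "udp"   # and its default protocol


def parse_ossec_conf(text):
    # ossec.conf commonly holds several top-level <ossec_config> elements,
    # so wrap the file in a synthetic root before handing it to the XML parser.
    return ET.fromstring("<root>" + text + "</root>")


def _text(el, tag, default=None):
    child = el.find(tag)
    return child.text.strip() if child is not None and child.text else default


def lint_syslog_receiver(conf_text, sender_ip, sender_port=DEFAULT_PORT,
                         sender_proto=DEFAULT_PROTO):
    """Return a list of findings; an empty list means OSSEC should accept sender_ip."""
    root = parse_ossec_conf(conf_text)
    syslog_blocks = [r for r in root.iter("remote")
                     if _text(r, "connection") == "syslog"]
    if not syslog_blocks:
        return ["no <remote> block with <connection>syslog</connection>; "
                "OSSEC is not listening for syslog at all"]

    # Keep only the listeners the sender can actually reach.
    listeners, mismatches = [], []
    for r in syslog_blocks:
        port = int(_text(r, "port", DEFAULT_PORT))
        proto = _text(r, "protocol", DEFAULT_PROTO).lower()
        if (port, proto) == (sender_port, sender_proto.lower()):
            listeners.append(r)
        else:
            mismatches.append(f"remote syslog listens on {port}/{proto}, "
                              f"sender uses {sender_port}/{sender_proto}")
    if not listeners:
        return mismatches

    findings = []
    sender = ipaddress.ip_address(sender_ip)
    matched = False
    for r in listeners:
        allowed = [a.text.strip() for a in r.findall("allowed-ips") if a.text]
        if not allowed:
            findings.append("remote syslog block has no <allowed-ips>; "
                            "every sender will be dropped")
            continue
        for entry in allowed:
            if entry.lower() == "any":  # OSSEC accepts the keyword "any" here
                findings.append("<allowed-ips>any</allowed-ips> accepts every "
                                "source; UDP syslog is unauthenticated, list "
                                "the real senders instead")
                matched = True
                continue
            try:
                net = ipaddress.ip_network(entry, strict=False)
            except ValueError:
                findings.append(f"<allowed-ips> entry {entry!r} is not an IP or CIDR")
                continue
            # Example's own threshold: anything wider than a /24 is worth a look,
            # because a spoofed UDP datagram is all it takes to inject events.
            if net.num_addresses > 256:
                findings.append(f"<allowed-ips> {entry} is very broad; "
                                "UDP syslog is unauthenticated, keep the list tight")
            if sender in net:
                matched = True
    if not matched:
        findings.append(f"sender {sender_ip} is not covered by any <allowed-ips>")
    return findings


def logall_enabled(conf_text):
    """True when some <global> block sets <logall>yes</logall>."""
    root = parse_ossec_conf(conf_text)
    return any(_text(g, "logall", "no").lower() == "yes" for g in root.iter("global"))


# Constructed sample: the block from the thread, placeholder left in.
AS_POSTED = """
<ossec_config>
  <remote>
    <connection>syslog</connection>
    <allowed-ips>Symantec AV ip</allowed-ips>
  </remote>
</ossec_config>
"""

# Constructed sample: real sender filled in, explicit port/protocol, logall on.
CORRECTED = """
<ossec_config>
  <global>
    <logall>yes</logall>
  </global>
</ossec_config>
<ossec_config>
  <remote>
    <connection>syslog</connection>
    <port>514</port>
    <protocol>udp</protocol>
    <allowed-ips>192.0.2.10</allowed-ips>
  </remote>
</ossec_config>
"""

if __name__ == "__main__":
    for name, conf in (("as posted", AS_POSTED), ("corrected", CORRECTED)):
        print(name, "logall:", logall_enabled(conf))
        for f in lint_syslog_receiver(conf, "192.0.2.10"):
            print("  -", f)
```

Run against the posted block, the linter reports the placeholder as an invalid `<allowed-ips>` entry and the sender as uncovered; against the corrected block it reports nothing. It checks the config file only: whether a local syslog daemon already owns 514/udp on the host, as the reply above raises, still has to be checked on the box itself. Once the pipeline is confirmed, turn `logall` back off, since archives.log grows with every event received.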