On Thu, Mar 16, 2017 at 11:33 AM,  <ehollis3...@gmail.com> wrote:
> Here is the output:
>
> udp        0      0 0.0.0.0:514             0.0.0.0:*               21090/syslog-ng
>

So syslog-ng is listening for incoming messages.
You'll have to figure out what syslog-ng is doing with the log messages.

> This is the only instance...
>
>
> On Wednesday, March 15, 2017 at 2:41:58 PM UTC-4, dan (ddpbsd) wrote:
>>
>> On Tue, Mar 14, 2017 at 3:37 PM,  <eholl...@gmail.com> wrote:
>> > Hello, yes:
>> >
>> > root@xxxxxx:/var/log# netstat -tuna | grep 514
>> > tcp        0      0 0.0.0.0:514             0.0.0.0:*
>> > udp        0      0 0.0.0.0:514             0.0.0.0:*
>> >
>> >
>>
>> Adding -p to that could tell you the process using that port.
>> `netstat -ptuna | grep 514`
>>
>> Is this securityonion? They may have syslog-ng already listening to the
>> network.
>>
>> >   <remote>
>> >     <connection>syslog</connection>
>> >       <allowed-ips>161.182.xxx.xxx</allowed-ips>
>> >       <allowed-ips>161.182.xxx.xxx</allowed-ips>
>> >   </remote>
>> >
>> >
>> >
>> > On Tuesday, March 14, 2017 at 1:48:17 PM UTC-4, jose wrote:
>> >>
>> >> Hi, can you verify if the port is open?
>> >>
>> >> [root@wazuh-manager /]# netstat -tuna | grep 514
>> >> udp        0      0 0.0.0.0:514             0.0.0.0:*
>> >>
>> >> The symantec ip is allowed in ossec.conf right?
>> >>
>> >>
>> >>
>> >> Regards
>> >> -----------------------
>> >> Jose Luis Ruiz
>> >> Wazuh Inc.
>> >> jo...@wazuh.com
>> >>
>> >> On March 14, 2017 at 12:44:07 PM, eholl...@gmail.com (eholl...@gmail.com) wrote:
>> >>
>> >> It's very strange... I have already enabled syslog over 514 from our
>> >> Symantec server to the OSSEC server, and I see the logs coming into our
>> >> ELSA instance, but I have grep'd our syslog files, OSSEC archive and
>> >> OSSEC alerts files and do not see the log anywhere on the server. Where
>> >> should these logs be written when being sent to the server? I've checked
>> >> all gzipped files in /var/log/ as well as all files in
>> >> /var/ossec/logs/archive/ and /var/ossec/logs/alerts/
>> >>
>>
>> `/var/ossec/logs/archives/archives.log` only contains entries if you
>> enable the logall option in the ossec.conf.
>> I'm not sure if it records messages sent to the syslog remoted stuff.
>> I just haven't tested it.
>>
>> >> On Tuesday, March 14, 2017 at 11:44:36 AM UTC-4, jose wrote:
>> >>>
>> >>> Hello,
>> >>>
>> >>> In order to permit OSSEC to receive your Symantec syslog messages, you
>> >>> need to enable this in the configuration:
>> >>>
>> >>> Listen in port 514:
>> >>>
>> >>> <ossec_config>
>> >>>   <remote>
>> >>>     <connection>syslog</connection>
>> >>>       <allowed-ips>Symantec AV ip</allowed-ips>
>> >>>   </remote>
>> >>> </ossec_config>
>> >>>
>> >>> then you need to restart ossec:
>> >>>
>> >>> /var/ossec/bin/ossec-control restart
>> >>>
>> >>> If after these changes you are still not receiving alerts, enable
>> >>> logall in ossec.conf (<logall> yes </logall>) and take a look at the
>> >>> file "/var/ossec/logs/archives/archives.log". If the logs are in this
>> >>> file but not in your alerts, probably the decoders or rules have
>> >>> something wrong.
>> >>>
>> >>>
>> >>>
>> >>> Regards
>> >>> -----------------------
>> >>> Jose Luis Ruiz
>> >>> Wazuh Inc.
>> >>> jo...@wazuh.com
>> >>>
>> >>> On March 14, 2017 at 10:57:55 AM, eholl...@gmail.com (eholl...@gmail.com) wrote:
>> >>>
>> >>> Hello All,
>> >>>
>> >>> I have pointed my Symantec AV logs to our OSSEC server via syslog over
>> >>> port 514. I am seeing the logs come into ELSA, but not as OSSEC alerts.
>> >>> I have created a custom decoder and parser, and can confirm that it is
>> >>> working:
>> >>>
>> >>> **Phase 2: Completed decoding.
>> >>>        decoder: 'Symantec'
>> >>>
>> >>> **Phase 3: Completed filtering (rules).
>> >>>        Rule id: '100006'
>> >>>        Level: '7'
>> >>>        Description: 'Symantec: virus found'
>> >>> **Alert to be generated.
>> >>>
>> >>> Do I need to point OSSEC to monitor the incoming syslog so that it can
>> >>> alert on it? Again, I am seeing the straight syslog coming into ELSA,
>> >>> but no OSSEC alert appears to be generated.
>> >>>
>> >>> Thanks
>> >>> --
>> >>>
>> >>> ---
>> >>> You received this message because you are subscribed to the Google
>> >>> Groups
>> >>> "ossec-list" group.
>> >>> To unsubscribe from this group and stop receiving emails from it, send
>> >>> an
>> >>> email to ossec-list+...@googlegroups.com.
>> >>> For more options, visit https://groups.google.com/d/optout.

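The diagnosis reached at the top of this thread is a port-ownership problem: the Symantec messages do arrive at the host (ELSA shows them because syslog-ng collects them), but the `netstat -p` output shows syslog-ng, not ossec-remoted, bound to 0.0.0.0:514, and two daemons cannot both receive on the same UDP socket address. The script below is an added example, not code from the thread or from OSSEC/Wazuh: it parses `netstat -ptuna` output and reports whether the syslog port is owned by the daemon you expect. The sample output is constructed to mirror the lines posted in the thread; the PIDs, the sshd line and the ossec-remoted socket on 1514 are assumptions for illustration only.

```python
"""Check which process owns the syslog port, from `netstat -ptuna` output.

Added example: this is not code from the ossec-list thread or from OSSEC/Wazuh.
The sample below is constructed to mirror the lines posted in the thread
(syslog-ng holding 0.0.0.0:514); the PID values, sshd and the ossec-remoted
socket on 1514 are assumptions for illustration only.
"""
import re

SAMPLE_NETSTAT = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      1123/sshd
tcp        0      0 0.0.0.0:514             0.0.0.0:*               LISTEN      21090/syslog-ng
udp        0      0 0.0.0.0:514             0.0.0.0:*                           21090/syslog-ng
udp        0      0 0.0.0.0:1514            0.0.0.0:*                           4321/ossec-remoted
"""

# One socket line: proto, Recv-Q, Send-Q, local, foreign, optional STATE, PID/Program.
LINE_RE = re.compile(
    r"^(?P<proto>tcp6?|udp6?)\s+\d+\s+\d+\s+(?P<local>\S+)\s+\S+"
    r"(?:\s+[A-Z_]+)?\s+(?P<owner>\S+)\s*$"
)


def parse_netstat(text):
    """Return one dict per socket line: proto, port, pid, prog (None if unknown)."""
    sockets = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # banner and column headers
        _addr, port = m.group("local").rsplit(":", 1)
        pid, _, prog = m.group("owner").partition("/")  # "-" when not permitted
        sockets.append({
            "proto": m.group("proto"),
            "port": int(port) if port.isdigit() else None,
            "pid": int(pid) if pid.isdigit() else None,
            "prog": prog or None,
        })
    return sockets


def listeners_on(sockets, port):
    """All sockets bound to the given local port, any protocol."""
    return [s for s in sockets if s["port"] == port]


def check_syslog_port(text, port=514, expected="ossec-remoted"):
    """Classify who owns the port.

    Returns (status, detail) with status one of:
      'ok'       - only the expected daemon is bound to the port
      'conflict' - another program holds it, so the expected daemon cannot
                   receive on it (the situation described in the thread)
      'nobody'   - nothing is bound; the daemon is not listening at all
    """
    owners = listeners_on(parse_netstat(text), port)
    if not owners:
        return "nobody", f"nothing is listening on port {port}"
    progs = sorted({s["prog"] or "unknown" for s in owners})
    if progs == [expected]:
        return "ok", f"{expected} owns port {port}"
    detail = "; ".join(
        f"{s['proto']} {s['port']} -> {s['pid']}/{s['prog']}" for s in owners
    )
    return "conflict", detail


if __name__ == "__main__":
    import subprocess
    import sys
    # With no argument, use the constructed sample; with "--live", run netstat
    # on this host (netstat -p needs root to show other users' processes).
    if "--live" in sys.argv:
        text = subprocess.run(["netstat", "-ptuna"], capture_output=True, text=True).stdout
    else:
        text = SAMPLE_NETSTAT
    status, detail = check_syslog_port(text)
    print(f"{status}: {detail}")
```

Run without arguments it reports `conflict` for the constructed sample, which is the case in the thread; `--live` runs the same check against the real `netstat -ptuna` output. A `conflict` result means the fix belongs in the other daemon's configuration (stop it binding 514, or have it forward to OSSEC), not in ossec.conf; a `nobody` result means ossec-remoted itself is not running or the `<remote>` block was not loaded.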