Hi All, So I am currently still troubleshooting, but noticed that the syslog-ng process was listening on 514 TCP, but also had an entry for 514 UDP, which is the protocol I've set within my ossec.conf. Could this be part of the issue? My guess is that I only want 514 udp listening.
On Thursday, March 16, 2017 at 3:30:46 PM UTC-4, dan (ddpbsd) wrote: > > On Thu, Mar 16, 2017 at 11:33 AM, <eholl...@gmail.com <javascript:>> > wrote: > > Here is the output: > > > > udp 0 0 0.0.0.0:514 0.0.0.0:* > > 21090/syslog-ng > > > > So syslog-ng is listening for incoming messages. > You'll have to figure out what syslog-ng is doing with the log messages. > > > This is the only instance... > > > > > > On Wednesday, March 15, 2017 at 2:41:58 PM UTC-4, dan (ddpbsd) wrote: > >> > >> On Tue, Mar 14, 2017 at 3:37 PM, <eholl...@gmail.com> wrote: > >> > Hello, yes: > >> > > >> > root@xxxxxx:/var/log# netstat -tuna | grep 514 > >> > tcp 0 0 0.0.0.0:514 0.0.0.0:* > >> > udp 0 0 0.0.0.0:514 0.0.0.0:* > >> > > >> > > >> > >> Adding -p to that could tell you the process using that port. > >> `netstat -ptuna | grep 514` > >> > >> Is this securityonion? They may have syslog-ng already listening to the > >> network. > >> > >> > <remote> > >> > <connection>syslog</connection> > >> > <allowed-ips>161.182.xxx.xxx</allowed-ips> > >> > <allowed-ips>161.182.xxx.xxx</allowed-ips> > >> > </remote> > >> > > >> > > >> > > >> > On Tuesday, March 14, 2017 at 1:48:17 PM UTC-4, jose wrote: > >> >> > >> >> Hi, can you verify if the port it’s open? > >> >> > >> >> [root@wazuh-manager /]# netstat -tuna | grep 514 > >> >> udp 0 0 0.0.0.0:514 0.0.0.0:* > >> >> > >> >> The symantec ip is allowed in ossec.conf right? > >> >> > >> >> > >> >> > >> >> Regards > >> >> ----------------------- > >> >> Jose Luis Ruiz > >> >> Wazuh Inc. > >> >> jo...@wazuh.com > >> >> > >> >> On March 14, 2017 at 12:44:07 PM, eholl...@gmail.com > >> >> (eholl...@gmail.com) > >> >> wrote: > >> >> > >> >> It's very strange...I have enabled already enabled syslog over 514 > from > >> >> our symantec server to the OSSEC server, and I see the logs coming > into > >> >> our > >> >> ELSA instance, but I have grep'd our syslog files, OSSEC archive and > >> >> OSSEC > >> >> alerts files and do not see the log anywhere on the server... Where > >> >> should > >> >> these logs be written when being sent to the server? I've checked > all > >> >> gzipped files in /var/log/ as well as all files in > >> >> /var/ossec/logs/archive/ > >> >> and /var/ossec/logs/alerts/ > >> >> > >> > >> `/var/ossec/logs/archives/archives.log` only contains entries if you > >> enable the logall option in the ossec.conf. > >> I'm not sure if it records messages sent to the syslog remoted stuff. > >> I just haven't tested it. > >> > >> >> On Tuesday, March 14, 2017 at 11:44:36 AM UTC-4, jose wrote: > >> >>> > >> >>> Hello, > >> >>> > >> >>> In order to permit Ossec recibe your Symantec syslogs messages, you > >> >>> need > >> >>> to enable this in the configuration: > >> >>> > >> >>> Listen in port 514: > >> >>> > >> >>> <ossec_config> > >> >>> <remote> > >> >>> <connection>syslog</connection> > >> >>> <allowed-ips>Symantec AV ip</allowed-ips> > >> >>> </remote> > >> >>> </ossec_config> > >> >>> > >> >>> then you need to restart ossec: > >> >>> > >> >>> /var/ossec/bin/ossec-control restart > >> >>> > >> >>> If after these changes you are still not receiving alerts, enable > >> >>> logall > >> >>> in ossec.conf <logall> yes </logall> and take a look in the file > >> >>> “/var/ossec/logs/archives/archives.log”, if the logs are in this > file, > >> >>> but > >> >>> not in your alerts, probably the decoders or rules have something > >> >>> wrong. > >> >>> > >> >>> > >> >>> > >> >>> Regards > >> >>> ----------------------- > >> >>> Jose Luis Ruiz > >> >>> Wazuh Inc. > >> >>> jo...@wazuh.com > >> >>> > >> >>> On March 14, 2017 at 10:57:55 AM, eholl...@gmail.com > >> >>> (eholl...@gmail.com) > >> >>> wrote: > >> >>> > >> >>> Hello All, > >> >>> > >> >>> I have pointed my Symantec AV logs to our OSSEC server via syslog > over > >> >>> port 514. I am seeing the logs come into ELSA, but not as OSSEC > >> >>> alerts. I > >> >>> have created a custom decoder and parser, and can confirm that it > is > >> >>> working: > >> >>> > >> >>> **Phase 2: Completed decoding. > >> >>> decoder: 'Symantec' > >> >>> > >> >>> **Phase 3: Completed filtering (rules). > >> >>> Rule id: '100006' > >> >>> Level: '7' > >> >>> Description: 'Symantec: virus found' > >> >>> **Alert to be generated. > >> >>> > >> >>> Do I need to point OSSEC to monitor the incoming syslog so that it > can > >> >>> alert on it? Again, I am seeing the straight syslog coming into > ELSA, > >> >>> but no > >> >>> OSSEC alert appears to be generated. > >> >>> > >> >>> Thanks > >> >>> -- > >> >>> > >> >>> --- > >> >>> You received this message because you are subscribed to the Google > >> >>> Groups > >> >>> "ossec-list" group. > >> >>> To unsubscribe from this group and stop receiving emails from it, > send > >> >>> an > >> >>> email to ossec-list+...@googlegroups.com. > >> >>> For more options, visit https://groups.google.com/d/optout. > >> > > >> > -- > >> > > >> > --- > >> > You received this message because you are subscribed to the Google > >> > Groups > >> > "ossec-list" group. > >> > To unsubscribe from this group and stop receiving emails from it, > send > >> > an > >> > email to ossec-list+...@googlegroups.com. > >> > For more options, visit https://groups.google.com/d/optout. > > > > -- > > > > --- > > You received this message because you are subscribed to the Google > Groups > > "ossec-list" group. > > To unsubscribe from this group and stop receiving emails from it, send > an > > email to ossec-list+...@googlegroups.com <javascript:>. > > For more options, visit https://groups.google.com/d/optout. > -- --- You received this message because you are subscribed to the Google Groups "ossec-list" group. To unsubscribe from this group and stop receiving emails from it, send an email to ossec-list+unsubscr...@googlegroups.com. For more options, visit https://groups.google.com/d/optout.
