Re: [ossec-list] OSSEC alerts on syslog

2017-03-27 Thread dan (ddp)
On Mon, Mar 27, 2017 at 11:25 AM, wrote: > Hi All, > > So I am currently still troubleshooting, but noticed that the syslog-ng > process was listening on 514 TCP, but also had an entry for 514 UDP, which > is the protocol I've set within my ossec.conf. Could this be part

Re: [ossec-list] OSSEC alerts on syslog

2017-03-27 Thread ehollis3942
Hi All, So I am currently still troubleshooting, but noticed that the syslog-ng process was listening on 514 TCP, but also had an entry for 514 UDP, which is the protocol I've set within my ossec.conf. Could this be part of the issue? My guess is that I only want 514 udp listening. On

Re: [ossec-list] OSSEC alerts on syslog

2017-03-16 Thread dan (ddp)
On Thu, Mar 16, 2017 at 11:33 AM, wrote: > Here is the output: > > udp 0 0 0.0.0.0:514 0.0.0.0:* > 21090/syslog-ng > So syslog-ng is listening for incoming messages. You'll have to figure out what syslog-ng is doing with the log messages. > This

Re: [ossec-list] OSSEC alerts on syslog

2017-03-16 Thread ehollis3942
Here is the output: udp 0 0 0.0.0.0:514 0.0.0.0:* 21090/syslog-ng This is the only instance... On Wednesday, March 15, 2017 at 2:41:58 PM UTC-4, dan (ddpbsd) wrote: > > On Tue, Mar 14, 2017 at 3:37 PM, > wrote: > >

Re: [ossec-list] OSSEC alerts on syslog

2017-03-15 Thread dan (ddp)
On Tue, Mar 14, 2017 at 3:37 PM, wrote: > Hello, yes: > > root@xx:/var/log# netstat -tuna | grep 514 > tcp 0 0 0.0.0.0:514 0.0.0.0:* > udp 0 0 0.0.0.0:514 0.0.0.0:* > > Adding -p to that could tell you the process using

Re: [ossec-list] OSSEC alerts on syslog

2017-03-15 Thread dan (ddp)
On Tue, Mar 14, 2017 at 11:44 AM, Jose Luis Ruiz wrote: > Hello, > > In order to permit OSSEC to receive your Symantec syslog messages, you need to > enable this in the configuration: > Unless you're using a proper syslog daemon, which may already be listening on that port. >

Re: [ossec-list] OSSEC alerts on syslog

2017-03-14 Thread ehollis3942
Hello, yes: root@xx:/var/log# netstat -tuna | grep 514 tcp 0 0 0.0.0.0:514 0.0.0.0:* udp 0 0 0.0.0.0:514 0.0.0.0:* syslog 161.182.xxx.xxx 161.182.xxx.xxx On Tuesday, March 14, 2017 at 1:48:17 PM UTC-4, jose wrote: > >

Re: [ossec-list] OSSEC alerts on syslog

2017-03-14 Thread Jose Luis Ruiz
Hi, can you verify if the port is open? [root@wazuh-manager /]# netstat -tuna | grep 514 udp 0 0 0.0.0.0:514 0.0.0.0:* The Symantec IP is allowed in ossec.conf, right? Regards --- Jose Luis Ruiz Wazuh Inc. j...@wazuh.com On March 14, 2017 at

Re: [ossec-list] OSSEC alerts on syslog

2017-03-14 Thread ehollis3942
It's very strange... I have already enabled syslog over 514 from our Symantec server to the OSSEC server, and I see the logs coming into our ELSA instance, but I have grep'd our syslog files, OSSEC archive and OSSEC alerts files and do not see the log anywhere on the server... Where

Re: [ossec-list] OSSEC alerts on syslog

2017-03-14 Thread Jose Luis Ruiz
Hello, in order to permit OSSEC to receive your Symantec syslog messages, you need to enable this in the configuration: Listen on port 514: syslog Symantec AV ip then you need to restart OSSEC: /var/ossec/bin/ossec-control restart If after these changes you are still not
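The two checks the thread converges on (is remote syslog enabled for the Symantec host in ossec.conf, and which process actually owns UDP/514 on the OSSEC server) as an added example; this is not code from the thread or from the OSSEC project. It assumes the OSSEC `<remote>` block layout (`<connection>syslog</connection>`, `<port>`, `<protocol>`, `<allowed-ips>`) and the column layout of `netstat -tunap`; the ossec.conf text, the netstat output and the IP address are constructed for the example, and `remote_syslog_allowed` / `port_owner` are helper names chosen here.

```shell
#!/bin/sh
# Added example: two checks for "OSSEC gets no remote syslog".
#  1. Does ossec.conf have a <remote> block for syslog that allows the sender?
#  2. Which process has the syslog port bound? If it is syslog-ng/rsyslog and
#     not ossec-remoted, the messages never reach OSSEC.

# Constructed ossec.conf fragment (assumed OSSEC <remote> syntax; placeholder IP).
SAMPLE_CONF='<ossec_config>
  <remote>
    <connection>syslog</connection>
    <port>514</port>
    <protocol>udp</protocol>
    <allowed-ips>161.182.1.2</allowed-ips>
  </remote>
</ossec_config>'

# Constructed netstat -tunap output modelled on the thread: syslog-ng holds
# TCP and UDP 514 while ossec-remoted is only on its agent port (1514).
SAMPLE_NETSTAT='Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:514             0.0.0.0:*               LISTEN      21090/syslog-ng
udp        0      0 0.0.0.0:514             0.0.0.0:*                           21090/syslog-ng
udp        0      0 0.0.0.0:1514            0.0.0.0:*                           1234/ossec-remoted'

# remote_syslog_allowed CONF IP
# Returns 0 when CONF contains a <remote> block with <connection>syslog</connection>
# whose <allowed-ips> is exactly IP, 1 otherwise. The match is kept inside one
# <remote>...</remote> block so an agent <remote> block elsewhere cannot satisfy it.
# Limitation: an <allowed-ips> range such as 10.0.0.0/24 is not expanded.
remote_syslog_allowed() {
    printf '%s\n' "$1" | awk -v ip="$2" '
        /<remote>/   { inblk = 1; syslog = 0; allowed = 0; next }
        /<\/remote>/ { if (inblk && syslog && allowed) found = 1; inblk = 0; next }
        inblk && /<connection>[ \t]*syslog[ \t]*<\/connection>/ { syslog = 1 }
        inblk && index($0, "<allowed-ips>" ip "</allowed-ips>")  { allowed = 1 }
        END { if (found) exit 0; exit 1 }'
}

# port_owner NETSTAT_OUTPUT PROTO PORT
# Prints the PID/Program name that has PROTO (tcp|udp) port PORT bound on any
# local address (field 4 is "addr:port"; the last field is PID/Program name).
# Prints nothing and returns 1 when no socket matches.
port_owner() {
    printf '%s\n' "$1" | awk -v proto="$2" -v port="$3" '
        $1 == proto {
            n = split($4, a, ":")            # last element after ":" is the port
            if (a[n] == port) { print $NF; found = 1 }
        }
        END { if (found) exit 0; exit 1 }'
}

# Usage on the constructed samples. On a real server replace the samples with
# the contents of /var/ossec/etc/ossec.conf and the output of netstat -tunap.
if remote_syslog_allowed "$SAMPLE_CONF" 161.182.1.2; then
    echo "ossec.conf: remote syslog from 161.182.1.2 is enabled"
else
    echo "ossec.conf: no <remote> syslog block allowing 161.182.1.2"
fi
owner=$(port_owner "$SAMPLE_NETSTAT" udp 514)
case "$owner" in
    */ossec-remoted) echo "UDP/514 is owned by ossec-remoted ($owner)" ;;
    "")              echo "nothing is bound to UDP/514: ossec-remoted is not listening" ;;
    *)               echo "UDP/514 is owned by $owner, not ossec-remoted: it receives the messages instead" ;;
esac
```

When the second check reports syslog-ng (or rsyslog) on UDP/514, only one of the two daemons can own that socket; either stop the local syslog daemon from binding 514, move OSSEC's `<port>` to a free port and point the Symantec server there, or keep syslog-ng in front and have it forward or write the messages to a file that OSSEC reads with a `<localfile>` entry.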

Re: [ossec-list] OSSEC alerts on syslog

2017-03-14 Thread dan (ddp)
On Mar 14, 2017 10:57 AM, wrote: Hello All, I have pointed my Symantec AV logs to our OSSEC server via syslog over port 514. I am seeing the logs come into ELSA, but not as OSSEC alerts. I have created a custom decoder and parser, and can confirm that it is working:

[ossec-list] OSSEC alerts on syslog

2017-03-14 Thread ehollis3942
Hello All, I have pointed my Symantec AV logs to our OSSEC server via syslog over port 514. I am seeing the logs come into ELSA, but not as OSSEC alerts. I have created a custom decoder and parser, and can confirm that it is working: **Phase 2: Completed decoding. decoder: 'Symantec'