Re: [ossec-list] Problem with ossec's syslog options and ossec-remoted process

2012-05-02 Thread C. L. Martinez
On Tue, May 1, 2012 at 7:10 AM, carlopmart carlopm...@gmail.com wrote:
 On 05/01/2012 02:14 AM, dan (ddp) wrote:


 On Apr 30, 2012 4:11 PM, carlopmart carlopm...@gmail.com wrote:
  
   Hi all,
  
    I have several problems with ossec-remoted process and ossec's
 syslog remote options. My ossec server is configured to receive syslog
 messages via tcp port.
  
    The problem is the amount of syslog messages that ossec can receive;
 it does not seem to be many.
  
    Configuration is:
  
    syslog forwarder -> ossec-remote process...
  

 What are you using as your forwarder?


 A rsyslog instance ..



    Using this configuration, ossec doesn't trigger alerts because it
 groups these alerts (sometimes three or four messages in the same alert and

 What does this mean? If multiple alerts are grouped together in an
 alert, an alert is triggered.

 sometimes more). As you can see, some alerts work and others do not ...
  

 I can't see, no examples were provided.


 For example this:

 <166>May  1 02:08:29 10.196.0.36 checkpoint_logs: 1May2012 2:02:24 accept
 10.196.0.1 Lan2 rule: 5; rule_uid: {DA57B632-3A1F-49B8-920A-64C8729D17E6};
 src: 10.201.248.12; dst: 10.196.0.15; proto: tcp; product: VPN-1 &
 FireWall-1; service: 80; s_port: 2039;
 <166>May  1 02:08:29 10.196.0.36 checkpoint_logs: 1May2012 2:02:24 accept
 10.196.0.1 Lan2 inzone: Internal; outzone: Internal; rule: 25; rule_uid:
 {8348FCBF-8DA1-4486-83AC-8CCFDF29DFE7}; service_id: icmp-proto; ICMP: Echo
 Request; src: 192.168.201.20; dst: 10.201.27.102; proto: icmp; ICMP Type: 8;
 ICMP Code: 0; product: VPN-1 & FireWall-1;
 <166>May  1 02:03:32 10.196.0.36 checkpoint_logs: 1May2012 1:57:26 drop
 10.196.0.1 bond0.30 src: 192.168.1.210; dst: 10.133.3.10; proto: udp;
 message_info: Address spoofing; product: VPN-1 & FireWall-1; service: 123;
 s_port: 123;
 <166>May  1 02:03:32 10.196.0.36 checkpoint_logs: 1May2012 1:57:26 accept
 10.196.0.1 bond0.405 rule: 55; rule_uid:
 {D9A1177A-CA96-4DC5-88DA-07D7A226A522}; service_id: http; src:
 10.201.27.101; dst: 192.168.60.170; proto: tcp; product: VPN-1 & FireWall-1;
 service: 80; s_port: 3822;
 <166>May  1 02:03:32 10.196.0.36 checkpoint_logs: 1May2012 1:57:26 accept
 10.196.0.1 bond0.405 rule: 55; rule_uid:
 {D9A1177A-CA96-4DC5-88DA-07D7A226A522}; service_id: http; src:
 10.201.27.104; dst: 192.168.68.167; proto: tcp; product: VPN-1 & FireWall-1;
 service: 80; s_port: 1658;
 <166>May  1 02:03:32 10.196.0.36 checkpoint_logs: 1May2012 1:57:27 accept
 10.196.0.1 Lan2 inzone: Internal; outzone: Internal; rule: 40; rule_uid:
 {50FC50FB-176C-4B18-B1F3-31786EC4A01A}; service_id: domain-udp; src:
 192.168.44.11; dst: 10.196.0.67; proto: udp; product: VPN-1 & FireWall-1;
 service: 53; s_port: 62102;

 I have defined a rule to trigger an alert when Address spoofing in
 message_info appears ... In this case, the alert was not triggered ...




Please, any ideas? What can I do to avoid losing messages?
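Added example, not code from this thread or from OSSEC: a small Python parser for the Check Point key/value records quoted above, together with the predicate the poster's rule describes (message_info equal to "Address spoofing"), so the match logic can be checked offline against sample lines before it is turned into an OSSEC rule. The two sample records are constructed after the quoted ones; the field names (src, dst, proto, message_info, product, ...) follow the Check Point output shown.

```python
import re
from typing import Dict, List

# Constructed sample lines, modelled on the Check Point records quoted in the thread.
# <166> is the syslog PRI (local4.info) that the mail archive stripped.
SAMPLE_LINES = [
    "<166>May  1 02:03:32 10.196.0.36 checkpoint_logs: 1May2012 1:57:26 drop "
    "10.196.0.1 bond0.30 src: 192.168.1.210; dst: 10.133.3.10; proto: udp; "
    "message_info: Address spoofing; product: VPN-1 & FireWall-1; service: 123; s_port: 123;",
    "<166>May  1 02:03:32 10.196.0.36 checkpoint_logs: 1May2012 1:57:26 accept "
    "10.196.0.1 bond0.405 rule: 55; service_id: http; src: 10.201.27.101; "
    "dst: 192.168.60.170; proto: tcp; product: VPN-1 & FireWall-1; service: 80; s_port: 3822;",
]

# Syslog header (optional PRI, timestamp, relay host, program), then the Check Point
# prefix "<date> <time> <action> <origin> <interface>" and a "key: value;" body.
HEADER_RE = re.compile(
    r"^(?:<\d{1,3}>)?(?P<ts>\w{3}\s+\d+\s+\d\d:\d\d:\d\d)\s+(?P<host>\S+)\s+"
    r"(?P<prog>[\w.-]+):\s+(?P<cpdate>\S+)\s+(?P<cptime>\S+)\s+(?P<action>\w+)\s+"
    r"(?P<origin>\S+)\s+(?P<iface>\S+)\s+(?P<body>.*)$"
)


def parse_checkpoint(line: str) -> Dict[str, str]:
    """Split one Check Point syslog record into a flat field dictionary."""
    m = HEADER_RE.match(line)
    if not m:
        raise ValueError(f"not a Check Point syslog record: {line[:60]!r}")
    fields = {k: v for k, v in m.groupdict().items() if k != "body"}
    for item in m.group("body").split(";"):
        if ":" in item:
            # Only the first colon separates key from value ("ICMP Type: 8").
            key, _, value = item.partition(":")
            fields[key.strip()] = value.strip()
    return fields


def is_spoofing_alert(fields: Dict[str, str]) -> bool:
    """The condition the poster's rule is meant to catch."""
    return fields.get("message_info") == "Address spoofing"


def find_spoofing(lines: List[str]) -> List[Dict[str, str]]:
    """Return the parsed records that would fire the spoofing rule."""
    return [f for f in map(parse_checkpoint, lines) if is_spoofing_alert(f)]


if __name__ == "__main__":
    for hit in find_spoofing(SAMPLE_LINES):
        print(f"{hit['ts']} {hit['action']} {hit['src']} -> {hit['dst']} on {hit['iface']}")
```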


Re: [ossec-list] Problem with ossec's syslog options and ossec-remoted process

2012-05-01 Thread carlopmart

On 05/01/2012 02:14 AM, dan (ddp) wrote:


On Apr 30, 2012 4:11 PM, carlopmart carlopm...@gmail.com wrote:
 
  Hi all,
 
   I have several problems with ossec-remoted process and ossec's
syslog remote options. My ossec server is configured to receive syslog
messages via tcp port.
 
   The problem is the amount of syslog messages that ossec can receive;
it does not seem to be many.
 
   Configuration is:
 
   syslog forwarder -> ossec-remote process...
 

What are you using as your forwarder?


A rsyslog instance ..



   Using this configuration, ossec doesn't trigger alerts because it
groups these alerts (sometimes three or four messages in the same alert and

What does this mean? If multiple alerts are grouped together in an
alert, an alert is triggered.

sometimes more). As you can see, some alerts work and others do not ...
 

I can't see, no examples were provided.


For example this:

<166>May  1 02:08:29 10.196.0.36 checkpoint_logs: 1May2012 2:02:24
accept 10.196.0.1 Lan2 rule: 5; rule_uid:
{DA57B632-3A1F-49B8-920A-64C8729D17E6}; src: 10.201.248.12; dst:
10.196.0.15; proto: tcp; product: VPN-1 & FireWall-1; service: 80;
s_port: 2039;
<166>May  1 02:08:29 10.196.0.36 checkpoint_logs: 1May2012 2:02:24
accept 10.196.0.1 Lan2 inzone: Internal; outzone: Internal; rule: 25;
rule_uid: {8348FCBF-8DA1-4486-83AC-8CCFDF29DFE7}; service_id:
icmp-proto; ICMP: Echo Request; src: 192.168.201.20; dst: 10.201.27.102;
proto: icmp; ICMP Type: 8; ICMP Code: 0; product: VPN-1 & FireWall-1;
<166>May  1 02:03:32 10.196.0.36 checkpoint_logs: 1May2012 1:57:26 drop
10.196.0.1 bond0.30 src: 192.168.1.210; dst: 10.133.3.10; proto: udp;
message_info: Address spoofing; product: VPN-1 & FireWall-1; service:
123; s_port: 123;
<166>May  1 02:03:32 10.196.0.36 checkpoint_logs: 1May2012 1:57:26
accept 10.196.0.1 bond0.405 rule: 55; rule_uid:
{D9A1177A-CA96-4DC5-88DA-07D7A226A522}; service_id: http; src:
10.201.27.101; dst: 192.168.60.170; proto: tcp; product: VPN-1 &
FireWall-1; service: 80; s_port: 3822;
<166>May  1 02:03:32 10.196.0.36 checkpoint_logs: 1May2012 1:57:26
accept 10.196.0.1 bond0.405 rule: 55; rule_uid:
{D9A1177A-CA96-4DC5-88DA-07D7A226A522}; service_id: http; src:
10.201.27.104; dst: 192.168.68.167; proto: tcp; product: VPN-1 &
FireWall-1; service: 80; s_port: 1658;
<166>May  1 02:03:32 10.196.0.36 checkpoint_logs: 1May2012 1:57:27
accept 10.196.0.1 Lan2 inzone: Internal; outzone: Internal; rule: 40;
rule_uid: {50FC50FB-176C-4B18-B1F3-31786EC4A01A}; service_id:
domain-udp; src: 192.168.44.11; dst: 10.196.0.67; proto: udp; product:
VPN-1 & FireWall-1; service: 53; s_port: 62102;


I have defined a rule to trigger an alert when Address spoofing in
message_info appears ... In this case, the alert was not triggered ...




   Changing to udp, ossec loses a lot of messages ...
 
   Another option I've tried is to use a third server that redirects
all messages to a text file in syslog format. It was the worst solution:
ossec reads messages two hours late ...
 
   Then, what is the solution? Is it not possible to use the remote syslog
option in a production environment?
 
  Thanks.
  --
  CL Martinez
  carlopmart {at} gmail {d0t} com




--
CL Martinez
carlopmart {at} gmail {d0t} com


[ossec-list] Problem with ossec's syslog options and ossec-remoted process

2012-04-30 Thread carlopmart

Hi all,

 I have several problems with ossec-remoted process and ossec's syslog 
remote options. My ossec server is configured to receive syslog messages 
via tcp port.


 The problem is the amount of syslog messages that ossec can receive;
it does not seem to be many.


 Configuration is:

 syslog forwarder -> ossec-remote process...

 Using this configuration, ossec doesn't trigger alerts because it groups
these alerts (sometimes three or four messages in the same alert and
sometimes more). As you can see, some alerts work and others do not ...


 Changing to udp, ossec loses a lot of messages ...

 Another option I've tried is to use a third server that redirects all 
messages to a text file in syslog format. It was the worst solution: 
ossec reads messages two hours late ...


 Then, what is the solution? Is it not possible to use the remote syslog option
in a production environment?


Thanks.
--
CL Martinez
carlopmart {at} gmail {d0t} com


Re: [ossec-list] Problem with ossec's syslog options and ossec-remoted process

2012-04-30 Thread dan (ddp)
On Apr 30, 2012 4:11 PM, carlopmart carlopm...@gmail.com wrote:

 Hi all,

  I have several problems with ossec-remoted process and ossec's syslog
remote options. My ossec server is configured to receive syslog messages
via tcp port.

  The problem is the amount of syslog messages that ossec can receive; it does
not seem to be many.

  Configuration is:

  syslog forwarder -> ossec-remote process...


What are you using as your forwarder?

  Using this configuration, ossec doesn't trigger alerts because it groups
these alerts (sometimes three or four messages in the same alert and

What does this mean? If multiple alerts are grouped together in an alert,
an alert is triggered.

sometimes more). As you can see, some alerts work and others do not ...


I can't see, no examples were provided.

  Changing to udp, ossec loses a lot of messages ...

  Another option I've tried is to use a third server that redirects all
messages to a text file in syslog format. It was the worst solution: ossec
reads messages two hours late ...

  Then, what is the solution? Is it not possible to use the remote syslog option
in a production environment?

 Thanks.
 --
 CL Martinez
 carlopmart {at} gmail {d0t} com