Re: [ossec-list] Problem with ossec's syslog options and ossec-remoted process
On Tue, May 1, 2012 at 7:10 AM, carlopmart carlopm...@gmail.com wrote:
> On 05/01/2012 02:14 AM, dan (ddp) wrote:
>> On Apr 30, 2012 4:11 PM, carlopmart carlopm...@gmail.com wrote:
>>> Hi all,
>>>
>>> I have several problems with the ossec-remoted process and ossec's syslog remote options. My ossec server is configured to receive syslog messages via a tcp port. The problem is the amount of syslog messages that ossec can receive, which does not seem to be many. Configuration is:
>>>
>>> syslog forwarder ossec-remote process...
>>
>> What are you using as your forwarder?
>
> An rsyslog instance ..
>
>>> Using this configuration, ossec doesn't trigger alerts because it groups these alerts (sometimes three or four messages in the same alert and
>>
>> What does this mean? If multiple alerts are grouped together in an alert, an alert is triggered.
>>
>>> sometimes more). As you can see, some alerts work and others do not ...
>>
>> I can't see, no examples were provided.
>
> For example this:
>
> <166>May 1 02:08:29 10.196.0.36 checkpoint_logs: 1May2012 2:02:24 accept 10.196.0.1 Lan2 rule: 5; rule_uid: {DA57B632-3A1F-49B8-920A-64C8729D17E6}; src: 10.201.248.12; dst: 10.196.0.15; proto: tcp; product: VPN-1 FireWall-1; service: 80; s_port: 2039;
> <166>May 1 02:08:29 10.196.0.36 checkpoint_logs: 1May2012 2:02:24 accept 10.196.0.1 Lan2 inzone: Internal; outzone: Internal; rule: 25; rule_uid: {8348FCBF-8DA1-4486-83AC-8CCFDF29DFE7}; service_id: icmp-proto; ICMP: Echo Request; src: 192.168.201.20; dst: 10.201.27.102; proto: icmp; ICMP Type: 8; ICMP Code: 0; product: VPN-1 FireWall-1;
> <166>May 1 02:03:32 10.196.0.36 checkpoint_logs: 1May2012 1:57:26 drop 10.196.0.1 bond0.30 src: 192.168.1.210; dst: 10.133.3.10; proto: udp; message_info: Address spoofing; product: VPN-1 FireWall-1; service: 123; s_port: 123;
> <166>May 1 02:03:32 10.196.0.36 checkpoint_logs: 1May2012 1:57:26 accept 10.196.0.1 bond0.405 rule: 55; rule_uid: {D9A1177A-CA96-4DC5-88DA-07D7A226A522}; service_id: http; src: 10.201.27.101; dst: 192.168.60.170; proto: tcp; product: VPN-1 FireWall-1; service: 80; s_port: 3822;
> <166>May 1 02:03:32 10.196.0.36 checkpoint_logs: 1May2012 1:57:26 accept 10.196.0.1 bond0.405 rule: 55; rule_uid: {D9A1177A-CA96-4DC5-88DA-07D7A226A522}; service_id: http; src: 10.201.27.104; dst: 192.168.68.167; proto: tcp; product: VPN-1 FireWall-1; service: 80; s_port: 1658;
> <166>May 1 02:03:32 10.196.0.36 checkpoint_logs: 1May2012 1:57:27 accept 10.196.0.1 Lan2 inzone: Internal; outzone: Internal; rule: 40; rule_uid: {50FC50FB-176C-4B18-B1F3-31786EC4A01A}; service_id: domain-udp; src: 192.168.44.11; dst: 10.196.0.67; proto: udp; product: VPN-1 FireWall-1; service: 53; s_port: 62102;
>
> I have defined a rule to trigger an alert when Address spoofing appears in message_info ... In this case, the alert was not triggered ...

Please, any ideas?? What can I do to avoid losing messages?
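The symptoms in this thread (several messages landing in one alert over TCP, and a per-message rule for Address spoofing not firing) are consistent with a receiver that does not re-frame the TCP byte stream: TCP carries no message boundaries, so one read() can hold several syslog messages or half of one. The following is an added example written for this thread, not code from OSSEC or rsyslog, and it makes no claim about what ossec-remoted itself does. It shows how a receiver splits one TCP read into syslog frames under both RFC 6587 framings (octet counting and LF-terminated non-transparent framing), holds back a partial trailing message for the next read, decodes the Check Point key/value body, and applies a hypothetical rule modelled on the poster's. The six log lines are the thread's own with the PRI <166> restored; the function names, the rule constants and the MESSAGES/LF_CHUNK/OCTET_CHUNK inputs are assumptions of this example.

```python
"""Re-framing a TCP syslog read and applying a per-message rule (added example)."""
import re

# Constructed input: the six Check Point lines quoted in the thread, PRI <166>
# (local4.info) restored, one message per list entry.
MESSAGES = [
    b"<166>May 1 02:08:29 10.196.0.36 checkpoint_logs: 1May2012 2:02:24 accept 10.196.0.1 Lan2 rule: 5; rule_uid: {DA57B632-3A1F-49B8-920A-64C8729D17E6}; src: 10.201.248.12; dst: 10.196.0.15; proto: tcp; product: VPN-1 FireWall-1; service: 80; s_port: 2039;",
    b"<166>May 1 02:08:29 10.196.0.36 checkpoint_logs: 1May2012 2:02:24 accept 10.196.0.1 Lan2 inzone: Internal; outzone: Internal; rule: 25; rule_uid: {8348FCBF-8DA1-4486-83AC-8CCFDF29DFE7}; service_id: icmp-proto; ICMP: Echo Request; src: 192.168.201.20; dst: 10.201.27.102; proto: icmp; ICMP Type: 8; ICMP Code: 0; product: VPN-1 FireWall-1;",
    b"<166>May 1 02:03:32 10.196.0.36 checkpoint_logs: 1May2012 1:57:26 drop 10.196.0.1 bond0.30 src: 192.168.1.210; dst: 10.133.3.10; proto: udp; message_info: Address spoofing; product: VPN-1 FireWall-1; service: 123; s_port: 123;",
    b"<166>May 1 02:03:32 10.196.0.36 checkpoint_logs: 1May2012 1:57:26 accept 10.196.0.1 bond0.405 rule: 55; rule_uid: {D9A1177A-CA96-4DC5-88DA-07D7A226A522}; service_id: http; src: 10.201.27.101; dst: 192.168.60.170; proto: tcp; product: VPN-1 FireWall-1; service: 80; s_port: 3822;",
    b"<166>May 1 02:03:32 10.196.0.36 checkpoint_logs: 1May2012 1:57:26 accept 10.196.0.1 bond0.405 rule: 55; rule_uid: {D9A1177A-CA96-4DC5-88DA-07D7A226A522}; service_id: http; src: 10.201.27.104; dst: 192.168.68.167; proto: tcp; product: VPN-1 FireWall-1; service: 80; s_port: 1658;",
    b"<166>May 1 02:03:32 10.196.0.36 checkpoint_logs: 1May2012 1:57:27 accept 10.196.0.1 Lan2 inzone: Internal; outzone: Internal; rule: 40; rule_uid: {50FC50FB-176C-4B18-B1F3-31786EC4A01A}; service_id: domain-udp; src: 192.168.44.11; dst: 10.196.0.67; proto: udp; product: VPN-1 FireWall-1; service: 53; s_port: 62102;",
]
# Two constructed TCP reads carrying all six messages: LF-terminated framing
# (what a plain TCP forwarder usually sends) and RFC 6587 octet counting.
LF_CHUNK = b"".join(m + b"\n" for m in MESSAGES)
OCTET_CHUNK = b"".join(b"%d %s" % (len(m), m) for m in MESSAGES)

# Hypothetical rule modelled on the poster's: alert when the Check Point
# message_info field reports address spoofing.
RULE_FIELD, RULE_MATCH = "message_info", "Address spoofing"

# BSD syslog header: <PRI>Mmm dd hh:mm:ss host tag: msg
SYSLOG_RE = re.compile(r"^<(\d{1,3})>(\w{3}\s+\d{1,2}\s\d\d:\d\d:\d\d)\s(\S+)\s([^:\s]+):\s?(.*)$")
# Check Point body: <date> <time> <action> <origin> <interface> key: value; ...
CP_RE = re.compile(r"^(\S+)\s(\S+)\s(\S+)\s(\S+)\s(\S+)\s(.*)$")


def split_frames(data: bytes):
    """Split one TCP read into complete syslog frames; return (frames, leftover).
    The leftover is an incomplete trailing message to prepend to the next read."""
    frames, pos = [], 0
    while pos < len(data):
        m = re.match(rb"(\d{1,5}) (?=<)", data[pos:])
        if m:                                   # octet counting: "<len> <msg>"
            length, start = int(m.group(1)), pos + m.end()
            if start + length > len(data):      # message not fully received yet
                break
            frames.append(data[start:start + length])
            pos = start + length
        else:                                   # non-transparent: LF-terminated
            nl = data.find(b"\n", pos)
            if nl == -1:                        # partial message, wait for more
                break
            if nl > pos:
                frames.append(data[pos:nl])
            pos = nl + 1
    return frames, data[pos:]


def parse_syslog(text: str):
    """Decode the syslog header into fields; None if the line is malformed."""
    m = SYSLOG_RE.match(text)
    if not m:
        return None
    pri = int(m.group(1))
    return {"pri": pri, "facility": pri >> 3, "severity": pri & 7,
            "timestamp": m.group(2), "host": m.group(3),
            "tag": m.group(4), "msg": m.group(5)}


def parse_checkpoint(msg: str):
    """Split a Check Point body into its fixed prefix and key/value pairs."""
    m = CP_RE.match(msg)
    if not m:
        return {}
    fields = {"cp_date": m.group(1), "cp_time": m.group(2), "action": m.group(3),
              "origin": m.group(4), "iface": m.group(5)}
    for pair in m.group(6).split(";"):
        key, sep, value = pair.strip().partition(": ")
        if sep:
            fields[key] = value
    return fields


def decode_event(frame: str):
    """Decode one frame; only checkpoint_logs records carry the rule's field."""
    ev = parse_syslog(frame)
    if ev and ev["tag"] == "checkpoint_logs":
        ev.update(parse_checkpoint(ev["msg"]))
    return ev


def detect(chunk: bytes):
    """Re-frame the read, decode each message, and apply the rule per message."""
    alerts = []
    for frame in split_frames(chunk)[0]:
        ev = decode_event(frame.decode("utf-8", "replace"))
        if ev and RULE_MATCH in ev.get(RULE_FIELD, ""):
            alerts.append(ev)
    return alerts


def detect_unframed(chunk: bytes):
    """Contrast case: the whole read treated as a single event. The multi-line
    blob fails the header parse here, so the rule never sees message_info."""
    ev = decode_event(chunk.decode("utf-8", "replace").rstrip("\n"))
    return [ev] if ev and RULE_MATCH in ev.get(RULE_FIELD, "") else []


if __name__ == "__main__":
    for a in detect(LF_CHUNK):
        print(f"ALERT {a['timestamp']} {a['host']} {a['action']} "
              f"{a['src']} -> {a['dst']} on {a['iface']}: {a[RULE_FIELD]}")
```

Run stand-alone it prints one alert, for the drop record with message_info "Address spoofing". detect_unframed() returns nothing for the same bytes because this decoder's header parser rejects the multi-line blob; how a real receiver behaves on an unframed read depends on its own decoder, so the practical check is whether the number of events the receiver produces equals the number of messages the forwarder sent. Framing is separate from the UDP loss the poster also saw: a lost datagram is gone regardless of framing, whereas TCP with correct framing preserves both delivery and message boundaries.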
Re: [ossec-list] Problem with ossec's syslog options and ossec-remoted process
On 05/01/2012 02:14 AM, dan (ddp) wrote:
> On Apr 30, 2012 4:11 PM, carlopmart carlopm...@gmail.com wrote:
>> Hi all,
>>
>> I have several problems with the ossec-remoted process and ossec's syslog remote options. My ossec server is configured to receive syslog messages via a tcp port. The problem is the amount of syslog messages that ossec can receive, which does not seem to be many. Configuration is:
>>
>> syslog forwarder ossec-remote process...
>
> What are you using as your forwarder?

An rsyslog instance ..

>> Using this configuration, ossec doesn't trigger alerts because it groups these alerts (sometimes three or four messages in the same alert and
>
> What does this mean? If multiple alerts are grouped together in an alert, an alert is triggered.
>
>> sometimes more). As you can see, some alerts work and others do not ...
>
> I can't see, no examples were provided.

For example this:

<166>May 1 02:08:29 10.196.0.36 checkpoint_logs: 1May2012 2:02:24 accept 10.196.0.1 Lan2 rule: 5; rule_uid: {DA57B632-3A1F-49B8-920A-64C8729D17E6}; src: 10.201.248.12; dst: 10.196.0.15; proto: tcp; product: VPN-1 FireWall-1; service: 80; s_port: 2039;
<166>May 1 02:08:29 10.196.0.36 checkpoint_logs: 1May2012 2:02:24 accept 10.196.0.1 Lan2 inzone: Internal; outzone: Internal; rule: 25; rule_uid: {8348FCBF-8DA1-4486-83AC-8CCFDF29DFE7}; service_id: icmp-proto; ICMP: Echo Request; src: 192.168.201.20; dst: 10.201.27.102; proto: icmp; ICMP Type: 8; ICMP Code: 0; product: VPN-1 FireWall-1;
<166>May 1 02:03:32 10.196.0.36 checkpoint_logs: 1May2012 1:57:26 drop 10.196.0.1 bond0.30 src: 192.168.1.210; dst: 10.133.3.10; proto: udp; message_info: Address spoofing; product: VPN-1 FireWall-1; service: 123; s_port: 123;
<166>May 1 02:03:32 10.196.0.36 checkpoint_logs: 1May2012 1:57:26 accept 10.196.0.1 bond0.405 rule: 55; rule_uid: {D9A1177A-CA96-4DC5-88DA-07D7A226A522}; service_id: http; src: 10.201.27.101; dst: 192.168.60.170; proto: tcp; product: VPN-1 FireWall-1; service: 80; s_port: 3822;
<166>May 1 02:03:32 10.196.0.36 checkpoint_logs: 1May2012 1:57:26 accept 10.196.0.1 bond0.405 rule: 55; rule_uid: {D9A1177A-CA96-4DC5-88DA-07D7A226A522}; service_id: http; src: 10.201.27.104; dst: 192.168.68.167; proto: tcp; product: VPN-1 FireWall-1; service: 80; s_port: 1658;
<166>May 1 02:03:32 10.196.0.36 checkpoint_logs: 1May2012 1:57:27 accept 10.196.0.1 Lan2 inzone: Internal; outzone: Internal; rule: 40; rule_uid: {50FC50FB-176C-4B18-B1F3-31786EC4A01A}; service_id: domain-udp; src: 192.168.44.11; dst: 10.196.0.67; proto: udp; product: VPN-1 FireWall-1; service: 53; s_port: 62102;

I have defined a rule to trigger an alert when Address spoofing appears in message_info ... In this case, the alert was not triggered ...

>> Changing to udp, ossec loses a lot of messages ...
>>
>> Another option I've tried is to use a third server that redirects all messages to a text file in syslog format. It was the worst solution: ossec reads messages two hours late ...
>>
>> Then, what is the solution? Is it not possible to use the remote syslog option in a production environment??
>>
>> Thanks.
>> --
>> CL Martinez
>> carlopmart {at} gmail {d0t} com

--
CL Martinez
carlopmart {at} gmail {d0t} com
[ossec-list] Problem with ossec's syslog options and ossec-remoted process
Hi all,

I have several problems with the ossec-remoted process and ossec's syslog remote options. My ossec server is configured to receive syslog messages via a tcp port. The problem is the amount of syslog messages that ossec can receive, which does not seem to be many. Configuration is:

syslog forwarder ossec-remote process...

Using this configuration, ossec doesn't trigger alerts because it groups these alerts (sometimes three or four messages in the same alert and sometimes more). As you can see, some alerts work and others do not ...

Changing to udp, ossec loses a lot of messages ...

Another option I've tried is to use a third server that redirects all messages to a text file in syslog format. It was the worst solution: ossec reads messages two hours late ...

Then, what is the solution? Is it not possible to use the remote syslog option in a production environment??

Thanks.
--
CL Martinez
carlopmart {at} gmail {d0t} com
Re: [ossec-list] Problem with ossec's syslog options and ossec-remoted process
On Apr 30, 2012 4:11 PM, carlopmart carlopm...@gmail.com wrote:
> Hi all,
>
> I have several problems with the ossec-remoted process and ossec's syslog remote options. My ossec server is configured to receive syslog messages via a tcp port. The problem is the amount of syslog messages that ossec can receive, which does not seem to be many. Configuration is:
>
> syslog forwarder ossec-remote process...

What are you using as your forwarder?

> Using this configuration, ossec doesn't trigger alerts because it groups these alerts (sometimes three or four messages in the same alert and

What does this mean? If multiple alerts are grouped together in an alert, an alert is triggered.

> sometimes more). As you can see, some alerts work and others do not ...

I can't see, no examples were provided.

> Changing to udp, ossec loses a lot of messages ...
>
> Another option I've tried is to use a third server that redirects all messages to a text file in syslog format. It was the worst solution: ossec reads messages two hours late ...
>
> Then, what is the solution? Is it not possible to use the remote syslog option in a production environment??
>
> Thanks.
> --
> CL Martinez
> carlopmart {at} gmail {d0t} com