Re: [ossec-list] OSSEC alerts on syslog
On Mon, Mar 27, 2017 at 11:25 AM, wrote:
> Hi All,
>
> So I am currently still troubleshooting, but noticed that the syslog-ng
> process was listening on 514 TCP, but also had an entry for 514 UDP, which
> is the protocol I've set within my ossec.conf. Could this be part of the
> issue? My guess is that I only want 514 udp listening.

Yes, if syslog-ng is utilizing the port, ossec-remoted will not be able to use it.

> On Thursday, March 16, 2017 at 3:30:46 PM UTC-4, dan (ddpbsd) wrote:
>> [...]
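An added example, not code from the thread or from the OSSEC project: a POSIX shell check for the port conflict diagnosed above (another daemon holding the udp/514 socket that ossec-remoted needs), with the ossec.conf `<remote>` block from Jose's message reproduced in the comments. The netstat listings are constructed samples with made-up PIDs, and `SYMANTEC_AV_IP` is a placeholder.

```shell
#!/bin/sh
# Added example, not code from the ossec-list thread or the OSSEC project.
# ossec-remoted can only receive syslog if it is the process bound to the
# port/protocol configured in ossec.conf. The <remote> block the thread
# refers to (its tags were lost in the archive) looks like this, with
# SYMANTEC_AV_IP as a placeholder for the sender's address:
#
#   <remote>
#     <connection>syslog</connection>
#     <port>514</port>
#     <protocol>udp</protocol>
#     <allowed-ips>SYMANTEC_AV_IP</allowed-ips>
#   </remote>
#
# The check below parses `netstat -ptuna` output and reports which process
# owns the socket, which is how the thread found syslog-ng sitting on udp/514.

# Constructed sample of `netstat -ptuna | grep 514` on a host where syslog-ng
# took both sockets (PIDs are made up).
SAMPLE_CONFLICT='tcp        0      0 0.0.0.0:514             0.0.0.0:*               LISTEN      21090/syslog-ng
udp        0      0 0.0.0.0:514             0.0.0.0:*                           21090/syslog-ng'

# Constructed sample of a healthy host: ossec-remoted owns udp/514.
SAMPLE_OK='udp        0      0 0.0.0.0:514             0.0.0.0:*                           4242/ossec-remoted'

# owner_of PROTO PORT  (netstat output on stdin)
# Prints the PID/Program column of the first socket bound to PROTO on PORT,
# or "none" when no such socket is listed.
owner_of() {
    awk -v proto="$1" -v port="$2" '
        $1 == proto && $4 ~ (":" port "$") { print $NF; found = 1; exit }
        END { if (!found) print "none" }'
}

# check_remoted_port PROTO PORT  (netstat output on stdin)
# Exit status: 0 ossec-remoted owns the socket, 1 another process does,
# 2 nothing is bound, 3 the owner is hidden (netstat not run as root).
check_remoted_port() {
    owner=$(owner_of "$1" "$2")
    case "$owner" in
        none)            echo "nothing bound to $1/$2"; return 2 ;;
        -)               echo "$1/$2 owner hidden; rerun netstat as root"; return 3 ;;
        */ossec-remoted) echo "ossec-remoted owns $1/$2"; return 0 ;;
        *)               echo "$1/$2 held by $owner; ossec-remoted cannot bind it"; return 1 ;;
    esac
}

# Demo on the constructed samples. On a real host replace the printf with
# `netstat -ptuna | check_remoted_port udp 514`.
printf '%s\n' "$SAMPLE_CONFLICT" | check_remoted_port udp 514 || echo "exit status $?"
printf '%s\n' "$SAMPLE_OK" | check_remoted_port udp 514 || echo "exit status $?"
```

The protocol argument matters: the thread's ossec.conf selects udp, so a syslog-ng listener on tcp/514 alone would not block ossec-remoted, while one on udp/514 does.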
Re: [ossec-list] OSSEC alerts on syslog
Hi All,

So I am currently still troubleshooting, but noticed that the syslog-ng process was listening on 514 TCP, but also had an entry for 514 UDP, which is the protocol I've set within my ossec.conf. Could this be part of the issue? My guess is that I only want 514 udp listening.

On Thursday, March 16, 2017 at 3:30:46 PM UTC-4, dan (ddpbsd) wrote:
> [...]
Re: [ossec-list] OSSEC alerts on syslog
On Thu, Mar 16, 2017 at 11:33 AM, wrote:
> Here is the output:
>
>     udp        0      0 0.0.0.0:514             0.0.0.0:*                           21090/syslog-ng

So syslog-ng is listening for incoming messages.
You'll have to figure out what syslog-ng is doing with the log messages.

> This is the only instance...
>
> On Wednesday, March 15, 2017 at 2:41:58 PM UTC-4, dan (ddpbsd) wrote:
>> [...]

--

---
You received this message because you are subscribed to the Google Groups "ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to ossec-list+unsubscr...@googlegroups.com.
Re: [ossec-list] OSSEC alerts on syslog
Here is the output:

    udp        0      0 0.0.0.0:514             0.0.0.0:*                           21090/syslog-ng

This is the only instance...

On Wednesday, March 15, 2017 at 2:41:58 PM UTC-4, dan (ddpbsd) wrote:
> [...]
Re: [ossec-list] OSSEC alerts on syslog
On Tue, Mar 14, 2017 at 3:37 PM, wrote:
> Hello, yes:
>
>     root@xx:/var/log# netstat -tuna | grep 514
>     tcp        0      0 0.0.0.0:514             0.0.0.0:*
>     udp        0      0 0.0.0.0:514             0.0.0.0:*

Adding -p to that could tell you the process using that port.
`netstat -ptuna | grep 514`

Is this securityonion? They may have syslog-ng already listening to the network.

> [...]
>
> On Tuesday, March 14, 2017 at 1:48:17 PM UTC-4, jose wrote:
>> [...]
>>
>> On March 14, 2017 at 12:44:07 PM, eholl...@gmail.com (eholl...@gmail.com) wrote:
>>
>> [...] Where should these logs be written when being sent to the server? I've checked all
>> gzipped files in /var/log/ as well as all files in /var/ossec/logs/archive/
>> and /var/ossec/logs/alerts/

`/var/ossec/logs/archives/archives.log` only contains entries if you enable the logall option in the ossec.conf.
I'm not sure if it records messages sent to the syslog remoted stuff.
I just haven't tested it.

>> [...]
Re: [ossec-list] OSSEC alerts on syslog
On Tue, Mar 14, 2017 at 11:44 AM, Jose Luis Ruiz wrote:
> Hello,
>
> In order to permit OSSEC to receive your Symantec syslog messages, you need to
> enable this in the configuration:

Unless you're using a proper syslog daemon, which may already be listening on that port.

> [...]
Re: [ossec-list] OSSEC alerts on syslog
Hello, yes:

    root@xx:/var/log# netstat -tuna | grep 514
    tcp        0      0 0.0.0.0:514             0.0.0.0:*
    udp        0      0 0.0.0.0:514             0.0.0.0:*

    syslog
    161.182.xxx.xxx
    161.182.xxx.xxx

On Tuesday, March 14, 2017 at 1:48:17 PM UTC-4, jose wrote:
> [...]
Re: [ossec-list] OSSEC alerts on syslog
Hi, can you verify if the port is open?

    [root@wazuh-manager /]# netstat -tuna | grep 514
    udp        0      0 0.0.0.0:514             0.0.0.0:*

The Symantec IP is allowed in ossec.conf, right?

Regards
---
Jose Luis Ruiz
Wazuh Inc.
j...@wazuh.com

On March 14, 2017 at 12:44:07 PM, ehollis3...@gmail.com (ehollis3...@gmail.com) wrote:
> [...]
Re: [ossec-list] OSSEC alerts on syslog
It's very strange... I have already enabled syslog over 514 from our Symantec server to the OSSEC server, and I see the logs coming into our ELSA instance, but I have grep'd our syslog files, OSSEC archive and OSSEC alerts files and do not see the log anywhere on the server... Where should these logs be written when being sent to the server? I've checked all gzipped files in /var/log/ as well as all files in /var/ossec/logs/archive/ and /var/ossec/logs/alerts/

On Tuesday, March 14, 2017 at 11:44:36 AM UTC-4, jose wrote:
> [...]
Re: [ossec-list] OSSEC alerts on syslog
Hello,

In order to permit OSSEC to receive your Symantec syslog messages, you need to enable this in the configuration:

Listen in port 514:

    <remote>
      <connection>syslog</connection>
      <allowed-ips>Symantec AV ip</allowed-ips>
    </remote>

then you need to restart ossec:

    /var/ossec/bin/ossec-control restart

If after these changes you are still not receiving alerts, enable logall in ossec.conf (<logall>yes</logall>) and take a look in the file "/var/ossec/logs/archives/archives.log". If the logs are in this file, but not in your alerts, probably the decoders or rules have something wrong.

Regards
---
Jose Luis Ruiz
Wazuh Inc.
j...@wazuh.com

On March 14, 2017 at 10:57:55 AM, ehollis3...@gmail.com (ehollis3...@gmail.com) wrote:

> Hello All,
>
> I have pointed my Symantec AV logs to our OSSEC server via syslog over port 514. I am seeing the logs come into ELSA, but not as OSSEC alerts. I have created a custom decoder and parser, and can confirm that it is working:
>
>     **Phase 2: Completed decoding.
>            decoder: 'Symantec'
>
>     **Phase 3: Completed filtering (rules).
>            Rule id: '16'
>            Level: '7'
>            Description: 'Symantec: virus found'
>     **Alert to be generated.
>
> Do I need to point OSSEC to monitor the incoming syslog so that it can alert on it? Again, I am seeing the straight syslog coming into ELSA, but no OSSEC alert appears to be generated.
>
> Thanks
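The steps in the reply above (a `<remote>` syslog block with the sender in `<allowed-ips>`, a restart, then `logall` to see what reaches archives.log) can be checked offline before restarting anything. The script below is an added example for this thread, not code from the original posts or from the OSSEC/Wazuh projects. It parses an ossec.conf fragment, checks whether a given sender IP matches an `<allowed-ips>` entry (single IP or CIDR), checks `logall`, and reads `netstat -ptuna` output to see who actually owns the syslog port, since the original poster's messages are already reaching ELSA, which means some other receiver is bound to 514 and ossec-remoted cannot share it. The ossec.conf text, the netstat lines, the PIDs and the 192.0.2.x/198.51.100.x/203.0.113.x addresses are all constructed sample data.

```python
"""Offline pre-flight checks for an OSSEC manager that should receive
remote syslog. Added example; the config, netstat output and IPs below
are constructed, not taken from the thread or from OSSEC."""
import ipaddress
import xml.etree.ElementTree as ET

# Constructed ossec.conf with two top-level <ossec_config> blocks,
# a layout real ossec.conf files commonly have.
CONF_SAMPLE = """\
<ossec_config>
  <global>
    <logall>yes</logall>
  </global>
  <remote>
    <connection>syslog</connection>
    <allowed-ips>192.0.2.10</allowed-ips>
    <allowed-ips>198.51.100.0/24</allowed-ips>
  </remote>
</ossec_config>
<ossec_config>
  <remote>
    <connection>secure</connection>
  </remote>
</ossec_config>
"""

# Constructed `netstat -ptuna` output: another daemon already owns 514.
NETSTAT_SAMPLE = """\
Proto Recv-Q Send-Q Local Address  Foreign Address  State   PID/Program name
tcp        0      0 0.0.0.0:514    0.0.0.0:*        LISTEN  21090/syslog-ng
udp        0      0 0.0.0.0:514    0.0.0.0:*                21090/syslog-ng
udp        0      0 0.0.0.0:1514   0.0.0.0:*                2231/ossec-remoted
"""


def parse_conf(text):
    # Several top-level <ossec_config> elements are not one well-formed
    # XML document, so wrap them in a synthetic root before parsing.
    return ET.fromstring("<root>" + text + "</root>")


def syslog_listeners(conf_text):
    """One dict per <remote> block whose <connection> is syslog.
    514/udp are OSSEC's documented defaults when port/protocol are absent."""
    found = []
    for remote in parse_conf(conf_text).iter("remote"):
        if (remote.findtext("connection") or "").strip() != "syslog":
            continue
        found.append({
            "port": int((remote.findtext("port") or "514").strip()),
            "protocol": (remote.findtext("protocol") or "udp").strip().lower(),
            "allowed_ips": [e.text.strip() for e in remote.findall("allowed-ips") if e.text],
        })
    return found


def sender_allowed(conf_text, sender_ip):
    """True if sender_ip falls inside any <allowed-ips> entry (IP or CIDR)."""
    addr = ipaddress.ip_address(sender_ip)
    return any(addr in ipaddress.ip_network(entry, strict=False)
               for lst in syslog_listeners(conf_text)
               for entry in lst["allowed_ips"])


def logall_enabled(conf_text):
    """<global><logall>yes</logall></global> is what makes received
    messages show up in logs/archives/archives.log."""
    return any((g.findtext("logall") or "").strip().lower() == "yes"
               for g in parse_conf(conf_text).iter("global"))


def port_owner(netstat_text, port, proto="udp"):
    """PID/Program bound to port/proto in `netstat -ptuna` output, '?' if
    netstat ran without -p, None if nothing is bound there."""
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) < 5 or not fields[0].startswith(proto):
            continue
        if fields[3].rsplit(":", 1)[-1] == str(port):
            return fields[-1] if "/" in fields[-1] else "?"
    return None


def diagnose(conf_text, netstat_text, sender_ip):
    """Human-readable findings; an empty list means config and socket
    table are consistent with remoted receiving from sender_ip."""
    findings = []
    listeners = syslog_listeners(conf_text)
    if not listeners:
        findings.append("no <remote><connection>syslog</connection> block in ossec.conf")
    for lst in listeners:
        where = f"{lst['port']}/{lst['protocol']}"
        owner = port_owner(netstat_text, lst["port"], lst["protocol"])
        if owner is None:
            findings.append(f"nothing bound to {where}; is ossec-remoted running?")
        elif owner == "?":
            findings.append(f"something is bound to {where}; rerun netstat with -p to see who")
        elif "ossec-remoted" not in owner:
            findings.append(f"{where} is held by {owner}, so ossec-remoted cannot bind it")
    if listeners and not sender_allowed(conf_text, sender_ip):
        findings.append(f"{sender_ip} matches no <allowed-ips> entry; remoted drops its messages")
    if not logall_enabled(conf_text):
        findings.append("logall is off, so archives.log will not show what remoted receives")
    return findings


if __name__ == "__main__":
    for finding in diagnose(CONF_SAMPLE, NETSTAT_SAMPLE, "192.0.2.10"):
        print("finding:", finding)
```

Against the sample data the only finding is that 514/udp is held by syslog-ng, which is exactly the case where the `<remote>` block looks right but nothing ever lands in archives.log. On a real manager, feed it the actual /var/ossec/etc/ossec.conf and live `netstat -ptuna` (or `ss -lunp`, after adjusting the column parsing) output.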
Re: [ossec-list] OSSEC alerts on syslog
On Mar 14, 2017 10:57 AM, wrote:

> Hello All,
>
> I have pointed my Symantec AV logs to our OSSEC server via syslog over port 514. I am seeing the logs come into ELSA, but not as OSSEC alerts. I have created a custom decoder and parser, and can confirm that it is working:
>
>     **Phase 2: Completed decoding.
>            decoder: 'Symantec'
>
>     **Phase 3: Completed filtering (rules).
>            Rule id: '16'
>            Level: '7'
>            Description: 'Symantec: virus found'
>     **Alert to be generated.
>
> Do I need to point OSSEC to monitor the incoming syslog so that it can alert on it? Again, I am seeing the straight syslog coming into ELSA, but no OSSEC alert appears to be generated.

Figure out which syslog file they're saved in and make sure ossec has a localfile entry for that file.
Make sure you restarted your ossec processes after adding the decoder/rules.

> Thanks
[ossec-list] OSSEC alerts on syslog
Hello All,

I have pointed my Symantec AV logs to our OSSEC server via syslog over port 514. I am seeing the logs come into ELSA, but not as OSSEC alerts. I have created a custom decoder and parser, and can confirm that it is working:

    **Phase 2: Completed decoding.
           decoder: 'Symantec'

    **Phase 3: Completed filtering (rules).
           Rule id: '16'
           Level: '7'
           Description: 'Symantec: virus found'
    **Alert to be generated.

Do I need to point OSSEC to monitor the incoming syslog so that it can alert on it? Again, I am seeing the straight syslog coming into ELSA, but no OSSEC alert appears to be generated.

Thanks