subject:"\[ossec\-list\] OSSEC alerts on syslog"

Re: [ossec-list] OSSEC alerts on syslog

2017-03-27 Thread dan (ddp)

On Mon, Mar 27, 2017 at 11:25 AM,   wrote:
> Hi All,
>
> So I am currently still troubleshooting, but noticed that the syslog-ng
> process was listening on 514 TCP, but also had an entry for 514 UDP, which
> is the protocol I've set within my ossec.conf. Could this be part of the
> issue? My guess is that I only want 514 udp listening.
>

Yes, if syslog-ng is utilizing the port, ossec-remoted will not be
able to use it.

> On Thursday, March 16, 2017 at 3:30:46 PM UTC-4, dan (ddpbsd) wrote:
>>
>> On Thu, Mar 16, 2017 at 11:33 AM,   wrote:
>> > Here is the output:
>> >
>> > udp0  0 0.0.0.0:514 0.0.0.0:*
>> > 21090/syslog-ng
>> >
>>
>> So syslog-ng is listening for incoming messages.
>> You'll have to figure out what syslog-ng is doing with the log messages.
>>
>> > This is the only instance...
>> >
>> >
>> > On Wednesday, March 15, 2017 at 2:41:58 PM UTC-4, dan (ddpbsd) wrote:
>> >>
>> >> On Tue, Mar 14, 2017 at 3:37 PM,   wrote:
>> >> > Hello, yes:
>> >> >
>> >> > root@xx:/var/log# netstat -tuna | grep 514
>> >> > tcp0  0 0.0.0.0:514 0.0.0.0:*
>> >> > udp0  0 0.0.0.0:514 0.0.0.0:*
>> >> >
>> >> >
>> >>
>> >> Adding -p to that could tell you the process using that port.
>> >> `netstat -ptuna | grep 514`
>> >>
>> >> Is this securityonion? They may have syslog-ng already listening to the
>> >> network.
>> >>
>> >> >   
>> >> > syslog
>> >> >   161.182.xxx.xxx
>> >> >   161.182.xxx.xxx
>> >> >   
>> >> >
>> >> >
>> >> >
>> >> > On Tuesday, March 14, 2017 at 1:48:17 PM UTC-4, jose wrote:
>> >> >>
>> >> >> Hi, can you verify if the port it’s open?
>> >> >>
>> >> >> [root@wazuh-manager /]# netstat -tuna | grep 514
>> >> >> udp0  0 0.0.0.0:514 0.0.0.0:*
>> >> >>
>> >> >> The symantec ip is allowed in ossec.conf right?
>> >> >>
>> >> >>
>> >> >>
>> >> >> Regards
>> >> >> ---
>> >> >> Jose Luis Ruiz
>> >> >> Wazuh Inc.
>> >> >> jo...@wazuh.com
>> >> >>
>> >> >> On March 14, 2017 at 12:44:07 PM, eholl...@gmail.com
>> >> >> (eholl...@gmail.com)
>> >> >> wrote:
>> >> >>
>> >> >> It's very strange...I have enabled already enabled syslog over 514
>> >> >> from
>> >> >> our symantec server to the OSSEC server, and I see the logs coming
>> >> >> into
>> >> >> our
>> >> >> ELSA instance, but I have grep'd our syslog files, OSSEC archive and
>> >> >> OSSEC
>> >> >> alerts files and do not see the log anywhere on the server... Where
>> >> >> should
>> >> >> these logs be written when being sent to the server? I've checked
>> >> >> all
>> >> >> gzipped files in /var/log/ as well as all files in
>> >> >> /var/ossec/logs/archive/
>> >> >> and /var/ossec/logs/alerts/
>> >> >>
>> >>
>> >> `/var/ossec/logs/archives/archives.log` only contains entries if you
>> >> enable the logall option in the ossec.conf.
>> >> I'm not sure if it records messages sent to the syslog remoted stuff.
>> >> I just haven't tested it.
>> >>
>> >> >> On Tuesday, March 14, 2017 at 11:44:36 AM UTC-4, jose wrote:
>> >> >>>
>> >> >>> Hello,
>> >> >>>
>> >> >>> In order to permit Ossec recibe your Symantec syslogs messages, you
>> >> >>> need
>> >> >>> to enable this in the configuration:
>> >> >>>
>> >> >>> Listen in port 514:
>> >> >>>
>> >> >>> 
>> >> >>>   
>> >> >>> syslog
>> >> >>>   Symantec AV ip
>> >> >>>   
>> >> >>> 
>> >> >>>
>> >> >>> then you need to restart ossec:
>> >> >>>
>> >> >>> /var/ossec/bin/ossec-control restart
>> >> >>>
>> >> >>> If after these changes you are still not receiving alerts, enable
>> >> >>> logall
>> >> >>> in ossec.conf  yes  and take a look in the file
>> >> >>> “/var/ossec/logs/archives/archives.log”, if the logs are in this
>> >> >>> file,
>> >> >>> but
>> >> >>> not in your alerts, probably the decoders or rules have something
>> >> >>> wrong.
>> >> >>>
>> >> >>>
>> >> >>>
>> >> >>> Regards
>> >> >>> ---
>> >> >>> Jose Luis Ruiz
>> >> >>> Wazuh Inc.
>> >> >>> jo...@wazuh.com
>> >> >>>
>> >> >>> On March 14, 2017 at 10:57:55 AM, eholl...@gmail.com
>> >> >>> (eholl...@gmail.com)
>> >> >>> wrote:
>> >> >>>
>> >> >>> Hello All,
>> >> >>>
>> >> >>> I have pointed my Symantec AV logs to our OSSEC server via syslog
>> >> >>> over
>> >> >>> port 514. I am seeing the logs come into ELSA, but not as OSSEC
>> >> >>> alerts. I
>> >> >>> have created a custom decoder and parser, and can confirm that it
>> >> >>> is
>> >> >>> working:
>> >> >>>
>> >> >>> **Phase 2: Completed decoding.
>> >> >>>decoder: 'Symantec'
>> >> >>>
>> >> >>> **Phase 3: Completed filtering (rules).
>> >> >>>Rule id: '16'
>> >> >>>Level: '7'
>> >> >>>Description: 'Symantec: virus found'
>> >> >>> **Alert to be generated.
>> >> >>>
>> >> >>> Do I need to point OSSEC to monitor the incoming syslog so that it
>> >> >>> can
>> >> >>> alert on it? Again, I am seeing the straight syslog coming into
>> >> >>>

Re: [ossec-list] OSSEC alerts on syslog

2017-03-27 Thread ehollis3942

Hi All,

So I am currently still troubleshooting, but noticed that the syslog-ng 
process was listening on 514 TCP, but also had an entry for 514 UDP, which 
is the protocol I've set within my ossec.conf. Could this be part of the 
issue? My guess is that I only want 514 udp listening.

On Thursday, March 16, 2017 at 3:30:46 PM UTC-4, dan (ddpbsd) wrote:
>
> On Thu, Mar 16, 2017 at 11:33 AM,   
> wrote: 
> > Here is the output: 
> > 
> > udp0  0 0.0.0.0:514 0.0.0.0:* 
> > 21090/syslog-ng 
> > 
>
> So syslog-ng is listening for incoming messages. 
> You'll have to figure out what syslog-ng is doing with the log messages. 
>
> > This is the only instance... 
> > 
> > 
> > On Wednesday, March 15, 2017 at 2:41:58 PM UTC-4, dan (ddpbsd) wrote: 
> >> 
> >> On Tue, Mar 14, 2017 at 3:37 PM,   wrote: 
> >> > Hello, yes: 
> >> > 
> >> > root@xx:/var/log# netstat -tuna | grep 514 
> >> > tcp0  0 0.0.0.0:514 0.0.0.0:* 
> >> > udp0  0 0.0.0.0:514 0.0.0.0:* 
> >> > 
> >> > 
> >> 
> >> Adding -p to that could tell you the process using that port. 
> >> `netstat -ptuna | grep 514` 
> >> 
> >> Is this securityonion? They may have syslog-ng already listening to the 
> >> network. 
> >> 
> >> >
> >> > syslog 
> >> >   161.182.xxx.xxx 
> >> >   161.182.xxx.xxx 
> >> >
> >> > 
> >> > 
> >> > 
> >> > On Tuesday, March 14, 2017 at 1:48:17 PM UTC-4, jose wrote: 
> >> >> 
> >> >> Hi, can you verify if the port it’s open? 
> >> >> 
> >> >> [root@wazuh-manager /]# netstat -tuna | grep 514 
> >> >> udp0  0 0.0.0.0:514 0.0.0.0:* 
> >> >> 
> >> >> The symantec ip is allowed in ossec.conf right? 
> >> >> 
> >> >> 
> >> >> 
> >> >> Regards 
> >> >> --- 
> >> >> Jose Luis Ruiz 
> >> >> Wazuh Inc. 
> >> >> jo...@wazuh.com 
> >> >> 
> >> >> On March 14, 2017 at 12:44:07 PM, eholl...@gmail.com 
> >> >> (eholl...@gmail.com) 
> >> >> wrote: 
> >> >> 
> >> >> It's very strange...I have enabled already enabled syslog over 514 
> from 
> >> >> our symantec server to the OSSEC server, and I see the logs coming 
> into 
> >> >> our 
> >> >> ELSA instance, but I have grep'd our syslog files, OSSEC archive and 
> >> >> OSSEC 
> >> >> alerts files and do not see the log anywhere on the server... Where 
> >> >> should 
> >> >> these logs be written when being sent to the server? I've checked 
> all 
> >> >> gzipped files in /var/log/ as well as all files in 
> >> >> /var/ossec/logs/archive/ 
> >> >> and /var/ossec/logs/alerts/ 
> >> >> 
> >> 
> >> `/var/ossec/logs/archives/archives.log` only contains entries if you 
> >> enable the logall option in the ossec.conf. 
> >> I'm not sure if it records messages sent to the syslog remoted stuff. 
> >> I just haven't tested it. 
> >> 
> >> >> On Tuesday, March 14, 2017 at 11:44:36 AM UTC-4, jose wrote: 
> >> >>> 
> >> >>> Hello, 
> >> >>> 
> >> >>> In order to permit Ossec recibe your Symantec syslogs messages, you 
> >> >>> need 
> >> >>> to enable this in the configuration: 
> >> >>> 
> >> >>> Listen in port 514: 
> >> >>> 
> >> >>>  
> >> >>>
> >> >>> syslog 
> >> >>>   Symantec AV ip 
> >> >>>
> >> >>>  
> >> >>> 
> >> >>> then you need to restart ossec: 
> >> >>> 
> >> >>> /var/ossec/bin/ossec-control restart 
> >> >>> 
> >> >>> If after these changes you are still not receiving alerts, enable 
> >> >>> logall 
> >> >>> in ossec.conf  yes  and take a look in the file 
> >> >>> “/var/ossec/logs/archives/archives.log”, if the logs are in this 
> file, 
> >> >>> but 
> >> >>> not in your alerts, probably the decoders or rules have something 
> >> >>> wrong. 
> >> >>> 
> >> >>> 
> >> >>> 
> >> >>> Regards 
> >> >>> --- 
> >> >>> Jose Luis Ruiz 
> >> >>> Wazuh Inc. 
> >> >>> jo...@wazuh.com 
> >> >>> 
> >> >>> On March 14, 2017 at 10:57:55 AM, eholl...@gmail.com 
> >> >>> (eholl...@gmail.com) 
> >> >>> wrote: 
> >> >>> 
> >> >>> Hello All, 
> >> >>> 
> >> >>> I have pointed my Symantec AV logs to our OSSEC server via syslog 
> over 
> >> >>> port 514. I am seeing the logs come into ELSA, but not as OSSEC 
> >> >>> alerts. I 
> >> >>> have created a custom decoder and parser, and can confirm that it 
> is 
> >> >>> working: 
> >> >>> 
> >> >>> **Phase 2: Completed decoding. 
> >> >>>decoder: 'Symantec' 
> >> >>> 
> >> >>> **Phase 3: Completed filtering (rules). 
> >> >>>Rule id: '16' 
> >> >>>Level: '7' 
> >> >>>Description: 'Symantec: virus found' 
> >> >>> **Alert to be generated. 
> >> >>> 
> >> >>> Do I need to point OSSEC to monitor the incoming syslog so that it 
> can 
> >> >>> alert on it? Again, I am seeing the straight syslog coming into 
> ELSA, 
> >> >>> but no 
> >> >>> OSSEC alert appears to be generated. 
> >> >>> 
> >> >>> Thanks 
> >> >>> -- 
> >> >>> 
> >> >>> --- 
> >> >>> You received this message because you are subscribed to the Google 
>

Re: [ossec-list] OSSEC alerts on syslog

2017-03-16 Thread dan (ddp)

On Thu, Mar 16, 2017 at 11:33 AM,   wrote:
> Here is the output:
>
> udp0  0 0.0.0.0:514 0.0.0.0:*
> 21090/syslog-ng
>

So syslog-ng is listening for incoming messages.
You'll have to figure out what syslog-ng is doing with the log messages.

> This is the only instance...
>
>
> On Wednesday, March 15, 2017 at 2:41:58 PM UTC-4, dan (ddpbsd) wrote:
>>
>> On Tue, Mar 14, 2017 at 3:37 PM,   wrote:
>> > Hello, yes:
>> >
>> > root@xx:/var/log# netstat -tuna | grep 514
>> > tcp0  0 0.0.0.0:514 0.0.0.0:*
>> > udp0  0 0.0.0.0:514 0.0.0.0:*
>> >
>> >
>>
>> Adding -p to that could tell you the process using that port.
>> `netstat -ptuna | grep 514`
>>
>> Is this securityonion? They may have syslog-ng already listening to the
>> network.
>>
>> >   
>> > syslog
>> >   161.182.xxx.xxx
>> >   161.182.xxx.xxx
>> >   
>> >
>> >
>> >
>> > On Tuesday, March 14, 2017 at 1:48:17 PM UTC-4, jose wrote:
>> >>
>> >> Hi, can you verify if the port it’s open?
>> >>
>> >> [root@wazuh-manager /]# netstat -tuna | grep 514
>> >> udp0  0 0.0.0.0:514 0.0.0.0:*
>> >>
>> >> The symantec ip is allowed in ossec.conf right?
>> >>
>> >>
>> >>
>> >> Regards
>> >> ---
>> >> Jose Luis Ruiz
>> >> Wazuh Inc.
>> >> jo...@wazuh.com
>> >>
>> >> On March 14, 2017 at 12:44:07 PM, eholl...@gmail.com
>> >> (eholl...@gmail.com)
>> >> wrote:
>> >>
>> >> It's very strange...I have enabled already enabled syslog over 514 from
>> >> our symantec server to the OSSEC server, and I see the logs coming into
>> >> our
>> >> ELSA instance, but I have grep'd our syslog files, OSSEC archive and
>> >> OSSEC
>> >> alerts files and do not see the log anywhere on the server... Where
>> >> should
>> >> these logs be written when being sent to the server? I've checked all
>> >> gzipped files in /var/log/ as well as all files in
>> >> /var/ossec/logs/archive/
>> >> and /var/ossec/logs/alerts/
>> >>
>>
>> `/var/ossec/logs/archives/archives.log` only contains entries if you
>> enable the logall option in the ossec.conf.
>> I'm not sure if it records messages sent to the syslog remoted stuff.
>> I just haven't tested it.
>>
>> >> On Tuesday, March 14, 2017 at 11:44:36 AM UTC-4, jose wrote:
>> >>>
>> >>> Hello,
>> >>>
>> >>> In order to permit Ossec recibe your Symantec syslogs messages, you
>> >>> need
>> >>> to enable this in the configuration:
>> >>>
>> >>> Listen in port 514:
>> >>>
>> >>> 
>> >>>   
>> >>> syslog
>> >>>   Symantec AV ip
>> >>>   
>> >>> 
>> >>>
>> >>> then you need to restart ossec:
>> >>>
>> >>> /var/ossec/bin/ossec-control restart
>> >>>
>> >>> If after these changes you are still not receiving alerts, enable
>> >>> logall
>> >>> in ossec.conf  yes  and take a look in the file
>> >>> “/var/ossec/logs/archives/archives.log”, if the logs are in this file,
>> >>> but
>> >>> not in your alerts, probably the decoders or rules have something
>> >>> wrong.
>> >>>
>> >>>
>> >>>
>> >>> Regards
>> >>> ---
>> >>> Jose Luis Ruiz
>> >>> Wazuh Inc.
>> >>> jo...@wazuh.com
>> >>>
>> >>> On March 14, 2017 at 10:57:55 AM, eholl...@gmail.com
>> >>> (eholl...@gmail.com)
>> >>> wrote:
>> >>>
>> >>> Hello All,
>> >>>
>> >>> I have pointed my Symantec AV logs to our OSSEC server via syslog over
>> >>> port 514. I am seeing the logs come into ELSA, but not as OSSEC
>> >>> alerts. I
>> >>> have created a custom decoder and parser, and can confirm that it is
>> >>> working:
>> >>>
>> >>> **Phase 2: Completed decoding.
>> >>>decoder: 'Symantec'
>> >>>
>> >>> **Phase 3: Completed filtering (rules).
>> >>>Rule id: '16'
>> >>>Level: '7'
>> >>>Description: 'Symantec: virus found'
>> >>> **Alert to be generated.
>> >>>
>> >>> Do I need to point OSSEC to monitor the incoming syslog so that it can
>> >>> alert on it? Again, I am seeing the straight syslog coming into ELSA,
>> >>> but no
>> >>> OSSEC alert appears to be generated.
>> >>>
>> >>> Thanks
>> >>> --
>> >>>
>> >>> ---
>> >>> You received this message because you are subscribed to the Google
>> >>> Groups
>> >>> "ossec-list" group.
>> >>> To unsubscribe from this group and stop receiving emails from it, send
>> >>> an
>> >>> email to ossec-list+...@googlegroups.com.
>> >>> For more options, visit https://groups.google.com/d/optout.
>> >
>> > --
>> >
>> > ---
>> > You received this message because you are subscribed to the Google
>> > Groups
>> > "ossec-list" group.
>> > To unsubscribe from this group and stop receiving emails from it, send
>> > an
>> > email to ossec-list+...@googlegroups.com.
>> > For more options, visit https://groups.google.com/d/optout.
>
> --
>
> ---
> You received this message because you are subscribed to the Google Groups
> "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to ossec-list+unsubscr...@googlegroups.com.

Re: [ossec-list] OSSEC alerts on syslog

2017-03-16 Thread ehollis3942

Here is the output:

udp0  0 0.0.0.0:514 0.0.0.0:*   
21090/syslog-ng

This is the only instance...


On Wednesday, March 15, 2017 at 2:41:58 PM UTC-4, dan (ddpbsd) wrote:
>
> On Tue, Mar 14, 2017 at 3:37 PM,   
> wrote: 
> > Hello, yes: 
> > 
> > root@xx:/var/log# netstat -tuna | grep 514 
> > tcp0  0 0.0.0.0:514 0.0.0.0:* 
> > udp0  0 0.0.0.0:514 0.0.0.0:* 
> > 
> > 
>
> Adding -p to that could tell you the process using that port. 
> `netstat -ptuna | grep 514` 
>
> Is this securityonion? They may have syslog-ng already listening to the 
> network. 
>
> >
> > syslog 
> >   161.182.xxx.xxx 
> >   161.182.xxx.xxx 
> >
> > 
> > 
> > 
> > On Tuesday, March 14, 2017 at 1:48:17 PM UTC-4, jose wrote: 
> >> 
> >> Hi, can you verify if the port it’s open? 
> >> 
> >> [root@wazuh-manager /]# netstat -tuna | grep 514 
> >> udp0  0 0.0.0.0:514 0.0.0.0:* 
> >> 
> >> The symantec ip is allowed in ossec.conf right? 
> >> 
> >> 
> >> 
> >> Regards 
> >> --- 
> >> Jose Luis Ruiz 
> >> Wazuh Inc. 
> >> jo...@wazuh.com 
> >> 
> >> On March 14, 2017 at 12:44:07 PM, eholl...@gmail.com (
> eholl...@gmail.com) 
> >> wrote: 
> >> 
> >> It's very strange...I have enabled already enabled syslog over 514 from 
> >> our symantec server to the OSSEC server, and I see the logs coming into 
> our 
> >> ELSA instance, but I have grep'd our syslog files, OSSEC archive and 
> OSSEC 
> >> alerts files and do not see the log anywhere on the server... Where 
> should 
> >> these logs be written when being sent to the server? I've checked all 
> >> gzipped files in /var/log/ as well as all files in 
> /var/ossec/logs/archive/ 
> >> and /var/ossec/logs/alerts/ 
> >> 
>
> `/var/ossec/logs/archives/archives.log` only contains entries if you 
> enable the logall option in the ossec.conf. 
> I'm not sure if it records messages sent to the syslog remoted stuff. 
> I just haven't tested it. 
>
> >> On Tuesday, March 14, 2017 at 11:44:36 AM UTC-4, jose wrote: 
> >>> 
> >>> Hello, 
> >>> 
> >>> In order to permit Ossec recibe your Symantec syslogs messages, you 
> need 
> >>> to enable this in the configuration: 
> >>> 
> >>> Listen in port 514: 
> >>> 
> >>>  
> >>>
> >>> syslog 
> >>>   Symantec AV ip 
> >>>
> >>>  
> >>> 
> >>> then you need to restart ossec: 
> >>> 
> >>> /var/ossec/bin/ossec-control restart 
> >>> 
> >>> If after these changes you are still not receiving alerts, enable 
> logall 
> >>> in ossec.conf  yes  and take a look in the file 
> >>> “/var/ossec/logs/archives/archives.log”, if the logs are in this file, 
> but 
> >>> not in your alerts, probably the decoders or rules have something 
> wrong. 
> >>> 
> >>> 
> >>> 
> >>> Regards 
> >>> --- 
> >>> Jose Luis Ruiz 
> >>> Wazuh Inc. 
> >>> jo...@wazuh.com 
> >>> 
> >>> On March 14, 2017 at 10:57:55 AM, eholl...@gmail.com (
> eholl...@gmail.com) 
> >>> wrote: 
> >>> 
> >>> Hello All, 
> >>> 
> >>> I have pointed my Symantec AV logs to our OSSEC server via syslog over 
> >>> port 514. I am seeing the logs come into ELSA, but not as OSSEC 
> alerts. I 
> >>> have created a custom decoder and parser, and can confirm that it is 
> >>> working: 
> >>> 
> >>> **Phase 2: Completed decoding. 
> >>>decoder: 'Symantec' 
> >>> 
> >>> **Phase 3: Completed filtering (rules). 
> >>>Rule id: '16' 
> >>>Level: '7' 
> >>>Description: 'Symantec: virus found' 
> >>> **Alert to be generated. 
> >>> 
> >>> Do I need to point OSSEC to monitor the incoming syslog so that it can 
> >>> alert on it? Again, I am seeing the straight syslog coming into ELSA, 
> but no 
> >>> OSSEC alert appears to be generated. 
> >>> 
> >>> Thanks 
> >>> -- 
> >>> 
> >>> --- 
> >>> You received this message because you are subscribed to the Google 
> Groups 
> >>> "ossec-list" group. 
> >>> To unsubscribe from this group and stop receiving emails from it, send 
> an 
> >>> email to ossec-list+...@googlegroups.com. 
> >>> For more options, visit https://groups.google.com/d/optout. 
> > 
> > -- 
> > 
> > --- 
> > You received this message because you are subscribed to the Google 
> Groups 
> > "ossec-list" group. 
> > To unsubscribe from this group and stop receiving emails from it, send 
> an 
> > email to ossec-list+...@googlegroups.com . 
> > For more options, visit https://groups.google.com/d/optout. 
>

-- 

--- 
You received this message because you are subscribed to the Google Groups 
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to ossec-list+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Re: [ossec-list] OSSEC alerts on syslog

2017-03-15 Thread dan (ddp)

On Tue, Mar 14, 2017 at 3:37 PM,   wrote:
> Hello, yes:
>
> root@xx:/var/log# netstat -tuna | grep 514
> tcp0  0 0.0.0.0:514 0.0.0.0:*
> udp0  0 0.0.0.0:514 0.0.0.0:*
>
>

Adding -p to that could tell you the process using that port.
`netstat -ptuna | grep 514`

Is this securityonion? They may have syslog-ng already listening to the network.

>   
> syslog
>   161.182.xxx.xxx
>   161.182.xxx.xxx
>   
>
>
>
> On Tuesday, March 14, 2017 at 1:48:17 PM UTC-4, jose wrote:
>>
>> Hi, can you verify if the port it’s open?
>>
>> [root@wazuh-manager /]# netstat -tuna | grep 514
>> udp0  0 0.0.0.0:514 0.0.0.0:*
>>
>> The symantec ip is allowed in ossec.conf right?
>>
>>
>>
>> Regards
>> ---
>> Jose Luis Ruiz
>> Wazuh Inc.
>> jo...@wazuh.com
>>
>> On March 14, 2017 at 12:44:07 PM, eholl...@gmail.com (eholl...@gmail.com)
>> wrote:
>>
>> It's very strange...I have enabled already enabled syslog over 514 from
>> our symantec server to the OSSEC server, and I see the logs coming into our
>> ELSA instance, but I have grep'd our syslog files, OSSEC archive and OSSEC
>> alerts files and do not see the log anywhere on the server... Where should
>> these logs be written when being sent to the server? I've checked all
>> gzipped files in /var/log/ as well as all files in /var/ossec/logs/archive/
>> and /var/ossec/logs/alerts/
>>

`/var/ossec/logs/archives/archives.log` only contains entries if you
enable the logall option in the ossec.conf.
I'm not sure if it records messages sent to the syslog remoted stuff.
I just haven't tested it.

>> On Tuesday, March 14, 2017 at 11:44:36 AM UTC-4, jose wrote:
>>>
>>> Hello,
>>>
>>> In order to permit Ossec recibe your Symantec syslogs messages, you need
>>> to enable this in the configuration:
>>>
>>> Listen in port 514:
>>>
>>> 
>>>   
>>> syslog
>>>   Symantec AV ip
>>>   
>>> 
>>>
>>> then you need to restart ossec:
>>>
>>> /var/ossec/bin/ossec-control restart
>>>
>>> If after these changes you are still not receiving alerts, enable logall
>>> in ossec.conf  yes  and take a look in the file
>>> “/var/ossec/logs/archives/archives.log”, if the logs are in this file, but
>>> not in your alerts, probably the decoders or rules have something wrong.
>>>
>>>
>>>
>>> Regards
>>> ---
>>> Jose Luis Ruiz
>>> Wazuh Inc.
>>> jo...@wazuh.com
>>>
>>> On March 14, 2017 at 10:57:55 AM, eholl...@gmail.com (eholl...@gmail.com)
>>> wrote:
>>>
>>> Hello All,
>>>
>>> I have pointed my Symantec AV logs to our OSSEC server via syslog over
>>> port 514. I am seeing the logs come into ELSA, but not as OSSEC alerts. I
>>> have created a custom decoder and parser, and can confirm that it is
>>> working:
>>>
>>> **Phase 2: Completed decoding.
>>>decoder: 'Symantec'
>>>
>>> **Phase 3: Completed filtering (rules).
>>>Rule id: '16'
>>>Level: '7'
>>>Description: 'Symantec: virus found'
>>> **Alert to be generated.
>>>
>>> Do I need to point OSSEC to monitor the incoming syslog so that it can
>>> alert on it? Again, I am seeing the straight syslog coming into ELSA, but no
>>> OSSEC alert appears to be generated.
>>>
>>> Thanks
>>> --
>>>
>>> ---
>>> You received this message because you are subscribed to the Google Groups
>>> "ossec-list" group.
>>> To unsubscribe from this group and stop receiving emails from it, send an
>>> email to ossec-list+...@googlegroups.com.
>>> For more options, visit https://groups.google.com/d/optout.
>
> --
>
> ---
> You received this message because you are subscribed to the Google Groups
> "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to ossec-list+unsubscr...@googlegroups.com.
> For more options, visit https://groups.google.com/d/optout.

-- 

--- 
You received this message because you are subscribed to the Google Groups 
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to ossec-list+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Re: [ossec-list] OSSEC alerts on syslog

2017-03-15 Thread dan (ddp)

On Tue, Mar 14, 2017 at 11:44 AM, Jose Luis Ruiz  wrote:
> Hello,
>
> In order to permit Ossec recibe your Symantec syslogs messages, you need to
> enable this in the configuration:
>

Unless you're using a proper syslog daemon, which may already be
listening on that port.

> Listen in port 514:
>
> 
>   
> syslog
>   Symantec AV ip
>   
> 
>
> then you need to restart ossec:
>
> /var/ossec/bin/ossec-control restart
>
> If after these changes you are still not receiving alerts, enable logall in
> ossec.conf  yes  and take a look in the file
> “/var/ossec/logs/archives/archives.log”, if the logs are in this file, but
> not in your alerts, probably the decoders or rules have something wrong.
>
>
>
> Regards
> ---
> Jose Luis Ruiz
> Wazuh Inc.
> j...@wazuh.com
>
> On March 14, 2017 at 10:57:55 AM, ehollis3...@gmail.com
> (ehollis3...@gmail.com) wrote:
>
> Hello All,
>
> I have pointed my Symantec AV logs to our OSSEC server via syslog over port
> 514. I am seeing the logs come into ELSA, but not as OSSEC alerts. I have
> created a custom decoder and parser, and can confirm that it is working:
>
> **Phase 2: Completed decoding.
>decoder: 'Symantec'
>
> **Phase 3: Completed filtering (rules).
>Rule id: '16'
>Level: '7'
>Description: 'Symantec: virus found'
> **Alert to be generated.
>
> Do I need to point OSSEC to monitor the incoming syslog so that it can alert
> on it? Again, I am seeing the straight syslog coming into ELSA, but no OSSEC
> alert appears to be generated.
>
> Thanks
> --
>
> ---
> You received this message because you are subscribed to the Google Groups
> "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to ossec-list+unsubscr...@googlegroups.com.
> For more options, visit https://groups.google.com/d/optout.
>
> --
>
> ---
> You received this message because you are subscribed to the Google Groups
> "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to ossec-list+unsubscr...@googlegroups.com.
> For more options, visit https://groups.google.com/d/optout.

-- 

--- 
You received this message because you are subscribed to the Google Groups 
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to ossec-list+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Re: [ossec-list] OSSEC alerts on syslog

2017-03-14 Thread ehollis3942

Hello, yes:

root@xx:/var/log# netstat -tuna | grep 514
tcp0  0 0.0.0.0:514 0.0.0.0:* 
udp0  0 0.0.0.0:514 0.0.0.0:*


  
syslog
  161.182.xxx.xxx
  161.182.xxx.xxx
  



On Tuesday, March 14, 2017 at 1:48:17 PM UTC-4, jose wrote:
>
> Hi, can you verify if the port it’s open?
>
> [root@wazuh-manager /]# netstat -tuna | grep 514
> udp0  0 0.0.0.0:514 0.0.0.0:*
>
> The symantec ip is allowed in ossec.conf right?
>
>
>
> Regards
> ---
> Jose Luis Ruiz
> Wazuh Inc.
> jo...@wazuh.com 
>
> On March 14, 2017 at 12:44:07 PM, eholl...@gmail.com  (
> eholl...@gmail.com ) wrote:
>
> It's very strange...I have enabled already enabled syslog over 514 from 
> our symantec server to the OSSEC server, and I see the logs coming into our 
> ELSA instance, but I have grep'd our syslog files, OSSEC archive and OSSEC 
> alerts files and do not see the log anywhere on the server... Where should 
> these logs be written when being sent to the server? I've checked all 
> gzipped files in /var/log/ as well as all files in /var/ossec/logs/archive/ 
> and /var/ossec/logs/alerts/
>
> On Tuesday, March 14, 2017 at 11:44:36 AM UTC-4, jose wrote: 
>>
>> Hello,
>>
>> In order to permit Ossec recibe your Symantec syslogs messages, you need 
>> to enable this in the configuration:
>>
>> Listen in port 514:
>>
>> 
>>   
>> syslog
>>   Symantec AV ip
>>   
>> 
>>
>> then you need to restart ossec:
>>
>> /var/ossec/bin/ossec-control restart
>>
>> If after these changes you are still not receiving alerts, enable logall 
>> in ossec.conf  yes  and take a look in the file 
>> “/var/ossec/logs/archives/archives.log”, if the logs are in this file, but 
>> not in your alerts, probably the decoders or rules have something wrong.
>>
>>
>> Regards
>> ---
>> Jose Luis Ruiz
>> Wazuh Inc.
>> jo...@wazuh.com
>>
>> On March 14, 2017 at 10:57:55 AM, eholl...@gmail.com (eholl...@gmail.com) 
>> wrote:
>>
>> Hello All, 
>>
>> I have pointed my Symantec AV logs to our OSSEC server via syslog over 
>> port 514. I am seeing the logs come into ELSA, but not as OSSEC alerts. I 
>> have created a custom decoder and parser, and can confirm that it is 
>> working:
>>
>> **Phase 2: Completed decoding.
>>decoder: 'Symantec'
>>
>> **Phase 3: Completed filtering (rules).
>>Rule id: '16'
>>Level: '7'
>>Description: 'Symantec: virus found'
>> **Alert to be generated.
>>
>> Do I need to point OSSEC to monitor the incoming syslog so that it can 
>> alert on it? Again, I am seeing the straight syslog coming into ELSA, but 
>> no OSSEC alert appears to be generated.
>>
>> Thanks
>> --
>>
>> ---
>> You received this message because you are subscribed to the Google Groups 
>> "ossec-list" group.
>> To unsubscribe from this group and stop receiving emails from it, send an 
>> email to ossec-list+...@googlegroups.com.
>> For more options, visit https://groups.google.com/d/optout.
>>
>>

-- 

--- 
You received this message because you are subscribed to the Google Groups 
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to ossec-list+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Re: [ossec-list] OSSEC alerts on syslog

2017-03-14 Thread Jose Luis Ruiz

Hi, can you verify if the port it’s open?

[root@wazuh-manager /]# netstat -tuna | grep 514
udp0  0 0.0.0.0:514 0.0.0.0:*

The symantec ip is allowed in ossec.conf right?



Regards
---
Jose Luis Ruiz
Wazuh Inc.
j...@wazuh.com

On March 14, 2017 at 12:44:07 PM, ehollis3...@gmail.com (
ehollis3...@gmail.com) wrote:

It's very strange...I have enabled already enabled syslog over 514 from our
symantec server to the OSSEC server, and I see the logs coming into our
ELSA instance, but I have grep'd our syslog files, OSSEC archive and OSSEC
alerts files and do not see the log anywhere on the server... Where should
these logs be written when being sent to the server? I've checked all
gzipped files in /var/log/ as well as all files in /var/ossec/logs/archive/
and /var/ossec/logs/alerts/

On Tuesday, March 14, 2017 at 11:44:36 AM UTC-4, jose wrote:
>
> Hello,
>
> In order to permit Ossec recibe your Symantec syslogs messages, you need
> to enable this in the configuration:
>
> Listen in port 514:
>
> 
>   
> syslog
>   Symantec AV ip
>   
> 
>
> then you need to restart ossec:
>
> /var/ossec/bin/ossec-control restart
>
> If after these changes you are still not receiving alerts, enable logall
> in ossec.conf  yes  and take a look in the file
> “/var/ossec/logs/archives/archives.log”, if the logs are in this file,
> but not in your alerts, probably the decoders or rules have something wrong.
>
>
> Regards
> ---
> Jose Luis Ruiz
> Wazuh Inc.
> jo...@wazuh.com
>
> On March 14, 2017 at 10:57:55 AM, eholl...@gmail.com (eholl...@gmail.com)
> wrote:
>
> Hello All,
>
> I have pointed my Symantec AV logs to our OSSEC server via syslog over
> port 514. I am seeing the logs come into ELSA, but not as OSSEC alerts. I
> have created a custom decoder and parser, and can confirm that it is
> working:
>
> **Phase 2: Completed decoding.
>decoder: 'Symantec'
>
> **Phase 3: Completed filtering (rules).
>Rule id: '16'
>Level: '7'
>Description: 'Symantec: virus found'
> **Alert to be generated.
>
> Do I need to point OSSEC to monitor the incoming syslog so that it can
> alert on it? Again, I am seeing the straight syslog coming into ELSA, but
> no OSSEC alert appears to be generated.
>
> Thanks
> --
>
> ---
> You received this message because you are subscribed to the Google Groups
> "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to ossec-list+...@googlegroups.com.
> For more options, visit https://groups.google.com/d/optout.
>
>

-- 

--- 
You received this message because you are subscribed to the Google Groups 
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to ossec-list+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Re: [ossec-list] OSSEC alerts on syslog

2017-03-14 Thread ehollis3942

It's very strange...I have enabled already enabled syslog over 514 from our 
symantec server to the OSSEC server, and I see the logs coming into our 
ELSA instance, but I have grep'd our syslog files, OSSEC archive and OSSEC 
alerts files and do not see the log anywhere on the server... Where should 
these logs be written when being sent to the server? I've checked all 
gzipped files in /var/log/ as well as all files in /var/ossec/logs/archive/ 
and /var/ossec/logs/alerts/

On Tuesday, March 14, 2017 at 11:44:36 AM UTC-4, jose wrote:
>
> Hello,
>
> In order to permit Ossec recibe your Symantec syslogs messages, you need 
> to enable this in the configuration:
>
> Listen in port 514:
>
> 
>   
> syslog
>   Symantec AV ip
>   
> 
>
> then you need to restart ossec:
>
> /var/ossec/bin/ossec-control restart
>
> If after these changes you are still not receiving alerts, enable logall 
> in ossec.conf  yes  and take a look in the file 
> “/var/ossec/logs/archives/archives.log”, if the logs are in this file, but 
> not in your alerts, probably the decoders or rules have something wrong.
>
>
>
> Regards
> ---
> Jose Luis Ruiz
> Wazuh Inc.
> jo...@wazuh.com 
>
> On March 14, 2017 at 10:57:55 AM, eholl...@gmail.com  (
> eholl...@gmail.com ) wrote:
>
> Hello All, 
>
> I have pointed my Symantec AV logs to our OSSEC server via syslog over 
> port 514. I am seeing the logs come into ELSA, but not as OSSEC alerts. I 
> have created a custom decoder and parser, and can confirm that it is 
> working:
>
> **Phase 2: Completed decoding.
>decoder: 'Symantec'
>
> **Phase 3: Completed filtering (rules).
>Rule id: '16'
>Level: '7'
>Description: 'Symantec: virus found'
> **Alert to be generated.
>
> Do I need to point OSSEC to monitor the incoming syslog so that it can 
> alert on it? Again, I am seeing the straight syslog coming into ELSA, but 
> no OSSEC alert appears to be generated.
>
> Thanks
> --
>
> ---
> You received this message because you are subscribed to the Google Groups 
> "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an 
> email to ossec-list+...@googlegroups.com .
> For more options, visit https://groups.google.com/d/optout.
>
>

-- 

--- 
You received this message because you are subscribed to the Google Groups 
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to ossec-list+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Re: [ossec-list] OSSEC alerts on syslog

2017-03-14 Thread Jose Luis Ruiz

Hello,

In order to permit Ossec recibe your Symantec syslogs messages, you need to
enable this in the configuration:

Listen in port 514:


  
syslog
  Symantec AV ip
  


then you need to restart ossec:

/var/ossec/bin/ossec-control restart

If after these changes you are still not receiving alerts, enable logall in
ossec.conf  yes  and take a look in the file
“/var/ossec/logs/archives/archives.log”, if the logs are in this file, but
not in your alerts, probably the decoders or rules have something wrong.



Regards
---
Jose Luis Ruiz
Wazuh Inc.
j...@wazuh.com

On March 14, 2017 at 10:57:55 AM, ehollis3...@gmail.com (
ehollis3...@gmail.com) wrote:

Hello All,

I have pointed my Symantec AV logs to our OSSEC server via syslog over port
514. I am seeing the logs come into ELSA, but not as OSSEC alerts. I have
created a custom decoder and parser, and can confirm that it is working:

**Phase 2: Completed decoding.
   decoder: 'Symantec'

**Phase 3: Completed filtering (rules).
   Rule id: '16'
   Level: '7'
   Description: 'Symantec: virus found'
**Alert to be generated.

Do I need to point OSSEC to monitor the incoming syslog so that it can
alert on it? Again, I am seeing the straight syslog coming into ELSA, but
no OSSEC alert appears to be generated.

Thanks
--

---
You received this message because you are subscribed to the Google Groups
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an
email to ossec-list+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

-- 

--- 
You received this message because you are subscribed to the Google Groups 
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to ossec-list+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Re: [ossec-list] OSSEC alerts on syslog

2017-03-14 Thread dan (ddp)

On Mar 14, 2017 10:57 AM,  wrote:

Hello All,

I have pointed my Symantec AV logs to our OSSEC server via syslog over port
514. I am seeing the logs come into ELSA, but not as OSSEC alerts. I have
created a custom decoder and parser, and can confirm that it is working:

**Phase 2: Completed decoding.
   decoder: 'Symantec'

**Phase 3: Completed filtering (rules).
   Rule id: '16'
   Level: '7'
   Description: 'Symantec: virus found'
**Alert to be generated.

Do I need to point OSSEC to monitor the incoming syslog so that it can
alert on it? Again, I am seeing the straight syslog coming into ELSA, but
no OSSEC alert appears to be generated.


Figure out which syslog file they're saved in and make sure ossec has a
localfile entey for that file.
Make sure you restarted your ossec processes after adding the decoder/rules


Thanks

-- 

---
You received this message because you are subscribed to the Google Groups
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an
email to ossec-list+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

-- 

--- 
You received this message because you are subscribed to the Google Groups 
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to ossec-list+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

[ossec-list] OSSEC alerts on syslog

2017-03-14 Thread ehollis3942

Hello All,

I have pointed my Symantec AV logs to our OSSEC server via syslog over port 
514. I am seeing the logs come into ELSA, but not as OSSEC alerts. I have 
created a custom decoder and parser, and can confirm that it is working:

**Phase 2: Completed decoding.
   decoder: 'Symantec'

**Phase 3: Completed filtering (rules).
   Rule id: '16'
   Level: '7'
   Description: 'Symantec: virus found'
**Alert to be generated.

Do I need to point OSSEC to monitor the incoming syslog so that it can 
alert on it? Again, I am seeing the straight syslog coming into ELSA, but 
no OSSEC alert appears to be generated.

Thanks

-- 

--- 
You received this message because you are subscribed to the Google Groups 
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to ossec-list+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Re: [ossec-list] OSSEC alerts on syslog

Re: [ossec-list] OSSEC alerts on syslog

Re: [ossec-list] OSSEC alerts on syslog

Re: [ossec-list] OSSEC alerts on syslog

Re: [ossec-list] OSSEC alerts on syslog

Re: [ossec-list] OSSEC alerts on syslog

Re: [ossec-list] OSSEC alerts on syslog

Re: [ossec-list] OSSEC alerts on syslog

Re: [ossec-list] OSSEC alerts on syslog

Re: [ossec-list] OSSEC alerts on syslog

Re: [ossec-list] OSSEC alerts on syslog

[ossec-list] OSSEC alerts on syslog

12 matches

Site Navigation

Mail list logo

Footer information