Thanks for the clue (and the quick response!).

All I had to do was disable timestamp logging on the PIX (my pix log had two timestamps for every entry - now I only get one) - I'm now receiving alerts ...

Thanks again ....

Chris Vanderkolff
EDULINX Canada Corporation
2 Robert Speck Parkway
Mississauga, ON
L4Z 1H8

(905) 306-2547
Cell (416) 818-4082
========================
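The symptom Chris describes above (every PIX entry carrying two timestamps, the syslog server's and the firewall's own, until timestamp logging was turned off on the PIX) is worth checking directly in the log file before expecting OSSEC alerts. The script below is an added example, not code from this thread or from OSSEC: it classifies each line of a PIX syslog file as a clean single-timestamp syslog line, a double-timestamp line, a non-PIX line, or a line with no syslog header at all, and can strip the extra firewall timestamp so the line has the plain `syslog` shape the `<localfile>` entry for /var/log/PIX was configured for. The sample log lines are constructed for the example, and the exact shape of the firewall's own timestamp (`Aug 02 2006 22:24:00: `) is an assumption about how such a PIX is configured, so adjust `PIX_TS` to whatever your log actually shows.

```python
import re
import sys
from collections import Counter

# Syslog header as written by the syslog server: "Mon DD HH:MM:SS host rest".
# The day is space-padded ("Aug  2"), which the [ \d]\d class accepts.
SYSLOG_HDR = re.compile(
    r'^(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) (?P<host>\S+) (?P<rest>.*)$'
)

# Second timestamp the firewall itself prepends when its own timestamp logging
# is enabled. The shape "Aug 02 2006 22:24:00: " is an assumption for this example.
PIX_TS = re.compile(r'^[A-Z][a-z]{2} \d\d \d{4} \d\d:\d\d:\d\d: ')

# PIX message identifier: %PIX-<severity>-<six-digit message id>:
PIX_MSG = re.compile(r'^%PIX-(?P<level>\d)-(?P<msgid>\d{6}): ')


def classify(line: str) -> str:
    """Label one log line.

    'ok'                syslog header followed directly by %PIX-...
    'double_timestamp'  syslog header, then the firewall's own timestamp, then %PIX-...
    'not_pix'           well-formed syslog line from some other program
    'no_syslog_header'  line does not start with a syslog timestamp at all
    """
    m = SYSLOG_HDR.match(line)
    if not m:
        return 'no_syslog_header'
    rest = m.group('rest')
    if PIX_TS.match(rest) and PIX_MSG.match(PIX_TS.sub('', rest, count=1)):
        return 'double_timestamp'
    if PIX_MSG.match(rest):
        return 'ok'
    return 'not_pix'


def normalize(line: str) -> str:
    """Drop the firewall's extra timestamp so the line has a single syslog header."""
    m = SYSLOG_HDR.match(line)
    if not m:
        return line
    rest = PIX_TS.sub('', m.group('rest'), count=1)
    return f"{m.group('ts')} {m.group('host')} {rest}"


def summarize(lines) -> Counter:
    """Count how many lines fall into each class (blank lines are skipped)."""
    return Counter(classify(l) for l in lines if l.strip())


# Constructed sample: two entries as written before the PIX fix (double timestamp),
# two after it (single timestamp), and one non-PIX syslog line.
SAMPLE_LOG = """\
Aug  2 22:24:00 10.9.8.1 Aug 02 2006 22:24:00: %PIX-6-302013: Built outbound TCP connection 12345 for outside:203.0.113.5/80 (203.0.113.5/80) to inside:192.168.1.10/4321 (198.51.100.2/4321)
Aug  2 22:24:01 10.9.8.1 Aug 02 2006 22:24:01: %PIX-4-106023: Deny tcp src outside:203.0.113.9/5555 dst inside:192.168.1.20/22 by access-group "outside_in"
Aug  2 22:25:00 10.9.8.1 %PIX-6-302013: Built outbound TCP connection 12346 for outside:203.0.113.5/443 (203.0.113.5/443) to inside:192.168.1.10/4322 (198.51.100.2/4322)
Aug  2 22:25:01 10.9.8.1 %PIX-4-106023: Deny tcp src outside:203.0.113.9/5556 dst inside:192.168.1.20/22 by access-group "outside_in"
Aug  2 22:25:02 10.9.8.1 sshd[123]: Accepted password for chris from 192.168.1.5 port 4000 ssh2
"""


if __name__ == '__main__':
    # Usage: python pix_ts_check.py [/var/log/PIX]; with no argument the sample is used.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding='utf-8', errors='replace') as fh:
            lines = fh.read().splitlines()
    else:
        lines = SAMPLE_LOG.splitlines()
    for label, n in sorted(summarize(lines).items()):
        print(f"{label:17s} {n}")
```

Run it against the real file after changing the firewall's logging settings: once every PIX line comes back as `ok`, the file is in the format the `syslog` log_format expects. `normalize()` is only a diagnostic to confirm that stripping the second timestamp is what makes a line well-formed; the actual fix is the one Chris applied on the firewall, not rewriting the log.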



"Daniel Cid" <[EMAIL PROTECTED]>
Sent by: [email protected]

08/02/2006 10:24 PM
Please respond to ossec-list

       
        To:        [email protected]
        cc:        
        Subject:        [ossec-list] Re: PIX logs ....




Hi Chris,

Your config seems really good, so I don't think there is a problem there. Can
you show us a few lines of your pix log file? Just to make sure it is in the
expected format?

In addition to that, a few days ago I received some improvements to the
pix rules, so we will have a lot of improvements on it sometime soon (just
need to run some tests before releasing it).

--
Daniel B. Cid
dcid ( at ) ossec.net



On 8/2/06, [EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote:
>
> I'm attempting to get alerts sent to me from an internal syslog server ,
> running ossec.
>
>  A pix debug file is at /var/log/PIX
>
> I've setup a localfile of /var/log/PIX and when ossec starts it says it's
> monitoring the local file (/var/log/PIX) , and the pix_rules.xml file is
> loaded , however whenever any of the alerts occur ( I know they do because
> they show up in the /var/log/PIX file) , I receive no email alert from ossec
> whatsoever.
>
> ( Yes - I do receive e-mail alerts from other processes / error conditions -
> like sshd success authentication etc.)
>
> The only thing I can think of is the log_format may be incorrect ? If it's
> not syslog, what would be the appropriate entry ?
>
> Any ideas ?
>
> Below is my ossec.conf ....
>
>
> <ossec_config>
>   <global>
>     <email_notification>yes</email_notification>
>     <email_to>[EMAIL PROTECTED]</email_to>
>     <smtp_server>10.9.8.7</smtp_server>
>     <email_from>[EMAIL PROTECTED]</email_from>
>   </global>
>
>   <rules>
>     <include>rules_config.xml</include>
>     <include>pam_rules.xml</include>
>     <include>sshd_rules.xml</include>
>     <include>telnetd_rules.xml</include>
>     <include>syslog_rules.xml</include>
>     <include>pix_rules.xml</include>
>     <include>named_rules.xml</include>
>     <include>smbd_rules.xml</include>
>     <include>vsftpd_rules.xml</include>
>     <include>pure-ftpd_rules.xml</include>
>     <include>proftpd_rules.xml</include>
>     <include>hordeimp_rules.xml</include>
>     <include>web_rules.xml</include>
>     <include>apache_rules.xml</include>
>     <include>ids_rules.xml</include>
>     <include>squid_rules.xml</include>
>     <include>firewall_rules.xml</include>
>     <include>netscreenfw_rules.xml</include>
>     <include>postfix_rules.xml</include>
>     <include>sendmail_rules.xml</include>
>     <include>imapd_rules.xml</include>
>     <include>spamd_rules.xml</include>
>     <include>msauth_rules.xml</include>
>     <!-- <include>policy_rules.xml</include> -->
>     <include>attack_rules.xml</include>
>   </rules>
>
>   <syscheck>
>     <!-- Frequency that syscheck is executed - default every 2 hours -->
>     <frequency>7200</frequency>
>
>     <!-- Directories to check  (perform all possible verifications) -->
>     <directories check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
>     <directories check_all="yes">/bin,/sbin</directories>
>
>     <!-- Files/directories to ignore -->
>     <ignore>/etc/mtab</ignore>
>     <ignore>/etc/mnttab</ignore>
>     <ignore>/etc/hosts.deny</ignore>
>     <ignore>/etc/mail/statistics</ignore>
>     <ignore>/etc/random-seed</ignore>
>     <ignore>/etc/adjtime</ignore>
>     <ignore>/etc/httpd/logs</ignore>
>     <ignore>/etc/utmpx</ignore>
>     <ignore>/etc/wtmpx</ignore>
>
>     <!-- Windows files to ignore -->
>     <ignore>C:\WINDOWS/System32/LogFiles</ignore>
>     <ignore>C:\WINDOWS/WindowsUpdate.log</ignore>
>     <ignore>C:\WINDOWS/system32/wbem/Logs</ignore>
>     <ignore>C:\WINDOWS/Prefetch</ignore>
>     <ignore>C:\WINDOWS/PCHEALTH/HELPCTR/DataColl</ignore>
>     <ignore>C:\WINDOWS/SoftwareDistribution/DataStore</ignore>
>     <ignore>C:\WINDOWS/SoftwareDistribution/ReportingEvents.log</ignore>
>     <ignore>C:\WINDOWS/Temp</ignore>
>     <ignore>C:\WINDOWS/system32/config/systemprofile/Local Settings</ignore>
>     <ignore>C:\WINDOWS/system32/config</ignore>
>   </syscheck>
>
>   <rootcheck>
>     <rootkit_files>/var/ossec/etc/shared/rootkit_files.txt</rootkit_files>
>     <rootkit_trojans>/var/ossec/etc/shared/rootkit_trojans.txt</rootkit_trojans>
>   </rootcheck>
>
>   <active-response>
>     <disabled>yes</disabled>
>   </active-response>
>
>
>   <remote>
>     <connection>secure</connection>
>   </remote>
>
>   <alerts>
>     <log_alert_level>1</log_alert_level>
>     <email_alert_level>3</email_alert_level>
>   </alerts>
>   <!-- Files to monitor (localfiles) -->
>
>   <localfile>
>     <log_format>syslog</log_format>
>     <location>/var/log/messages</location>
>   </localfile>
>
>   <localfile>
>     <log_format>syslog</log_format>
>     <location>/var/log/secure</location>
>   </localfile>
>
>   <localfile>
>     <log_format>syslog</log_format>
>     <location>/var/log/maillog</location>
>   </localfile>
>
>   <localfile>
>     <log_format>apache</log_format>
>     <location>/var/log/httpd/error_log</location>
>   </localfile>
>
>   <localfile>
>     <log_format>apache</log_format>
>     <location>/var/log/httpd/access_log</location>
>   </localfile>
>
>   <localfile>
>     <log_format>apache</log_format>
>     <location>/etc/httpd/logs/access_log</location>
>   </localfile>
>
>   <localfile>
>     <log_format>apache</log_format>
>     <location>/etc/httpd/logs/error_log</location>
>   </localfile>
>
>   <localfile>
>     <log_format>syslog</log_format>
>     <location>/var/log/PIX</location>
>   </localfile>
> </ossec_config>
>
> "This email message is intended only for the addressee(s) and contains
> information that may be confidential and/or copyright.  If you are not
> the intended recipient please notify the sender by reply email and
> immediately delete this email. Use, disclosure or reproduction of this
> email by anyone other than the intended recipient(s) is strictly
> prohibited. No representation is made that this email or any
> attachments are free of viruses. Virus scanning is
> recommended and is the responsibility of the recipient".
>
> This email is intended only for the addressee and contains
> information that may be confidential and/or protected by
> copyright. If you are not the intended recipient, please notify
> the sender by reply email and delete this email immediately.
> Use, disclosure or reproduction of this email by anyone other
> than the addressee is strictly prohibited. The sender makes no
> representation that the attachments are free of viruses. Virus
> scanning is recommended and is the responsibility of the
> recipient.
>
> ..
>
>