Ok. I am a real noob on this. I am still having problems getting OSSEC
to capture the syslog messages from the PIX. I have followed the setup
instructions and cannot figure out what I might be doing wrong. Will
OSSEC pick up the UDP traffic, or do I need to run syslogd to capture it?
Here is what I have.
On the PIX:
syslog broadcasting on 514/UDP to ossec.localdomain.com <!-- actual IP address was used -->
On ossec.localdomain.com:
<remote>
<connection>syslog</connection>
<allowed-ips>pix.localdomain.com</allowed-ips> <!-- actual IP address was used -->
</remote>
I did a ./var/ossec/bin/ossec-startd restart but no messages are coming
through. I was receiving the messages on Solarwinds until I changed the
IP address of the receiving syslog server, so I am fairly certain that
the PIX is configured correctly. I used the PDM to make it easier to
verify. The OSSEC box is on the same subnet as the Solarwinds box that
was listening for the messages before, so there should be no issues
there.
To see if anything was working, I looked at the OSSEC log files and
could not see any messages from the PIX. I modified the conf file and
lowered the email alert threshold to 1 from the default of 7. All I
received was more Windows alerts from the other ossec agents that I knew
what to do with.
What have I overlooked? Should it be TCP traffic rather than UDP?
Should it be a different port? Does it just take time for things to
start appearing?
Any help would be greatly appreciated.
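The following is an added example (mine, not the poster's configuration and not OSSEC's own code) that reproduces offline the two things this thread turns on: how an `<allowed-ips>` entry, plain IP or CIDR as Daniel describes, is matched against the source address of an incoming datagram, and what a PIX syslog datagram looks like on the wire when it reaches UDP 514. The addresses, the `<remote>` fragment and the `%PIX-6-302013` line are constructed for the example; the round trip uses an ephemeral loopback port instead of 514 so it runs without root and without disturbing a live ossec-remoted. PRI 166 decodes to facility local4 (20), the PIX default, and severity 6.

```python
"""Check a PIX -> OSSEC syslog path offline: parse the <remote> block, test
whether a sender IP falls inside the allowed-ips entries (plain IP or CIDR),
and push a PIX-style datagram through a local UDP socket the way
ossec-remoted receives it.  All addresses and the sample message are
constructed for this example."""
import ipaddress
import re
import socket
import xml.etree.ElementTree as ET

# Constructed ossec.conf fragment with hypothetical addresses; the second
# entry mirrors the 192.168.2.0/16 form from the thread (host bits set).
OSSEC_CONF = """<ossec_config>
  <remote>
    <connection>syslog</connection>
    <allowed-ips>10.0.0.1</allowed-ips>
    <allowed-ips>192.168.2.0/16</allowed-ips>
  </remote>
</ossec_config>
"""

# Constructed PIX message: PRI 166 = facility local4 (20) * 8 + severity 6.
SAMPLE_PIX_MSG = (
    "<166>%PIX-6-302013: Built outbound TCP connection 4711 for "
    "outside:203.0.113.10/80 (203.0.113.10/80) to "
    "inside:192.168.2.20/3456 (198.51.100.2/1024)"
)

PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.S)
PIX_ID_RE = re.compile(r"%PIX-(\d)-(\d+):")


def load_allowed_ips(conf_xml):
    """Return the allowed-ips entries of every syslog <remote> block as networks."""
    root = ET.fromstring(conf_xml)
    nets = []
    for remote in root.findall("remote"):
        if (remote.findtext("connection") or "").strip() != "syslog":
            continue
        for entry in remote.findall("allowed-ips"):
            text = (entry.text or "").strip()
            if not text:
                continue
            # A bare IP becomes a /32; strict=False accepts 192.168.2.0/16
            # even though host bits are set, matching how it was written.
            nets.append(ipaddress.ip_network(text, strict=False))
    return nets


def is_allowed(sender_ip, nets):
    """True if the datagram's source address matches any allowed-ips entry."""
    addr = ipaddress.ip_address(sender_ip)
    return any(addr in net for net in nets)


def parse_pix_syslog(raw):
    """Split a PIX syslog datagram into PRI, facility, severity and message ID."""
    m = PRI_RE.match(raw)
    if not m:
        return None
    pri = int(m.group(1))
    body = m.group(2)
    idm = PIX_ID_RE.search(body)
    return {
        "pri": pri,
        "facility": pri >> 3,
        "severity": pri & 7,
        "msg_id": idm.group(2) if idm else None,
        "body": body,
    }


def udp_roundtrip(message, host="127.0.0.1"):
    """Send one datagram to a local UDP socket and return (source_ip, payload).

    Port 0 lets the OS pick a free port, so this runs without root and
    without touching a real 514/UDP listener."""
    rx = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    tx = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        rx.bind((host, 0))
        rx.settimeout(2)
        tx.sendto(message.encode(), rx.getsockname())
        data, (src, _port) = rx.recvfrom(4096)
        return src, data.decode()
    finally:
        rx.close()
        tx.close()


def diagnose(conf_xml, sender_ip, raw):
    """Mimic the remoted decision: the message only counts if its source is allowed."""
    nets = load_allowed_ips(conf_xml)
    return {"allowed": is_allowed(sender_ip, nets), "parsed": parse_pix_syslog(raw)}


if __name__ == "__main__":
    src, payload = udp_roundtrip(SAMPLE_PIX_MSG)
    result = diagnose(OSSEC_CONF, src, payload)
    print("source", src, "allowed:", result["allowed"])
    p = result["parsed"]
    print("facility/severity/id:", p["facility"], p["severity"], p["msg_id"])
```

Run as-is, the loopback source 127.0.0.1 is not in the constructed allowed-ips list, so `diagnose` reports `allowed: False` even though the datagram arrived and parsed cleanly; that is exactly the failure mode to rule out first, since ossec-remoted drops datagrams from sources outside `<allowed-ips>` and records them in /var/ossec/logs/ossec.log as "Message from '...' not allowed". On the real box the checks that usually settle this are `tcpdump -ni <iface> udp port 514` on the OSSEC host, to confirm the datagrams arrive and that their source address is the one listed (a NAT device in between changes it), `netstat -anu` to confirm ossec-remoted is bound to UDP 514 after a `/var/ossec/bin/ossec-control restart`, and a grep for "remoted" in ossec.log. The transport stays UDP 514 and no separate syslogd is needed; ossec-remoted is the listener.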
> -----Original Message-----
> From: [email protected] [mailto:[EMAIL PROTECTED]]
> On Behalf Of Marty E. Hillman
> Sent: Monday, September 11, 2006 3:03 PM
> To: [email protected]
> Subject: [ossec-list] Re: How to PIX
>
>
> Good deal! That makes my life that much more simple. Thanks!
>
> > -----Original Message-----
> > From: [email protected] [mailto:ossec-[EMAIL PROTECTED]]
> > On Behalf Of Daniel Cid
> > Sent: Monday, September 11, 2006 2:18 PM
> > To: [email protected]
> > Subject: [ossec-list] Re: How to PIX
> >
> >
> > Hi Marty,
> >
> > If you don't add any "allowed-ips" entry, everything will be denied (as
> > it is after the install). You are doing it correctly, but if your
> > network is large, you can give a CIDR after the IP. For example:
> >
> > <allowed-ips>10.0.0.0/24</allowed-ips>
> >
> > or
> >
> > <allowed-ips>192.168.2.0/16</allowed-ips>
> >
> > Hope it helps..
> >
> > --
> > Daniel B. Cid
> > dcid ( at ) ossec.net
> >
> > On 9/11/06, Marty E. Hillman <[EMAIL PROTECTED]> wrote:
> > >
> > > If I want to trap the syslog from more than one device, am I assuming
> > > correctly that I would configure ossec.conf as follows?
> > >
> > > <remote>
> > > <connection>syslog</connection>
> > > <allowed-ips>10.0.0.1</allowed-ips>
> > > <allowed-ips>10.0.0.2</allowed-ips>
> > > </remote>
> > >
> > > Or, better yet... Would I leave the <allowed-ips> entry blank as it
> > > is in the default file to allow all syslog messages that are directed
> > > to the box?
> > >
> > > Thanks in advance.
> > >
> > > > -----Original Message-----
> > > > From: [email protected]
> > > > [mailto:[EMAIL PROTECTED]
> > > > On Behalf Of Daniel Cid
> > > > Sent: Monday, August 28, 2006 2:13 PM
> > > > To: [email protected]
> > > > Subject: [ossec-list] Re: How to PIX
> > > >
> > > >
> > > > Check out these two links (for the pix side):
> > > >
> > > > http://www.ossec.net/wiki/index.php/Cisco_PIX
> > > >
> > > > http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a0080094030.shtml#configpix|cisco
> > > >
> > > > For ossec, you just need to allow the cisco IP address in your
> > > > syslog configuration and restart ossec.
> > > >
> > > > <remote>
> > > > <connection>syslog</connection>
> > > > <allowed-ips>pix-ip</allowed-ips>
> > > > </remote>
> > > >
> > > > Hope it helps..
> > > >
> > > > --
> > > > Daniel B. Cid
> > > > dcid ( at ) ossec.net
> > > >
> > > >
> > > > On 8/28/06, Dennis Borkhus-Veto <[EMAIL PROTECTED]> wrote:
> > > > >
> > > > > How can I have my Pix send messages to my ossec server?
> > > > >
> > > > > Sincerely
> > > > >
> > > > > Dennis Borkhus-Veto
> > > > > Systems Administrator
> > > > > MEE Material Handling L.L.C
> > > > > [EMAIL PROTECTED]
> > > > >
> > > > >
> > >
> > > This electronic mail (including any attachments) may contain
> > > information that is privileged, confidential, and/or otherwise
> > > protected from disclosure to anyone other than its intended
> > > recipient(s). Any dissemination or use of this electronic email or its
> > > contents (including any attachments) by persons other than the
> > > intended recipient(s) is strictly prohibited. If you have received
> > > this message in error, please notify us immediately by reply email so
> > > that we may correct our internal records. Please then delete the
> > > original message (including any attachments) in its entirety. Thank
> > > you.