Check the PIX config stuff that I added to the Wiki. It lists the exact commands you need to get it to send logs. Or, you could sniff on the OSSEC box to see if there is anything headed to port 514.

On Sep 11, 2006, at 4:12 PM, Marty E. Hillman wrote:


Ok. I am a real noob on this. I am still having problems getting OSSEC to capture the syslog messages from the PIX. I have followed the setup instructions and cannot figure out what I might be doing wrong. Will OSSEC pick up the UDP traffic, or do I need to run syslogd to capture it?

Here is what I have.

On the PIX:

        syslog broadcasting on 514/UDP to ossec.localdomain.com <!-- actual IP address was used -->

On ossec.localdomain.com:

        <remote>
            <connection>syslog</connection>
            <allowed-ips>pix.localdomain.com</allowed-ips> <!-- actual IP address was used -->
        </remote>

I did a ./var/ossec/bin/ossec-startd restart but no messages are coming through. I was receiving the messages on Solarwinds until I changed the IP address of the receiving syslog server, so I am fairly certain that the PIX is configured correctly. I used the PDM to make it easier to verify. The OSSEC box is on the same subnet as the Solarwinds box that was listening for the messages before, so there should be no issues there.

To see if anything was working, I looked at the OSSEC log files and could not see any messages from the PIX. I modified the conf file and lowered the email alert threshold to 1 from the default of 7. All I received was more Windows alerts from the other ossec agents that I knew what to do with.

What have I overlooked? Should it be TCP traffic rather than UDP? Should it be a different port? Does it just take time for things to start appearing?

Any help would be greatly appreciated.

-----Original Message-----
From: [email protected] [mailto:ossec-[EMAIL PROTECTED]]
On Behalf Of Marty E. Hillman
Sent: Monday, September 11, 2006 3:03 PM
To: [email protected]
Subject: [ossec-list] Re: How to PIX


Good deal!  That makes my life that much more simple.  Thanks!

-----Original Message-----
From: [email protected] [mailto:ossec-[EMAIL PROTECTED]]
On Behalf Of Daniel Cid
Sent: Monday, September 11, 2006 2:18 PM
To: [email protected]
Subject: [ossec-list] Re: How to PIX


Hi Marty,

If you don't add any "allowed-ips" entry, everything will be denied (as it is after the install). You are doing it correctly, but if your network is large, you can give a CIDR after the IP. For example:

<allowed-ips>10.0.0.0/24</allowed-ips>

or

<allowed-ips>192.168.2.0/16</allowed-ips>

Hope it helps..

--
Daniel B. Cid
dcid ( at ) ossec.net
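As an added illustration of the default-deny matching Daniel describes (example code written for this page, not OSSEC's own code: the ossec.conf fragment is constructed, and the matching is a model of the behaviour described in the thread, not OSSEC's implementation), this checks a sender address against the <allowed-ips> entries of a <remote> syslog block, including CIDR entries:

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed ossec.conf fragment (an assumption for this example, not a
# real config from the thread): one host entry and one CIDR entry.
SAMPLE_CONF = """<ossec_config>
  <remote>
    <connection>syslog</connection>
    <allowed-ips>10.0.0.1</allowed-ips>
    <allowed-ips>192.168.2.0/16</allowed-ips>
  </remote>
</ossec_config>"""


def load_allowed_ips(conf_xml):
    """Collect every <allowed-ips> entry from <remote> blocks whose
    <connection> is syslog. An entry without a prefix length is a single
    host; a CIDR entry covers the whole network. Empty entries add nothing,
    which is why a fresh install denies every sender. A hostname in place
    of an address raises ValueError here."""
    root = ET.fromstring(conf_xml)
    nets = []
    for remote in root.iter("remote"):
        if (remote.findtext("connection") or "").strip() != "syslog":
            continue
        for entry in remote.findall("allowed-ips"):
            text = (entry.text or "").strip()
            if not text:
                continue
            # strict=False accepts a non-canonical entry such as
            # 192.168.2.0/16 and treats it as 192.168.0.0/16.
            nets.append(ipaddress.ip_network(text, strict=False))
    return nets


def is_allowed(sender_ip, nets):
    """Default deny: accept the sender only if some entry contains it."""
    addr = ipaddress.ip_address(sender_ip)
    return any(addr in net for net in nets)


def check_sender(conf_xml, sender_ip):
    """Return 'allowed' or 'denied' for one sender against one config."""
    nets = load_allowed_ips(conf_xml)
    return "allowed" if is_allowed(sender_ip, nets) else "denied"


if __name__ == "__main__":
    # A PIX at 10.0.0.2 is dropped: nothing for it appears in the OSSEC logs.
    for ip in ("10.0.0.1", "10.0.0.2", "192.168.77.5"):
        print(ip, check_sender(SAMPLE_CONF, ip))
```

A sender dropped this way leaves no trace in the OSSEC logs, which is why sniffing port 514 on the OSSEC box, as suggested at the top of the thread, is the quickest way to tell whether the PIX packets arrive at all.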

On 9/11/06, Marty E. Hillman <[EMAIL PROTECTED]> wrote:

If I want to trap the syslog from more than one device, am I assuming correctly that I would configure ossec.conf as follows?

<remote>
  <connection>syslog</connection>
  <allowed-ips>10.0.0.1</allowed-ips>
  <allowed-ips>10.0.0.2</allowed-ips>
</remote>

Or, better yet... Would I leave the <allowed-ips> entry blank as it is in the default file to allow all syslog messages that are directed to the box?

Thanks in advance.

-----Original Message-----
From: [email protected] [mailto:[EMAIL PROTECTED]]
On Behalf Of Daniel Cid
Sent: Monday, August 28, 2006 2:13 PM
To: [email protected]
Subject: [ossec-list] Re: How to PIX


Check out these two links (for the pix side):

http://www.ossec.net/wiki/index.php/Cisco_PIX



http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a0080094030.shtml#configpix|cisco

For ossec, you just need to allow the cisco IP address in your
syslog configuration and restart ossec.

<remote>
  <connection>syslog</connection>
  <allowed-ips>pix-ip</allowed-ips>
</remote>

Hope it helps..

--
Daniel B. Cid
dcid ( at ) ossec.net


On 8/28/06, Dennis Borkhus-Veto <[EMAIL PROTECTED]> wrote:

How can I have my Pix send messages to my ossec server?



Sincerely

Dennis Borkhus-Veto
Systems Administrator
MEE Material Handling L.L.C
[EMAIL PROTECTED]



This electronic mail (including any attachments) may contain information that is privileged, confidential, and/or otherwise protected from disclosure to anyone other than its intended recipient(s). Any dissemination or use of this electronic email or its contents (including any attachments) by persons other than the intended recipient(s) is strictly prohibited. If you have received this message in error, please notify us immediately by reply email so that we may correct our internal records. Please then delete the original message (including any attachments) in its entirety. Thank you.
