Thanks. I looked it over, but I must have skimmed more than I should have. I will go through it again.
> -----Original Message-----
> From: [email protected] [mailto:[EMAIL PROTECTED]
> On Behalf Of Erick Kinnee
> Sent: Tuesday, September 12, 2006 8:26 AM
> To: [email protected]
> Subject: [ossec-list] Re: How to PIX
>
>
> Check the PIX config stuff that I added to the Wiki. It lists the exact
> commands you need to get it to send logs. Or, you could sniff on the
> OSSEC box to see if there is anything headed to port 514.
>
> On Sep 11, 2006, at 4:12 PM, Marty E. Hillman wrote:
>
> >
> > Ok. I am a real noob on this. I am still having problems getting
> > OSSEC to capture the syslog messages from the PIX. I have followed
> > the setup instructions and cannot figure out what I might be doing
> > wrong. Will OSSEC pick up the UDP traffic or do I need to run syslogd
> > to capture it?
> >
> > Here is what I have.
> >
> > On the PIX:
> >
> > syslog broadcasting on 514/UDP to ossec.localdomain.com <!-- actual
> > IP address was used -->
> >
> > On ossec.localdomain.com:
> >
> > <remote>
> > <connection>syslog</connection>
> > <allowed-ips>pix.localdomain.com</allowed-ips> <!-- actual IP
> > address was used -->
> > </remote>
> >
> > I did a ./var/ossec/bin/ossec-startd restart but no messages are
> > coming through. I was receiving the messages on Solarwinds until I
> > changed the IP address of the receiving syslog server, so I am fairly
> > certain that the PIX is configured correctly. I used the PDM to make
> > it easier to verify. The OSSEC box is on the same subnet as the
> > Solarwinds box that was listening for the messages before, so there
> > should be no issues there.
> >
> > To see if anything was working, I looked at the OSSEC log files and
> > could not see any messages from the PIX. I modified the conf file and
> > lowered the email alert threshold to 1 from the default of 7. All I
> > received was more Windows alerts from the other ossec agents that I
> > knew what to do with.
> >
> > What have I overlooked? Should it be TCP traffic rather than UDP?
> > Should it be a different port? Does it just take time for things to
> > start appearing?
> >
> > Any help would be greatly appreciated.
> >
> >> -----Original Message-----
> >> From: [email protected] [mailto:ossec-
> >> [EMAIL PROTECTED] On Behalf Of Marty E. Hillman
> >> Sent: Monday, September 11, 2006 3:03 PM
> >> To: [email protected]
> >> Subject: [ossec-list] Re: How to PIX
> >>
> >>
> >> Good deal! That makes my life that much more simple. Thanks!
> >>
> >>> -----Original Message-----
> >>> From: [email protected] [mailto:ossec-
> >>> [EMAIL PROTECTED]
> >>> On Behalf Of Daniel Cid
> >>> Sent: Monday, September 11, 2006 2:18 PM
> >>> To: [email protected]
> >>> Subject: [ossec-list] Re: How to PIX
> >>>
> >>>
> >>> Hi Marty,
> >>>
> >>> If you don't add any "allowed-ips" entry, everything will be denied (as
> >>> it is after the install). You are doing it correctly, but if your
> >>> network is large, you can give a CIDR after the IP. For example:
> >>>
> >>> <allowed-ips>10.0.0.0/24</allowed-ips>
> >>>
> >>> or
> >>>
> >>> <allowed-ips>192.168.2.0/16</allowed-ips>
> >>>
> >>> Hope it helps..
> >>>
> >>> --
> >>> Daniel B. Cid
> >>> dcid ( at ) ossec.net
> >>>
> >>> On 9/11/06, Marty E. Hillman <[EMAIL PROTECTED]> wrote:
> >>>>
> >>>> If I want to trap the syslog from more than one device, am I assuming
> >>>> correctly that I would configure ossec.conf as follows?
> >>>>
> >>>> <remote>
> >>>> <connection>syslog</connection>
> >>>> <allowed-ips>10.0.0.1</allowed-ips>
> >>>> <allowed-ips>10.0.0.2</allowed-ips>
> >>>> </remote>
> >>>>
> >>>> Or, better yet... Would I leave the <allowed-ips> entry blank as it
> >>>> is in the default file to allow all syslog messages that are directed
> >>>> to the box?
> >>>>
> >>>> Thanks in advance.
> >>>>
> >>>>> -----Original Message-----
> >>>>> From: [email protected]
> >>>>> [mailto:[EMAIL PROTECTED]
> >>>>> On Behalf Of Daniel Cid
> >>>>> Sent: Monday, August 28, 2006 2:13 PM
> >>>>> To: [email protected]
> >>>>> Subject: [ossec-list] Re: How to PIX
> >>>>>
> >>>>>
> >>>>> Check out these two links (for the pix side):
> >>>>>
> >>>>> http://www.ossec.net/wiki/index.php/Cisco_PIX
> >>>>>
> >>>>> http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a0080094030.shtml#configpix|cisco
> >>>>>
> >>>>> For ossec, you just need to allow the cisco IP address in your
> >>>>> syslog configuration and restart ossec.
> >>>>>
> >>>>> <remote>
> >>>>> <connection>syslog</connection>
> >>>>> <allowed-ips>pix-ip</allowed-ips>
> >>>>> </remote>
> >>>>>
> >>>>> Hope it helps..
> >>>>>
> >>>>> --
> >>>>> Daniel B. Cid
> >>>>> dcid ( at ) ossec.net
> >>>>>
> >>>>>
> >>>>> On 8/28/06, Dennis Borkhus-Veto <[EMAIL PROTECTED]> wrote:
> >>>>>>
> >>>>>> How can I have my Pix send messages to my ossec server?
> >>>>>>
> >>>>>> Sincerely
> >>>>>>
> >>>>>> Dennis Borkhus-Veto
> >>>>>> Systems Administrator
> >>>>>> MEE Material Handling L.L.C
> >>>>>> [EMAIL PROTECTED]
> >>>>>>
> >>>>
> >>>> This electronic mail (including any attachments) may contain
> >>>> information that is privileged, confidential, and/or otherwise
> >>>> protected from disclosure to anyone other than its intended
> >>>> recipient(s). Any dissemination or use of this electronic email or its
> >>>> contents (including any attachments) by persons other than the
> >>>> intended recipient(s) is strictly prohibited. If you have received
> >>>> this message in error, please notify us immediately by reply email so
> >>>> that we may correct our internal records. Please then delete the
> >>>> original message (including any attachments) in its entirety. Thank
> >>>> you.
> >>>>
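The thread turns on two things: how the <allowed-ips> entries under <remote><connection>syslog</connection> decide which senders ossec-remoted accepts (an empty list denies everything, single IPs and CIDR blocks are both accepted), and Erick's suggestion to check whether anything is actually arriving on UDP 514. The following is an added example, not code from the thread or from the OSSEC project: it models the allowed-ips decision over a constructed ossec.conf fragment, and builds a PIX-style syslog datagram that can be fired at the OSSEC box from a host inside the allowed range while the OSSEC logs are watched. The sample configuration, the message text, and the `%PIX-6-302013` stand-in line are constructed for this example; the facility number is the one the PIX's `logging facility` setting would produce, and 20 (local4) is only an assumed value.

```python
"""Added example, not part of the ossec-list thread or the OSSEC code base.

Models the <remote> / <allowed-ips> decision for syslog senders and builds a
test datagram so the receive path can be exercised without a real PIX.
"""
import ipaddress
import socket
import xml.etree.ElementTree as ET

# Constructed ossec.conf fragment: one exact host, one CIDR block, and a CIDR
# with host bits set (written the way it appears in the thread). A second
# <remote> block with connection "secure" is the agent channel and must not
# influence the syslog decision. Real ossec.conf files may contain several
# top-level <ossec_config> elements, so the parser wraps the text in a
# synthetic root before parsing.
SAMPLE_OSSEC_CONF = """\
<ossec_config>
  <remote>
    <connection>syslog</connection>
    <allowed-ips>10.0.0.1</allowed-ips>
    <allowed-ips>10.0.0.0/24</allowed-ips>
    <allowed-ips>192.168.2.0/16</allowed-ips>
  </remote>
  <remote>
    <connection>secure</connection>
    <allowed-ips>172.16.5.9</allowed-ips>
  </remote>
</ossec_config>
"""


def syslog_allowed_networks(conf_xml):
    """Return ip_network objects from <remote> blocks whose connection is syslog.

    Other connection types are skipped. Host bits in a CIDR are masked off, so
    192.168.2.0/16 behaves as 192.168.0.0/16.
    """
    root = ET.fromstring("<root>" + conf_xml + "</root>")
    nets = []
    for remote in root.iter("remote"):
        if (remote.findtext("connection") or "").strip() != "syslog":
            continue
        for entry in remote.findall("allowed-ips"):
            text = (entry.text or "").strip()
            if text:
                nets.append(ipaddress.ip_network(text, strict=False))
    return nets


def is_syslog_sender_allowed(conf_xml, sender_ip):
    """True if a datagram from sender_ip passes the allowed-ips filter.

    With no <allowed-ips> entries at all (the state right after install)
    nothing is accepted, which is the case the thread warns about.
    """
    nets = syslog_allowed_networks(conf_xml)
    if not nets:
        return False
    addr = ipaddress.ip_address(sender_ip)
    return any(addr in net for net in nets)


def build_syslog_datagram(message, facility=20, severity=6):
    """Encode an RFC 3164 style datagram: <PRI>message with PRI = facility*8 + severity.

    facility 20 is local4 (assumed here; match the PIX's logging facility
    setting), severity 6 is informational.
    """
    if not 0 <= facility <= 23 or not 0 <= severity <= 7:
        raise ValueError("facility must be 0-23 and severity 0-7")
    pri = facility * 8 + severity
    return ("<%d>%s" % (pri, message)).encode("ascii", "replace")


def send_test_syslog(host, message, port=514, facility=20, severity=6):
    """Send one UDP datagram to host:port and return the bytes sent.

    Run from a machine whose address is inside allowed-ips, then look for the
    line in the OSSEC logs. Silence means the filter or the network path
    dropped it; it says nothing about the PIX's own configuration.
    """
    datagram = build_syslog_datagram(message, facility, severity)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.sendto(datagram, (host, port))
    return datagram


if __name__ == "__main__":
    for ip in ("10.0.0.1", "10.0.0.77", "192.168.200.5", "172.16.5.9"):
        verdict = "allowed" if is_syslog_sender_allowed(SAMPLE_OSSEC_CONF, ip) else "denied"
        print(ip, verdict)
    # Constructed stand-in for a PIX connection-built line; not a captured log.
    print(build_syslog_datagram("%PIX-6-302013: test message from the lab"))
```

Two points the model makes visible: 172.16.5.9 is denied even though it appears in the file, because it sits under the agent ("secure") channel rather than the syslog one; and a CIDR written with host bits set still covers its whole /16. To exercise the receive path, call `send_test_syslog("<ossec-ip>", "test from an allowed host")` from inside the allowed range and check the OSSEC logs; if that line shows up and the PIX's do not, the remaining suspects are the PIX's logging host and facility settings or a filter between the two boxes, which is what a packet capture on UDP 514 at the OSSEC side will settle.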
