Marty E. Hillman wrote:
> You should not have a syslog server on Penguin. If you do, it is
> intercepting the message before ossec can see it. If you configure
> Gateway and Media to use a different port for syslog, configure
> ossec.conf on Penguin to listen to the new port. You can either use
> ossec or syslogd to listen to the syslog messages on the server, not both.
>
> Try this article in the FAQ to see if it helps you.
> http://www.ossec.net/wiki/index.php/Know_How:Syslog_Config
>
Not having read the article, another suggestion might be to log remote data to a different file. IOW, use syslog to do the separation of log events, and then have ossec monitor the alternate log file as a normal syslog file. I'm doing this for a couple of systems that I'm unable to install ossec on because of differences in glibc (IIRC).

> > ------------------------------------------------------------------------
> >
> > *From:* [email protected] [mailto:[EMAIL PROTECTED]
> > *On Behalf Of *Johnny Stork
> > *Sent:* Thursday, September 21, 2006 2:49 PM
> > *To:* ossec-list
> > *Subject:* [ossec-list] Remote syslog configuration question
> >
> > I just set up ossec on three machines as follows:
> >
> > Penguin (RHES4) Installed as "server"
> > Gateway (RHES4) Installed as "agent"
> > Media (CentOS 4.4) Installed as "agent"
> >
> > So far so good, agents and keys all set up as per instructions, and when
> > starting ossec on Server1, I get what looks like the correct response
> > and indication of communication with the agents, from
> > /var/ossec/logs/ossec.log on Penguin, the "Server" install.
> >
> > 2006/09/21 12:30:55 ossec-remoted: Assigning counter for agent Gateway: '0:6480'.
> > 2006/09/21 12:30:55 ossec-remoted: Assigning counter for agent Media: '0:1070'.
> > 2006/09/21 12:30:55 ossec-remoted: Assigning sender counter: 0:1068
> >
> > Now both Gateway and Media send syslog to Penguin, which is running as
> > the "server". When I try to log in to either Gateway or Media via SSH and
> > intentionally use a bad password, the syslog on Penguin shows the
> > correct failures, but this does not seem to be caught by ossec. Have I
> > missed something in the configuration with regards to having the server
> > install as the main syslog monitor?
> >
> > Sep 21 12:47:44 media sshd(pam_unix)[18133]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=somehost.somedomain.ca user=root
> >
> > Any suggestions?
--
gentux
echo "hfouvyyAhnbjm/dpn" | perl -pe 's/(.)/chr(ord($1)-1)/ge'
gentux's gpg fingerprint ==> 5495 0388 67FF 0B89 1239 D840 4CF0 39E2 18D3 4A9E
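Both suggestions in the thread come down to one rule: a single process owns the UDP port the remote syslog arrives on. The ossec.conf fragments below, written as an added example and not taken from the thread or from the OSSEC project, show the two ways to apply that rule on the server (Penguin). Port 5514, the agent addresses and the file path are assumed values; the `<remote>`, `<connection>`, `<port>`, `<protocol>`, `<allowed-ips>`, `<localfile>`, `<log_format>` and `<location>` elements are standard OSSEC server configuration.

```xml
<!-- Added example for /var/ossec/etc/ossec.conf on the OSSEC server (Penguin).
     Not from the mailing-list thread; addresses, port and path are assumptions. -->
<ossec_config>

  <!-- Already present on any server install: the encrypted agent channel
       (UDP 1514) that Gateway and Media use. Leave it alone. -->
  <remote>
    <connection>secure</connection>
  </remote>

  <!-- Option A (Marty's suggestion): ossec-remoted receives the raw syslog
       stream itself. It cannot share the port with syslogd, so either stop
       syslogd's network listener (on RHEL4: remove -r from SYSLOGD_OPTIONS in
       /etc/sysconfig/syslog and use port 514 here) or, as below, move OSSEC to
       an unused port and point the senders at it. -->
  <remote>
    <connection>syslog</connection>
    <port>5514</port>                              <!-- assumed -->
    <protocol>udp</protocol>
    <allowed-ips>192.168.1.10</allowed-ips>        <!-- Gateway, assumed -->
    <allowed-ips>192.168.1.11</allowed-ips>        <!-- Media, assumed -->
  </remote>

  <!-- Option B (gentux's suggestion): syslogd stays the listener but writes
       the remote messages to a file of their own, and OSSEC tails that file
       like any other syslog-format log. Do not also enable Option A on 514. -->
  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/remote/syslog.log</location>  <!-- assumed path -->
  </localfile>

</ossec_config>
```

Two caveats apply to Option B. First, the stock sysklogd on RHEL4 can receive remote messages (`-r`) but cannot route them to a separate file by source host, so the separation assumes a syslog daemon that can (syslog-ng with a `udp()` source logged to its own `file()` destination, or rsyslog on later systems). Second, the `syslog` decoder reads the hostname field from each line, so an alert raised from the shared file is still attributed to `media` or `gateway`, not to Penguin. Whichever option is used, `netstat -ulnp | grep 514` on Penguin shows which process currently owns the port, which is the quickest way to confirm that syslogd is no longer intercepting the traffic before ossec-remoted sees it.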
