Is it possible to have both services (syslogd and ossec) running on the same box and looking for traffic from the same devices? My PIX only allows me to output on one port. If I configure syslogd to see it, ossec will not see it. The syslogd service always starts before the ossec-remoted process on my box, so the only way for ossec to pick it up is to do it on a port that syslog is not monitoring or turn syslog off altogether on the server. If I could somehow configure both to work, I would be a really happy individual. I suppose I could have a second NIC listening to a SPAN port, but there has to be a single NIC solution somehow, I think. I hope.
-----Original Message-----
From: [email protected] [mailto:[EMAIL PROTECTED] On Behalf Of gentuxx
Sent: Friday, September 22, 2006 12:12 AM
To: [email protected]
Subject: [ossec-list] Re: Remote syslog configuration question

Marty E. Hillman wrote:
> You should not have a syslog server on Penguin. If you do, it is
> intercepting the message before ossec can see it. If you configure
> Gateway and Media to use a different port for syslog, configure
> ossec.conf on Penguin to listen to the new port. You can either use
> ossec or syslogd to listen to the syslog messages on the server, not both.
>
> Try this article in the FAQ to see if it helps you.
> http://www.ossec.net/wiki/index.php/Know_How:Syslog_Config
>
Not having read the article, another suggestion might be to log remote data to a different file. IOW, use syslog to do the separation of log events, and then have ossec monitor the alternate log file as a normal syslog file. I'm doing this for a couple of systems that I'm unable to install ossec on because of differences in glibc (IIRC).

> ------------------------------------------------------------------------
> *From:* [email protected] [mailto:[EMAIL PROTECTED]
> *On Behalf Of *Johnny Stork
> *Sent:* Thursday, September 21, 2006 2:49 PM
> *To:* ossec-list
> *Subject:* [ossec-list] Remote syslog configuration question
>
> I just set up ossec on three machines as follows:
>
> Penguin (RHES4) Installed as "server"
> Gateway (RHES4) Installed as "agent"
> Media (CentOS 4.4) Installed as "agent"
>
> So far so good, agents and keys all set up as per instructions, and when
> starting ossec on Server1, I get what looks like the correct response
> and indication of communication with the agents, from
> /var/ossec/logs/ossec.log on Penguin, the "Server" install.
>
> 2006/09/21 12:30:55 ossec-remoted: Assigning counter for agent Gateway: '0:6480'.
> 2006/09/21 12:30:55 ossec-remoted: Assigning counter for agent Media: '0:1070'.
> 2006/09/21 12:30:55 ossec-remoted: Assigning sender counter: 0:1068
>
> Now both Gateway and Media send syslog to Penguin, which is running as
> the "server". When I try to log in to either Gateway or Media via SSH and
> intentionally use a bad password, the syslog on Penguin shows the
> correct failures, but this does not seem to be caught by ossec. Have I
> missed something in the configuration with regards to having the server
> install as the main syslog monitor?
>
> Sep 21 12:47:44 media sshd(pam_unix)[18133]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=somehost.somedomain.ca user=root
>
> Any suggestions?

--
gentux
echo "hfouvyyAhnbjm/dpn" | perl -pe 's/(.)/chr(ord($1)-1)/ge'
gentux's gpg fingerprint ==> 5495 0388 67FF 0B89 1239 D840 4CF0 39E2 18D3 4A9E
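The thread above describes two workable layouts and one that is not: only one process can own UDP/514 on a given address, so syslogd and ossec-remoted cannot both receive the same datagrams from the PIX on the same port. Either the device sends to a second port that ossec-remoted owns (Marty's suggestion; the PIX `logging host` command accepts a `udp/<port>` suffix, so the device side is a one-line change), or syslogd keeps 514 and writes the remote messages to a separate file that ossec tails like any local log (gentux's suggestion). The ossec.conf fragment below is an added example illustrating both, not configuration from the original posts or from the OSSEC project; the port 10514, the 192.168.1.0/24 range and the path /var/log/remote.log are placeholders. Port 1514 is deliberately avoided because ossec-remoted already uses it for the encrypted agent channel (`<connection>secure</connection>`).

```xml
<ossec_config>
  <!-- Option A: give ossec-remoted its own UDP port and point the PIX and
       any other syslog senders at it instead of 514. syslogd keeps 514.
       10514 is a placeholder chosen because 1514 is the default agent port. -->
  <remote>
    <connection>syslog</connection>
    <port>10514</port>
    <!-- Required for the syslog connection: remoted drops datagrams from
         any other source. Keep this as narrow as the real sender list;
         plain UDP syslog is unauthenticated and the source IP is the only
         filter you have. 192.168.1.0/24 is a placeholder range. -->
    <allowed-ips>192.168.1.0/24</allowed-ips>
  </remote>

  <!-- Option B: syslogd stays the only listener on UDP/514 and is told to
       write messages from remote hosts to a file of their own, which ossec
       then reads as an ordinary syslog-format file. /var/log/remote.log is
       a placeholder; the rule that populates it lives in the syslog daemon's
       own config, not in ossec.conf. -->
  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/remote.log</location>
  </localfile>
</ossec_config>
```

Option B only works if the syslog daemon can select on the sending host. The stock sysklogd on RHEL4/CentOS 4 filters on facility and priority only, so the split needs syslog-ng or rsyslog; in rsyslog the property filter `:fromhost-ip, !isequal, "127.0.0.1" /var/log/remote.log` followed by `& stop` diverts every non-local message into that file (those two lines are an added example too, and should be placed before the daemon's general rules). Whichever option you pick, confirm the port ownership afterwards with `netstat -anup` (or `ss -lunp` on newer systems): UDP/514 should show exactly one owning process, and the ossec-remoted syslog socket should appear on the port you configured.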
