Marty E. Hillman wrote:
> Is it possible to have both services (syslogd and ossec) running on the
> same box and looking for traffic from the same devices?  

Not *exactly* sure what you mean here.  Yes you can have syslogd and
ossec running on the same box.  IRT looking for traffic from the same
devices - this is what I'm confused about.  Are you asking if ossec will
still correlate events from two separate log files?  Or if ossec can
listen to the syslog port (as well as syslogd) and monitor the same traffic?

> My PIX only
> allows me to output on one port.  If I configure syslogd to see it,
> ossec will not see it.  The syslogd service always starts before the
> ossec-remoted process on my box, so the only way for ossec to pick it up
> is to do it on a port that syslog is not monitoring or turn syslog off
> altogether on the server.  If I could somehow configure both to work, I
> would be a really happy individual.  I suppose I could have a second NIC
> listening to a SPAN port, but there has to be a single NIC solution
> somehow, I think.  I hope.

My suggestion below should work for you.  What it does is treat the pix
log as a local file.  I use syslog-ng, so my old-school syslog.conf
settings are a little fuzzy.  But, if you set syslog traffic from your
pix to go to /var/log/pix-log (for example), instead of
/var/log/messages (or /var/log/syslog - depending on platform and system
config), all of your pix syslog data will go there.

Then in ossec, set up a new local file monitor by adding the following
to ossec.conf:

  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/pix-log</location>
  </localfile>


IIRC from what Daniel said, ossec and syslog conflict when listening on
the same port.

If you *really* want to have ossec listen to the syslog stream from the
pix, instead of redirecting and treating it as a local file, you either
need to configure the pix to send on a different port, or you could
probably do some fancy redirection with either a perl script or pipe
command in syslog.conf, or maybe even iptables.

Actually, now that I really think about it, you should have your pix
data going to *some* file already, whether it's the /var/log/messages
(likely default), or another file (as described above).  If ossec is
monitoring either of those files, you're already monitoring the pix
messages; you don't need to listen to the stream from the pix.

HTH

> 
> Marty E. Hillman wrote:
>>> You should not have a syslog server on Penguin.  If you do, it is
>>> intercepting the message before ossec can see it.  If you configure
>>> Gateway and Media to use a different port for syslog, configure
>>> ossec.conf on Penguin to listen to the new port.  You can either use
>>> ossec or syslogd to listen to the syslog messages on the server - not
>>> both.
>>>
>>> Try this article in the FAQ to see if it helps you.
>>> http://www.ossec.net/wiki/index.php/Know_How:Syslog_Config
>>>
> 
> Not having read the article, another suggestion might be to log remote
> data to a different file.  IOW, use syslog to do the separation of log
> events, and then have ossec monitor the alternate log file as a normal
> syslog file.  I'm doing this for a couple of systems, that I'm unable to
> install ossec on because of differences in glibc (IIRC).
> 
>>> I just setup ossec on three machines as follows
>>>
>>> Penguin (RHES4) Installed as "server"
>>> Gateway (RHES4) Installed as "agent"
>>> Media (CentOS 4.4) Installed as "agent".
>>>
>>> So far so good, agents and keys all setup as per instructions and when
>>> starting ossec on Server1, I get what looks like the correct response
>>> and indication of communication with the agents, from the
>>> /var/ossec/logs/ossec.log on Penguin, the "Server" install.
>>>
>>> 2006/09/21 12:30:55 ossec-remoted: Assigning counter for agent Gateway:
>>> '0:6480'.
>>> 2006/09/21 12:30:55 ossec-remoted: Assigning counter for agent Media:
>>> '0:1070'.
>>> 2006/09/21 12:30:55 ossec-remoted: Assigning sender counter: 0:1068
>>>
>>> Now both Gateway and Media send syslog to Penguin, which is running as
>>> the "server". When I try to login to either Gateway or Media via SSH and
>>> intentionally use a bad password, the syslog on Penguin shows the
>>> correct failures, but this does not seem to be caught by ossec? Have I
>>> missed something in the configuration with regards to having the server
>>> install as the main syslog monitor?
>>>
>>> Sep 21 12:47:44 media sshd(pam_unix)[18133]: authentication failure;
>>> logname= uid=0 euid=0 tty=ssh ruser= rhost=somehost.somedomain.ca user=root
>>>
>>> Any suggestions?
>>>

--
gentux
echo "hfouvyyAhnbjm/dpn" | perl -pe 's/(.)/chr(ord($1)-1)/ge'

gentux's gpg fingerprint ==> 5495 0388 67FF 0B89 1239  D840 4CF0 39E2
18D3 4A9E
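For the syslog-ng side of the redirect suggested in the reply above, here is an added configuration example (not from the original poster and not OSSEC project code). It assumes the PIX logs to UDP/514 with its default facility local4, resolves as host "pix", and that /var/log/pix-log is the path named in the ossec.conf localfile entry.

```conf
# Added example: route PIX syslog into its own file with syslog-ng so that
# ossec can tail it as a local file instead of competing with syslogd for
# the syslog port.  Assumptions (not from the original post): the PIX sends
# to UDP/514, keeps its default facility local4, and resolves as host "pix".

# Network listener shared by the PIX and any other remote senders.
source s_net {
    udp(ip(0.0.0.0) port(514));
};

# Match the PIX by source host or by its default facility.  Narrow this to
# host() alone if other devices on the network also log to local4.
filter f_pix {
    host("pix") or facility(local4);
};

# Dedicated file; ossec reads it with <log_format>syslog</log_format>.
destination d_pix {
    file("/var/log/pix-log");
};

# flags(final) ends processing for matched messages, so the PIX lines do
# not also land in /var/log/messages and get alerted on twice.  This log
# statement must come before any catch-all log statement that uses s_net.
log {
    source(s_net);
    filter(f_pix);
    destination(d_pix);
    flags(final);
};

# Classic sysklogd equivalent (facility only; it cannot filter by host).
# Add local4.none to the /var/log/messages selector to avoid duplicates:
#   local4.*                          /var/log/pix-log
#   *.info;mail.none;local4.none      /var/log/messages
```

After restarting syslog-ng, confirm that new PIX lines appear only in /var/log/pix-log before pointing ossec at it, otherwise each event will be alerted on from both files.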