See notes inline

> Marty E. Hillman wrote:
> > Is it possible to have both services (syslogd and ossec) running on the
> > same box and looking for traffic from the same devices?
>
> Not *exactly* sure what you mean here. Yes you can have syslogd and
> ossec running on the same box. IRT looking for traffic from the same
> devices - this is what I'm confused about. Are you asking if ossec will
> still correlate events from two separate log files? Or if ossec can
> listen to the syslog port (as well as syslogd) and monitor the same
> traffic?
The latter. Can OSSEC and syslog both monitor the same traffic on 514/UDP? My experience is that it cannot. At least I have been unsuccessful in doing it.

> My suggestion below should work for you. What it does is treat the pix
> log as a local file. I use syslog-ng, so my old-school syslog.conf
> settings are a little fuzzy. But, if you set syslog traffic from your
> pix to go to /var/log/pix-log (for example), instead of
> /var/log/messages (or /var/log/syslog - depending on platform and system
> config), all of your pix syslog data will go there.

I tried the syslog-ng trick, but it was taking exclusivity of 514/UDP and not allowing OSSEC to hear any traffic.

> Then in ossec, set up a new local file monitor by adding the following
> to ossec.conf:
>
> <localfile>
>   <log_format>syslog</log_format>
>   <location>/var/log/pix-log</location>
> </localfile>
>
> IIRC from what Daniel said, ossec and syslog conflict when listening on
> the same port.

So, at least theoretically, this will enable OSSEC to read from the file rather than the stream, and I would get the same reports that I am having now? And syslog maintains control of the traffic?

> If you *really* want to have ossec listen to the syslog stream from the
> pix, instead of redirecting and treating it as a local file, you either
> need to configure the pix to send on a different port, or you could
> probably do some fancy redirection with either a perl script or pipe
> command in syslog.conf, or maybe even iptables.

Yeah, I have it directed to a different port, but syslog is blind to it. So it takes away my syslog aggregation that I like so much.

> Actually, now that I really think about it, you should have your pix
> data going to *some* file already, whether it's the /var/log/messages
> (likely default), or another file (as described above). If ossec is
> monitoring either of those files, you're already monitoring the pix
> messages, you don't need to listen to the stream from the pix.
>
> HTH

Thanks.
I think I am getting a clearer understanding of how to do what I want. I will test things out early next week and take copious notes.
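The file-redirect setup discussed in the thread, written out as an added syslog-ng example (not from the original mail or from the OSSEC project); it assumes syslog-ng 3.x syntax and that the PIX identifies itself as "pix" in the syslog header, both of which are assumptions:

```conf
# Added example, not from the thread: syslog-ng is the only process bound to
# 514/UDP, it files the PIX messages into /var/log/pix-log, and OSSEC reads
# that file through the <localfile> stanza quoted above instead of listening
# on the port itself (that is where the conflict comes from).
# Assumptions: syslog-ng 3.x, PIX hostname "pix" in the message header.

source s_pix_udp {
    udp(ip("0.0.0.0") port(514));      # the one listener on 514/UDP
};

filter f_pix {
    host("pix");                        # keep only the firewall's messages
};

destination d_pix {
    file("/var/log/pix-log");           # <location> in ossec.conf
};

log {
    source(s_pix_udp);
    filter(f_pix);
    destination(d_pix);
    flags(final);   # stop here so the PIX lines are not also copied to /var/log/messages
};
```

Put this log statement before the catch-all log statements in syslog-ng.conf, otherwise flags(final) has nothing to stop; OSSEC's own syslog listener (the <remote> block) should stay off, or on a different port, on this host so the two never compete for 514/UDP.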
