I'm new to OSSEC, trying to get it set up for the first time. I've gotten pretty far, but still have a few kinks I need help working out. My setup:
Ubuntu 8.04 server
OSSEC 1.5 installed in server mode
Snort 2.7
Syslog-NG
One Windows agent
One Windows box sending syslog via Eventlog to Syslog (https://engineering.purdue.edu/ECN/Resources/Documents/UNIX/evtsys)

Problems:

1. OSSEC wouldn't listen on 514 UDP for syslog connections. I checked netstat, and nothing was running on 514, but even with this:

    <remote>
      <connection>syslog</connection>
    </remote>

in my ossec.conf file, OSSEC wouldn't do syslog. Will it only do one or the other (syslog vs. secure)? I've installed syslog-ng to accept syslog messages, which is working OK for the most part. Will this cause problems?

2. My IT guys are much more likely to accept this as a solution if I don't have to install the Windows agents. They are already using the syslog program above on Windows boxes to send syslog to their syslog server. What limitations do I face by not using the agent? Lack of active response on the client would be one, I'm guessing.

3. The <match> tag seems very spotty. I'm trying to work with the syslog format that this Windows syslog program generates. On an event starting with "Security: 528: ...", OSSEC will match the 528, but not the Security. I'm using Kiwi SyslogGen to send messages and confirmed they are getting there. Here is what I tried to use to match in a separate rules file:

    <group name="syslog,">
      <rule id="47001" level="1">
        <match>528</match>
        <description>Test alert from laptop</description>
      </rule>
    </group>

In between each rule change, I'm restarting OSSEC (is there a better way?). The above will match the string "Security: 528:". However, if I change the 528 above to Security, no match. I tried "Application" with a syslog message of "Application: 1009:", no match. I tried "Jason" with "Jason: 1009:", and still no match.

Any help would be greatly appreciated.
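
The following is an added illustration, not part of the post above and not OSSEC's own code. It emulates how OSSEC pre-decodes a syslog line before rules are evaluated: the "Phase 1" output of the bundled ossec-logtest tool reports hostname, program_name and log as separate fields, and a rule's <match> is tested against the log field only, while the program name is tested by a separate <program_name> tag. The sample lines are constructed to look like evtsys traffic written out by syslog-ng ("<EventLog>: <EventID>: <message>" after the syslog header); the regular expression and the plain-substring rule semantics are simplifications of the real decoder and OSMatch (which also understands `|` and `^`).

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample lines (not captured from a real host), in the shape
# syslog-ng writes evtsys traffic to a file:
# syslog timestamp, host, then "<EventLog>: <EventID>: <message>".
SAMPLE_LINES = [
    "Apr 10 09:12:01 laptop Security: 528: AUDIT_SUCCESS Successful Logon: User Name: jason",
    "Apr 10 09:12:05 laptop Application: 1009: Service started",
    "Apr 10 09:12:09 laptop Jason: 1009: hello from SyslogGen",
    # Same payload with no syslog header at all: nothing gets split off.
    "Security: 528: AUDIT_SUCCESS Successful Logon: User Name: jason",
]

# Emulation of OSSEC syslog pre-decoding: "Mmm dd hh:mm:ss host prog[pid]: log".
# Assumption: the real decoder splits the line the way ossec-logtest's
# "Phase 1" output shows (hostname, program_name, log as separate fields).
SYSLOG_HEADER = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) "
    r"(?P<prog>[^:\[\s]+)(?:\[(?P<pid>\d+)\])?: "
    r"(?P<log>.*)$"
)


@dataclass
class Event:
    full_event: str
    hostname: Optional[str]
    program_name: Optional[str]
    log: str  # the part a <match> is tested against


def predecode(line: str) -> Event:
    """Split a syslog line into the fields OSSEC rules see.
    Without a recognisable header the whole line stays in `log`."""
    m = SYSLOG_HEADER.match(line)
    if not m:
        return Event(line, None, None, line)
    return Event(line, m.group("host"), m.group("prog"), m.group("log"))


@dataclass
class Rule:
    rule_id: int
    level: int
    description: str
    match: Optional[str] = None          # <match>: substring test on Event.log
    program_name: Optional[str] = None   # <program_name>: test on Event.program_name


def rule_fires(rule: Rule, ev: Event) -> bool:
    """Every condition present on the rule must hold (plain substring tests here)."""
    if rule.program_name is not None:
        if ev.program_name is None or rule.program_name not in ev.program_name:
            return False
    if rule.match is not None and rule.match not in ev.log:
        return False
    return True


def evaluate(rules: List[Rule], lines: List[str]) -> List[Tuple[int, str]]:
    """Return (rule_id, line) for each rule that fires on each line, in order."""
    hits = []
    for line in lines:
        ev = predecode(line)
        for r in rules:
            if rule_fires(r, ev):
                hits.append((r.rule_id, line))
    return hits


# The poster's rule 47001, plus two hypothetical variants (ids chosen here)
# showing where the event log name actually lives after pre-decoding.
RULES = [
    Rule(47001, 1, "Test alert from laptop", match="528"),
    Rule(47002, 1, "match on the log name: only fires on unheadered lines", match="Security"),
    Rule(47003, 1, "program_name plus match", program_name="Security", match="528"),
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        ev = predecode(line)
        print(f"program_name={ev.program_name!r:14} log={ev.log!r}")
    for rule_id, line in evaluate(RULES, SAMPLE_LINES):
        print(f"rule {rule_id} fired on: {line}")
```

Running it shows why `<match>528</match>` fires on the headered "Security: 528: ..." line while `<match>Security</match>` does not: "Security" has been moved into program_name, and only "528: ..." is left in the log field, so the rule needs a `<program_name>Security</program_name>` condition (rule 47003 here) to key on the event log name. Instead of restarting OSSEC after every rule edit, a single line can be pasted into ossec-logtest, which prints the pre-decoded fields and the rule that matched. Separately, OSSEC's remoted only opens the UDP 514 listener when the syslog <remote> block also carries an <allowed-ips> entry; without one it logs that no IP is allowed for syslog and does not start that listener.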
