Hi Jason, Reply inline ...

On Thu, May 15, 2008 at 11:55 PM, Jason Fischer <[EMAIL PROTECTED]> wrote:
> Problems:
> 1. OSSEC wouldn't listen on 514 udp for syslog connections. I checked
> netstat, and nothing was running on 514, but even with this:
> <remote>
>   <connection>syslog</connection>
> </remote>
> in my ossec.conf file, ossec wouldn't do syslog. Will it only do one or the
> other (syslog vs. secure)? I've installed syslog-ng to accept syslog
> messages, which is working ok for the most part. Will this cause problems?

You probably have syslog-ng using port 514 already, so ossec can't bind to it.
Try looking at /var/ossec/logs/ossec.log for more information...

> 2. My IT guys are much more likely to accept this as a solution if I don't
> have to install the windows agents. They are already using the syslog
> program above on windows boxes to send syslog to their syslog server. What
> limitations do I face by not using the agent? Lack of active response on the
> client would be one, I'm guessing.

You would miss the active responses, integrity checking and the policy
monitoring/rootkit detection capabilities. Plus, if you use the agent, the
connection between agent/server is encrypted and compressed. Besides that, the
server should be able to parse all the syslog messages from Windows.

> 3. The <match> tag seems very spotty. I'm trying to work with the syslog
> format that this windows syslog program generates. On an event starting with
> Security: 528: ..., ossec will match the 528, but not the Security. I'm
> using Kiwi SyslogGen to send messages and confirmed they are getting there.
> Here is what I tried to use to match in a separate rules file:
>
> <group name="syslog,">
>   <rule id="47001" level="1">
>     <match>528</match>
>     <description>Test alert from laptop</description>
>   </rule>
> </group>
>
> In between each rule change, I'm restarting ossec (is there a better way?)
> The above will match the string "Security: 528:". However, if I change the
> 528 above to Security, no match. I tried "Application" with a syslog message
> of "Application: 1009:", no match. I tried "Jason" with "Jason: 1009:", and
> still no match.

Check if you don't have a tab instead of a space between the Security and 528.
Windows loves tabs for some reason...

If you can provide a few log samples from your Windows messages, we can help
you add support for it.

Btw, we already support Snare via syslog and NTsyslog, in addition to the OSSEC
agent, so it should be easy to add for kiwi too (so you wouldn't need to write
rules, since we have a lot already for windows)...

Thanks,

-- 
Daniel B. Cid
dcid ( at ) ossec.net
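A small diagnostic for the tab-versus-space problem Daniel points to, added here as an example and not code from the thread or from OSSEC itself: it emulates a literal `<match>` as a plain substring test over constructed Windows-syslog-style samples (hypothetical, not the poster's real events) and reveals the invisible characters that make such a rule miss.

```python
import re

# Constructed samples (not captured from the original poster's system) in the
# shape a Kiwi-style Windows syslog forwarder might emit; the second carries a
# tab after "Security:", the third a trailing carriage return.
SAMPLES = [
    "<13>May 16 10:01:02 LAPTOP Security: 528: Successful Logon",
    "<13>May 16 10:01:03 LAPTOP Security:\t528:\tSuccessful Logon",
    "<13>May 16 10:01:04 LAPTOP Application: 1009: Service started\r",
]

HIDDEN = {"\t": "TAB", "\r": "CR", "\xa0": "NBSP", "\x00": "NUL"}


def reveal(line):
    """Show invisible characters as <TAB>, <CR>, ... so a rule author can see them."""
    return "".join(f"<{HIDDEN[c]}>" if c in HIDDEN else c for c in line)


def hidden_chars(line):
    """Names of the invisible characters present, in order of first appearance."""
    found = []
    for c in line:
        if c in HIDDEN and HIDDEN[c] not in found:
            found.append(HIDDEN[c])
    return found


def diagnose(pattern, line):
    """Emulate a literal <match> (plain substring test) and explain a miss.

    literal: the pattern occurs verbatim in the event
    loose:   it occurs once runs of whitespace are folded to a single space
    hidden:  invisible characters found in the event
    loose=True with literal=False means the rule text and the event differ only
    in whitespace, which is the tab-versus-space mismatch discussed above.
    """
    folded = re.sub(r"\s+", " ", line).strip()
    return {
        "literal": pattern in line,
        "loose": pattern in folded,
        "hidden": hidden_chars(line),
        "shown": reveal(line),
    }


if __name__ == "__main__":
    for sample in SAMPLES:
        for pattern in ("Security: 528", "Security", "Application: 1009"):
            r = diagnose(pattern, sample)
            if r["loose"] and not r["literal"]:
                print(f"whitespace-only miss for {pattern!r}: {r['shown']}")
```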
