Hi Gagan,

Shorewall logs are in the syslog format, so in the localfile config
just leave it as syslog. Also, by default
we will not alert on every successful or denied attempt, so that's
probably why you are not seeing them.
However, they will all be logged to:

/var/ossec/logs/firewall/firewall.log


If you want an alert for every deny, just overwrite the 4101 (on
local_rules.xml) to something like:


  <rule id="4101" level="5" overwrite="yes">
    <if_sid>4100</if_sid>
    <action>DROP</action>
    <description>Firewall drop event.</description>
    <group>firewall_drop,</group>
  </rule>


Hope it helps.

--
Daniel B. Cid
dcid ( at ) ossec.net



On Fri, May 30, 2008 at 12:32 PM,  <[EMAIL PROTECTED]> wrote:
>
> The Shorewall Logs are also attached for ready reference
>
> May 30 16:06:09 ABCFirewall kernel: Shorewall:loc2net:ACCEPT:IN=eth0 OUT=eth1 SRC=x.x.68.114 DST=x.x.23.101 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=35411 DF PROTO=TCP SPT=3983 DPT=10000 WINDOW=65535 RES=0x00 SYN URGP=0
> May 30 16:06:09 ABCFirewall kernel: Shorewall:loc2net:ACCEPT:IN=eth0 OUT=eth1 SRC=x.x.68.114 DST=x.x.23.101 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=35413 DF PROTO=TCP SPT=3983 DPT=10000 WINDOW=65535 RES=0x00 SYN URGP=0
> May 30 16:06:10 ABCFirewall kernel: Shorewall:loc2net:DROP:IN=eth0 OUT=eth1 SRC=x.x.68.114 DST=x.x.23.101 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=35414 DF PROTO=TCP SPT=3983 DPT=10000 WINDOW=65535 RES=0x00 SYN URGP=0
> May 30 16:06:11 ABCFirewall kernel: Shorewall:loc2net:DROP:IN=eth0 OUT=eth1 SRC=x.x.68.95 DST=x.x.6.14 LEN=75 TOS=0x00 PREC=0x00 TTL=127 ID=59079 PROTO=UDP SPT=1025 DPT=53 LEN=55
> May 30 16:06:11 ABCFirewall kernel: Shorewall:loc2net:ACCEPT:IN=eth0 OUT=eth1 SRC=x.x.68.114 DST=x.x.23.101 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=35415 DF PROTO=TCP SPT=3984 DPT=10000 WINDOW=65535 RES=0x00 SYN URGP=0
> May 30 16:06:12 ABCFirewall kernel: Shorewall:loc2net:ACCEPT:IN=eth0 OUT=eth1 SRC=x.x.68.114 DST=x.x.23.101 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=35417 DF PROTO=TCP SPT=3984 DPT=10000 WINDOW=65535 RES=0x00 SYN URGP=0
> May 30 16:06:12 ABCFirewall kernel: Shorewall:loc2net:ACCEPT:IN=eth0 OUT=eth1 SRC=x.x.68.114 DST=x.x.23.101 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=35418 DF PROTO=TCP SPT=3984 DPT=10000 WINDOW=65535 RES=0x00 SYN URGP=0
> May 30 16:06:14 ABCFirewall kernel: Shorewall:loc2net:ACCEPT:IN=eth0 OUT=eth1 SRC=x.x.68.159 DST=x.x.6.41 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=32085 DF PROTO=TCP SPT=1750 DPT=4040 WINDOW=65535 RES=0x00 SYN URGP=0
> May 30 16:06:16 ABCFirewall kernel: Shorewall:loc2net:ACCEPT:IN=eth0 OUT=eth1 SRC=x.x.68.200 DST=x.x.7.47 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=42965 DF PROTO=TCP SPT=3864 DPT=50000 WINDOW=65535 RES=0x00 SYN URGP=0
> May 30 16:06:20 ABCFirewall kernel: Shorewall:loc2net:ACCEPT:IN=eth0 OUT=eth1 SRC=x.x.68.159 DST=x.x.6.41 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=32119 DF PROTO=TCP SPT=1751 DPT=4040 WINDOW=65535 RES=0x00 SYN URGP=0
>
>
>
>
> Thanks & Regards
> Gagan
>
> On May 30, 10:21 am, [EMAIL PROTECTED] wrote:
>> Dear Mailing List
>>
>> I am trying to connect the shorewall logs with the Ossec HIDS server.
>>
>> The Shorewall is installed on the redhat 9 box with ossec 1.5 agent.
>> It is monitoring the default log files
>> /var/log/messages
>> /var/log/secure
>> The shorewall logs are generated in the file /var/log/messages.
>> After connection with server it is sending the normal OS logs (session
>> opened , session closed etc) generated in /var/log/messages to HIDS
>> server but not the firewall logs.
>> The ossec.conf file states
>>
>> <localfile>
>> <log_format>syslog</log_format>
>> <location>/var/log/messages</location>
>> </localfile>
>>
>> I had tried to change the config as
>>
>> <localfile>
>> <log_format>iptables-shorewall</log_format>
>> <location>/var/log/messages</location>
>> </localfile>
>>
>> But after doing such a change the agent doesn't start & returns a
>> config error.
>> Can anyone suggest where I am going wrong or what the method is for
>> attaching Shorewall logs?
>> Any help would be highly appreciated.
>>
>> Regards
>> Gagan
>

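As an added illustration (not code from the thread or from OSSEC itself) of what the syslog-format Shorewall lines above contain and what the overwritten rule 4101 does, the following Python parses the `Shorewall:<chain>:<action>:` prefix plus the iptables key=value body and emits one alert per DROP line. The sample log text is constructed with placeholder addresses; the field names are those in the quoted logs.

```python
import re
from typing import Dict, List, Optional

# Constructed sample lines in the same shape as the Shorewall kernel messages
# quoted in the thread (10.0.x.x addresses are placeholders, not real hosts).
SAMPLE_LOG = """\
May 30 16:06:09 ABCFirewall kernel: Shorewall:loc2net:ACCEPT:IN=eth0 OUT=eth1 SRC=10.0.68.114 DST=10.0.23.101 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=35411 DF PROTO=TCP SPT=3983 DPT=10000 WINDOW=65535 RES=0x00 SYN URGP=0
May 30 16:06:10 ABCFirewall kernel: Shorewall:loc2net:DROP:IN=eth0 OUT=eth1 SRC=10.0.68.114 DST=10.0.23.101 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=35414 DF PROTO=TCP SPT=3983 DPT=10000 WINDOW=65535 RES=0x00 SYN URGP=0
May 30 16:06:11 ABCFirewall kernel: Shorewall:loc2net:DROP:IN=eth0 OUT=eth1 SRC=10.0.68.95 DST=10.0.6.14 LEN=75 TOS=0x00 PREC=0x00 TTL=127 ID=59079 PROTO=UDP SPT=1025 DPT=53 LEN=55
May 30 16:06:12 ABCFirewall kernel: some unrelated kernel message
"""

# Syslog header, then the Shorewall prefix "Shorewall:<chain>:<action>:",
# then the iptables key=value body (bare flags such as DF and SYN carry no "=").
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) kernel: "
    r"Shorewall:(?P<chain>[^:]+):(?P<action>[^:]+):(?P<body>.*)$"
)
KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Return the fields of one Shorewall log line, or None if it is not one."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    event = {k: m.group(k) for k in ("ts", "host", "chain", "action")}
    # UDP lines repeat LEN (IP length, then UDP length); the last value wins here.
    event.update(KV_RE.findall(m.group("body")))
    return event


def drop_alerts(log_text: str, level: int = 5) -> List[Dict[str, str]]:
    """Emulate the overwritten rule 4101: one level-5 alert per DROP line."""
    alerts = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev and ev["action"] == "DROP":
            alerts.append({
                "level": str(level),
                "description": "Firewall drop event.",
                "src": ev.get("SRC", "?"), "dst": ev.get("DST", "?"),
                "proto": ev.get("PROTO", "?"), "dpt": ev.get("DPT", "?"),
            })
    return alerts
```

Lines that are not Shorewall events (the last sample line) are skipped rather than raising, which mirrors the decoder simply not matching them.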