Hi Daniel U Rock!!!
Thanks for the solution
Regards
Gagan

On Jun 2, 7:59 pm, "Daniel Cid" <[EMAIL PROTECTED]> wrote:
> Hi Gagan,
>
> Shorewall logs are in the syslog format, so in the localfile config
> just leave it as syslog. Also, by default
> we will not alert on every success or denied attempt, so that's
> probably why you are not seeing them.
> However, they will all be logged to:
>
> /var/ossec/logs/firewall/firewall.log
>
> If you want an alert for every deny, just overwrite the 4101 (on
> local_rules.xml) to something like:
>
> <rule id="4101" level="5" overwrite="yes">
>   <if_sid>4100</if_sid>
>   <action>DROP</action>
>   <description>Firewall drop event.</description>
>   <group>firewall_drop,</group>
> </rule>
>
> Hope it helps.
>
> --
> Daniel B. Cid
> dcid ( at ) ossec.net
>
> On Fri, May 30, 2008 at 12:32 PM, <[EMAIL PROTECTED]> wrote:
> > The Shorewall logs are also attached for ready reference
> >
> > May 30 16:06:09 ABCFirewall kernel: Shorewall:loc2net:ACCEPT:IN=eth0 OUT=eth1 SRC=x.x.68.114 DST=x.x.23.101 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=35411 DF PROTO=TCP SPT=3983 DPT=10000 WINDOW=65535 RES=0x00 SYN URGP=0
> > May 30 16:06:09 ABCFirewall kernel: Shorewall:loc2net:ACCEPT:IN=eth0 OUT=eth1 SRC=x.x.68.114 DST=x.x.23.101 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=35413 DF PROTO=TCP SPT=3983 DPT=10000 WINDOW=65535 RES=0x00 SYN URGP=0
> > May 30 16:06:10 ABCFirewall kernel: Shorewall:loc2net:DROP:IN=eth0 OUT=eth1 SRC=x.x.68.114 DST=x.x.23.101 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=35414 DF PROTO=TCP SPT=3983 DPT=10000 WINDOW=65535 RES=0x00 SYN URGP=0
> > May 30 16:06:11 ABCFirewall kernel: Shorewall:loc2net:DROP:IN=eth0 OUT=eth1 SRC=x.x.68.95 DST=x.x.6.14 LEN=75 TOS=0x00 PREC=0x00 TTL=127 ID=59079 PROTO=UDP SPT=1025 DPT=53 LEN=55
> > May 30 16:06:11 ABCFirewall kernel: Shorewall:loc2net:ACCEPT:IN=eth0 OUT=eth1 SRC=x.x.68.114 DST=x.x.23.101 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=35415 DF PROTO=TCP SPT=3984 DPT=10000 WINDOW=65535 RES=0x00 SYN URGP=0
> > May 30 16:06:12 ABCFirewall kernel: Shorewall:loc2net:ACCEPT:IN=eth0 OUT=eth1 SRC=x.x.68.114 DST=x.x.23.101 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=35417 DF PROTO=TCP SPT=3984 DPT=10000 WINDOW=65535 RES=0x00 SYN URGP=0
> > May 30 16:06:12 ABCFirewall kernel: Shorewall:loc2net:ACCEPT:IN=eth0 OUT=eth1 SRC=x.x.68.114 DST=x.x.23.101 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=35418 DF PROTO=TCP SPT=3984 DPT=10000 WINDOW=65535 RES=0x00 SYN URGP=0
> > May 30 16:06:14 ABCFirewall kernel: Shorewall:loc2net:ACCEPT:IN=eth0 OUT=eth1 SRC=x.x.68.159 DST=x.x.6.41 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=32085 DF PROTO=TCP SPT=1750 DPT=4040 WINDOW=65535 RES=0x00 SYN URGP=0
> > May 30 16:06:16 ABCFirewall kernel: Shorewall:loc2net:ACCEPT:IN=eth0 OUT=eth1 SRC=x.x.68.200 DST=x.x.7.47 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=42965 DF PROTO=TCP SPT=3864 DPT=50000 WINDOW=65535 RES=0x00 SYN URGP=0
> > May 30 16:06:20 ABCFirewall kernel: Shorewall:loc2net:ACCEPT:IN=eth0 OUT=eth1 SRC=x.x.68.159 DST=x.x.6.41 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=32119 DF PROTO=TCP SPT=1751 DPT=4040 WINDOW=65535 RES=0x00 SYN URGP=0
> >
> > Thanks & Regards
> > Gagan
> >
> > On May 30, 10:21 am, [EMAIL PROTECTED] wrote:
> >> Dear Mailing List
> >>
> >> I am trying to connect the Shorewall logs with the OSSEC HIDS server.
> >>
> >> Shorewall is installed on a Red Hat 9 box with the OSSEC 1.5 agent.
> >> It is monitoring the default log files
> >> /var/log/messages
> >> /var/log/secure
> >> The Shorewall logs are generated in the file /var/log/messages.
> >> After connecting to the server it is sending the normal OS logs (session
> >> opened, session closed etc.) generated in /var/log/messages to the HIDS
> >> server, but not the firewall logs.
> >> The ossec.conf file states
> >>
> >> <localfile>
> >>   <log_format>syslog</log_format>
> >>   <location>/var/log/messages</location>
> >> </localfile>
> >>
> >> I had tried to change the config to
> >>
> >> <localfile>
> >>   <log_format>iptables-shorewall</log_format>
> >>   <location>/var/log/messages</location>
> >> </localfile>
> >>
> >> But after making that change the agent doesn't start and returns a
> >> config error.
> >> Can anyone suggest where I am going wrong, or what the method is for
> >> attaching Shorewall logs?
> >> Any help would be highly appreciated.
> >>
> >> Regards
> >> Gagan
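As an added example (not part of the thread and not OSSEC's own decoder or rule engine), the following Python script parses Shorewall kernel lines like the ones quoted above and applies the rule chain the thread describes: every Shorewall line is a firewall event under rule 4100 (level 0, so it is only written to firewall.log), and a DROP is matched by rule 4101 at whatever level local_rules.xml gives it. The rule ids 4100 and 4101 and the level 5 overwrite come from the thread; that the un-overwritten 4101 is level 0 is taken from Daniel's statement that drops are not alerted by default and is treated here as an assumption. The field parsing, the `summarize` helper, the hostnames and the sample log (the thread's lines with anonymised addresses, plus one non-firewall syslog line) are constructed for this example.

```python
import re
from collections import Counter

# Constructed sample input: Shorewall kernel lines as quoted in the thread
# (addresses anonymised the same way), plus one sshd line that is plain syslog
# and must not be treated as a firewall event.
SAMPLE_LOG = """\
May 30 16:06:09 ABCFirewall kernel: Shorewall:loc2net:ACCEPT:IN=eth0 OUT=eth1 SRC=x.x.68.114 DST=x.x.23.101 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=35411 DF PROTO=TCP SPT=3983 DPT=10000 WINDOW=65535 RES=0x00 SYN URGP=0
May 30 16:06:10 ABCFirewall kernel: Shorewall:loc2net:DROP:IN=eth0 OUT=eth1 SRC=x.x.68.114 DST=x.x.23.101 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=35414 DF PROTO=TCP SPT=3983 DPT=10000 WINDOW=65535 RES=0x00 SYN URGP=0
May 30 16:06:11 ABCFirewall kernel: Shorewall:loc2net:DROP:IN=eth0 OUT=eth1 SRC=x.x.68.95 DST=x.x.6.14 LEN=75 TOS=0x00 PREC=0x00 TTL=127 ID=59079 PROTO=UDP SPT=1025 DPT=53 LEN=55
May 30 16:06:14 ABCFirewall kernel: Shorewall:loc2net:ACCEPT:IN=eth0 OUT=eth1 SRC=x.x.68.159 DST=x.x.6.41 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=32085 DF PROTO=TCP SPT=1750 DPT=4040 WINDOW=65535 RES=0x00 SYN URGP=0
May 30 16:06:15 ABCFirewall sshd[1234]: session opened for user gagan
"""

# Syslog header, then the Shorewall prefix "Shorewall:<chain>:<action>:" and the
# netfilter key=value payload.
SHOREWALL_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) kernel: "
    r"Shorewall:(?P<chain>[^:]+):(?P<action>[^:]+):(?P<rest>.*)$"
)

# Rule ids as used in the thread; the default level for 4101 is an assumption
# based on "we will not alert on every ... denied attempt" by default.
RULE_FIREWALL_ANY = 4100   # parent rule: every firewall event, level 0
RULE_FIREWALL_DROP = 4101  # child rule: only DROP, level set in local_rules.xml
DEFAULT_DROP_LEVEL = 0
OVERWRITTEN_DROP_LEVEL = 5  # the level from the overwrite Daniel suggests


def parse_shorewall(line):
    """Return a dict of fields for a Shorewall kernel line, or None for any
    other syslog line (which OSSEC would hand to its ordinary syslog decoders)."""
    m = SHOREWALL_RE.match(line)
    if not m:
        return None
    event = {
        "timestamp": m["ts"], "host": m["host"],
        "chain": m["chain"], "action": m["action"], "flags": [],
    }
    for token in m["rest"].split():
        if "=" in token:
            key, value = token.split("=", 1)
            # setdefault keeps the first LEN= (the IP total length); the
            # second LEN= on UDP lines is the UDP length and is ignored here.
            event.setdefault(key.lower(), value)
        else:
            event["flags"].append(token)  # bare tokens such as DF or SYN
    return event


def match_rules(event, drop_level=DEFAULT_DROP_LEVEL):
    """Mimic the 4100 -> 4101 chain: (rule_id, level) for a parsed event."""
    if event["action"] == "DROP":
        return RULE_FIREWALL_DROP, drop_level
    return RULE_FIREWALL_ANY, 0


def summarize(log_text, drop_level=DEFAULT_DROP_LEVEL):
    """Walk a log, count firewall events per action and per source, and collect
    the events that would become alerts (level >= 1) at the given drop level."""
    by_action, by_source, alerts, events = Counter(), Counter(), [], 0
    for line in log_text.splitlines():
        event = parse_shorewall(line)
        if event is None:
            continue  # not a firewall line; nothing for firewall.log
        events += 1
        by_action[event["action"]] += 1
        by_source[(event["src"], event["action"])] += 1
        rule_id, level = match_rules(event, drop_level)
        if level >= 1:
            alerts.append({
                "rule": rule_id, "level": level, "src": event["src"],
                "dst": event["dst"], "proto": event["proto"], "dpt": event["dpt"],
            })
    return {"events": events, "by_action": by_action,
            "by_source": by_source, "alerts": alerts}


if __name__ == "__main__":
    for level in (DEFAULT_DROP_LEVEL, OVERWRITTEN_DROP_LEVEL):
        result = summarize(SAMPLE_LOG, drop_level=level)
        print(f"drop level {level}: {result['events']} firewall events, "
              f"{dict(result['by_action'])}, {len(result['alerts'])} alert(s)")
        for alert in result["alerts"]:
            print("  rule", alert["rule"], "level", alert["level"],
                  alert["src"], "->", alert["dst"], alert["proto"], "dpt", alert["dpt"])
```

Running it shows the two behaviours the thread contrasts: with the drop level left at its default, all four firewall events are counted (and would land in firewall.log) but nothing is alerted; with level 5, the two DROP lines each raise rule 4101 while the ACCEPT lines are still only logged.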
