Hi

Thanks for the reply.

But one more thing; maybe it is useful for your troubleshooting.

I am running syslog-ng on the same server and ossec is configured to scan the files.

Also, I disabled syslog-ng and enabled the syslog on ossec, but the results are the same.

Jul  1 06:52:51 x.x.x.x Jul 01 2010 06:45:13 test-RYD-FW : %PIX-2-106001: 
Inbound TCP connection denied from y.y.y.y/3438 to z.z.z.z/6000 flags
SYN  on interface ispan-test
Jul  1 06:53:04 x.x.x.x Jul 01 2010 06:45:26 ISPAN-RYD-FW : %PIX-2-106001: 
Inbound TCP connection denied from y.y.y.y /3445 to z.z.z.z /6000 flags
SYN  on interface ispan-test
Jul  1 06:53:07 x.x.x.x Jul 01 2010 06:45:29 ISPAN-RYD-FW : %PIX-2-106001: 
Inbound TCP connection denied from y.y.y.y /3445 to z.z.z.z /6000 flags
SYN  on interface ispan-test
Jul  1 06:53:13 x.x.x.x Jul 01 2010 06:45:35 ISPAN-RYD-FW : %PIX-2-106001: 
Inbound TCP connection denied from y.y.y.y /3445 to z.z.z.z /6000 flags



Best regards,
Muraleedaran Kanapathy| Linux/Unix System  Engineer -  ISS Department
Voice +966(1) 288-8888 ext 1422 | Fax +966(1) 288-8899 ext 1422 
Integrated Networks | Faisaliah Tower | Level 7A | 
PO Box 53553, Riyadh 11593, KSA | GMT +3 | 
Email [email protected]
 
Disclaimer: This electronic mail message contains information that (a) is or 
may be LEGALLY PRIVILEGED, CONFIDENTIAL, PROPRIETARY IN NATURE, OR OTHERWISE 
PROTECTED BY LAW FROM DISCLOSURE, and (b) is intended only for the use of the 
Addressee(s) named herein. If you are not the intended recipient, an addressee, 
or the person responsible for delivering this to an addressee, you are hereby 
notified that reading, using, copying, or distributing any part of this message 
is strictly prohibited. If you have received this electronic mail message in 
error, please contact us immediately and take the steps necessary to delete the 
message completely from your computer system. Unless explicitly attributed, the 
opinions expressed in this message do not necessarily represent the official 
position or opinions of Integrated Networks LLC., whilst all care has been 
taken, Integrated Networks LLC. disclaims all liability for loss or damage to 
person or property arising from this message being infected by computer virus 
or any type of contamination.
 

-----Original Message-----
From: [email protected] [mailto:[email protected]] On 
Behalf Of dan (ddp)
Sent: Wednesday, July 28, 2010 5:13 PM
To: [email protected]
Subject: Re: [ossec-list] PIX Logging with OSSEC

On Wed, Jul 28, 2010 at 2:22 AM, Muraleedaran Kanapathy
<[email protected]> wrote:
> Thanks Dan
>
> For the input
>
> But my concern is that all the alerts related to PIX come with "Unknown 
> problem somewhere in the system".
>
> Also, in the Web UI, when I filter the log type as PIX, nothing shows up.
>
> Is there any workaround to solve this issue?
>
> Best regards,
>

I'm guessing nothing shows up in the WUI under PIX because the alerts
aren't recognized so they are not being grouped properly.
The "Unknown problem..." issue is because the alerts aren't being
recognized. Try running a few of them through ossec-logtest. Do they
turn out like the example I posted, or do they continue to fall under
Rule ID 1002?

I'm starting to suspect something is off, because I thought the
example you posted would show up under the following rule:
  <rule id="4311" level="5">
    <if_sid>4300</if_sid>
    <id>^2-</id>
    <description>PIX critical message.</description>
  </rule>

Is there any chance you could post a few more example log messages?
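To illustrate Dan's point about alerts landing on rule 1002 instead of 4311, here is an added Python example (not OSSEC's code and not from anyone on this thread) that models the decoding step: it strips the syslog header, applies an assumed PIX prematch (`^%PIX-`), and walks a simplified 4300 -> 4311 chain over constructed copies of the lines above. The header regex, the prematch and the rule chain are assumptions modelled on how OSSEC behaves, not its actual implementation.

```python
import re

# Constructed sample lines, modelled on the ones pasted in the thread.
SAMPLE_LOGS = [
    # As received: syslog header, then the PIX's own timestamp and hostname.
    "Jul  1 06:52:51 x.x.x.x Jul 01 2010 06:45:13 test-RYD-FW : %PIX-2-106001: "
    "Inbound TCP connection denied from y.y.y.y/3438 to z.z.z.z/6000 flags "
    "SYN  on interface ispan-test",
    # Same event with the PIX's extra timestamp/hostname prefix absent.
    "Jul  1 06:52:51 x.x.x.x %PIX-2-106001: Inbound TCP connection denied "
    "from y.y.y.y/3438 to z.z.z.z/6000 flags SYN  on interface ispan-test",
]

# Assumed syslog header shape written by the collector: "Mon DD HH:MM:SS host ".
SYSLOG_HDR = re.compile(r"^[A-Z][a-z]{2} {1,2}\d{1,2} \d\d:\d\d:\d\d \S+ ")
# Assumed PIX decoder: the remaining text must START with "%PIX-"; the id is
# the "<severity>-<msgnum>" part that rule 4311 later tests with ^2-.
PIX_PREMATCH = re.compile(r"^%PIX-(\d-\d+):")


def strip_syslog_header(line):
    """Drop the collector's syslog header so only the device message remains."""
    m = SYSLOG_HDR.match(line)
    return line[m.end():] if m else line


def decode(line):
    """Return ('pix', msg_id) if the assumed PIX decoder fires, else (None, None)."""
    body = strip_syslog_header(line)
    m = PIX_PREMATCH.match(body)
    return ("pix", m.group(1)) if m else (None, None)


def classify(line):
    """Simplified chain: 4300 (any decoded PIX) -> 4311 (id ^2-); else catch-all 1002."""
    decoder, msg_id = decode(line)
    if decoder != "pix":
        return 1002   # "Unknown problem somewhere in the system"
    if msg_id.startswith("2-"):
        return 4311   # "PIX critical message."
    return 4300


if __name__ == "__main__":
    for line in SAMPLE_LOGS:
        # The first line never reaches the PIX decoder because "%PIX-" is not
        # at the start of the body after the syslog header is removed.
        print(classify(line), "<-", strip_syslog_header(line)[:45])
```

Run it and the doubled-timestamp line classifies as 1002 while the clean line hits 4311, which is the kind of difference ossec-logtest would expose on the real lines.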
