Hi,
First thing, I'm new to OSSEC and didn't find any clue in the archives.
I would like an OSSEC server to receive logs from a Juniper firewall, in
order to analyse them. Note there is nothing other than OSSEC on the server.
Here is the issue:
- Firewall side: everything is fine, logs are received on the OSSEC server on
the default port 514 (checked via tcpdump).
- OSSEC side:
- remote syslog was enabled during setup
- I changed the ossec.conf file:
    <remote>
      <connection>syslog</connection>
      <allowed-ips>firewall IP</allowed-ips>
    </remote>
- OSSEC was restarted
- I get the error “2011/07/18 15:06:56 ossec-remoted(1402): ERROR:
Authentication key file '/etc/client.keys' not found. 2011/07/18 15:06:56
ossec-remoted(1750): ERROR: No remote connection configured. Exiting.”
Here is what I tried to make it work, but it still fails:
- I added the firewall IP via manage_agents; restarted; configured logs on the
firewall to be sent on port 1514; I get an error for each log received from
the firewall: “2011/07/18 14:47:44 ossec-remoted(1403): ERROR: Incorrectly
formated message from 'IP adress'.”
- Tried to receive logs on another port, assigning in the ossec.conf file
<port>port_number</port> in <remote>…</remote>; OSSEC restarted; no
error, but I can't find firewall logs in any log file (/var/log/* &
/var/ossec/logs/*)
Now, I’m wondering what I’m missing.
Can OSSEC receive logs from a device via syslog? I read many articles
answering yes, but I can't make it work.
If you have any idea…
Thanks,
J
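Added example, not part of the post above and not OSSEC's own code: a small Python helper that builds the ossec.conf `<remote>` block for a plain-syslog source, builds an RFC 3164 syslog datagram, checks its `<PRI>` header, and sends it to the OSSEC syslog port over UDP. It assumes OSSEC is running with that `<remote>` block plus `<logall>yes</logall>` under `<global>`, so every accepted event lands in /var/ossec/logs/archives/archives.log where it can be grepped. The hostname `fw-test`, the tag `testtag` and the message text are constructed test values; the Juniper-specific event format is not reproduced here.

```python
"""Send a constructed syslog event to an OSSEC syslog listener (added example).

Assumes ossec.conf contains the <remote> block produced by
ossec_remote_syslog_block() and <global><logall>yes</logall></global>.
"""
import re
import socket
import time

# RFC 3164 section 4.1.1 numbering (PRI = facility * 8 + severity).
FACILITY_LOCAL0 = 16
SEVERITY_INFO = 6

PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.DOTALL)

# Fixed timestamp so the sample datagram is reproducible (constructed value).
SAMPLE_TIME = time.strptime("2011-07-18 15:06:56", "%Y-%m-%d %H:%M:%S")


def ossec_remote_syslog_block(allowed_ip, port=514, protocol="udp"):
    """Return the ossec.conf <remote> block for a plain-syslog source.

    The option names (connection, port, protocol, allowed-ips) are OSSEC's own;
    a separate <remote><connection>secure</connection></remote> block is the
    one that serves agents on 1514 and needs client.keys.
    """
    if protocol not in ("udp", "tcp"):
        raise ValueError("protocol must be udp or tcp")
    return (
        "  <remote>\n"
        "    <connection>syslog</connection>\n"
        "    <port>%d</port>\n"
        "    <protocol>%s</protocol>\n"
        "    <allowed-ips>%s</allowed-ips>\n"
        "  </remote>\n" % (port, protocol, allowed_ip)
    )


def build_syslog_message(facility, severity, hostname, tag, msg, when=None):
    """Return an RFC 3164 datagram: <PRI>Mmm dd HH:MM:SS HOSTNAME TAG: MSG."""
    if not 0 <= facility <= 23 or not 0 <= severity <= 7:
        raise ValueError("facility must be 0-23 and severity 0-7")
    pri = facility * 8 + severity
    when = when if when is not None else time.localtime()
    # Day of month is space-padded to two characters per RFC 3164.
    stamp = "%s %2d %s" % (
        time.strftime("%b", when), when.tm_mday, time.strftime("%H:%M:%S", when))
    return "<%d>%s %s %s: %s" % (pri, stamp, hostname, tag, msg)


def parse_pri(datagram):
    """Return (facility, severity, rest) or None when the PRI header is bad."""
    m = PRI_RE.match(datagram)
    if not m:
        return None
    pri = int(m.group(1))
    if pri > 191:  # 23 * 8 + 7 is the largest legal value
        return None
    return pri // 8, pri % 8, m.group(2)


def sample_datagram():
    """A constructed test event (hostname, tag and text are not real)."""
    return build_syslog_message(FACILITY_LOCAL0, SEVERITY_INFO, "fw-test",
                                "testtag", "constructed test event", SAMPLE_TIME)


def send_udp(datagram, host="127.0.0.1", port=514):
    """Send one datagram to the OSSEC syslog port; returns bytes sent."""
    data = datagram.encode("utf-8")
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        return s.sendto(data, (host, port))


if __name__ == "__main__":
    import sys
    print(ossec_remote_syslog_block("192.0.2.10"))  # documentation IP, placeholder
    event = sample_datagram()
    print("sending:", event)
    if parse_pri(event) is None:
        sys.exit("malformed datagram, not sending")
    # Run this on the OSSEC server itself, then:
    #   grep 'constructed test event' /var/ossec/logs/archives/archives.log
    send_udp(event, sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1")
```

The source address of the test must be one listed in `<allowed-ips>`, so when running it from the OSSEC server itself add 127.0.0.1 there for the duration of the test; an event that is received by the kernel (visible in tcpdump) but absent from archives.log is the sign that remoted is not listening on that port or that the sender is not allowed.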