Hi Jérémie,

On Mon, Jul 18, 2011 at 10:22 AM, Jérémie Belmudes <[email protected]> wrote:
> Hi,
>
> First thing, I'm new with OSSEC and didn't find any clue in the archives.
>
> I would like an OSSEC server to receive logs from a Juniper firewall, in
> order to analyse them. Note there is nothing else than OSSEC on the server.
>

If you are not planning on adding some real clients, you should probably use
a local installation.

> Here is the issue:
>
> Firewall side: everything is fine, logs are received on the OSSEC server on
> the default port 514 (checked via tcpdump).
>
> OSSEC side:
>
> remote syslog was enabled during setup
> I changed the ossec.conf file:
>
> <remote>
> <connection>syslog</connection>
> <allowed-ips>firewall IP</allowed-ips>
> </remote>
>
> OSSEC was restarted
> I get the error "2011/07/18 15:06:56 ossec-remoted(1402): ERROR: Authentication
> key file '/etc/client.keys' not found. 2011/07/18 15:06:56
> ossec-remoted(1750): ERROR: No remote connection configured. Exiting."
>

Either set up a local install or add an agent (even a fake agent should be ok).

You can check to see if an ossec-remoted is still alive listening on 514/UDP
with "netstat -pan | grep 514" (I'm assuming your manager is Linux).

> Here is what I tried, to make it work, but it still fails:
>
> I added the firewall IP via manage agents; restart; configured logs on the
> firewall to be sent on port 1514; getting an error for each log received from
> the firewall: "2011/07/18 14:47:44 ossec-remoted(1403): ERROR: Incorrectly
> formated message from 'IP address'."

1514 is for OSSEC's secure messaging, not syslog. The error is correct.

> Tried to receive logs on another port, assigning in the ossec.conf file
> <port>port_number</port> in <remote>…</remote>; OSSEC restarted; no error,
> but I can't find the firewall logs in any log file (/var/log/* &
> /var/ossec/logs/*)
>

You won't find the firewall logs in any of these files, unless an alert is
triggered. OSSEC does not log to /var/log at all, so nothing should go from it
to any file there. /var/ossec/logs/alerts/alerts.log will contain the alerts.

By default OSSEC does not log all log messages, but you can force it to do so
by adding <logall>yes</logall> to the <global> section. After restarting OSSEC
you can find all logs received by OSSEC in /var/ossec/logs/archives/archive.log.
I think this is really helpful to figure out what is happening on an OSSEC
system, and I generally turn it on. If you have a few copies of various logs
you can even use ossec-logtest to see how they are being decoded.

> Now, I'm wondering what I'm missing.
>
> Can OSSEC receive logs from a device with syslog? I read many articles
> answering yes, but can't make it work.
>

Yes, it can. I do it, as do many others daily. :)

> If you have any idea…
>
> Thanks,
>
> J
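The ossec.conf fragment the reply describes, as an added example that is not part of the original thread or of the OSSEC project's own documentation. It puts the syslog listener on a non-default port and turns on logall so every received line lands in /var/ossec/logs/archives/archive.log. The firewall address 192.0.2.10 and port 5514 are placeholders; the <protocol> element is OSSEC's own <remote> option and udp is its default for syslog, so the line only makes the choice explicit.

```xml
<!-- Added example, not from the mailing-list thread or OSSEC itself. -->
<!-- Firewall IP (192.0.2.10) and port (5514) are placeholder assumptions. -->
<ossec_config>

  <global>
    <!-- Write every received log line, not only those that raise an alert,
         to /var/ossec/logs/archives/archive.log. -->
    <logall>yes</logall>
  </global>

  <!-- Plain syslog listener for the firewall. This is separate from the
       agent channel on 1514, which expects OSSEC's own message format and
       rejects raw syslog as "Incorrectly formated message". -->
  <remote>
    <connection>syslog</connection>
    <port>5514</port>
    <protocol>udp</protocol>
    <!-- Only this sender is accepted; anything else on the port is dropped. -->
    <allowed-ips>192.0.2.10</allowed-ips>
  </remote>

</ossec_config>
```

On a server (not local) install ossec-remoted still refuses to start without /var/ossec/etc/client.keys, exactly as the quoted error shows, so either install as "local" or register one agent with manage_agents first. After restarting, "netstat -pan | grep 5514" should show ossec-remoted bound to the port, and a line from the firewall should appear in archive.log within a few seconds; paste that line into ossec-logtest to see which decoder and rule it hits.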
