On Wed, Jul 20, 2011 at 11:56 AM, Jérémie Belmudes <[email protected]> wrote: > Hi, > Thanks for your hints Dan, I make OSSEC starts without any error, but still > have somes issues. > Here is where I am : > > Starting with a clean setup of OSSEC 2.6 on a linux server. Choose "server > mode" to enable syslog in OSSEC. > Adding a fake agent to avoid errors with manage_agents tools. > Adding <allowed-ips> for syslog in ossec.conf file > Finally starting ossec. > > I can see that OSSEC listen on the port UDP514 (via netstat -navup), and > also, that traffic still arrives on the server (via tcpdump). > As you said when logall option is set up, I retrieve all my logs in > logs/archives/archives.log. > I tried as you recommanded to test my logs, but they don't pass the test > (ossec-logtest -f). > I found out the problem comes from the Date prefix of the log. > The prefix generated by OSSEC isn't recognized, but it works when I replace > the prefix by the one presented in decoder.xml as exemple. > > generated prefix = 2011 Jul 20 16:57:21 nameOf Server->@IP_firewall
This is just a header that's added to the entries. You should remove it before pushing it through ossec-logtest. ossec-analysisd does not see this header when trying to decode the messages. > prefix from decoder.xml = Jan 1 10:02:11 xx > > First thing, I don't know where that prefix regex can be updated, surely not > in decoder.xml. It may not have to be. Send a few example logs so I can see what's going on. > At first I thought the remote syslog would be automatically analyzed. If > it's not the case I would like to retrieve them in a specific file. I think > that archives.log file shouldn't be analyzed (<localfile> in ossec.conf). The log messages coming in via syslog are being looked at. They may not be triggering anything, or they may not be decoded properly. It's tough to tell without a log sample. > Thanks, > J > > > > 2011/7/18 dan (ddp) <[email protected]> >> >> Hi Jérémie, >> >> On Mon, Jul 18, 2011 at 10:22 AM, Jérémie Belmudes >> <[email protected]> wrote: >> > Hi, >> > >> > First thing, I’m new with OSSEC and didn’t find any clue in archives. >> > >> > >> > >> > I would like an OSSEC server to receive logs from a Juniper firewall, in >> > order to analyse them. Note there is nothing else than OSSEC on the >> > server. >> > >> >> If you are not planning on adding some real clients, you should >> probably use a local installation. >> >> > >> > >> > Here is the issue: >> > >> > Firewall side: everything is fine, logs are received on OSSEC server on >> > default port 514(checked via tcpdump). >> > OSSEC side: >> > >> > remote syslog was enabled during setup >> > I change ossec.conf file : >> > >> > <remote> >> > <connection>syslog</connection> >> > <allowed-ips>firewall IP</allowed-ips> >> > </remote> >> > >> > OSSEC was restarted >> > I get error “2011/07/18 15:06:56 ossec-remoted(1402): ERROR: >> > Authentication >> > key file '/etc/client.keys' not found. 2011/07/18 15:06:56 >> >> Either setup a local install or add an agent (even a fake agent should be >> ok). >> >> > ossec-remoted(1750): ERROR: No remote connection configured. Exiting.” >> > >> >> You can check to see if an ossec-remoted is still alive listening on >> 514/UDP with "netstat -pan | grep 514" (I'm assuming your manager is >> Linux). >> >> > Here is what I tried, to make it works, but still fails : >> > >> > I added firewall IP via manage agents ; restart ; configuring logs on >> > firewall to be sent on port 1514 ; getting error for each log received >> > from >> > the firewall “2011/07/18 14:47:44 ossec-remoted(1403): ERROR: >> > Incorrectly >> > formated message from 'IP adress'.” >> >> 1514 is for OSSEC's secure messaging, not syslog. The error is correct. >> >> > Tried to receive logs on another port, assigning in ossec.conf file >> > <port>port_number</port> in <remote>…</remote> ; OSSEC restarted ; no >> > error, >> > but can’t find firewall logs in any log file (/var/log/* & >> > /var/ossec/logs/*) >> > >> >> You won't find the firewall logs in any of these files, unless an >> alert is triggered. >> OSSEC does not log to /var/log at all, so nothing should go from it to >> any file there. >> /var/ossec/logs/alerts/alerts.log will contain the alerts. >> By default OSSEC does not log all log messages, but you can force it >> to do so by adding <logall>yes</logall> to the <global> section. >> After restarting OSSEC you can find all logs received by OSSEC in >> /var/ossec/logs/archives/archive.log. I think this is really helpful >> to figure out what is happening on an OSSEC system, and I generally >> turn it on. If you have a few copies of various logs you can even use >> ossec-logtest to see how they are being decoded. >> >> > Now, I’m wondering what I’m missing. >> > >> > Can OSSEC receive logs from device with syslog ? I read many articles >> > answering yes, but can’t make it works. >> > >> >> Yes, it can. I do it, as do many others daily. :) >> >> > If you have any idea… >> > >> > Thanks, >> > >> > J > > > > -- > Cordialement, > > Jérémie BELMUDES > [email protected] >
