On Thu, Aug 16, 2012 at 10:13 PM, Adriel Desautels
<[email protected]> wrote:

>  Something I should mention...
>
> It is installed in a custom path.  /opt/ossec instead of /var/ossec
>
> Could that be part of the issue?
>
>
No.


>
> On 8/16/12 9:51 PM, Tony Perez, PMP wrote:
>
> Hi Adriel
>
> Gotcha, sorry didn't phrase the question right, but you answered it right.
>
> Have you been able to turn on debug mode to see if you can see anything
> there? Anything that would help understand the failed comm attempts?
>
> Thanks
>
>    Adriel Desautels <[email protected]>
>  August 16, 2012 6:43 PM
>   So, the server (10.5.4.1) is a pfsense firewall.  It is sending all of
> its syslog data to the OSSEC server on UDP 514.  Every time the OSSEC
> server receives a syslog message it generates the error "2012/08/16
> 21:41:03 ossec-remoted(1213): WARN: Message from 10.5.4.1 not allowed."
>
> So, yes pfsense is sending on UDP 514 and is being received by UDP 514 on
> the OSSEC box.  So based on the error I don't think it's a network issue,
> but an OSSEC issue.
>
> Help?
>
>
>
> On 8/16/12 9:30 PM, Tony Perez, PMP wrote:
>
>    Tony Perez, PMP <[email protected]>
>  August 16, 2012 6:30 PM
>   Hi Adriel
>
> You have the same port set on both the Agent and Server? Which server does
> this ossec.conf belong to?
>
> Thanks
>
> Tony
>
>    Adriel Desautels <[email protected]>
>  August 16, 2012 6:25 PM
>   I have the following in ossec.conf:
>
> .
> .
> .
>   <remote>
>     <connection>syslog</connection>
>     <allowed-ips>10.5.4.1</allowed-ips>
>     <port>514</port>
>   </remote>
>
>   <remote>
>     <connection>secure</connection>
>   </remote>
> .
> .
> .
>
> And yet when 10.5.4.1 sends a message to the OSSEC server I get this:
>
> WARN: Message from 10.5.4.1 not allowed.
>
>
> Am I missing something?
>
> And yes... I've restarted the server.
>
>
>
