On Fri, Aug 17, 2012 at 2:08 PM, Adriel Desautels <[email protected]> wrote:
> Comments embedded below:
>
> On 8/17/12 1:27 PM, dan (ddp) wrote:
>> On Fri, Aug 17, 2012 at 1:20 PM, Adriel Desautels
>> <[email protected]> wrote:
>>> Dan,
>>>
>>> Not only have I stopped and restarted but I even reinstalled OSSEC.
>>>
>> Try removing the secure remote option.
> I've tried that, the error goes away and then none of the agents seem to
> be able to communicate back to the server. But, I also see no evidence
> that logs are coming in. Thoughts?
Yeah, that didn't really matter. I set it up again and had no problems with the secure entry being below or above the syslog entry. I generally use syslog servers instead of OSSEC for this, but I know it works. Have you tried using the current source instead of 2.6? I can't think of anything related to this that has changed, but it has been a long time.

>>
>>> What specifically do you want to know about the machine / server?
>>>
>> Seriously? You couldn't just throw some information in the email? Forget it.
> Wow, I was only trying to be helpful by not bombarding you with useless
> information. The current system is a debian squeeze box, but there are
> a billion things I could tell you. Is there anything specific you need
> / want?

You were more than willing to "bombard" us with useless emails last night, but not willing to send us a little too much information in 1? Strange. Why not just include OS/distro and architecture? I mean, that seems like the bare minimum information that might be useful. Since you've installed OSSEC somewhere silly, why not include information on the mount point? What fs? What options are you using for the mountpoint? I don't think it'll be relevant to this problem, but it would take me less time to skim over the information and move on than it takes me to request all of the information that might be useful in helping to fix your problem. But I'll try to be more accommodating in the future.
>>> On 8/17/12 11:24 AM, dan (ddp) wrote:
>>>> On Fri, Aug 17, 2012 at 10:12 AM, Adriel Desautels
>>>> <[email protected]> wrote:
>>>>> Here it is:
>>>>>
>>>>> root@bos-ossec01:/var/ossec/etc# cat ossec.conf
>>>>> <ossec_config>
>>>>>   <global>
>>>>>     <email_notification>yes</email_notification>
>>>>>     <email_to>[email protected]</email_to>
>>>>>     <smtp_server>xx.xx.xx.xx</smtp_server>
>>>>>     <email_from>[email protected]</email_from>
>>>>>   </global>
>>>>>
>>>>>   <rules>
>>>>>     <include>rules_config.xml</include>
>>>>>     <include>pam_rules.xml</include>
>>>>>     <include>sshd_rules.xml</include>
>>>>>     <include>telnetd_rules.xml</include>
>>>>>     <include>syslog_rules.xml</include>
>>>>>     <include>arpwatch_rules.xml</include>
>>>>>     <include>symantec-av_rules.xml</include>
>>>>>     <include>symantec-ws_rules.xml</include>
>>>>>     <include>pix_rules.xml</include>
>>>>>     <include>named_rules.xml</include>
>>>>>     <include>smbd_rules.xml</include>
>>>>>     <include>vsftpd_rules.xml</include>
>>>>>     <include>pure-ftpd_rules.xml</include>
>>>>>     <include>proftpd_rules.xml</include>
>>>>>     <include>ms_ftpd_rules.xml</include>
>>>>>     <include>ftpd_rules.xml</include>
>>>>>     <include>hordeimp_rules.xml</include>
>>>>>     <include>roundcube_rules.xml</include>
>>>>>     <include>wordpress_rules.xml</include>
>>>>>     <include>cimserver_rules.xml</include>
>>>>>     <include>vpopmail_rules.xml</include>
>>>>>     <include>vmpop3d_rules.xml</include>
>>>>>     <include>courier_rules.xml</include>
>>>>>     <include>web_rules.xml</include>
>>>>>     <include>apache_rules.xml</include>
>>>>>     <include>nginx_rules.xml</include>
>>>>>     <include>php_rules.xml</include>
>>>>>     <include>mysql_rules.xml</include>
>>>>>     <include>postgresql_rules.xml</include>
>>>>>     <include>ids_rules.xml</include>
>>>>>     <include>squid_rules.xml</include>
>>>>>     <include>firewall_rules.xml</include>
>>>>>     <include>cisco-ios_rules.xml</include>
>>>>>     <include>netscreenfw_rules.xml</include>
>>>>>     <include>sonicwall_rules.xml</include>
>>>>>     <include>postfix_rules.xml</include>
>>>>>     <include>sendmail_rules.xml</include>
>>>>>     <include>imapd_rules.xml</include>
>>>>>     <include>mailscanner_rules.xml</include>
>>>>>     <include>dovecot_rules.xml</include>
>>>>>     <include>ms-exchange_rules.xml</include>
>>>>>     <include>racoon_rules.xml</include>
>>>>>     <include>vpn_concentrator_rules.xml</include>
>>>>>     <include>spamd_rules.xml</include>
>>>>>     <include>msauth_rules.xml</include>
>>>>>     <include>mcafee_av_rules.xml</include>
>>>>>     <include>trend-osce_rules.xml</include>
>>>>>     <include>ms-se_rules.xml</include>
>>>>>     <!-- <include>policy_rules.xml</include> -->
>>>>>     <include>zeus_rules.xml</include>
>>>>>     <include>solaris_bsm_rules.xml</include>
>>>>>     <include>vmware_rules.xml</include>
>>>>>     <include>ms_dhcp_rules.xml</include>
>>>>>     <include>asterisk_rules.xml</include>
>>>>>     <include>ossec_rules.xml</include>
>>>>>     <include>attack_rules.xml</include>
>>>>>     <include>openbsd_rules.xml</include>
>>>>>     <include>clam_av_rules.xml</include>
>>>>>     <include>bro-ids_rules.xml</include>
>>>>>     <include>dropbear_rules.xml</include>
>>>>>     <include>local_rules.xml</include>
>>>>>   </rules>
>>>>>
>>>>>   <syscheck>
>>>>>     <!-- Frequency that syscheck is executed - default to every 22 hours
>>>>>     -->
>>>>>     <frequency>79200</frequency>
>>>>>
>>>>>     <!-- Directories to check (perform all possible verifications) -->
>>>>>     <directories check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
>>>>>     <directories check_all="yes">/bin,/sbin</directories>
>>>>>
>>>>>     <!-- Files/directories to ignore -->
>>>>>     <ignore>/etc/mtab</ignore>
>>>>>     <ignore>/etc/mnttab</ignore>
>>>>>     <ignore>/etc/hosts.deny</ignore>
>>>>>     <ignore>/etc/mail/statistics</ignore>
>>>>>     <ignore>/etc/random-seed</ignore>
>>>>>     <ignore>/etc/adjtime</ignore>
>>>>>     <ignore>/etc/httpd/logs</ignore>
>>>>>     <ignore>/etc/utmpx</ignore>
>>>>>     <ignore>/etc/wtmpx</ignore>
>>>>>     <ignore>/etc/cups/certs</ignore>
>>>>>     <ignore>/etc/dumpdates</ignore>
>>>>>     <ignore>/etc/svc/volatile</ignore>
>>>>>
>>>>>     <!-- Windows files to ignore -->
>>>>>     <ignore>C:\WINDOWS/System32/LogFiles</ignore>
>>>>>     <ignore>C:\WINDOWS/Debug</ignore>
>>>>>     <ignore>C:\WINDOWS/WindowsUpdate.log</ignore>
>>>>>     <ignore>C:\WINDOWS/iis6.log</ignore>
>>>>>     <ignore>C:\WINDOWS/system32/wbem/Logs</ignore>
>>>>>     <ignore>C:\WINDOWS/system32/wbem/Repository</ignore>
>>>>>     <ignore>C:\WINDOWS/Prefetch</ignore>
>>>>>     <ignore>C:\WINDOWS/PCHEALTH/HELPCTR/DataColl</ignore>
>>>>>     <ignore>C:\WINDOWS/SoftwareDistribution</ignore>
>>>>>     <ignore>C:\WINDOWS/Temp</ignore>
>>>>>     <ignore>C:\WINDOWS/system32/config</ignore>
>>>>>     <ignore>C:\WINDOWS/system32/spool</ignore>
>>>>>     <ignore>C:\WINDOWS/system32/CatRoot</ignore>
>>>>>   </syscheck>
>>>>>
>>>>>   <rootcheck>
>>>>>     <rootkit_files>/var/ossec/etc/shared/rootkit_files.txt</rootkit_files>
>>>>>     <rootkit_trojans>/var/ossec/etc/shared/rootkit_trojans.txt</rootkit_trojans>
>>>>>     <system_audit>/var/ossec/etc/shared/system_audit_rcl.txt</system_audit>
>>>>>     <system_audit>/var/ossec/etc/shared/cis_debian_linux_rcl.txt</system_audit>
>>>>>     <system_audit>/var/ossec/etc/shared/cis_rhel_linux_rcl.txt</system_audit>
>>>>>     <system_audit>/var/ossec/etc/shared/cis_rhel5_linux_rcl.txt</system_audit>
>>>>>   </rootcheck>
>>>>>
>>>>>   <global>
>>>>>     <white_list>127.0.0.1</white_list>
>>>>>     <white_list>^localhost.localdomain$</white_list>
>>>>>     <white_list>10.5.4.1</white_list>
>>>>>   </global>
>>>>>
>>>>>   <remote>
>>>>>     <connection>syslog</connection>
>>>>>     <allowed-ips>10.5.4.1</allowed-ips>
>>>>>   </remote>
>>>>>
>>>>>   <remote>
>>>>>     <connection>secure</connection>
>>>>>   </remote>
>>>>>
>>>>>   <alerts>
>>>>>     <log_alert_level>1</log_alert_level>
>>>>>     <email_alert_level>7</email_alert_level>
>>>>>   </alerts>
>>>>>
>>>>>   <command>
>>>>>     <name>host-deny</name>
>>>>>     <executable>host-deny.sh</executable>
>>>>>     <expect>srcip</expect>
>>>>>     <timeout_allowed>yes</timeout_allowed>
>>>>>   </command>
>>>>>
>>>>>   <command>
>>>>>     <name>firewall-drop</name>
>>>>>     <executable>firewall-drop.sh</executable>
>>>>>     <expect>srcip</expect>
>>>>>     <timeout_allowed>yes</timeout_allowed>
>>>>>   </command>
>>>>>
>>>>>   <command>
>>>>>     <name>disable-account</name>
>>>>>     <executable>disable-account.sh</executable>
>>>>>     <expect>user</expect>
>>>>>     <timeout_allowed>yes</timeout_allowed>
>>>>>   </command>
>>>>>
>>>>>   <command>
>>>>>     <name>restart-ossec</name>
>>>>>     <executable>restart-ossec.sh</executable>
>>>>>     <expect></expect>
>>>>>   </command>
>>>>>
>>>>>
>>>>>   <command>
>>>>>     <name>route-null</name>
>>>>>     <executable>route-null.sh</executable>
>>>>>     <expect>srcip</expect>
>>>>>     <timeout_allowed>yes</timeout_allowed>
>>>>>   </command>
>>>>>
>>>>>
>>>>>   <!-- Active Response Config -->
>>>>>   <active-response>
>>>>>     <!-- This response is going to execute the host-deny
>>>>>        - command for every event that fires a rule with
>>>>>        - level (severity) >= 6.
>>>>>        - The IP is going to be blocked for 600 seconds.
>>>>>     -->
>>>>>     <command>host-deny</command>
>>>>>     <location>local</location>
>>>>>     <level>6</level>
>>>>>     <timeout>600</timeout>
>>>>>   </active-response>
>>>>>
>>>>>   <active-response>
>>>>>     <!-- Firewall Drop response. Block the IP for
>>>>>        - 600 seconds on the firewall (iptables,
>>>>>        - ipfilter, etc).
>>>>>     -->
>>>>>     <command>firewall-drop</command>
>>>>>     <location>local</location>
>>>>>     <level>6</level>
>>>>>     <timeout>600</timeout>
>>>>>   </active-response>
>>>>>
>>>>>   <!-- Files to monitor (localfiles) -->
>>>>>
>>>>>   <localfile>
>>>>>     <log_format>syslog</log_format>
>>>>>     <location>/var/log/messages</location>
>>>>>   </localfile>
>>>>>
>>>>>   <localfile>
>>>>>     <log_format>syslog</log_format>
>>>>>     <location>/var/log/auth.log</location>
>>>>>   </localfile>
>>>>>
>>>>>   <localfile>
>>>>>     <log_format>syslog</log_format>
>>>>>     <location>/var/log/syslog</location>
>>>>>   </localfile>
>>>>>
>>>>>   <localfile>
>>>>>     <log_format>syslog</log_format>
>>>>>     <location>/var/log/mail.info</location>
>>>>>   </localfile>
>>>>>
>>>>>   <localfile>
>>>>>     <log_format>syslog</log_format>
>>>>>     <location>/var/log/dpkg.log</location>
>>>>>   </localfile>
>>>>> </ossec_config>
>>>>>
>>>>>
>>>>> On 8/17/12 8:34 AM, dan (ddp) wrote:
>>>>>> On Thu, Aug 16, 2012 at 9:25 PM, Adriel Desautels
>>>>>> <[email protected]> wrote:
>>>>>>> I have the following in ossec.conf:
>>>>>>>
>>>>>>> .
>>>>>>> .
>>>>>>> .
>>>>>>> <remote>
>>>>>>>   <connection>syslog</connection>
>>>>>>>   <allowed-ips>10.5.4.1</allowed-ips>
>>>>>>>   <port>514</port>
>>>>>>> </remote>
>>>>>>>
>>>>>>> <remote>
>>>>>>>   <connection>secure</connection>
>>>>>>> </remote>
>>>>>>> .
>>>>>>> .
>>>>>>> .
>>>>>>>
>>>>>>> And yet when 10.5.4.1 sends a message to the OSSEC server I get this:
>>>>>>>
>>>>>>> WARN: Message from 10.5.4.1 not allowed.
>>>>>>>
>>>>>>>
>>>>>>> Am I missing something?
>>>>>>>
>>>>>>> And yes... I've restarted the server.
>>>>>> Please provide your entire ossec.conf.
>>>> I've been unable to reproduce this issue. Stop the OSSEC processes,
>>>> and make sure they've stopped. Then start them up again. See if that
>>>> fixes it.
>>>>
>>>> Also, can you provide more information about the OSSEC server?
>>>
>
