Hi Dan.
My ossec.conf allows remote connections from any:
<remote>
<connection>syslog</connection>
<allowed-ips>any</allowed-ips>
</remote>
I've also tried with IP ranges (192.168.0.0/16). My firewall IP is
192.168.1.254, and this shows up in tcpdump:
10:46:44.234477 IP (tos 0x0, ttl 64, id 18591, offset 0, flags [none], proto UDP (17), length 226)
    192.168.1.254.syslog > 192.168.1.8.syslog: [udp sum ok] SYSLOG, length: 198
    Facility local0 (16), Severity info (6)
    Msg: Oct 24 09:46:44 pf: 10.10.10.2.55895 > 192.168.1.7.3306: Flags [S], cksum 0x9be1 (correct), seq 565473896, win 14600, options [mss 1460,sackOK,TS val 405015003 ecr 0,nop,wscale 5], length 0
Thanks
On Monday, October 22, 2012 4:01:54 PM UTC+1, dan (ddpbsd) wrote:
>
> On Sat, Oct 20, 2012 at 6:46 AM, Chris H <[email protected]> wrote:
> > Hi.
> >
> > I've just deployed OSSEC for testing on a VM, and I'm looking to use it for
> > log retention, as well as alerting. I've enabled syslog and logall, and
> > successfully got it alerting and logging from apache logs sent by syslog.
> > But I'm having issues with pfsense.
> >
> > I've enabled syslog in pfsense, pointing at my ossec installation, but
> > nothing is showing up in the archive logs. tcpdump shows the traffic coming
> > through to the server, as it does with any other syslog traffic, but the logs
> > don't get stored in ossec. Any thoughts?
> >
> > I know of the OSSEC for pfsense module, but I'm installing this as a
> > proof-of-concept and want to make sure that I can get syslog working in case
> > I have a similar issue elsewhere on something other than pfsense.
> >
> > Thanks.
>
> Did you set the correct PFSense IP in the allowed ips configuration?
>
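A quick way to verify the point Dan raises, namely whether a sender such as the pfSense box at 192.168.1.254 is actually covered by the <allowed-ips> entries of the syslog <remote> block. This is an added example, not code from the thread or from OSSEC itself; the embedded ossec.conf fragment is constructed to mirror the configuration discussed above.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed ossec.conf fragment modelled on the thread (not a real file).
OSSEC_CONF = """<ossec_config>
  <remote>
    <connection>syslog</connection>
    <allowed-ips>192.168.0.0/16</allowed-ips>
    <allowed-ips>10.10.10.2</allowed-ips>
  </remote>
  <remote>
    <connection>secure</connection>
  </remote>
</ossec_config>"""


def syslog_allowed_ips(conf_text):
    """Return the <allowed-ips> values of every <remote> block whose
    <connection> is syslog (the blocks that accept remote syslog senders).
    A real ossec.conf may contain several top-level <ossec_config> elements,
    so the text is wrapped in a dummy root before parsing."""
    root = ET.fromstring("<root>" + conf_text + "</root>")
    entries = []
    for remote in root.iter("remote"):
        if remote.findtext("connection", "").strip() != "syslog":
            continue
        entries += [e.text.strip() for e in remote.findall("allowed-ips") if e.text]
    return entries


def sender_is_allowed(sender_ip, entries):
    """True if sender_ip matches 'any', an exact IP, or a CIDR range."""
    ip = ipaddress.ip_address(sender_ip)
    for entry in entries:
        if entry == "any":
            return True
        try:
            # A bare address parses as a /32 (or /128) network.
            if ip in ipaddress.ip_network(entry, strict=False):
                return True
        except ValueError:
            # Malformed entry: skip it rather than silently allowing the sender.
            continue
    return False


if __name__ == "__main__":
    allowed = syslog_allowed_ips(OSSEC_CONF)
    for sender in ("192.168.1.254", "172.16.0.9"):
        verdict = "allowed" if sender_is_allowed(sender, allowed) else "NOT allowed"
        print(f"{sender}: {verdict} by {allowed}")
```

If the sender is allowed and tcpdump still shows the packets arriving, the allowed-ips setting is not the blocker and the cause lies elsewhere.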