On Wed, Oct 24, 2012 at 5:48 AM, Chris H <[email protected]> wrote:
> Hi Dan.
>
> my ossec.conf allows remote connections from any:
> <remote>
> <connection>syslog</connection>
> <allowed-ips>any</allowed-ips>
> </remote>
>

I didn't know that was valid... My only advice is making sure ossec-remoted is listening to udp/514, and actually specifying the firewall's IP in allowed-ips.

> I've also tried with IP ranges (192.168.0.0/16). My firewall IP is 192.168.1.254, and this shows up in tcpdump:
>
> 10:46:44.234477 IP (tos 0x0, ttl 64, id 18591, offset 0, flags [none], proto UDP (17), length 226)
> 192.168.1.254.syslog > 192.168.1.8.syslog: [udp sum ok] SYSLOG, length: 198
> Facility local0 (16), Severity info (6)
> Msg: Oct 24 09:46:44 pf: 10.10.10.2.55895 > 192.168.1.7.3306: Flags [S], cksum 0x9be1 (correct), seq 565473896, win 14600, options [mss 1460,sackOK,TS val 405015003 ecr 0,nop,wscale 5], length 0
>
> Thanks
>
> On Monday, October 22, 2012 4:01:54 PM UTC+1, dan (ddpbsd) wrote:
>>
>> On Sat, Oct 20, 2012 at 6:46 AM, Chris H <[email protected]> wrote:
>> > Hi.
>> >
>> > I've just deployed OSSEC for testing on a VM, and I'm looking to use it for log retention, as well as alerting. I've enabled syslog and logall, and successfully got it alerting and logging from apache logs sent by syslog. But I'm having issues with pfsense.
>> >
>> > I've enabled syslog in pfsense, pointing at my ossec installation, but nothing is showing up in the archive logs. tcpdump shows the traffic coming through to the server, as it does with any other syslog traffic, but the logs don't get stored in ossec. Any thoughts?
>> >
>> > I know of the OSSEC for pfsense module, but I'm installing this as a proof-of-concept and want to make sure that I can get syslog working in case I have a similar issue elsewhere on something other than pfsense.
>> >
>> > Thanks.
>>
>> Did you set the correct PFSense IP in the allowed ips configuration?
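A small added check for the allowed-ips question in this thread (example code, not from the thread or the OSSEC project): it parses the syslog `<remote>` block out of an ossec.conf fragment and reports whether a given sender address, such as the firewall 192.168.1.254 seen in the tcpdump capture, would be covered by each `<allowed-ips>` entry. The matching of `any`, a single host, and a CIDR range is reimplemented with the standard `ipaddress` module and is an assumption about OSSEC's semantics, not a call into ossec-remoted; the pinned variant also uses OSSEC's `<port>`/`<protocol>` keys, which default to udp/514.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample: the "any" block from the thread, as posted.
OSSEC_CONF_ANY = """<ossec_config>
  <remote>
    <connection>syslog</connection>
    <allowed-ips>any</allowed-ips>
  </remote>
</ossec_config>"""

# Constructed sample: the same listener pinned to the firewall's address
# and to the udp/514 the advice above refers to.
OSSEC_CONF_PINNED = """<ossec_config>
  <remote>
    <connection>syslog</connection>
    <port>514</port>
    <protocol>udp</protocol>
    <allowed-ips>192.168.1.254</allowed-ips>
  </remote>
</ossec_config>"""


def syslog_allowed_ips(conf_xml: str) -> list[str]:
    """Return the <allowed-ips> values of every <remote> block whose
    <connection> is syslog (secure/agent blocks are ignored)."""
    root = ET.fromstring(conf_xml)
    entries = []
    for remote in root.iter("remote"):
        if remote.findtext("connection", default="").strip() != "syslog":
            continue
        entries.extend(e.text.strip() for e in remote.findall("allowed-ips") if e.text)
    return entries


def entry_matches(entry: str, source_ip: str) -> bool:
    """Does one allowed-ips entry ('any', a host, or a CIDR range) cover source_ip?"""
    if entry == "any":
        return True
    try:
        # A bare host parses as a /32; strict=False tolerates host bits in a range.
        return ipaddress.ip_address(source_ip) in ipaddress.ip_network(entry, strict=False)
    except ValueError:
        # Unparseable entry: treat as not matching rather than silently allowing.
        return False


def sender_accepted(conf_xml: str, source_ip: str) -> bool:
    """True if any syslog <allowed-ips> entry in conf_xml covers source_ip."""
    return any(entry_matches(e, source_ip) for e in syslog_allowed_ips(conf_xml))
```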
