On Wed, Oct 24, 2012 at 9:08 AM, Chris H <[email protected]> wrote:
> I've also tried putting the IP ranges in allowed-ips, in the form
> 192.168.0.0/16, with the same effect.  It is definitely listening, as I've
> sent apache logs to it via syslog.
>
> Thanks
>

You could try putting the IP address of the firewall into an
<allowed-ips>. Possibly run ossec-remoted in debug mode to see if it
adds any useful logs. You could also add some logging into the
program, see how far the log messages make it.

> On Wednesday, October 24, 2012 1:42:48 PM UTC+1, dan (ddpbsd) wrote:
>>
>> On Wed, Oct 24, 2012 at 5:48 AM, Chris H <[email protected]> wrote:
>> > Hi Dan.
>> >
>> > my ossec.conf allows remote connections from any:
>> >   <remote>
>> >     <connection>syslog</connection>
>> >     <allowed-ips>any</allowed-ips>
>> >   </remote>
>> >
>>
>> I didn't know that was valid... My only advice is making sure
>> ossec-remoted is listening to udp/514, and actually specifying the
>> firewall's IP in allowed-ips.
>>
>> > I've also tried with IP ranges (192.168.0.0/16). My firewall IP is
>> > 192.168.1.254, and this shows up in tcpdump:
>> >
>> > 10:46:44.234477 IP (tos 0x0, ttl 64, id 18591, offset 0, flags [none], proto UDP (17), length 226)
>> >     192.168.1.254.syslog > 192.168.1.8.syslog: [udp sum ok] SYSLOG, length: 198
>> >     Facility local0 (16), Severity info (6)
>> >     Msg: Oct 24 09:46:44 pf:     10.10.10.2.55895 > 192.168.1.7.3306: Flags [S], cksum 0x9be1 (correct), seq 565473896, win 14600, options [mss 1460,sackOK,TS val 405015003 ecr 0,nop,wscale 5], length 0
>> >
>> > Thanks
>> >
>> > On Monday, October 22, 2012 4:01:54 PM UTC+1, dan (ddpbsd) wrote:
>> >>
>> >> On Sat, Oct 20, 2012 at 6:46 AM, Chris H <[email protected]> wrote:
>> >> > Hi.
>> >> >
>> >> > I've just deployed OSSEC for testing on a VM, and I'm looking to use it
>> >> > for log retention, as well as alerting.  I've enabled syslog and logall,
>> >> > and successfully got it alerting and logging from apache logs sent by
>> >> > syslog.  But I'm having issues with pfsense.
>> >> >
>> >> > I've enabled syslog in pfsense, pointing at my ossec installation, but
>> >> > nothing is showing up in the archive logs.  tcpdump shows the traffic
>> >> > coming through to the server, as it does with any other syslog traffic,
>> >> > but the logs don't get stored in ossec.  Any thoughts?
>> >> >
>> >> > I know of the OSSEC for pfsense module, but I'm installing this as a
>> >> > proof-of-concept and want to make sure that I can get syslog working in
>> >> > case I have a similar issue elsewhere on something other than pfsense.
>> >> >
>> >> > Thanks.
>> >>
>> >> Did you set the correct PFSense IP in the allowed ips configuration?

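A small checker for the allowed-ips question running through this thread, added here as an example and not OSSEC's own code: it reads the syslog <remote> block(s) from a constructed ossec.conf fragment and reports whether a sender such as the firewall at 192.168.1.254 would be covered. It assumes that `any` is a match-all wildcard and that other entries are bare addresses or CIDR/netmask networks; the fragment is wrapped in a single <ossec_config> root so it parses as XML.

```python
"""Check whether a syslog sender's IP is covered by the <allowed-ips> entries
of an OSSEC <remote> block. Added example for this thread; not OSSEC code."""
import ipaddress
import xml.etree.ElementTree as ET

# Constructed ossec.conf fragment mirroring the thread's setup. A real
# ossec.conf may hold several top-level <ossec_config> elements; wrap them first.
OSSEC_CONF = """<ossec_config>
  <remote>
    <connection>syslog</connection>
    <allowed-ips>192.168.0.0/16</allowed-ips>
    <allowed-ips>10.0.0.5</allowed-ips>
  </remote>
  <remote>
    <connection>secure</connection>
  </remote>
</ossec_config>"""

def syslog_allowed_ips(conf_text):
    """Return the allowed-ips strings of every <remote> whose connection is syslog."""
    root = ET.fromstring(conf_text)
    entries = []
    for remote in root.findall("remote"):
        conn = remote.findtext("connection", default="").strip()
        if conn != "syslog":
            continue
        entries.extend(e.text.strip() for e in remote.findall("allowed-ips") if e.text)
    return entries

def entry_matches(entry, sender_ip):
    """True if a single allowed-ips entry covers sender_ip.
    Assumption: 'any' is treated as a match-all wildcard; a bare address, a
    CIDR network or an address/netmask pair is parsed with ipaddress
    (strict=False so host bits set in a network entry are tolerated)."""
    if entry.lower() == "any":
        return True
    try:
        network = ipaddress.ip_network(entry, strict=False)
    except ValueError:
        return False  # an unparsable entry never matches
    return ipaddress.ip_address(sender_ip) in network

def sender_is_allowed(conf_text, sender_ip):
    """Diagnostic: would the syslog listener accept packets from this sender?"""
    return any(entry_matches(e, sender_ip) for e in syslog_allowed_ips(conf_text))

if __name__ == "__main__":
    for ip in ("192.168.1.254", "10.10.10.2"):
        print(ip, "allowed" if sender_is_allowed(OSSEC_CONF, ip) else "NOT allowed")
```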