I've enabled debug in the config file, and nothing shows in the ossec.log. Running it from the command line with ./bin/ossec-remoted -df shows slightly more before it drops to the background (despite -f), but nothing in the logs when a syslog connection comes in. syslog definitely works; testing with netcat shows results coming through and going into the archive log:

echo "`date`" | nc -uvvv log-01 514

Thanks.

On Wednesday, October 24, 2012 2:18:23 PM UTC+1, dan (ddpbsd) wrote:
> On Wed, Oct 24, 2012 at 9:08 AM, Chris H <[email protected]> wrote:
> > I've also tried putting the IP ranges in allowed-ips, in the form
> > 192.168.0.0/16, with the same effect. It is definitely listening, as I've
> > sent apache logs to it via syslog.
> >
> > Thanks
> >
>
> You could try putting the IP address of the firewall into an
> <allowed-ips>. Possibly run ossec-remoted in debug mode to see if it
> adds any useful logs. You could also add some logging into the
> program, see how far the log messages make it.
>
> > On Wednesday, October 24, 2012 1:42:48 PM UTC+1, dan (ddpbsd) wrote:
> >>
> >> On Wed, Oct 24, 2012 at 5:48 AM, Chris H <[email protected]> wrote:
> >> > Hi Dan.
> >> >
> >> > my ossec.conf allows remote connections from any:
> >> > <remote>
> >> > <connection>syslog</connection>
> >> > <allowed-ips>any</allowed-ips>
> >> > </remote>
> >> >
> >>
> >> I didn't know that was valid... My only advice is making sure
> >> ossec-remoted is listening to udp/514, and actually specifying the
> >> firewall's IP in allowed-ips.
> >>
> >> > I've also tried with IP ranges (192.168.0.0/16). My firewall IP is
> >> > 192.168.1.254, and this shows up in tcpdump:
> >> >
> >> > 10:46:44.234477 IP (tos 0x0, ttl 64, id 18591, offset 0, flags [none], proto UDP (17), length 226)
> >> >     192.168.1.254.syslog > 192.168.1.8.syslog: [udp sum ok] SYSLOG, length: 198
> >> >     Facility local0 (16), Severity info (6)
> >> >     Msg: Oct 24 09:46:44 pf: 10.10.10.2.55895 > 192.168.1.7.3306: Flags [S], cksum 0x9be1 (correct), seq 565473896, win 14600, options [mss 1460,sackOK,TS val 405015003 ecr 0,nop,wscale 5], length 0
> >> >
> >> > Thanks
> >> >
> >> > On Monday, October 22, 2012 4:01:54 PM UTC+1, dan (ddpbsd) wrote:
> >> >>
> >> >> On Sat, Oct 20, 2012 at 6:46 AM, Chris H <[email protected]> wrote:
> >> >> > Hi.
> >> >> >
> >> >> > I've just deployed OSSEC for testing on a VM, and I'm looking to use it
> >> >> > for log retention, as well as alerting. I've enabled syslog and logall,
> >> >> > and successfully got it alerting and logging from apache logs sent by
> >> >> > syslog. But I'm having issues with pfsense.
> >> >> >
> >> >> > I've enabled syslog in pfsense, pointing at my ossec installation, but
> >> >> > nothing is showing up in the archive logs. tcpdump shows the traffic
> >> >> > coming through to the server, as it does with any other syslog traffic,
> >> >> > but the logs don't get stored in ossec. Any thoughts?
> >> >> >
> >> >> > I know of the OSSEC for pfsense module, but I'm installing this as a
> >> >> > proof-of-concept and want to make sure that I can get syslog working
> >> >> > in case I have a similar issue elsewhere on something other than pfsense.
> >> >> >
> >> >> > Thanks.
> >> >>
> >> >> Did you set the correct PFSense IP in the allowed ips configuration?
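Two checks that follow from the advice in this thread, as an added shell example that is not code from the thread or from OSSEC itself: first, whether a given sender address is actually covered by the <allowed-ips> entries in an ossec.conf <remote> block (only the forms that appear above are modelled: "any", a single IPv4 address, and a.b.c.d/bits; other forms OSSEC may accept are not handled here); second, a test datagram that carries an RFC 3164 PRI header for local0.info (16*8+6 = 134), which is what the tcpdump output shows pf sending, rather than the bare line the `echo | nc` test in the thread produces. The sample ossec.conf is constructed for the example; `nc -u -w1` and the archives.log path are assumptions about the target host.

```shell
#!/bin/sh
# Added example (not from the thread or from OSSEC): check <allowed-ips>
# coverage for a syslog sender and build a syslog datagram with a PRI header.

# ip4_to_int 192.168.1.254 -> 3232236030
ip4_to_int() {
    _ifs=$IFS; IFS=.
    set -- $1
    IFS=$_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# allowed_ips_matches ENTRY IP -> exit 0 if ENTRY ("any", "a.b.c.d" or
# "a.b.c.d/bits") covers IP. Only the forms seen in the thread are handled.
allowed_ips_matches() {
    case "$1" in
        any) return 0 ;;
        */*)
            _net=${1%/*}; _bits=${1#*/}
            _mask=$(( (4294967295 << (32 - $_bits)) & 4294967295 ))
            [ $(( $(ip4_to_int "$_net") & $_mask )) -eq $(( $(ip4_to_int "$2") & $_mask )) ]
            ;;
        *) [ "$1" = "$2" ] ;;
    esac
}

# sender_allowed CONF IP -> exit 0 if some <allowed-ips> entry in CONF covers IP
sender_allowed() {
    for _entry in $(sed -n 's:.*<allowed-ips>\([^<]*\)</allowed-ips>.*:\1:p' "$1"); do
        if allowed_ips_matches "$_entry" "$2"; then
            echo "$2 is covered by <allowed-ips>$_entry</allowed-ips>"
            return 0
        fi
    done
    echo "$2 is not covered by any <allowed-ips> entry in $1" >&2
    return 1
}

# syslog_line FACILITY SEVERITY MSG... -> RFC 3164 style "<PRI>Mmm dd hh:mm:ss MSG"
# PRI = facility*8 + severity; local0 (16) + info (6) = 134, as in the pf capture.
syslog_line() {
    _pri=$(( $1 * 8 + $2 )); shift 2
    printf '<%d>%s %s\n' "$_pri" "$(date '+%b %e %H:%M:%S')" "$*"
}

# send_syslog HOST MSG... -> one UDP datagram to HOST:514 with a PRI header.
# Not invoked below (needs a live OSSEC server); afterwards look for the line
# in logs/archives/archives.log (assumed path) on the server.
send_syslog() {
    _host=$1; shift
    syslog_line 16 6 "$@" | nc -u -w1 "$_host" 514
}

# Constructed sample ossec.conf fragment (not the poster's file), with the
# firewall address from the thread pinned in allowed-ips.
SAMPLE_CONF=$(mktemp)
cat > "$SAMPLE_CONF" <<'EOF'
<ossec_config>
  <remote>
    <connection>syslog</connection>
    <allowed-ips>192.168.1.254</allowed-ips>
  </remote>
</ossec_config>
EOF

# Usage: is the pfSense box allowed, and what does a PRI-tagged test line look like?
sender_allowed "$SAMPLE_CONF" 192.168.1.254
syslog_line 16 6 'pf: 10.10.10.2.55895 > 192.168.1.7.3306: Flags [S], length 0'
```

Run `send_syslog log-01 'pf: test from shell'` from the same host the firewall uses as its source address, or compare the result against the plain `echo | nc` test: if the PRI-tagged line is archived and the bare one is not (or vice versa), that separates an <allowed-ips> problem from a message-format problem.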
