On Wed, Mar 20, 2013 at 1:21 PM, Iqbal Aroussi <[email protected]> wrote:
> Hi,
>
> Can you please give me more details about the stunnel way. I have stunnel
> working for syslog but I want to link it to ossec.
> What should be the config on the agent so it sends logs using stunnel?
>
> On the manager this is what I've put:
> <remote>
> <connection>syslog</connection>
> <allowed-ips>127.0.0.1</allowed-ips>
> <protocol>tcp</protocol>
> <port>10514</port>
> </remote>
>
> 10514 is the port where stunnel is sending traffic locally.
>

I've never tried it. I'd guess the agent should be pointed to 127.0.0.1 on whatever port you set up stunnel to listen to. Getting the keys right on the server might be the trickiest part. Since I've never tried it, I don't know whether it will look like the packets came from the agent or from the localhost. It shouldn't be too hard to test. Let us know when you figure it out.

> Best Regards
>
> Iqbal Aroussi
> 514-627-0438
>
> On Mon, Mar 18, 2013 at 1:07 PM, Iqbal Aroussi <[email protected]> wrote:
>>
>> Thanks Dan for all the useful information.
>>
>> Sincerely yours
>>
>> Best Regards
>>
>> Iqbal Aroussi
>> 514-627-0438
>>
>> On Mon, Mar 18, 2013 at 1:04 PM, dan (ddp) <[email protected]> wrote:
>>>
>>> On Mon, Mar 18, 2013 at 12:27 PM, Iqbal Aroussi <[email protected]> wrote:
>>> > Hi Eero, Dan,
>>> >
>>> > Thanks a lot for your quick response.
>>> > So if I got the "secure" way, I should put this in my ossec.conf on the manager
>>> > or there is something else to do? I want to use TCP for reliability.
>>>
>>> tcp is not an option for the secure method.
>>>
>>> > what about the port, is it the correct one or I should use 1514?
>>>
>>> 514 is usually syslog, but if you aren't using syslog it doesn't
>>> matter what you do with that port.
>>>
>>> >
>>> > <remote>
>>> > <connection>syslog</connection>
>>> > <allowed-ips>192.168.152.138/27</allowed-ips>
>>> > <protocol>tcp</protocol>
>>> > <port>514</port>
>>> > </remote>
>>> >
>>> > Thanks for all of you.
>>> >
>>> > Best Regards
>>> >
>>> > Iqbal Aroussi
>>> > 514-627-0438
>>> >
>>> > On Mon, Mar 18, 2013 at 12:17 PM, dan (ddp) <[email protected]> wrote:
>>> >>
>>> >> On Mon, Mar 18, 2013 at 11:38 AM, Iqbal Aroussi <[email protected]> wrote:
>>> >> > Hi everyone,
>>> >> >
>>> >> > I want to inform you that I'm really new to OSSEC and I have two questions actually.
>>> >> >
>>> >> > First:
>>> >> > I configured the manager as a central syslog, I wanted to know if there is a way to encrypt
>>> >> > traffic between agents and manager using TLS or SSL.
>>> >> >
>>> >>
>>> >> You could probably use stunnel, but that seems like a hack. If you
>>> >> want the traffic encrypted (although not with ssl/tls) use the secure
>>> >> method instead of syslog.
>>> >>
>>> >> > Second:
>>> >> > By default OSSEC archives the logs and compresses them using gzip, is it
>>> >> > possible to use bzip2 ?
>>> >> >
>>> >>
>>> >> Only if you modify the source.
>>> >>
>>> >> > Thanks a lot in advance for your help
>>> >> >
>>> >> > Best Regards
>>> >> >
>>> >> > Iqbal Aroussi
>>> >> > 514-627-0438
>>> >> >
>>> >> > --
>>> >> >
>>> >> > ---
>>> >> > You received this message because you are subscribed to the Google Groups "ossec-list" group.
>>> >> > To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
>>> >> > For more options, visit https://groups.google.com/groups/opt_out.
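
Added example, not part of the thread and not from the OSSEC project: a stunnel configuration pair for the setup discussed above, where the manager's stunnel hands decrypted traffic to the syslog `<remote>` listener on 127.0.0.1:10514. The TLS port 6514, local port 5140, host name and file paths are assumptions, the sender is assumed to be a syslog daemon forwarding over TCP, and the verification options are those of stunnel 5.x.

```ini
; ===== Manager side (file path is an assumption: /etc/stunnel/stunnel.conf) =====
; Server mode is the default, so no "client" line is needed here.
[syslog-tls-in]
; TLS listener reachable by the senders (port 6514 is an assumption).
accept = 6514
; Decrypted traffic goes to the OSSEC syslog <remote> listener
; from the message above (<port>10514</port>, <protocol>tcp</protocol>).
connect = 127.0.0.1:10514
; Server certificate and key (placeholder paths).
cert = /etc/stunnel/manager-cert.pem
key = /etc/stunnel/manager-key.pem
; Require a client certificate signed by this CA. OSSEC only ever sees
; 127.0.0.1 as the source, so this check is the per-sender access control.
CAfile = /etc/stunnel/senders-ca.pem
verifyChain = yes

; ===== Sending host (file path is an assumption: /etc/stunnel/stunnel.conf) =====
[syslog-tls-out]
client = yes
; The local syslog daemon forwards over TCP to this loopback port
; (5140 is an assumption) instead of to the manager directly.
accept = 127.0.0.1:5140
; Manager's TLS listener (host name is a placeholder).
connect = manager.example.org:6514
; Verify the manager's certificate chain and host name so a
; man-in-the-middle cannot terminate the tunnel.
CAfile = /etc/stunnel/manager-ca.pem
verifyChain = yes
checkHost = manager.example.org
; Client certificate presented to the manager (placeholder paths).
cert = /etc/stunnel/sender-cert.pem
key = /etc/stunnel/sender-key.pem
```

Because stunnel opens the connection to port 10514 from the manager itself, `<allowed-ips>127.0.0.1</allowed-ips>` matches every sender. Keep 10514 unreachable from other hosts so the plaintext listener cannot be used to bypass the tunnel.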
