Thank you, I'll test and let you know.

Best Regards

Iqbal Aroussi
514-627-0438

On Wed, Mar 20, 2013 at 2:32 PM, dan (ddp) <[email protected]> wrote:
> On Wed, Mar 20, 2013 at 1:21 PM, Iqbal Aroussi <[email protected]> wrote:
> > Hi,
> >
> > Can you please give me more details about the stunnel way. I have stunnel
> > working for syslog but I want to link it to ossec.
> > What should be the config on the agent so it sends logs using stunnel.
> >
> > On the manager this is what I've put:
> >
> > <remote>
> >   <connection>syslog</connection>
> >   <allowed-ips>127.0.0.1</allowed-ips>
> >   <protocol>tcp</protocol>
> >   <port>10514</port>
> > </remote>
> >
> > 10514 is the port where stunnel is sending traffic locally.
> >
>
> I've never tried it. I'd guess the agent should be pointed to
> 127.0.0.1 on whatever port you set up stunnel to listen to. Getting the
> keys right on the server might be the trickiest part. Since I've never
> tried it, I don't know whether it will look like the packets came from
> the agent or from the localhost.
> It shouldn't be too hard to test. Let us know when you figure it out.
>
> > Best Regards
> >
> > Iqbal Aroussi
> > 514-627-0438
> >
> >
> > On Mon, Mar 18, 2013 at 1:07 PM, Iqbal Aroussi <[email protected]> wrote:
> >>
> >> Thanks Dan for all the useful information.
> >>
> >> Sincerely yours
> >>
> >> Best Regards
> >>
> >> Iqbal Aroussi
> >> 514-627-0438
> >>
> >>
> >> On Mon, Mar 18, 2013 at 1:04 PM, dan (ddp) <[email protected]> wrote:
> >>>
> >>> On Mon, Mar 18, 2013 at 12:27 PM, Iqbal Aroussi <[email protected]> wrote:
> >>> > Hi Eero, Dan,
> >>> >
> >>> > Thanks a lot for your quick response.
> >>> > So if I got the "secure" way, I should put this in my ossec.conf on
> >>> > the manager or there is something else to do? I want to use TCP for
> >>> > reliability.
> >>>
> >>> tcp is not an option for the secure method.
> >>>
> >>> > What about the port, is it the correct one or I should use 1514?
> >>>
> >>> 514 is usually syslog, but if you aren't using syslog it doesn't
> >>> matter what you do with that port.
> >>>
> >>> >
> >>> > <remote>
> >>> >   <connection>syslog</connection>
> >>> >   <allowed-ips>192.168.152.138/27</allowed-ips>
> >>> >   <protocol>tcp</protocol>
> >>> >   <port>514</port>
> >>> > </remote>
> >>> >
> >>> > Thanks for all of you.
> >>> >
> >>> >
> >>> > Best Regards
> >>> >
> >>> > Iqbal Aroussi
> >>> > 514-627-0438
> >>> >
> >>> >
> >>> > On Mon, Mar 18, 2013 at 12:17 PM, dan (ddp) <[email protected]> wrote:
> >>> >>
> >>> >> On Mon, Mar 18, 2013 at 11:38 AM, Iqbal Aroussi <[email protected]> wrote:
> >>> >> > Hi everyone,
> >>> >> >
> >>> >> > I want to inform you that I'm really new to OSSEC and I have two
> >>> >> > questions actually.
> >>> >> >
> >>> >> > First:
> >>> >> > I configured the manager as a central syslog, I wanted to know if
> >>> >> > there is a way to encrypt traffic between agents and manager using
> >>> >> > TLS or SSL.
> >>> >> >
> >>> >>
> >>> >> You could probably use stunnel, but that seems like a hack. If you
> >>> >> want the traffic encrypted (although not with ssl/tls) use the secure
> >>> >> method instead of syslog.
> >>> >>
> >>> >> > Second:
> >>> >> > By default OSSEC archives the logs and compresses them using gzip,
> >>> >> > is it possible to use bzip2?
> >>> >> >
> >>> >>
> >>> >> Only if you modify the source.
> >>> >>
> >>> >> > Thanks a lot in advance for your help
> >>> >> >
> >>> >> > Best Regards
> >>> >> >
> >>> >> > Iqbal Aroussi
> >>> >> > 514-627-0438
> >>> >> >
> >>> >> > --
> >>> >> >
> >>> >> > ---
> >>> >> > You received this message because you are subscribed to the Google
> >>> >> > Groups "ossec-list" group.
> >>> >> > To unsubscribe from this group and stop receiving emails from it,
> >>> >> > send an email to [email protected].
> >>> >> > For more options, visit https://groups.google.com/groups/opt_out.
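
Added example (not part of the thread, and not a configuration any poster tested): a stunnel pair that would carry the TCP syslog stream to the manager-side listener on 127.0.0.1:10514 quoted above. The TLS port 6514, the sender-side port 5514, the host name and all file paths are assumptions.

```ini
; Added example. 10514 comes from the <remote> block in the thread;
; every other port, host name and path below is an assumed placeholder.

; ---------- stunnel.conf on the OSSEC manager (TLS server) ----------
[ossec-syslog-in]
; TLS port exposed to the sending hosts (assumed)
accept  = 0.0.0.0:6514
; hand the decrypted stream to the syslog <remote> listener
connect = 127.0.0.1:10514
; server certificate and private key (assumed paths)
cert    = /etc/stunnel/manager-cert.pem
key     = /etc/stunnel/manager-key.pem
; CA that issued the senders' certificates (assumed path)
CAfile  = /etc/stunnel/ca.pem
; require a client certificate that chains to CAfile
; (stunnel 5.x also accepts: verifyChain = yes)
verify  = 2

; ---------- stunnel.conf on each sending host (TLS client) ----------
[ossec-syslog-out]
client  = yes
; local cleartext port the syslog daemon forwards to over TCP (assumed)
accept  = 127.0.0.1:5514
; manager's TLS port (assumed host name)
connect = manager.example.org:6514
; this host's own certificate and key, presented to the manager
cert    = /etc/stunnel/sender-cert.pem
key     = /etc/stunnel/sender-key.pem
; verify the manager's certificate against the same CA
CAfile  = /etc/stunnel/ca.pem
verify  = 2
```

With this layout every connection reaches the manager-side listener from 127.0.0.1, so the `<allowed-ips>` entry no longer distinguishes senders. The client-certificate check in stunnel is what restricts who may submit logs.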
