I must be missing something. OSSEC accepts messages from my pfSense firewall via remote logging (514 UDP). I know it works because OSSEC is processing some of them. For example, if I try to log into the firewall with the wrong SSH password, I get a warning.
The firewall sends logs related to what was blocked or permitted by the firewall, for example:

    Oct 11 08:57:43 pf: 192.168.2.68 > 217.212.238.124.3478: UDP, length 33

If I send this message through the rules tester (ossec-logtest), I have a test rule that is to fire if it sees "pf", and it works. But when this packet is received by OSSEC on 514, nothing happens. It is not logged (logall is set to true), there is no warning, nothing.

I tried forwarding all messages from the server to the OSSEC server's syslog folder (I turned off syslog's remote listener); the logs all came into the server's local syslog as I expected. OSSEC would parse the syslog file and pick up all entries except the pf: log entries from the firewall.

I tried creating a decoder that would capture everything (clearly I am not in full production yet):

    <decoder name="testme">
      <regex>\.+</regex>
    </decoder>

then created a custom rule that looked for anything decoded with the testme decoder (which was everything). This of course caught all kinds of stuff but still ignored my pf logs.

I turned on debugging and read through the logs. Again there is no mention of the pf logs at all -- it is like they are invisible to OSSEC.

I tried to install the client on the pfSense firewall too, but it will not start (I will save that for another e-mail). After that I am completely at a loss. I get messages about other firewall events on other Linux computers that are kernel packet filters (Ubuntu), but nothing I do will parse the pf logs from my pfSense firewall.

What am I doing wrong? Is there a setting somewhere that I don't know about?

I am using the latest stable version of OSSEC, 2.7; it is installed on an Ubuntu 12.04 LTS server. It is a single-purpose server; nothing else is installed. Any help would be great! Let me know if I can provide more useful information.

--Robert C

--
---
You received this message because you are subscribed to the Google Groups "ossec-list" group.
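As an added example (not part of the post, and not OSSEC's own decoder code), the following Python reproduces what a decoder for the quoted pf line has to do: match the syslog program name "pf", then split the tcpdump-style address tokens, where the port rides on the address as a fifth dotted component (217.212.238.124.3478 is host 217.212.238.124, port 3478). The sample lines are constructed to match the format quoted above; the sshd line is included only to show a pf-only decoder ignoring unrelated messages.

```python
import re
from typing import Optional, Tuple

# Constructed sample input, shaped like the pf line quoted in the post,
# plus one non-pf syslog line to show the program-name filter at work.
SAMPLE_LINES = [
    "Oct 11 08:57:43 pf: 192.168.2.68 > 217.212.238.124.3478: UDP, length 33",
    "Oct 11 08:57:44 pf: 192.168.2.68.51234 > 8.8.8.8.53: UDP, length 41",
    "Oct 11 08:57:45 sshd[1234]: Failed password for root from 10.0.0.5 port 2222 ssh2",
]

# Generic BSD-syslog header: timestamp, program name, optional [pid], message.
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) "
    r"(?P<prog>[\w.-]+)(?:\[\d+\])?: (?P<msg>.*)$"
)
# pf body as quoted in the post: "<src> > <dst>: <PROTO>, length <n>".
PF_RE = re.compile(
    r"^(?P<src>\S+) > (?P<dst>\S+): (?P<proto>[A-Za-z]+), length (?P<len>\d+)$"
)


def split_host_port(token: str) -> Tuple[str, Optional[int]]:
    """'217.212.238.124.3478' -> ('217.212.238.124', 3478); a bare IPv4
    address has no port and yields None."""
    parts = token.split(".")
    if all(p.isdigit() for p in parts) and len(parts) == 5:
        return ".".join(parts[:4]), int(parts[4])
    if all(p.isdigit() for p in parts) and len(parts) == 4:
        return token, None
    raise ValueError(f"unexpected address token: {token!r}")


def parse_pf_line(line: str) -> Optional[dict]:
    """Decode one syslog line; None when the program is not 'pf' or the
    body does not have the quoted pf shape."""
    head = SYSLOG_RE.match(line)
    if not head or head.group("prog") != "pf":
        return None
    body = PF_RE.match(head.group("msg"))
    if not body:
        return None
    srcip, srcport = split_host_port(body.group("src"))
    dstip, dstport = split_host_port(body.group("dst"))
    return {
        "timestamp": head.group("ts"), "program": "pf",
        "srcip": srcip, "srcport": srcport, "dstip": dstip, "dstport": dstport,
        "protocol": body.group("proto"), "length": int(body.group("len")),
    }
```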
