On Mon, Dec 16, 2013 at 8:39 AM, LulzSecurity
<[email protected]> wrote:
> hi guys,
> I have 2 VMs on an Internal Network with these IPs: 192.168.1.100
> (Server) | 192.168.1.101 (Windows Client).
> The server is Ubuntu 13.10, and the client is Windows 8.1 Enterprise;
> both are fully functional.
> My agent is installed and works properly when I get the status of my agent:
>>
>> $ ./agent_control -l
>>
>> OSSEC HIDS agent_control. List of available agents:
>>    ID: 000, Name: XXX (server), IP: 127.0.0.1, Active/Local
>>    ID: 004, Name: Windows8.1, IP: 192.168.1.101, Active
>
> Now I want to configure my Windows client to send all its data to the server
> for collection and parsing, and then send it to Elasticsearch for easy
> access and search.
> The problem is that I configured Windows and it is probably sending
> everything, but on my server it says:
>
>> 2013/12/15 16:42:23 ossec-csyslogd: DEBUG: Starting ...
>> 2013/12/15 16:42:23 ossec-csyslogd: INFO: Remote syslog server not
>> configured. Clean exit.
>

ossec-csyslogd shouldn't be used on an agent. It's for sending alerts,
not logs, to a syslog daemon.

If you want to send all of the agent's logs to elasticsearch, you will
have to use another application to do that. The OSSEC agent only sends
the data to the OSSEC server.

>
> I don't know what it means or what I should do...
>
> The Windows logs are below:
>
> 2013/12/15 04:17:47 ossec-agent: INFO: Real time file monitoring started.
> 2013/12/15 04:17:47 ossec-agent: INFO: Finished creating syscheck database
> (pre-scan completed).
> 2013/12/15 04:17:57 ossec-agent: INFO: Ending syscheck scan (forwarding
> database).
> 2013/12/15 04:18:17 ossec-agent: INFO: Starting rootcheck scan.
> 2013/12/15 04:18:22 ossec-agent: INFO: Ending rootcheck scan.
> 2013/12/15 04:25:30 ossec-agent Sending keep alive message....
> 2013/12/15 04:34:13 ossec-agent Sending keep alive message....
> 2013/12/15 04:38:35 ossec-agent More than 600 seconds without server
> response...sending win32info
> 2013/12/15 04:38:35 ossec-agent Sending keep alive message....
> 2013/12/15 04:38:36 ossec-agent Sending keep alive message....
> 2013/12/15 04:47:20 ossec-agent Sending keep alive message....
> 2013/12/15 04:56:04 ossec-agent Sending keep alive message....
> 2013/12/15 05:04:47 ossec-agent Sending keep alive message....
> 2013/12/15 05:09:09 ossec-agent More than 600 seconds without server
> response...sending win32info
> 2013/12/15 05:09:09 ossec-agent Sending keep alive message....
> 2013/12/15 05:09:10 ossec-agent Sending keep alive message....
> 2013/12/15 05:17:55 ossec-agent Sending keep alive message....
> 2013/12/15 05:26:39 ossec-agent Sending keep alive message....
>
> It seems that it's working properly... I then restarted the agent and
> here is the rest:
>
> 2013/12/15 05:33:23 ossec-agent: INFO: Started (pid: 11376).
> 2013/12/15 05:33:24 ossec-agent(4102): INFO: Connected to the server
> (192.168.1.100:1514).
> 2013/12/15 05:33:24 ossec-agent Sending keep alive message....
> 2013/12/15 05:33:24 ossec-agent(1951): INFO: Analyzing event log:
> 'Application'.
> 2013/12/15 05:33:24 ossec-agent(1951): INFO: Analyzing event log:
> 'Security'.
> 2013/12/15 05:33:24 ossec-agent(1951): INFO: Analyzing event log: 'System'.
> 2013/12/15 05:33:24 ossec-agent: INFO: Started (pid: 11376).
>
> This is how I configured it to connect to the server for LOGS:
>
>> <ossec_config>
>> <syslog_output>
>> <server>192.168.1.100</server>
>> <port>514</port>
>> <format>cef</format>
>> </syslog_output>
>> </ossec_config>
>

This is for client syslog (ossec-csyslogd), and does not belong on an
agent system. If you want to use syslog instead of OSSEC's secure log
transport, install a syslog daemon on the agent.

>
> And this is the config log on my server, which I'm almost sure is wrong, but I
> really don't know what I have to do anymore:
>
>>
>> <ossec_config>
>>     <remote>
>>         <connection>syslog</connection>
>>         <port>514</port>
>>         <protocol>udp</protocol>
>>     </remote>
>> </ossec_config>
>

This is ossec-remoted configuration, not client syslog (ossec-csyslogd).

> I don't understand the concept here, whether I should use Local or Server
> settings for the collector server.
>
> My ossec status is:
>>
>> $ ./ossec-control status
>> ossec-monitord is running...
>> ossec-logcollector is running...
>> ossec-remoted is running...
>> ossec-syscheckd is running...
>> ossec-analysisd is running...
>> ossec-maild not running...
>> ossec-execd is running...
>> ossec-csyslogd not running...
>
> which shows that my logging program is not working, which is why I'm here. If
> you need any more information let me know, I'm really desperate... I would
> appreciate it if you share your thoughts.
> Thanks
>

I think you need to break this down into separate problems:
1. Agent <> server communication - Is the OSSEC server receiving the
logs from the agent? Is it alerting properly?
2. ??? -> elastic search - What do you want going to EL? What do you
need to accomplish this?

> --
>
> ---
> You received this message because you are subscribed to the Google Groups
> "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to [email protected].
> For more options, visit https://groups.google.com/groups/opt_out.
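To make the split between the two problems concrete, here is an added example (not the poster's config and not from the reply) of the server-side /var/ossec/etc/ossec.conf that keeps the agent listener (ossec-remoted, the 1514 port the Windows agent's log shows it connecting to) apart from the alert forwarder (ossec-csyslogd). The syslog collector address and port 5514 are assumptions standing in for a Logstash or similar syslog input in front of Elasticsearch.

```xml
<!-- Server-side /var/ossec/etc/ossec.conf (added example, not the thread's
     own config). 192.168.1.100 is the server IP from the thread; the collector
     on port 5514 is an assumed Logstash/syslog receiver. -->
<ossec_config>
  <global>
    <!-- Problem 1 check (agent -> server): with logall enabled, every event
         received from agents is written to logs/archives/archives.log. If
         Windows8.1 events show up there, transport works and any missing
         alerts are a rules/level question, not a connectivity one. -->
    <logall>yes</logall>
  </global>

  <!-- ossec-remoted: the listener OSSEC agents talk to. Agents use the
       "secure" (encrypted, authenticated) connection, which is what the
       Windows agent reported as "Connected to the server (192.168.1.100:1514)".
       A <connection>syslog</connection> block only accepts plain syslog
       senders; it does not replace this one. -->
  <remote>
    <connection>secure</connection>
    <port>1514</port>
    <protocol>udp</protocol>
  </remote>

  <!-- ossec-csyslogd: forwards ALERTS (not raw logs) from the server to a
       syslog receiver. On an agent this block is ignored, which is why the
       Windows box logged "Remote syslog server not configured". -->
  <syslog_output>
    <server>192.168.1.100</server>  <!-- assumed collector address -->
    <port>5514</port>               <!-- assumed collector port -->
    <format>cef</format>
    <level>3</level>                <!-- forward alerts of level 3 and above -->
  </syslog_output>
</ossec_config>
```

csyslogd is disabled by default, which matches the "ossec-csyslogd not running..." line in the status output above; it has to be enabled with `/var/ossec/bin/ossec-control enable client-syslog` and the server restarted before the `<syslog_output>` block takes effect.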
