Xavier,

I'm collecting logs from my ASA and I do see ICMP traffic in my 
firewall.log - 

2016 Jan 26 12:00:50 ossec->192.168.168.168 CLOSED ICMP 1.2.3.4:10254->external.addr:10254
2016 Jan 26 12:00:54 ossec->192.168.168.168 CLOSED ICMP 1.2.3.4:10510->external.addr:10510
2016 Jan 26 12:00:57 ossec->192.168.168.168 CLOSED ICMP 1.2.3.4:10766->external.addr:10766
2016 Jan 26 12:01:05 ossec->192.168.168.168 CLOSED ICMP 1.2.3.4:11278->external.addr:11278

I'm not sure what the issue might be.  

Also, thank you for the ossec2dshield script!!!  I heard about it on the 
Internet Storm Center Stormcast, but it might be worth plugging to the list 
here too :)

On Tuesday, January 26, 2016 at 1:08:12 AM UTC-8, Xavier Mertens wrote:
>
> I'm collecting firewall logs from many Ubuntu servers (basically the 
> /var/log/ufw.log).
> In this log, I can see events about TCP, UDP and ICMP traffic (allowed or 
> dropped).
> But, on my OSSEC server, in my firewall.log, I don't see any event related 
> to the ICMP protocol...
>
> /x
>
> On Sat, Jan 23, 2016 at 11:45 PM, Santiago Bassett <santiago...@gmail.com> wrote:
>
>> I am afraid I don't understand the problem or question, maybe if you 
>> explain it a little bit more we can help better.
>>
>> Best
>>
>> On Thu, Jan 21, 2016 at 7:56 AM, Xavier Mertens <xmer...@gmail.com> wrote:
>>
>>> Hi *,
>>>
>>> Maybe a stupid question but I'm investigating an issue and I've to 
>>> browse my history of firewall.log files. Problem: I find only TCP/UDP 
>>> events and nothing regarding ICMP packets?
>>>
>>> I tested via ossec-logstest and events are correctly parsed... 
>>>
>>> I never paid attention to this in the past... :-(
>>> Any idea?
>>>
>>> /x
>>>
>>> -- 
>>>
>>> --- 
>>> You received this message because you are subscribed to the Google 
>>> Groups "ossec-list" group.
>>> To unsubscribe from this group and stop receiving emails from it, send 
>>> an email to ossec-list+...@googlegroups.com <javascript:>.
>>> For more options, visit https://groups.google.com/d/optout.
>>>
>>
>>
>
>


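One way to check which log sources never contribute ICMP events to firewall.log, as an added example that is not part of the thread or of OSSEC itself. The line layout is inferred from the ASA lines quoted above; the `(web01) 10.0.0.5->/var/log/ufw.log` agent location, the sample data marked as constructed, and all function names are assumptions.

```python
import re
from collections import Counter, defaultdict

# Layout inferred from the firewall.log lines quoted in the thread:
#   <timestamp> <location> <action> <proto> <src>:<sport>-><dst>:<dport>
LINE_RE = re.compile(
    r"^(?P<ts>\d{4} \w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<location>.+?) (?P<action>[A-Z]+) (?P<proto>[A-Za-z0-9]+) "
    r"(?P<src>\S+?):(?P<sport>[^:\s>-]*)->(?P<dst>\S+?):(?P<dport>[^:\s]*)$"
)

def parse_line(line):
    """Return the fields of one firewall.log line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None

def protocol_matrix(lines):
    """Count events per (location, protocol); also return the unparsed line count."""
    matrix, unparsed = defaultdict(Counter), 0
    for line in lines:
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec is None:
            unparsed += 1  # surface lines the layout assumption does not cover
            continue
        matrix[rec["location"]][rec["proto"].upper()] += 1
    return matrix, unparsed

def locations_missing(matrix, proto):
    """Locations that logged firewall events but none for the given protocol."""
    return sorted(loc for loc, c in matrix.items() if c[proto.upper()] == 0)

# First two lines come from the thread; the web01 lines and the last line are constructed.
SAMPLE = """\
2016 Jan 26 12:00:50 ossec->192.168.168.168 CLOSED ICMP 1.2.3.4:10254->external.addr:10254
2016 Jan 26 12:00:54 ossec->192.168.168.168 CLOSED ICMP 1.2.3.4:10510->external.addr:10510
2016 Jan 26 12:01:10 (web01) 10.0.0.5->/var/log/ufw.log DROP TCP 203.0.113.7:51514->10.0.0.5:22
2016 Jan 26 12:01:12 (web01) 10.0.0.5->/var/log/ufw.log DROP UDP 203.0.113.9:5353->10.0.0.5:5353
this constructed line does not follow the layout
"""

if __name__ == "__main__":
    matrix, unparsed = protocol_matrix(SAMPLE.splitlines())
    for loc, counts in sorted(matrix.items()):
        print(loc, dict(counts))
    print("no ICMP from:", locations_missing(matrix, "ICMP"), "unparsed:", unparsed)
```

A location listed as missing ICMP while its raw source log does contain ICMP entries points at the decoding or logging path for that source rather than at the traffic itself.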