Hi Brent, I think that I found the problem! Here is a sample of my ossec-logtest output:

    **Phase 2: Completed decoding.
           decoder: 'iptables'
           action: 'AUDIT'
           srcip: '92.222.185.1'
           dstip: '51.254.36.238'
           proto: 'ICMP'

But, while diving into the source code (in analysisd/alert/log.c):

    /* FW_Log: v0.1, 2005/12/30 */
    int FW_Log(Eventinfo *lf)
    {
        /* If we don't have the srcip or the
         * action, there is no point in going
         * forward over here
         */
        if(!lf->action || !lf->srcip || !lf->dstip ||
           !lf->srcport || !lf->dstport || !lf->protocol)
        {
            return(0);
        }

I don't have srcport & dstport filled in so no log! I think I'll patch the code and I'm wondering why your ASA firewall provides ports!?

About ossec2dshield, I wrote this tool a long time ago to share my logs with DShield.org. Ping me if you want details!

/x

On Tue, Jan 26, 2016 at 9:05 PM, Brent Morris <brent.mor...@gmail.com> wrote:
> Xavier,
>
> I'm collecting logs from my ASA and I do see ICMP traffic in my firewall.log -
>
> 2016 Jan 26 12:00:50 ossec->192.168.168.168 CLOSED ICMP 1.2.3.4:10254->external.addr:10254
> 2016 Jan 26 12:00:54 ossec->192.168.168.168 CLOSED ICMP 1.2.3.4:10510->external.addr:10510
> 2016 Jan 26 12:00:57 ossec->192.168.168.168 CLOSED ICMP 1.2.3.4:10766->external.addr:10766
> 2016 Jan 26 12:01:05 ossec->192.168.168.168 CLOSED ICMP 1.2.3.4:11278->external.addr:11278
>
> I'm not sure what the issue might be.
>
> Also, thank you for the ossec2dshield script!!! I heard about it on the Internet Storm Center Stormcast, but it might be worth plugging to the list here too :)
>
> On Tuesday, January 26, 2016 at 1:08:12 AM UTC-8, Xavier Mertens wrote:
>>
>> I'm collecting firewall logs from many Ubuntu servers (basically the /var/log/ufw.log).
>> In this log, I can see events about TCP, UDP and ICMP traffic (allowed or dropped).
>> But, on my OSSEC server, in my firewall.log, I don't see any event related to the ICMP protocol...
>>
>> /x
>>
>> On Sat, Jan 23, 2016 at 11:45 PM, Santiago Bassett <santiago...@gmail.com> wrote:
>>
>>> I am afraid I don't understand the problem or question, maybe if you explain it a little bit more we can help better.
>>>
>>> Best
>>>
>>> On Thu, Jan 21, 2016 at 7:56 AM, Xavier Mertens <xmer...@gmail.com> wrote:
>>>
>>>> Hi *,
>>>>
>>>> Maybe a stupid question but I'm investigating an issue and I've to browse my history of firewall.log files. Problem: I find only TCP/UDP events and nothing regarding ICMP packets?
>>>>
>>>> I tested via ossec-logtest and events are correctly parsed...
>>>>
>>>> I never paid attention to this in the past... :-(
>>>> Any idea?
>>>>
>>>> /x
>>>>
>>>> --
>>>>
>>>> ---
>>>> You received this message because you are subscribed to the Google Groups "ossec-list" group.
>>>> To unsubscribe from this group and stop receiving emails from it, send an email to ossec-list+...@googlegroups.com.
>>>> For more options, visit https://groups.google.com/d/optout.
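The gate Xavier quotes from FW_Log, modelled beside a protocol-aware variant, as an added example that is not OSSEC's code and not a patch from this thread. The `FwEvent` struct is a reduced stand-in for OSSEC's `Eventinfo` (only the six fields the check reads), `fw_log_patched_accepts` is one assumed shape the patch Xavier mentions could take, and the sample batch is constructed: the ICMP event from his ossec-logtest output, a TCP event, an ASA-style ICMP event whose decoder filled the ICMP id into the port fields (which is why Brent's ASA lines pass the original gate), and a malformed event with no srcip.

```c
#include <stdio.h>
#include <strings.h>   /* strcasecmp (POSIX) */

/* Reduced stand-in for OSSEC's Eventinfo (assumption: only the fields the
 * quoted FW_Log check reads; the real struct carries many more). */
typedef struct {
    const char *action;
    const char *srcip;
    const char *dstip;
    const char *srcport;
    const char *dstport;
    const char *protocol;
} FwEvent;

/* The gate as quoted from analysisd/alert/log.c: every field must be set,
 * so an ICMP event decoded without ports is silently dropped and never
 * reaches firewall.log (nor anything fed from it, such as ossec2dshield). */
int fw_log_original_accepts(const FwEvent *lf)
{
    if (!lf->action || !lf->srcip || !lf->dstip ||
        !lf->srcport || !lf->dstport || !lf->protocol) {
        return 0;
    }
    return 1;
}

/* Assumed patch shape (not OSSEC's actual fix): ports are mandatory only
 * for TCP and UDP; port-less protocols such as ICMP still need action,
 * both addresses and the protocol name. */
static int proto_uses_ports(const char *proto)
{
    return strcasecmp(proto, "TCP") == 0 || strcasecmp(proto, "UDP") == 0;
}

int fw_log_patched_accepts(const FwEvent *lf)
{
    if (!lf->action || !lf->srcip || !lf->dstip || !lf->protocol) {
        return 0;
    }
    if (proto_uses_ports(lf->protocol) && (!lf->srcport || !lf->dstport)) {
        return 0;
    }
    return 1;
}

/* Counts how many decoded events a given gate would write to firewall.log;
 * the difference between the two gates is the ICMP visibility gap. */
int count_accepted(const FwEvent *events, int n, int (*gate)(const FwEvent *))
{
    int kept = 0;
    for (int i = 0; i < n; i++) {
        if (gate(&events[i])) {
            kept++;
        }
    }
    return kept;
}

/* Constructed sample batch (values taken from the thread where available;
 * 203.0.113.10 is a documentation address standing in for "external.addr"). */
static const FwEvent sample_events[] = {
    { "AUDIT",  "92.222.185.1", "51.254.36.238", NULL,    NULL,    "ICMP" }, /* ufw ICMP, no ports */
    { "DROP",   "10.0.0.5",     "10.0.0.9",      "51234", "22",    "TCP"  }, /* normal TCP event   */
    { "CLOSED", "1.2.3.4",      "203.0.113.10",  "10254", "10254", "ICMP" }, /* ASA ICMP with id   */
    { "DROP",   NULL,           "10.0.0.9",      "1111",  "53",    "UDP"  }, /* malformed: no srcip */
};
static const int sample_count = (int)(sizeof sample_events / sizeof sample_events[0]);

int count_original(void)
{
    return count_accepted(sample_events, sample_count, fw_log_original_accepts);
}

int count_patched(void)
{
    return count_accepted(sample_events, sample_count, fw_log_patched_accepts);
}

int main(void)
{
    printf("original gate writes %d of %d events\n", count_original(), sample_count);
    printf("patched gate writes  %d of %d events\n", count_patched(), sample_count);
    return 0;
}
```

Run as is, the original gate writes 2 of the 4 events and the patched gate 3: the ufw ICMP event is the one that differs, while the malformed event is rejected by both. The practical point for anyone relying on firewall.log is that the loss is silent; ossec-logtest shows the event fully decoded, so the only way to notice the gap is to compare protocol counts between the source log and firewall.log.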