On Tue, Mar 14, 2017 at 3:37 PM, <[email protected]> wrote:
> Hello, yes:
>
> root@xxxxxx:/var/log# netstat -tuna | grep 514
> tcp        0      0 0.0.0.0:514             0.0.0.0:*
> udp        0      0 0.0.0.0:514             0.0.0.0:*
>

Adding -p to that could tell you the process using that port:
`netstat -ptuna | grep 514`
Is this securityonion? They may have syslog-ng already listening to the network.

> <remote>
>   <connection>syslog</connection>
>   <allowed-ips>161.182.xxx.xxx</allowed-ips>
>   <allowed-ips>161.182.xxx.xxx</allowed-ips>
> </remote>
>
>
> On Tuesday, March 14, 2017 at 1:48:17 PM UTC-4, jose wrote:
>>
>> Hi, can you verify if the port is open?
>>
>> [root@wazuh-manager /]# netstat -tuna | grep 514
>> udp        0      0 0.0.0.0:514             0.0.0.0:*
>>
>> The symantec ip is allowed in ossec.conf, right?
>>
>> Regards
>> -----------------------
>> Jose Luis Ruiz
>> Wazuh Inc.
>> [email protected]
>>
>> On March 14, 2017 at 12:44:07 PM, [email protected] ([email protected]) wrote:
>>
>> It's very strange... I have already enabled syslog over 514 from our
>> symantec server to the OSSEC server, and I see the logs coming into our
>> ELSA instance, but I have grep'd our syslog files, OSSEC archive and OSSEC
>> alerts files and do not see the log anywhere on the server... Where should
>> these logs be written when being sent to the server? I've checked all
>> gzipped files in /var/log/ as well as all files in /var/ossec/logs/archive/
>> and /var/ossec/logs/alerts/

`/var/ossec/logs/archives/archives.log` only contains entries if you enable the logall option in the ossec.conf. I'm not sure if it records messages sent to the syslog remoted stuff. I just haven't tested it.

>> On Tuesday, March 14, 2017 at 11:44:36 AM UTC-4, jose wrote:
>>>
>>> Hello,
>>>
>>> In order to permit OSSEC to receive your Symantec syslog messages, you need
>>> to enable this in the configuration:
>>>
>>> Listen on port 514:
>>>
>>> <ossec_config>
>>>   <remote>
>>>     <connection>syslog</connection>
>>>     <allowed-ips>Symantec AV ip</allowed-ips>
>>>   </remote>
>>> </ossec_config>
>>>
>>> then you need to restart ossec:
>>>
>>> /var/ossec/bin/ossec-control restart
>>>
>>> If after these changes you are still not receiving alerts, enable logall
>>> in ossec.conf (<logall>yes</logall>) and take a look at the file
>>> "/var/ossec/logs/archives/archives.log". If the logs are in this file, but
>>> not in your alerts, probably the decoders or rules have something wrong.
>>>
>>> Regards
>>> -----------------------
>>> Jose Luis Ruiz
>>> Wazuh Inc.
>>> [email protected]
>>>
>>> On March 14, 2017 at 10:57:55 AM, [email protected] ([email protected]) wrote:
>>>
>>> Hello All,
>>>
>>> I have pointed my Symantec AV logs to our OSSEC server via syslog over
>>> port 514. I am seeing the logs come into ELSA, but not as OSSEC alerts. I
>>> have created a custom decoder and parser, and can confirm that it is
>>> working:
>>>
>>> **Phase 2: Completed decoding.
>>>        decoder: 'Symantec'
>>>
>>> **Phase 3: Completed filtering (rules).
>>>        Rule id: '100006'
>>>        Level: '7'
>>>        Description: 'Symantec: virus found'
>>> **Alert to be generated.
>>>
>>> Do I need to point OSSEC to monitor the incoming syslog so that it can
>>> alert on it? Again, I am seeing the straight syslog coming into ELSA, but no
>>> OSSEC alert appears to be generated.
>>>
>>> Thanks

--
---
You received this message because you are subscribed to the Google Groups "ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
For more options, visit https://groups.google.com/d/optout.
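As an added example (not from the thread or from OSSEC itself), a small Python check for the two things the replies above ask about: whether the `<remote>` syslog block in ossec.conf allows the sending host, and which process actually owns port 514 in `netstat -ptuna` output. The config fragment, the netstat lines, the IPs, the PID and the process names are all constructed placeholders.

```python
import ipaddress
import re
import xml.etree.ElementTree as ET

# Constructed ossec.conf fragment (placeholder values). Real files often hold
# several <ossec_config> blocks, which is not well-formed XML on its own.
OSSEC_CONF = """<ossec_config>
  <global><logall>yes</logall></global>
</ossec_config>
<ossec_config>
  <remote>
    <connection>syslog</connection>
    <allowed-ips>161.182.10.0/24</allowed-ips>
  </remote>
</ossec_config>
"""

# Constructed `netstat -ptuna | grep 514` output; PID and names are placeholders.
NETSTAT = """tcp   0  0 0.0.0.0:514  0.0.0.0:*  LISTEN  1234/syslog-ng
udp   0  0 0.0.0.0:514  0.0.0.0:*          1234/syslog-ng
"""


def syslog_remote_allows(conf_text, sender_ip):
    """True if a <remote> with <connection>syslog</connection> lists the sender
    (as a plain IP or a CIDR that contains it) in <allowed-ips>."""
    root = ET.fromstring("<root>" + conf_text + "</root>")  # synthetic root
    sender = ipaddress.ip_address(sender_ip)
    for remote in root.iter("remote"):
        if remote.findtext("connection", "").strip() != "syslog":
            continue
        for allowed in remote.findall("allowed-ips"):
            if sender in ipaddress.ip_network(allowed.text.strip(), strict=False):
                return True
    return False


def port_owners(netstat_text, port=514):
    """Map protocol -> process name for every socket bound to the given port,
    so a clash with a pre-existing syslog daemon is visible at a glance."""
    owners = {}
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) < 4 or not fields[3].endswith(":%d" % port):
            continue
        match = re.search(r"\b\d+/(\S+)$", line)  # trailing PID/Program name
        owners[fields[0]] = match.group(1) if match else "unknown"
    return owners
```

A sender that is allowed while 514 belongs to syslog-ng points at the port clash the reply above suspects rather than at the decoder; with -p omitted the owner column is absent and `port_owners` reports "unknown".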
