On Mon, Mar 27, 2017 at 11:25 AM, <[email protected]> wrote:
> Hi All,
>
> So I am currently still troubleshooting, but noticed that the syslog-ng
> process was listening on 514 TCP, but also had an entry for 514 UDP, which
> is the protocol I've set within my ossec.conf. Could this be part of the
> issue? My guess is that I only want 514 udp listening.
>

Yes, if syslog-ng is utilizing the port, ossec-remoted will not be able to use it.

> On Thursday, March 16, 2017 at 3:30:46 PM UTC-4, dan (ddpbsd) wrote:
>>
>> On Thu, Mar 16, 2017 at 11:33 AM, <[email protected]> wrote:
>> > Here is the output:
>> >
>> > udp 0 0 0.0.0.0:514 0.0.0.0:* 21090/syslog-ng
>> >
>>
>> So syslog-ng is listening for incoming messages.
>> You'll have to figure out what syslog-ng is doing with the log messages.
>>
>> > This is the only instance...
>> >
>> > On Wednesday, March 15, 2017 at 2:41:58 PM UTC-4, dan (ddpbsd) wrote:
>> >>
>> >> On Tue, Mar 14, 2017 at 3:37 PM, <[email protected]> wrote:
>> >> > Hello, yes:
>> >> >
>> >> > root@xxxxxx:/var/log# netstat -tuna | grep 514
>> >> > tcp 0 0 0.0.0.0:514 0.0.0.0:*
>> >> > udp 0 0 0.0.0.0:514 0.0.0.0:*
>> >> >
>> >>
>> >> Adding -p to that could tell you the process using that port.
>> >> `netstat -ptuna | grep 514`
>> >>
>> >> Is this securityonion? They may have syslog-ng already listening to the
>> >> network.
>> >>
>> >> > <remote>
>> >> > <connection>syslog</connection>
>> >> > <allowed-ips>161.182.xxx.xxx</allowed-ips>
>> >> > <allowed-ips>161.182.xxx.xxx</allowed-ips>
>> >> > </remote>
>> >> >
>> >> > On Tuesday, March 14, 2017 at 1:48:17 PM UTC-4, jose wrote:
>> >> >>
>> >> >> Hi, can you verify if the port is open?
>> >> >>
>> >> >> [root@wazuh-manager /]# netstat -tuna | grep 514
>> >> >> udp 0 0 0.0.0.0:514 0.0.0.0:*
>> >> >>
>> >> >> The Symantec IP is allowed in ossec.conf, right?
>> >> >>
>> >> >> Regards
>> >> >> -----------------------
>> >> >> Jose Luis Ruiz
>> >> >> Wazuh Inc.
>> >> >> [email protected]
>> >> >>
>> >> >> On March 14, 2017 at 12:44:07 PM, [email protected]
>> >> >> ([email protected]) wrote:
>> >> >>
>> >> >> It's very strange... I have already enabled syslog over 514 from our
>> >> >> Symantec server to the OSSEC server, and I see the logs coming into our
>> >> >> ELSA instance, but I have grep'd our syslog files, OSSEC archive and
>> >> >> OSSEC alerts files and do not see the log anywhere on the server...
>> >> >> Where should these logs be written when being sent to the server? I've
>> >> >> checked all gzipped files in /var/log/ as well as all files in
>> >> >> /var/ossec/logs/archive/ and /var/ossec/logs/alerts/
>> >> >>
>> >>
>> >> `/var/ossec/logs/archives/archives.log` only contains entries if you
>> >> enable the logall option in the ossec.conf.
>> >> I'm not sure if it records messages sent to the syslog remoted stuff.
>> >> I just haven't tested it.
>> >>
>> >> >> On Tuesday, March 14, 2017 at 11:44:36 AM UTC-4, jose wrote:
>> >> >>>
>> >> >>> Hello,
>> >> >>>
>> >> >>> In order to permit OSSEC to receive your Symantec syslog messages, you
>> >> >>> need to enable this in the configuration:
>> >> >>>
>> >> >>> Listen on port 514:
>> >> >>>
>> >> >>> <ossec_config>
>> >> >>> <remote>
>> >> >>> <connection>syslog</connection>
>> >> >>> <allowed-ips>Symantec AV ip</allowed-ips>
>> >> >>> </remote>
>> >> >>> </ossec_config>
>> >> >>>
>> >> >>> then you need to restart ossec:
>> >> >>>
>> >> >>> /var/ossec/bin/ossec-control restart
>> >> >>>
>> >> >>> If after these changes you are still not receiving alerts, enable logall
>> >> >>> in ossec.conf <logall> yes </logall> and take a look in the file
>> >> >>> "/var/ossec/logs/archives/archives.log". If the logs are in this file,
>> >> >>> but not in your alerts, probably the decoders or rules have something
>> >> >>> wrong.
>> >> >>>
>> >> >>> Regards
>> >> >>> -----------------------
>> >> >>> Jose Luis Ruiz
>> >> >>> Wazuh Inc.
>> >> >>> [email protected]
>> >> >>>
>> >> >>> On March 14, 2017 at 10:57:55 AM, [email protected]
>> >> >>> ([email protected]) wrote:
>> >> >>>
>> >> >>> Hello All,
>> >> >>>
>> >> >>> I have pointed my Symantec AV logs to our OSSEC server via syslog over
>> >> >>> port 514. I am seeing the logs come into ELSA, but not as OSSEC alerts.
>> >> >>> I have created a custom decoder and parser, and can confirm that it is
>> >> >>> working:
>> >> >>>
>> >> >>> **Phase 2: Completed decoding.
>> >> >>> decoder: 'Symantec'
>> >> >>>
>> >> >>> **Phase 3: Completed filtering (rules).
>> >> >>> Rule id: '100006'
>> >> >>> Level: '7'
>> >> >>> Description: 'Symantec: virus found'
>> >> >>> **Alert to be generated.
>> >> >>>
>> >> >>> Do I need to point OSSEC to monitor the incoming syslog so that it can
>> >> >>> alert on it? Again, I am seeing the straight syslog coming into ELSA,
>> >> >>> but no OSSEC alert appears to be generated.
>> >> >>>
>> >> >>> Thanks
>> >> >>> --
>> >> >>>
>> >> >>> ---
>> >> >>> You received this message because you are subscribed to the Google
>> >> >>> Groups "ossec-list" group.
>> >> >>> To unsubscribe from this group and stop receiving emails from it, send
>> >> >>> an email to [email protected].
>> >> >>> For more options, visit https://groups.google.com/d/optout.
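The root cause in this thread is a port collision: ossec-remoted with `<connection>syslog</connection>` wants UDP/514, but syslog-ng already holds it, so remoted can never bind and nothing reaches the decoders. The script below is an added example (not from the thread, not OSSEC's or Wazuh's own code) that turns the `netstat -ptuna | grep 514` check into a repeatable test: it reads netstat output on stdin, reports which PID/program owns the UDP port, and distinguishes "free", "already ossec-remoted", "held by another daemon" and "owner unknown because you are not root". The netstat sample embedded in it is constructed to mirror what was posted (syslog-ng on 514 TCP and UDP, ossec-remoted on its agent port 1514); the PIDs and the default port 1514 are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: find out who owns UDP/514 before
# expecting ossec-remoted to receive syslog on it. Feed it the output of
# `netstat -ptuna` (run as root, otherwise the PID/Program column shows "-").

# Constructed sample mirroring the thread: syslog-ng holds 514 on both TCP
# and UDP; ossec-remoted is on the (assumed) default agent port 1514.
SAMPLE_NETSTAT='Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:514             0.0.0.0:*               LISTEN      21090/syslog-ng
udp        0      0 0.0.0.0:514             0.0.0.0:*                           21090/syslog-ng
udp        0      0 0.0.0.0:1514            0.0.0.0:*                           4321/ossec-remoted'

# udp_owner PORT   (reads netstat output on stdin)
# Prints the PID/Program of the first UDP (or UDP6) socket bound to PORT on
# any local address (0.0.0.0:514, 127.0.0.1:514 and :::514 all match).
# Prints nothing when no UDP socket is bound to PORT.
udp_owner() {
    awk -v port="$1" '
        $1 ~ /^udp/ {
            n = split($4, a, ":")        # last ":"-separated piece is the port
            if (a[n] == port) { print $NF; exit }
        }'
}

# check_remoted_port PORT   (reads netstat output on stdin)
# Exit status: 0 = free, 1 = already held by ossec-remoted,
#              2 = held by another daemon (remoted will fail to bind),
#              3 = in use but owner unknown (rerun netstat as root).
check_remoted_port() {
    port="$1"
    owner=$(udp_owner "$port")
    case "$owner" in
        "")              echo "udp/$port is free";                                   return 0 ;;
        */ossec-remoted) echo "udp/$port is held by ossec-remoted ($owner)";          return 1 ;;
        -)               echo "udp/$port is in use but the owner is unknown; rerun as root"; return 3 ;;
        *)               echo "udp/$port is held by $owner; ossec-remoted cannot bind it"; return 2 ;;
    esac
}

# Stand-alone demo on the constructed sample. On a real manager run:
#   netstat -ptuna | check_remoted_port 514
printf '%s\n' "$SAMPLE_NETSTAT" | check_remoted_port 514 || :
printf '%s\n' "$SAMPLE_NETSTAT" | check_remoted_port 1514 || :
```

If the result is exit status 2, either remove the udp(514) source from the syslog-ng configuration (or leave syslog-ng in place and have it forward to OSSEC some other way) or point OSSEC's `<remote>` block at a different port with `<port>`; only one process can own a UDP port, so re-running `ossec-control restart` alone will not change the outcome. On systems without netstat, `ss -ulpn` gives the same information but with the local address in a different column, so the awk field index would need adjusting.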
