I believe I have found the issues using strace to find out what ossec-remoted was doing. I found:
1. Not sure why, but on the Virtual Appliance the "ossec" group did not have write permissions to /var/ossec/logs, so ossec-remoted (which runs under user "ossecr") could not write anything.
2. After getting the error logged to ossec.log, I found that I had simply entered the "allowed IP" incorrectly and so it was being blocked.

So as long as OSSEC's own logging works, it's relatively simple to figure out the problem.

On Friday, 8 November 2019 01:40:09 UTC-8, Mike wrote:
>
> Hello,
>
> I am new to OSSEC so bear with me. I have set up OSSEC using the VirtualBox
> appliance and everything seemed to run nicely out of the box except...
> I am trying to set up OSSEC to monitor a syslog from a firewall but I don't
> see any references to those syslog entries. I have done the following:
>
> 1. On the firewall, told it to send syslog files to the static IP of the OSSEC server
> 2. On the OSSEC server's ossec.conf added a <remote> section with a <connection>syslog</connection> and specified the allowed_ip
> 3. Also in the ossec.conf, set logall to yes
> 4. Tested incoming connection using tcpdump -A port 514 and I can see syslog-like entries coming in
> 5. Because the format is not quite standard syslog, I created a custom decoder and tested it using ossec-logtest.
>
> Despite all of these steps (and restarting the service using "ossec-control restart" multiple times) I still do not see any of the remote syslog entries in the archive.log.
>
> Am I missing something obvious to make this work?
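The two causes found above (the "ossec" group lacking write access to /var/ossec/logs, and a mistyped allowed address in the `<remote>` block) can both be checked before reading strace output. The script below is an added example and is not part of the thread or of OSSEC itself; it uses OSSEC's real `<remote>`, `<connection>` and `<allowed-ips>` element names, but the sample config, the addresses and the scratch directory are constructed for the demo. On a real host you would read /var/ossec/etc/ossec.conf and pass /var/ossec/logs.

```python
import ipaddress
import os
import re
import stat
import tempfile
import xml.etree.ElementTree as ET

# Constructed sample of the relevant parts of /var/ossec/etc/ossec.conf.
# The element names are OSSEC's own; the addresses are made up for this example.
SAMPLE_CONF = """<ossec_config>
  <remote>
    <connection>syslog</connection>
    <port>514</port>
    <protocol>udp</protocol>
    <allowed-ips>192.168.10.0/24</allowed-ips>
    <allowed-ips>10.0.0.5</allowed-ips>
  </remote>
</ossec_config>
<ossec_config>
  <global>
    <logall>yes</logall>
  </global>
</ossec_config>"""


def parse_ossec_conf(text):
    """ossec.conf may contain several top-level <ossec_config> blocks, which is not
    well-formed XML, so strip any XML declaration and wrap the file in a synthetic root."""
    text = re.sub(r"^\s*<\?xml[^>]*\?>", "", text)
    return ET.fromstring("<root>" + text + "</root>")


def syslog_allowed_networks(conf_text):
    """Return the networks listed in <allowed-ips> of every syslog <remote> block."""
    root = parse_ossec_conf(conf_text)
    nets = []
    for remote in root.iter("remote"):
        if (remote.findtext("connection") or "").strip() != "syslog":
            continue
        for el in remote.findall("allowed-ips"):
            # Accepts "10.0.0.5", "192.168.10.0/24" and "192.168.10.0/255.255.255.0"
            nets.append(ipaddress.ip_network(el.text.strip(), strict=False))
    return nets


def sender_allowed(conf_text, sender_ip):
    """True if the firewall's source address (as seen in tcpdump) matches an allowed network."""
    ip = ipaddress.ip_address(sender_ip)
    return any(ip in net for net in syslog_allowed_networks(conf_text))


def group_write_bit(path):
    """True if the directory's group-write bit is set; this is the bit that was
    missing on /var/ossec/logs and kept the "ossecr" user from writing."""
    return bool(os.stat(path).st_mode & stat.S_IWGRP)


def group_write_bit_for_mode(mode):
    """Demo helper: create a scratch directory with `mode` and report its group-write bit."""
    with tempfile.TemporaryDirectory() as scratch:
        os.chmod(scratch, mode)
        return group_write_bit(scratch)


def diagnose(conf_text, sender_ip, logs_dir):
    """Combine both checks into one report for a given sender and logs directory."""
    return {
        "sender_allowed": sender_allowed(conf_text, sender_ip),
        "allowed_networks": [str(n) for n in syslog_allowed_networks(conf_text)],
        "logs_group_writable": group_write_bit(logs_dir),
    }


if __name__ == "__main__":
    # Stand-alone demo on a scratch directory set to 0750, mimicking the appliance.
    with tempfile.TemporaryDirectory() as scratch:
        os.chmod(scratch, 0o750)
        print(diagnose(SAMPLE_CONF, "192.168.10.7", scratch))
        print(diagnose(SAMPLE_CONF, "192.168.11.7", scratch))
```

The group-write check only looks at the mode bits; the directory must also be owned by the "ossec" group for that bit to help ossec-remoted, which `ls -ld /var/ossec/logs` shows directly. The address check reproduces OSSEC's allowed-ips matching closely enough to catch a typo like the one in the thread, but the authoritative answer is still the message ossec-remoted writes to ossec.log once it can write there.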
