Related to this, do you accept Pull Requests to add additional timestamp formats to your pre-decoding? I forked and added a simple change to cleanevent.c which has made my parsing much easier for a non-standard syslog time format.
On Friday, 8 November 2019 11:47:23 UTC-8, Mike wrote:

> I believe I have found the issues using strace to find out what ossec-remoted was doing. I found:
>
> 1. Not sure why, but on the Virtual Appliance the "ossec" group did not have write permissions to /var/ossec/logs so ossec-remoted (which runs under user "ossecr") could not write anything
> 2. After getting error logged to ossec.log, I found that I had simply entered the "allowed IP" incorrectly and so it was being blocked.
>
> So as long as Ossec's own logging works, it's relatively simple to figure out the problem.
>
> On Friday, 8 November 2019 01:40:09 UTC-8, Mike wrote:
>
>> Hello,
>>
>> I am new to OSSEC so bear with me. I have set up OSSEC using the VirtualBox appliance and everything seemed to run nicely out of the box except...
>> I am trying to set up OSSEC to monitor a Syslog from a firewall but I don't see any references to those syslog entries. I have done the following:
>>
>> 1. On the firewall, told it to send syslog files to the static IP of the OSSEC server
>> 2. On the OSSEC server's ossec.conf added a <remote> section with a <connection>syslog</connection> and specified the allowed_ip
>> 3. Also in the ossec.conf, set logall to yes
>> 4. Tested incoming connection using tcpdump -A port 514 and I can see syslog-like entries coming in
>> 5. Because the format is not quite standard syslog, I created a custom decoder and tested it using ossec-logtest.
>>
>> Despite all of these steps (and restarting the service using "ossec-control restart" multiple times) I still do not see any of the remote syslog entries in the archive.log.
>>
>> Am I missing something obvious to make this work?

--
You received this message because you are subscribed to the Google Groups "ossec-list" group.
To view this discussion on the web visit https://groups.google.com/d/msgid/ossec-list/b5781be6-a9b3-4e1d-8a27-cc2a56776ed3%40googlegroups.com.
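As an added example (not code from this thread or from the OSSEC project), a small offline checker for the two causes Mike found: a sender address that is not covered by <allowed-ips> in the syslog <remote> block, and a logs directory without the group write bit. The ossec.conf fragment is constructed; the element names <remote>, <connection>, <allowed-ips> and <logall> are OSSEC's own, and CIDR values in <allowed-ips> are assumed to be accepted.

```python
import ipaddress
import stat
import xml.etree.ElementTree as ET

# Constructed sample ossec.conf (not the poster's real file).
SAMPLE_CONF = """
<ossec_config>
  <global>
    <logall>yes</logall>
  </global>
</ossec_config>
<ossec_config>
  <remote>
    <connection>syslog</connection>
    <allowed-ips>192.168.10.0/24</allowed-ips>
    <allowed-ips>10.1.2.3</allowed-ips>
  </remote>
</ossec_config>
"""

def parse_ossec_conf(text):
    # ossec.conf may hold several top-level <ossec_config> elements,
    # which is not well-formed XML; wrap them in a synthetic root first.
    return ET.fromstring("<root>" + text + "</root>")

def syslog_allowed_networks(root):
    # Networks listed in <allowed-ips> of every syslog <remote> block.
    nets = []
    for remote in root.iter("remote"):
        if remote.findtext("connection", default="").strip() != "syslog":
            continue
        for a in remote.findall("allowed-ips"):
            nets.append(ipaddress.ip_network(a.text.strip(), strict=False))
    return nets

def sender_is_allowed(root, sender_ip):
    # A typo in <allowed-ips> shows up here as False for the real firewall IP.
    addr = ipaddress.ip_address(sender_ip)
    return any(addr in net for net in syslog_allowed_networks(root))

def logall_enabled(root):
    # The archives log receives every event only when <logall> is yes.
    return any(g.findtext("logall", default="").strip().lower() == "yes"
               for g in root.iter("global"))

def mode_is_group_writable(mode):
    # Pass os.stat("/var/ossec/logs").st_mode; ossec-remoted runs as
    # ossecr in group ossec, so it needs the group write bit set.
    return bool(mode & stat.S_IWGRP)
```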
