On Fri, Nov 8, 2019 at 2:47 PM Mike <[email protected]> wrote:
>
> I believe I have found the issues using strace to find out what ossec-remoted
> was doing. I found:
>
> 1. Not sure why, but on the Virtual Appliance the "ossec" group did not have
> write permissions to /var/ossec/logs so ossec-remoted (which runs under user
> "ossecr") could not write anything
> 2. After getting error logged to ossec.log, I found that I had simply entered
> the "allowed IP" incorrectly and so it was being blocked.
>
> So as long as Ossec's own logging works, it's relatively simple to figure out
> the problem.
>
Nice catch. The virtual appliance isn't really maintained, and I doubt we'll see
any updates going forward.

> On Friday, 8 November 2019 01:40:09 UTC-8, Mike wrote:
>>
>> Hello,
>>
>> I am new to OSSEC so bear with me. I have setup OSSEC using the VirtualBox
>> appliance and everything seemed to run nicely out of the box except...
>> I am trying to setup OSSEC to monitor a Syslog from a firewall but I don't
>> see any references to those syslog entries. I have done the following:
>>
>> On the firewall, told it to send syslog files to the static IP of the OSSEC
>> server
>> On the OSSEC server's ossec.conf added a <remote> section with a
>> <connection>syslog</connection> and specified the allowed_ip
>> Also in the ossec.conf, set logall to yes
>> Tested incoming connection using tcpdump -A port 514 and I can see
>> syslog-like entries coming in
>> Because the format is not quite standard syslog, I created a custom decoder
>> and tested it using ossec-logtest.
>>
>> Despite all of these steps (and restarting the service using "ossec-control
>> restart" multiple times) I still do not see any of the remote syslog entries
>> in the archive.log.
>>
>> Am I missing something obvious to make this work?
>
> --
>
> ---
> You received this message because you are subscribed to the Google Groups
> "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to [email protected].
> To view this discussion on the web visit
> https://groups.google.com/d/msgid/ossec-list/eac2b4f9-fc73-4e9c-8f36-7cfb680694b9%40googlegroups.com.
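As an added example (not OSSEC's own code and not part of this thread), the two causes Mike found can be turned into a small pre-flight check: does the "ossec" group have write access to the logs directory that ossec-remoted (running as "ossecr") needs, and does the firewall's address actually fall inside the allowed range in the syslog <remote> block. The ossec.conf text is constructed here; it uses <allowed-ips>, which is OSSEC's name for the setting the thread calls the allowed IP, and the demo uses a temporary directory in place of /var/ossec/logs so it runs anywhere.

```python
"""Two diagnostic checks matching the two causes found in the thread:
(1) ossec-remoted drops privileges to user "ossecr" in group "ossec", so
    the group needs write access under /var/ossec/logs or nothing gets
    logged; (2) the sender must fall inside an <allowed-ips> entry of the
    syslog <remote> block in ossec.conf, or remoted drops its messages.
Added example; not OSSEC's own code. The ossec.conf below is constructed."""
import grp
import ipaddress
import os
import stat
import tempfile
import xml.etree.ElementTree as ET

# Constructed ossec.conf fragment with the settings the thread describes:
# logall in <global> and a syslog <remote> block with an allowed range.
CONSTRUCTED_CONF = """<ossec_config>
  <global>
    <logall>yes</logall>
  </global>
  <remote>
    <connection>syslog</connection>
    <allowed-ips>192.168.2.0/24</allowed-ips>
  </remote>
</ossec_config>
"""


def allowed_ips_from_conf(conf_text):
    """Collect <allowed-ips> entries from every syslog <remote> block.
    ossec.conf may hold several top-level <ossec_config> elements, so the
    text is wrapped in a single root before parsing."""
    root = ET.fromstring("<root>" + conf_text + "</root>")
    entries = []
    for remote in root.iter("remote"):
        if remote.findtext("connection", default="").strip() != "syslog":
            continue
        for node in remote.findall("allowed-ips"):
            text = (node.text or "").strip()
            if text:
                entries.append(text)
    return entries


def sender_allowed(conf_text, sender_ip):
    """True if sender_ip lies inside any entry (a single address or a CIDR
    network); a mistyped entry, as in the thread, makes this False."""
    addr = ipaddress.ip_address(sender_ip)
    return any(addr in ipaddress.ip_network(e, strict=False)
               for e in allowed_ips_from_conf(conf_text))


def check_logs_dir(path, group_name="ossec"):
    """Report the owning group and whether the group-write bit is set on
    the logs directory; "ok" requires both the expected group and the bit."""
    st = os.stat(path)
    try:
        owner_group = grp.getgrgid(st.st_gid).gr_name
    except KeyError:
        owner_group = None
    group_write = bool(st.st_mode & stat.S_IWGRP)
    return {"group": owner_group, "group_write": group_write,
            "ok": group_write and owner_group == group_name}


def demo():
    """Run both checks on constructed input: a firewall at 192.168.2.1
    against the configured range, a sender outside it, and a temporary
    directory with and without group write (stand-in for /var/ossec/logs)."""
    results = {
        "firewall_in_range": sender_allowed(CONSTRUCTED_CONF, "192.168.2.1"),
        "typo_out_of_range": sender_allowed(CONSTRUCTED_CONF, "192.168.20.1"),
    }
    with tempfile.TemporaryDirectory() as tmp:
        os.chmod(tmp, 0o750)  # group can list but not write
        results["logs_0750_group_write"] = check_logs_dir(tmp)["group_write"]
        os.chmod(tmp, 0o770)  # group write granted
        results["logs_0770_group_write"] = check_logs_dir(tmp)["group_write"]
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
    # On a real server: check_logs_dir("/var/ossec/logs")["ok"] should be True
```

On a live box, run check_logs_dir("/var/ossec/logs") and sender_allowed(open("/var/ossec/etc/ossec.conf").read(), "<firewall ip>") before touching decoders; both failure modes show up in ossec.log only once the first one is fixed, which is exactly the order Mike hit them in.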
