On Tue, Nov 12, 2019 at 7:56 PM Mike <[email protected]> wrote:
>
> Related to this, do you accept Pull Requests to add additional timestamp
> formats to your pre-decoding? I forked and added a simple change to
> cleanevent.c which has made my parsing much easier for a non-standard syslog
> time format.
>

Yes, we do! Feel free to submit a pull request, and I'll get to it as quickly as my schedule allows.

>
> On Friday, 8 November 2019 11:47:23 UTC-8, Mike wrote:
>>
>> I believe I have found the issues using strace to find out what
>> ossec-remoted was doing. I found:
>>
>> 1. Not sure why, but on the Virtual Appliance the "ossec" group did not have
>>    write permissions to /var/ossec/logs, so ossec-remoted (which runs under user
>>    "ossecr") could not write anything.
>> 2. After getting errors logged to ossec.log, I found that I had simply
>>    entered the "allowed IP" incorrectly and so it was being blocked.
>>
>> So as long as OSSEC's own logging works, it's relatively simple to figure
>> out the problem.
>>
>> On Friday, 8 November 2019 01:40:09 UTC-8, Mike wrote:
>>>
>>> Hello,
>>>
>>> I am new to OSSEC so bear with me. I have set up OSSEC using the VirtualBox
>>> appliance and everything seemed to run nicely out of the box except...
>>> I am trying to set up OSSEC to monitor a syslog from a firewall but I don't
>>> see any references to those syslog entries. I have done the following:
>>>
>>> On the firewall, told it to send syslog files to the static IP of the OSSEC
>>> server.
>>> On the OSSEC server's ossec.conf, added a <remote> section with a
>>> <connection>syslog</connection> and specified the allowed_ip.
>>> Also in the ossec.conf, set logall to yes.
>>> Tested the incoming connection using tcpdump -A port 514 and I can see
>>> syslog-like entries coming in.
>>> Because the format is not quite standard syslog, I created a custom decoder
>>> and tested it using ossec-logtest.
>>>
>>> Despite all of these steps (and restarting the service using "ossec-control
>>> restart" multiple times) I still do not see any of the remote syslog
>>> entries in the archive.log.
>>>
>>> Am I missing something obvious to make this work?
>
> --
>
> ---
> You received this message because you are subscribed to the Google Groups
> "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to [email protected].
> To view this discussion on the web visit
> https://groups.google.com/d/msgid/ossec-list/b5781be6-a9b3-4e1d-8a27-cc2a56776ed3%40googlegroups.com.
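The two faults Mike found (a mistyped allowed IP and a logs directory that ossec-remoted's group could not write) can both be checked before restarting the service. The script below is an added example written for this thread, not code from the list or from the OSSEC project; the ossec.conf fragment is constructed, and it assumes the `<allowed-ips>` element name used by OSSEC's `<remote>` block and the ossecr/ossec user and group named above.

```python
"""Pre-flight checks for an OSSEC remote-syslog setup (example written for this
thread): does <allowed-ips> admit the firewall, and can group 'ossec' write logs?"""
import ipaddress
import os
import stat
import xml.etree.ElementTree as ET

# Constructed sample ossec.conf. The allowed IP is deliberately mistyped: the
# firewall in this scenario actually sends from 192.168.10.5, not 192.168.1.5.
SAMPLE_CONF = """
<ossec_config>
  <global><logall>yes</logall></global>
</ossec_config>
<ossec_config>
  <remote><connection>secure</connection></remote>
  <remote>
    <connection>syslog</connection>
    <port>514</port>
    <allowed-ips>192.168.1.5</allowed-ips>
  </remote>
</ossec_config>
"""


def parse_allowed_ips(conf_text):
    """Return the <allowed-ips> networks of every syslog <remote> block.
    ossec.conf may contain several <ossec_config> roots, which is not a single
    well-formed XML document, so wrap the text in a dummy root before parsing."""
    root = ET.fromstring("<r>" + conf_text + "</r>")
    nets = []
    for remote in root.iter("remote"):
        if (remote.findtext("connection") or "").strip() != "syslog":
            continue  # agent ("secure") listeners do not accept plain syslog
        for entry in remote.findall("allowed-ips"):
            # A bare address becomes a /32; CIDR entries are kept as written.
            nets.append(ipaddress.ip_network(entry.text.strip(), strict=False))
    return nets


def sender_allowed(conf_text, sender_ip):
    """True when some syslog listener admits sender_ip; otherwise remoted drops it
    (the silent failure seen in the thread until ossec.log became writable)."""
    addr = ipaddress.ip_address(sender_ip)
    return any(addr in net for net in parse_allowed_ips(conf_text))


def dir_group_writable(path, gid):
    """True when `path` is owned by group `gid` and has the group-write bit, the
    condition /var/ossec/logs must meet for ossec-remoted (user ossecr, group ossec)."""
    st = os.stat(path)
    return st.st_gid == gid and bool(st.st_mode & stat.S_IWGRP)
```

Run `sender_allowed(SAMPLE_CONF, "192.168.10.5")` to see the mistyped entry rejected, and pass `/var/ossec/logs` with the gid of group `ossec` (for example from `grp.getgrnam("ossec").gr_gid`) to `dir_group_writable` on the appliance itself.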
