Hi Derek, on your last suggestion I basically replaced syslogd on FreeBSD with
syslog-ng so as to more easily mimic your instructions:
You had suggested some syslog-ng config changes.
I put them verbatim right in the bottom of the cfg file without modifying
anything else. Seemed like the easiest route to take.
filter f_suricata { match('suricata:' value("MSGHDR")); };
destination d_suricata { tcp("192.168.5.10"); };
log { source(src); filter(f_suricata); destination(d_suricata); };
On the middle (destination) line, should that be UDP and not TCP? Syslog is
typically UDP 514. Otherwise it looks like the desired effect is happening.
A quick netstat shows:
root@suricata:/usr/ports/sysutils/syslog-ng # netstat
Active Internet connections
Proto Recv-Q Send-Q Local Address Foreign Address (state)
tcp4 0 0 192.168.5.249.25801 192.168.5.10.shell SYN_SENT
Thanks.
Chris Boley
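An added example (not from Chris's message, nor from PacketFence or syslog-ng) that emulates the filter line above in Python: it rebuilds syslog-ng's MSGHDR macro ("$PROGRAM[$PID]: ") from constructed sample syslog lines and applies match('suricata:') to it. Because match() is an unanchored regex search, the literal 'suricata:' never matches a header that carries a PID such as "suricata[812]: ", which is worth checking against what Suricata actually emits. The sample lines, the SID 1000001 alert text and the PID_TOLERANT pattern are assumptions made for this example.

```python
import re

# Constructed sample lines in the shape a syslog-ng source would receive them
# (RFC 3164 framing; the alert text and SID 1000001 are made up for this example).
SAMPLE_LINES = [
    "<133>Oct 13 10:41:05 suricata suricata: [1:1000001:1] CONSTRUCTED test alert "
    "[Classification: Misc activity] [Priority: 3] {TCP} 192.168.5.20:51234 -> 192.168.5.10:80",
    "<133>Oct 13 10:41:06 suricata suricata[812]: [1:1000001:1] CONSTRUCTED test alert "
    "[Classification: Misc activity] [Priority: 3] {TCP} 192.168.5.20:51235 -> 192.168.5.10:80",
    "<38>Oct 13 10:41:07 suricata sshd[1023]: Accepted publickey for chris from 192.168.5.7 port 51022 ssh2",
    "<78>Oct 13 10:41:08 suricata cron: (root) CMD (/usr/libexec/atrun)",
]

# <PRI>TIMESTAMP HOST PROGRAM[PID]: MSG   (the [PID] part is optional)
HEADER_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) "
    r"(?P<program>[^\s:\[]+)(?:\[(?P<pid>\d+)\])?: "
    r"(?P<msg>.*)$"
)

def parse_syslog(line):
    """Split a BSD syslog line into its fields and build syslog-ng's MSGHDR macro,
    which is '$PROGRAM[$PID]: ' (brackets and PID only when the sender logged one)."""
    m = HEADER_RE.match(line)
    if m is None:
        return None
    fields = m.groupdict()
    fields["msghdr"] = (f"{fields['program']}[{fields['pid']}]: " if fields["pid"]
                        else f"{fields['program']}: ")
    return fields

def f_suricata(line, pattern="suricata:"):
    """Emulate: filter f_suricata { match('suricata:' value("MSGHDR")); };
    match() is an unanchored regex search against the named macro."""
    fields = parse_syslog(line)
    return fields is not None and re.search(pattern, fields["msghdr"]) is not None

# Assumed alternative pattern that also accepts a PID in the header, e.g. "suricata[812]: "
PID_TOLERANT = r"^suricata(\[\d+\])?: "

def route(lines, pattern="suricata:"):
    """Return the lines the filter would hand to d_suricata (the TCP destination)."""
    return [ln for ln in lines if f_suricata(ln, pattern)]

if __name__ == "__main__":
    for pat in ("suricata:", PID_TOLERANT):
        print(f"pattern {pat!r}: forwards {len(route(SAMPLE_LINES, pat))} of {len(SAMPLE_LINES)} lines")
```

On the TCP-versus-UDP question, the netstat output above already says something: 192.168.5.10.shell is TCP port 514 (netstat prints the /etc/services name, and 514/tcp is "shell"), and SYN_SENT means no SYN-ACK has come back, so syslog-ng is waiting on a TCP listener the receiver is not answering. Whether the PacketFence side expects TCP or UDP 514 is not stated in this thread, so confirm that on the receiver before changing the destination line.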
-----Original Message-----
From: [email protected]
[mailto:[email protected]]
Sent: Tuesday, October 13, 2015 10:53 AM
To: [email protected]
Subject: PacketFence-users Digest, Vol 90, Issue 36
Send PacketFence-users mailing list submissions to
[email protected]
To subscribe or unsubscribe via the World Wide Web, visit
https://lists.sourceforge.net/lists/listinfo/packetfence-users
or, via email, send a message with subject or body 'help' to
[email protected]
You can reach the person managing the list at
[email protected]
When replying, please edit your Subject line so it is more specific than "Re:
Contents of PacketFence-users digest..."
Today's Topics:
1. Re: Suricata alerts to Packet Fence (Derek Wuelfrath)
2. Re: pfdhcplistener (Derek Wuelfrath)
----------------------------------------------------------------------
Message: 1
Date: Tue, 13 Oct 2015 10:41:05 -0400
From: Derek Wuelfrath <[email protected]>
Subject: Re: [PacketFence-users] Suricata alerts to Packet Fence
To: ML PF <[email protected]>
Message-ID: <[email protected]>
Content-Type: text/plain; charset="utf-8"
Hello Chris,
Are you running Suricata on a separate box (I assume)? Are you running it
standalone or within a security suite (SecurityOnion, for example)?
Let me know
Cheers!
dw.
Derek Wuelfrath
[email protected] :: +1.514.447.4918 (x110) :: +1.866.353.6153 (x110)
Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence
(www.packetfence.org)
> On Oct 9, 2015, at 5:05 PM, Boley, Chris <[email protected]> wrote:
>
> Does anyone happen to know where I can find info on sending suricata alert
> events over to Packet Fence?
>
>
> Chris Boley | Network Engineer | Cogentrix Energy Power Management,
> LLC
>
>
> ----------------------------------------------------------------------
> -------- _______________________________________________
> PacketFence-users mailing list
> [email protected]
> <mailto:[email protected]>
> https://lists.sourceforge.net/lists/listinfo/packetfence-users
> <https://lists.sourceforge.net/lists/listinfo/packetfence-users>
------------------------------
Message: 2
Date: Tue, 13 Oct 2015 10:52:22 -0400
From: Derek Wuelfrath <[email protected]>
Subject: Re: [PacketFence-users] pfdhcplistener
To: ML PF <[email protected]>
Message-ID: <[email protected]>
Content-Type: text/plain; charset="utf-8"
Hello Chinmay,
I'm looking at it and I'll get back to you.
Cheers!
dw.
Derek Wuelfrath
[email protected] :: +1.514.447.4918 (x110) :: +1.866.353.6153 (x110)
Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence
(www.packetfence.org)
> On Oct 13, 2015, at 2:17 AM, Chinmay Mahata <[email protected]>
> wrote:
>
> Dear Derek,
> Any thought on my issue.....
>
> Regards,
> --Chinmay
>
>
>
> From: "Chinmay Mahata" <[email protected]>
> Sent: Fri, 09 Oct 2015 18:13:36
> To: "[email protected]"
> <[email protected]>
> Subject: Re: [PacketFence-users] pfdhcplistener
>
> Dear Derek,
> Thanks for your quick response. I think I could not describe my
> problem/query properly.
>
> DHCPD is running on only one interface (eth0) of my PF server, no issue with
> that.
>
> Actually, at the WAN side (upstream) of my PF server there is another DHCP
> server running (though the PF server WAN has a static IP). Since pfdhcplistener
> is running at eth1(WAN) also, in the node (web)page I can see many
> unregistered nodes of WAN network which I don't want.
>
> I want to see only those nodes in the webpage which are under PF server
> and who are getting IP addresses from DHCP server running in PF server (on
> eth0). Hope pfdhcplistener on eth0 only can catch those.
>
> So I want to run only one instance of pfdhcplistener on interface eth0
> (pfdhcplistener_eth0). Please let me know how can I do that.
>
> Thanks again Derek.
>
> Regards,
> --Chinmay
>
>
>
>
>
> From: Derek Wuelfrath <[email protected]>
> Sent: Thu, 08 Oct 2015 22:11:09
> To: ML PF <[email protected]>
> Subject: Re: [PacketFence-users] pfdhcplistener
>
> Chinmay,
>
>> The packetfence server is working as a DHCP server.
>> I see that two pfdhcplisteners are running: pfdhcplistener_eth0,
>> pfdhcplistener_eth1.
>>
>>
>> But I want to run only one pfdhcplistener viz. pfdhcplistener_eth0. Can it
>> be possible (or it may cause other problem)? Which config item do I need to
>> modify for that?
>
> "pfdhcplistener", as its name says, listens for DHCP packets.
> PacketFence starts a "pfdhcplistener" daemon on each of the required network
> interfaces (in this case, management and inline).
>
> "pfdhcplistener" is not acting as a DHCP server, dhcpd is. "pfdhcplistener"
> is only listening to DHCP packets for the MAC <-> IP association that
> PacketFence uses.
>
> If you do a
> ps uafx | grep dhcpd
> you should see the dhcpd daemon running with only eth0 as listening interface.
>
> Cheers!
> dw.
>
> Derek Wuelfrath
> [email protected] :: +1.514.447.4918 (x110) :: +1.866.353.6153 (x110)
> Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence
> (www.packetfence.org)
>
>> On Oct 8, 2015, at 10:42 AM, Chinmay Mahata <[email protected]>
>> wrote:
>>
>> Hi,
>> I have setup packetfence(5.4.0) with inline enforcement having below
>> interface details (LAN: eth0, WAN: eth1).
>>
>> [interface eth0]
>> enforcement=inlinel2
>> type=internal
>>
>> [interface eth1]
>> type=management
>>
>> The packetfence server is working as a DHCP server.
>> I see that two pfdhcplisteners are running: pfdhcplistener_eth0,
>> pfdhcplistener_eth1.
>>
>>
>> But I want to run only one pfdhcplistener viz. pfdhcplistener_eth0. Can it
>> be possible (or it may cause other problem)? Which config item do I need to
>> modify for that?
>>
>> Waiting for your help.
>>
>> Thanks in advance.
>> --Chinmay
>>
>>
>>
>
End of PacketFence-users Digest, Vol 90, Issue 36
*************************************************