Hello. I guess it is working properly and I don't know why rsyslog can't write data to the file :(. I paste the result for you:

iptables -L -n :

    Chain INPUT (policy ACCEPT)
    target     prot opt source               destination
    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
    ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0
    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:22
    REJECT     all  --  0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited
    ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           state NEW udp dpt:514
    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:514

    Chain FORWARD (policy ACCEPT)
    target     prot opt source               destination
    REJECT     all  --  0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited

    Chain OUTPUT (policy ACCEPT)
    target     prot opt source               destination

tcpdump udp 'port 514' -v :

    [root@syslog joker]# tcpdump udp 'port 514' -v
    tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
    12:43:54.558544 IP (tos 0x0, ttl 128, id 3462, offset 0, flags [none], proto UDP (17), length 403)
        172.30.10.19.sweetware-apps > 172.30.10.20.syslog: SYSLOG, length: 375
            Facility syslog (5), Severity critical (2)
            Msg: Aug 20 12:44:47 xp-client.hamshahri.ir MSWinEventLog[0]:Security\0x0969\0x09Wed Aug 20 12:44:47 2014\0x09592\0x09Security\0x09jokar\0x09User\0x09Success Audit\0x09XP-CLIENT\0x09Detailed Tracking\0x09\0x09A new process has been created: New Process ID: 1088 Image File Name: C:\WINDOWS\system32\cmd.exe Creator Process ID: 428 User Name: jokar Domain: HAMSHAHRY Logon ID: (0x0,0x9218) \0x0952\0x0a
    12:44:15.205879 IP (tos 0x0, ttl 128, id 3474, offset 0, flags [none], proto UDP (17), length 361)
        172.30.10.19.sweetware-apps > 172.30.10.20.syslog: SYSLOG, length: 333
            Facility syslog (5), Severity critical (2)
            Msg: Aug 20 12:45:07 xp-client.hamshahri.ir MSWinEventLog[0]:Security\0x0970\0x09Wed Aug 20 12:45:07 2014\0x09593\0x09Security\0x09jokar\0x09User\0x09Success Audit\0x09XP-CLIENT\0x09Detailed Tracking\0x09\0x09A process has exited: Process ID: 1088 Image File Name: C:\WINDOWS\system32\cmd.exe User Name: jokar Domain: HAMSHAHRY Logon ID: (0x0,0x9218) \0x0953\0x0a
    12:44:45.324456 IP (tos 0x0, ttl 128, id 3488, offset 0, flags [none], proto UDP (17), length 425)
        172.30.10.19.sweetware-apps > 172.30.10.20.syslog: SYSLOG, length: 397
            Facility syslog (5), Severity critical (2)
            Msg: Aug 20 12:45:38 xp-client.hamshahri.ir MSWinEventLog[0]:Security\0x0971\0x09Wed Aug 20 12:45:38 2014\0x09592\0x09Security\0x09jokar\0x09User\0x09Success Audit\0x09XP-CLIENT\0x09Detailed Tracking\0x09\0x09A new process has been created: New Process ID: 448 Image File Name: C:\Program Files\Windows Media Player\wmplayer.exe Creator Process ID: 428 User Name: jokar Domain: HAMSHAHRY Logon ID: (0x0,0x9218) \0x0954\0x0a
    12:44:50.664063 IP (tos 0x0, ttl 128, id 3489, offset 0, flags [none], proto UDP (17), length 426)
        172.30.10.19.sweetware-apps > 172.30.10.20.syslog: SYSLOG, length: 398
            Facility syslog (5), Severity critical (2)
            Msg: Aug 20 12:45:43 xp-client.hamshahri.ir MSWinEventLog[0]:Security\0x0972\0x09Wed Aug 20 12:45:38 2014\0x09592\0x09Security\0x09jokar\0x09User\0x09Success Audit\0x09XP-CLIENT\0x09Detailed Tracking\0x09\0x09A new process has been created: New Process ID: 1580 Image File Name: C:\Program Files\Windows Media Player\setup_wm.exe Creator Process ID: 448 User Name: jokar Domain: HAMSHAHRY Logon ID: (0x0,0x9218) \0x0955\0x0a
    12:44:50.664544 IP (tos 0x0, ttl 128, id 3490, offset 0, flags [none], proto UDP (17), length 383)
        172.30.10.19.sweetware-apps > 172.30.10.20.syslog: SYSLOG, length: 355
            Facility syslog (5), Severity critical (2)
            Msg: Aug 20 12:45:43 xp-client.hamshahri.ir MSWinEventLog[0]:Security\0x0973\0x09Wed Aug 20 12:45:38 2014\0x09593\0x09Security\0x09jokar\0x09User\0x09Success Audit\0x09XP-CLIENT\0x09Detailed Tracking\0x09\0x09A process has exited: Process ID: 448 Image File Name: C:\Program Files\Windows Media Player\wmplayer.exe User Name: jokar Domain: HAMSHAHRY Logon ID: (0x0,0x9218) \0x0956\0x0a
    12:44:50.664878 IP (tos 0x0, ttl 128, id 3491, offset 0, flags [none], proto UDP (17), length 384)
        172.30.10.19.sweetware-apps > 172.30.10.20.syslog: SYSLOG, length: 356
            Facility syslog (5), Severity critical (2)
            Msg: Aug 20 12:45:43 xp-client.hamshahri.ir MSWinEventLog[0]:Security\0x0974\0x09Wed Aug 20 12:45:43 2014\0x09593\0x09Security\0x09jokar\0x09User\0x09Success Audit\0x09XP-CLIENT\0x09Detailed Tracking\0x09\0x09A process has exited: Process ID: 1580 Image File Name: C:\Program Files\Windows Media Player\setup_wm.exe User Name: jokar Domain: HAMSHAHRY Logon ID: (0x0,0x9218) \0x0957\0x0a
    ^C
    6 packets captured
    6 packets received by filter
    0 packets dropped by kernel

In your opinion, what is the problem?

On Tuesday, August 19, 2014 9:27 PM, James Lay <[email protected]> wrote:

On 2014-08-19 10:11, Jason Long wrote:
> Yes.
> I used : netstat -lpn | grep 514
>
>     tcp        0      0 0.0.0.0:514       0.0.0.0:*    LISTEN      3808/rsyslogd
>     tcp        0      0 :::514            :::*         LISTEN      3808/rsyslogd
>     udp        0      0 0.0.0.0:514       0.0.0.0:*                3808/rsyslogd
>     udp        0      0 :::514            :::*                     3808/rsyslogd
>
> Excuse me, my Snare agent on Windows is the free version and only supports UDP.
>
> On Tuesday, August 19, 2014 8:31 PM, James Lay <[email protected]> wrote:
>
> On 2014-08-19 09:39, Jason Long wrote:
>> I enabled both but it did not work :(
>>
>> On Tuesday, August 19, 2014 7:56 PM, James Lay <[email protected]> wrote:
>>
>> On 2014-08-19 08:36, Jason Long wrote:
>>> Hello all.
>>> I want to collect Windows logs via Snare and forward them to my Rsyslog Linux server, but I have some problems:
>>>
>>> Windows generates logs properly and I tested it via Event Log and Snare.
>>> I installed Snare on Windows and in "Network configuration" I set my Linux syslog server IP and changed the port to 514.
>>>
>>> On the Linux box, I turned off the "iptables" service and added the following rules to /etc/sysconfig/iptables:
>>>
>>>     -A INPUT -m state --state NEW -m udp -p udp --dport 514 -j ACCEPT
>>>     -A INPUT -m state --state NEW -m tcp -p tcp --dport 514 -j ACCEPT
>>>
>>> I also added these entries to "rsyslog.conf":
>>>
>>>     local5.* /var/log/winlog/win.log
>>>
>>>     SYSLOGD_OPTIONS = "-r -m 0"
>>>
>>>     $AllowedSender UDP, <my client IP>
>>>
>>> Can you tell me what is wrong?
>>
>> You'll need to load the modules in rsyslog.conf:
>>
>>     # provides UDP syslog reception
>>     $ModLoad imudp
>>     $UDPServerRun 514
>>
>>     # provides TCP syslog reception
>>     $ModLoad imtcp
>>     $InputTCPServerRun 514
>>
>> James
>
> On the rsyslog Linux box do:
>
>     sudo netstat -lpn
>
> Look for 514..see it?
>
> James

Hrmm....next step would be to sniff on the wire:

    sudo tcpdump -n -s 0 -i <your_listening_interface> -X udp port 514 and host <your_windows_host_IP>

What do you see?

James

_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE THAT.
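Added example, not code from the thread or from rsyslog: the tcpdump output above decodes every Snare packet as Facility syslog (5), Severity critical (2), which is PRI 42, while the selector in the quoted rsyslog.conf is local5.* (facility 21). The script decodes the PRI of a constructed line shaped like those packets and evaluates classic rsyslog selectors against it, so a defender can see which selector would actually route such messages to a file; facility and severity keywords follow syslog.conf conventions, with facilities 12-15 named per RFC 5424 (an assumption, since rsyslog has no common keywords for them).

```python
import re

# Facility keywords by number (0..23) as used in classic syslog.conf selectors;
# 12-15 follow the RFC 5424 table (assumed names, rarely used in selectors).
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "logaudit", "logalert",
              "clock"] + ["local%d" % i for i in range(8)]
# Severity keywords by number (0..7); a lower number is more severe.
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# Constructed sample line: PRI 42 = 5*8 + 2, the facility/severity tcpdump decoded
# for the Snare packets in the thread (Snare separates fields with tabs).
SAMPLE = ("<42>Aug 20 12:44:47 xp-client.hamshahri.ir MSWinEventLog[0]:Security"
          "\t969\tWed Aug 20 12:44:47 2014\t592\tSecurity\tjokar\tUser\tSuccess Audit"
          "\tXP-CLIENT\tDetailed Tracking\t\tA new process has been created")


def decode_pri(line):
    """Return (facility_keyword, severity_keyword) from a '<PRI>...' syslog line."""
    m = re.match(r"<(\d{1,3})>", line)
    if not m or int(m.group(1)) > 191:        # 23*8 + 7 is the largest legal PRI
        raise ValueError("missing or out-of-range PRI field")
    pri = int(m.group(1))
    return FACILITIES[pri // 8], SEVERITIES[pri % 8]


def selector_matches(selector, line):
    """Evaluate a classic rsyslog selector 'facility[,facility].priority' against
    a line: '*' matches any facility or priority, a bare priority means that level
    or more severe, and '=priority' means exactly that level."""
    fac_part, sev_part = selector.split(".", 1)
    facility, severity = decode_pri(line)
    if fac_part != "*" and facility not in fac_part.split(","):
        return False
    if sev_part == "*":
        return True
    if sev_part.startswith("="):
        return severity == sev_part[1:]
    return SEVERITIES.index(severity) <= SEVERITIES.index(sev_part)


if __name__ == "__main__":
    print("decoded:", decode_pri(SAMPLE))
    for sel in ("local5.*", "syslog.*", "*.crit", "syslog.=crit"):
        print("%-14s -> %s" % (sel, selector_matches(sel, SAMPLE)))
```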

