Re: [ossec-list] OSSEC 3.3.0 Install CentOS 8

2019-12-23 Thread dan (ddp)
Just a heads up, but that's a very old version. And it's not one I
imagine a lot of people want to support at this point.

On Mon, Dec 2, 2019 at 4:35 PM Natassia S wrote:
>
> Yeah, I got rid of the copy that I made.
>
> I was able to install 2.8.3 on my new CentOS 8 machine.  :)
>
> Natassia
>
>
> On Mon, Dec 2, 2019 at 1:27 PM dan (ddp) wrote:
>>
>>
>>
>> On Mon, Dec 2, 2019 at 3:56 PM Natassia S wrote:
>>>
>>> Everything came out of 3.3.0.tar.gz
>>>
>>> I compared the contents and the same directory for 2.8.3 also has no pcre2 
>>> but it has a Makefile.  On a whim I put a copy of the 2.8.3 Makefile in the 
>>> 3.3.0 folder and got the same error.
>>
>>
>> The 2.8.3 Makefile would probably add more issues.
>>
>>>
>>> Natassia
>>>
>>> On Mon, Dec 2, 2019 at 12:33 PM dan (ddp) wrote:



 On Mon, Dec 2, 2019 at 3:07 PM Natassia M Stelmaszek wrote:
>
> Bad Installation Package???
>
> I'm trying to build a new machine that includes OSSEC 3.3.0.  When I run 
> the install.sh, use default responses for a local installation, it gives 
> me the following error.
>
> sudo ./install.sh
>
>
>
> - Running the Makefile
>
> cc  -DMAX_AGENTS=2048 -DOSSECHIDS -DDEFAULTDIR=\"/var/ossec\" 
> -DUSER=\"ossec\" -DREMUSER=\"ossecr\" -DGROUPGLOBAL=\"ossec\" 
> -DMAILUSER=\"ossecm\" -DLinux -DINOTIFY_ENABLED -DZLIB_SYSTEM 
> -I./external/pcre2-10.32//install/include/ -DPCRE2_STATIC -DUSE_PCRE2_JIT 
> -DLIBOPENSSL_ENABLED -DLOCAL -Wall -Wextra -I./ -I./headers/ -c 
> external/cJSON/cJSON.c -o external/cJSON/cJSON.o
>
> ar -crs libcJSON.a external/cJSON/cJSON.o
>
> ranlib libcJSON.a
>
> cd external/pcre2-10.32/ && \
>
> ./configure \
>
> 
> --prefix=/home/stelmn/ossec-hids-3.3.0/src/external/pcre2-10.32//install \
>
> --enable-jit \
>
> --disable-shared \
>
> --enable-static && \
>
> make install-libLTLIBRARIES install-nodist_includeHEADERS
>
> /bin/sh: line 0: cd: external/pcre2-10.32/: No such file or directory
>
> make: *** [Makefile:770: external/pcre2-10.32//install/lib/libpcre2-8.a] 
> Error 1
>
>


 With that version of ossec you need to untar the pcre2 source in the above 
 directory. Or you can install the devel package and set PCRE2_SYSTEM=y


>  Error 0x5.
>
>  Building error. Unable to finish the installation.
>
>
>
> I've verified that kernel-headers are installed, tried two different 
> machines and even tried updating an OSSEC installation on a CentOS 7 
> machine but I keep getting the same failure.  It appears that the script 
> is looking for pcre2 in the src directory but it doesn't exist.
>
>
> $ pwd
> /home/stelmn/Downloads/ossec-hids-3.3.0/src/external
> $ ls
> cJSON  lua  lua-5.2.3  zlib-1.2.11
>
> Is something missing from the download file or am I overlooking something?
>
> Natassia
>
> --
>
> ---
> You received this message because you are subscribed to the Google Groups 
> "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an 
> email to ossec-list+unsubscr...@googlegroups.com.
> To view this discussion on the web visit 
> https://groups.google.com/d/msgid/ossec-list/07cf4c14-2480-48a7-b19f-b698d9c66fd2%40googlegroups.com.
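The fix dan gives in the thread above (untar the pcre2 source into src/external/pcre2-10.32, or install the pcre2 devel package and build with PCRE2_SYSTEM=y) turned into a pre-flight check that runs before install.sh. This is an added example, not code from the thread or from the OSSEC project; the directory layout follows the Makefile error shown in the thread, and the use of pkg-config to detect a system libpcre2-8 is an assumption about how the devel package is installed.

```shell
#!/bin/sh
# Added example (not from the ossec-list thread or the OSSEC project):
# decide how the pcre2 dependency of the OSSEC 3.x src/Makefile will be
# satisfied before install.sh starts the build. The thread describes two
# working states:
#   1. bundled source present at src/external/pcre2-<version>/
#   2. a system pcre2 development package, built with PCRE2_SYSTEM=y
# 10.32 is the version the 3.3.0 Makefile cd's into in the error output.
PCRE2_VERSION="${PCRE2_VERSION:-10.32}"

# pcre2_source_present SRC_DIR
# Returns 0 when the bundled pcre2 directory the Makefile will 'cd' into
# exists and carries its configure script, 1 otherwise.
pcre2_source_present() {
    src_dir="$1"
    [ -x "$src_dir/external/pcre2-$PCRE2_VERSION/configure" ]
}

# pcre2_system_present
# Returns 0 when a system pcre2 development package is installed, detected
# here through pkg-config metadata for libpcre2-8 (an assumption about the
# package), 1 otherwise.
pcre2_system_present() {
    command -v pkg-config >/dev/null 2>&1 && pkg-config --exists libpcre2-8
}

# pcre2_make_args SRC_DIR
# Prints the extra variable to pass to the build: nothing when the bundled
# source is present, PCRE2_SYSTEM=y when only a system library is available.
# Returns 2 when neither is available so the caller can stop before make
# fails with "cd: external/pcre2-10.32/: No such file or directory".
pcre2_make_args() {
    src_dir="$1"
    if pcre2_source_present "$src_dir"; then
        echo ""
        return 0
    elif pcre2_system_present; then
        echo "PCRE2_SYSTEM=y"
        return 0
    else
        echo "pcre2 not found: untar pcre2-$PCRE2_VERSION into $src_dir/external/ or install the pcre2 devel package" >&2
        return 2
    fi
}

# Usage: sh pcre2_check.sh ~/ossec-hids-3.3.0/src
if [ $# -gt 0 ]; then
    pcre2_make_args "$1"
fi
```

When the function prints PCRE2_SYSTEM=y, export it in the environment before running install.sh so the Makefile sees it; an empty result means the bundled source will be built exactly as the Makefile excerpt in the thread shows.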

Re: [ossec-list] remote secure logging

2019-12-23 Thread dan (ddp)
On Thu, Dec 5, 2019 at 6:05 AM Kyriakos Stavridis wrote:
>
> Hello everyone,
>
> Let's say I have a firewall that I want to configure to send its logs to my 
> OSSEC server.
>
> I know that I can simply configure my firewall to send logs to my OSSEC 
> server's IP and the ossec server like this:
>
> <remote>
>   <connection>syslog</connection>
>   <allowed-ips>{FIREWALL_IP}</allowed-ips>
> </remote>
>
> The thing is that this is an insecure connection and the logs are being sent 
> unencrypted.
>
> In OSSEC's documentation it states that there is also the 
> secure option that uses authentication and 
> encryption for the logs and receives logs at port 1514.
>
> I set my firewall to send remote logs to OSSEC server's IP:1514 but I am not 
> seeing the logs at archives.logs (I check the traffic on 1514 port and I 
> indeed receive traffic from the firewall, although it's not logged)
>
> So I guess that the whole "secure" thing to work needs some kind of 
> authentication as I stated before.
>
> My question is how do I actually configure that? On the firewall, and on the 
> OSSEC server?
>
>

The secure option is for agents only. syslog logging is only sent
unencrypted. If your firewall supports it, you could send it to a
syslog daemon using tls and read the resulting files with OSSEC.

>
> Any answers or suggestions are appreciated!
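The arrangement dan suggests in his reply, a TLS-capable syslog daemon on the OSSEC host that writes files OSSEC then reads, as an added example rather than configuration from the thread or from the OSSEC project. It writes an rsyslog TLS-only receiver and the matching OSSEC localfile stanza, plus a check that the receiver opens no plaintext UDP path. Port 6514, the certificate paths, the peer name firewall.example.internal and the /var/log/remote directory are assumptions to adjust per site; the firewall side depends on the vendor and is not shown.

```shell
#!/bin/sh
# Added example, not from the ossec-list thread or the OSSEC project.
# Pattern from the reply above: the firewall ships syslog over TLS to an
# rsyslog receiver on the OSSEC server, rsyslog writes one file per sending
# host, and OSSEC tails those files with a <localfile> entry instead of
# listening for plaintext syslog itself. Paths, port and peer name are
# assumptions.

# write_rsyslog_tls_receiver OUT_FILE
# rsyslog RainerScript for a TLS-required listener (drop-in for rsyslog.d).
write_rsyslog_tls_receiver() {
    cat > "$1" <<'EOF'
# TLS-only receiver for firewall logs.
global(
  DefaultNetstreamDriver="gtls"
  DefaultNetstreamDriverCAFile="/etc/rsyslog.d/certs/ca.pem"
  DefaultNetstreamDriverCertFile="/etc/rsyslog.d/certs/server-cert.pem"
  DefaultNetstreamDriverKeyFile="/etc/rsyslog.d/certs/server-key.pem"
)
# Mode 1 = TLS required; x509/name ties the sender to its certificate name,
# so an unauthenticated host cannot inject log lines.
module(load="imtcp"
       StreamDriver.Name="gtls"
       StreamDriver.Mode="1"
       StreamDriver.AuthMode="x509/name"
       PermittedPeer="firewall.example.internal")
input(type="imtcp" port="6514" ruleset="remote_fw")
template(name="RemoteFile" type="string" string="/var/log/remote/%HOSTNAME%.log")
ruleset(name="remote_fw") {
  action(type="omfile" dynaFile="RemoteFile")
}
EOF
}

# write_ossec_localfile OUT_FILE
# OSSEC reads the files rsyslog produced; no <remote> syslog listener needed.
write_ossec_localfile() {
    cat > "$1" <<'EOF'
<ossec_config>
  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/remote/*.log</location>
  </localfile>
</ossec_config>
EOF
}

# receiver_is_tls_only CONF_FILE
# Returns 0 when the rsyslog config requires the gtls driver and loads no
# plaintext UDP listener, 1 otherwise. Run it before restarting rsyslog so
# an unencrypted path cannot creep back into the receiver.
receiver_is_tls_only() {
    conf="$1"
    grep -q 'StreamDriver.Name="gtls"' "$conf" || return 1
    grep -q 'StreamDriver.Mode="1"' "$conf" || return 1
    if grep -Eq 'load="imudp"|^\$UDPServerRun' "$conf"; then
        return 1
    fi
    return 0
}

# Usage: sh tls_receiver.sh /etc/rsyslog.d/10-fw-tls.conf /etc/ossec/localfile-remote.xml
if [ $# -eq 2 ]; then
    write_rsyslog_tls_receiver "$1"
    write_ossec_localfile "$2"
    receiver_is_tls_only "$1"
fi
```

The localfile stanza goes inside the server's ossec.conf (or is included from it); the firewall must be told to send TLS syslog to port 6514 using a certificate whose name matches PermittedPeer, and the receiver keeps listening only on that TLS port, which is what makes the plaintext <connection>syslog</connection> listener unnecessary.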