Re: [ossec-list] Re: Receiving Syslog from device but OSSEC not logging it
On Tue, Nov 12, 2019 at 7:56 PM Mike wrote:
>
> Related to this, do you accept Pull Requests to add additional timestamp
> formats to your pre-decoding? I forked and added a simple change to
> cleanevent.c which has made my parsing much easier for a non-standard syslog
> time format.
>

Yes, we do! Feel free to submit a pull request, and I'll get to it as
quickly as my schedule allows.

> On Friday, 8 November 2019 11:47:23 UTC-8, Mike wrote:
>>
>> I believe I have found the issues using strace to find out what
>> ossec-remoted was doing. I found:
>>
>> 1. Not sure why, but on the Virtual Appliance the "ossec" group did not have
>> write permissions to /var/ossec/logs so ossec-remoted (which runs under user
>> "ossecr") could not write anything
>> 2. After getting error logged to ossec.log, I found that I had simply
>> entered the "allowed IP" incorrectly and so it was being blocked.
>>
>> So as long as Ossec's own logging works, it's relatively simple to figure
>> out the problem.
>>
>> On Friday, 8 November 2019 01:40:09 UTC-8, Mike wrote:
>>>
>>> Hello,
>>>
>>> I am new to OSSEC so bear with me. I have set up OSSEC using the VirtualBox
>>> appliance and everything seemed to run nicely out of the box except...
>>> I am trying to set up OSSEC to monitor a Syslog from a firewall but I don't
>>> see any references to those syslog entries. I have done the following:
>>>
>>> 1. On the firewall, told it to send syslog files to the static IP of the
>>> OSSEC server
>>> 2. On the OSSEC server's ossec.conf added a section with a syslog and
>>> specified the allowed_ip
>>> 3. Also in the ossec.conf, set logall to yes
>>> 4. Tested incoming connection using tcpdump -A port 514 and I can see
>>> syslog-like entries coming in
>>> 5. Because the format is not quite standard syslog, I created a custom
>>> decoder and tested it using ossec-logtest.
>>>
>>> Despite all of these steps (and restarting the service using "ossec-control
>>> restart" multiple times) I still do not see any of the remote syslog
>>> entries in the archive.log.
>>>
>>> Am I missing something obvious to make this work?
>
> --
> ---
> You received this message because you are subscribed to the Google Groups
> "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to ossec-list+unsubscr...@googlegroups.com.
> To view this discussion on the web visit
> https://groups.google.com/d/msgid/ossec-list/b5781be6-a9b3-4e1d-8a27-cc2a56776ed3%40googlegroups.com.
Re: [ossec-list] Re: Receiving Syslog from device but OSSEC not logging it
On Fri, Nov 8, 2019 at 2:47 PM Mike wrote:
>
> I believe I have found the issues using strace to find out what ossec-remoted
> was doing. I found:
>
> 1. Not sure why, but on the Virtual Appliance the "ossec" group did not have
> write permissions to /var/ossec/logs so ossec-remoted (which runs under user
> "ossecr") could not write anything
> 2. After getting error logged to ossec.log, I found that I had simply entered
> the "allowed IP" incorrectly and so it was being blocked.
>
> So as long as Ossec's own logging works, it's relatively simple to figure out
> the problem.
>

Nice catch. The virtual appliance isn't really maintained, and I doubt we'll
see any updates going forward.

> On Friday, 8 November 2019 01:40:09 UTC-8, Mike wrote:
>>
>> Hello,
>>
>> I am new to OSSEC so bear with me. I have set up OSSEC using the VirtualBox
>> appliance and everything seemed to run nicely out of the box except...
>> I am trying to set up OSSEC to monitor a Syslog from a firewall but I don't
>> see any references to those syslog entries. I have done the following:
>>
>> 1. On the firewall, told it to send syslog files to the static IP of the
>> OSSEC server
>> 2. On the OSSEC server's ossec.conf added a section with a syslog and
>> specified the allowed_ip
>> 3. Also in the ossec.conf, set logall to yes
>> 4. Tested incoming connection using tcpdump -A port 514 and I can see
>> syslog-like entries coming in
>> 5. Because the format is not quite standard syslog, I created a custom
>> decoder and tested it using ossec-logtest.
>>
>> Despite all of these steps (and restarting the service using "ossec-control
>> restart" multiple times) I still do not see any of the remote syslog entries
>> in the archive.log.
>>
>> Am I missing something obvious to make this work?
[ossec-list] Re: Receiving Syslog from device but OSSEC not logging it
Related to this, do you accept Pull Requests to add additional timestamp
formats to your pre-decoding? I forked and added a simple change to
cleanevent.c which has made my parsing much easier for a non-standard syslog
time format.

On Friday, 8 November 2019 11:47:23 UTC-8, Mike wrote:
>
> I believe I have found the issues using strace to find out what
> ossec-remoted was doing. I found:
>
> 1. Not sure why, but on the Virtual Appliance the "ossec" group did not
> have write permissions to /var/ossec/logs so ossec-remoted (which runs
> under user "ossecr") could not write anything
> 2. After getting error logged to ossec.log, I found that I had simply
> entered the "allowed IP" incorrectly and so it was being blocked.
>
> So as long as Ossec's own logging works, it's relatively simple to figure
> out the problem.
>
> On Friday, 8 November 2019 01:40:09 UTC-8, Mike wrote:
>>
>> Hello,
>>
>> I am new to OSSEC so bear with me. I have set up OSSEC using the
>> VirtualBox appliance and everything seemed to run nicely out of the box
>> except...
>> I am trying to set up OSSEC to monitor a Syslog from a firewall but I
>> don't see any references to those syslog entries. I have done the following:
>>
>>    1. On the firewall, told it to send syslog files to the static IP of
>>    the OSSEC server
>>    2. On the OSSEC server's ossec.conf added a section with a syslog and
>>    specified the allowed_ip
>>    3. Also in the ossec.conf, set logall to yes
>>    4. Tested incoming connection using tcpdump -A port 514 and I can
>>    see syslog-like entries coming in
>>    5. Because the format is not quite standard syslog, I created a
>>    custom decoder and tested it using ossec-logtest.
>>
>> Despite all of these steps (and restarting the service using
>> "ossec-control restart" multiple times) I still do not see any of the
>> remote syslog entries in the archive.log.
>>
>> Am I missing something obvious to make this work?
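What Mike calls pre-decoding is the step in OSSEC's analysis daemon that recognises and strips the leading syslog timestamp (and the hostname and program name that follow it) before any decoder sees the line. A device that stamps its messages in a layout the pre-decoder does not know leaves the line unstripped, so decoders written against the message body never match, which is exactly why a one-format addition to cleanevent.c fixes "my parsing". The block below is an added illustration of that mechanism only; it is not OSSEC's src/analysisd/cleanevent.c and not Mike's change to it, and it handles just the timestamp part. It accepts the RFC 3164 layout ("Nov  8 01:40:09 ") and, standing in for the non-standard format the thread never names, an assumed ISO 8601 layout, and passes anything else through untouched. The sample lines in main() are constructed, not captured from a real firewall.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/*
 * Added illustration of syslog timestamp pre-decoding. This is NOT OSSEC's
 * src/analysisd/cleanevent.c; it only mimics the idea: try each known
 * timestamp layout at the start of the line and, if one matches, hand the
 * remainder on. A line whose timestamp matches no layout is passed through
 * untouched, which is why decoders written for the message part stop
 * matching on a device with an unusual clock format.
 */

enum ts_format { TS_NONE = 0, TS_RFC3164 = 1, TS_ISO8601 = 2 };

static int dig(char c) { return isdigit((unsigned char)c); }

/* RFC 3164: "Mmm dd HH:MM:SS " (day may be space padded, e.g. "Nov  8").
 * Returns the number of bytes consumed, 0 if the line does not start so. */
static size_t match_rfc3164(const char *s)
{
    static const char months[] = "JanFebMarAprMayJunJulAugSepOctNovDec";
    int m;
    if (strlen(s) < 16) return 0;
    for (m = 0; m < 12; m++)
        if (strncmp(s, months + 3 * m, 3) == 0) break;
    if (m == 12 || s[3] != ' ') return 0;
    if (!(s[4] == ' ' || dig(s[4])) || !dig(s[5]) || s[6] != ' ') return 0;
    if (!dig(s[7]) || !dig(s[8]) || s[9] != ':' ||
        !dig(s[10]) || !dig(s[11]) || s[12] != ':' ||
        !dig(s[13]) || !dig(s[14]) || s[15] != ' ') return 0;
    return 16;
}

/* Assumed non-standard layout: ISO 8601 "YYYY-MM-DDTHH:MM:SS", optionally
 * followed by ".fraction" and "Z" or "+HH:MM"/"-HHMM", then a space.
 * The format Mike actually added is not given in the thread. */
static size_t match_iso8601(const char *s)
{
    static const char shape[] = "dddd-dd-ddTdd:dd:dd"; /* 'd' = any digit */
    size_t i;
    for (i = 0; i < 19; i++) {
        if (s[i] == '\0') return 0;
        if (shape[i] == 'd' ? !dig(s[i]) : s[i] != shape[i]) return 0;
    }
    if (s[i] == '.') { i++; while (dig(s[i])) i++; }
    if (s[i] == 'Z') {
        i++;
    } else if (s[i] == '+' || s[i] == '-') {
        i++;
        while (dig(s[i]) || s[i] == ':') i++;
    }
    if (s[i] != ' ') return 0;
    return i + 1;
}

/* Identify which timestamp layout the line starts with. */
enum ts_format timestamp_format(const char *line)
{
    if (match_rfc3164(line)) return TS_RFC3164;
    if (match_iso8601(line)) return TS_ISO8601;
    return TS_NONE;
}

/* Return the part of the line after a recognised timestamp, or the whole
 * line when no layout matched (the pass-through case). */
const char *strip_timestamp(const char *line)
{
    size_t n = match_rfc3164(line);
    if (n == 0) n = match_iso8601(line);
    return line + n;
}

int main(void)
{
    /* Constructed sample lines, not captured from a real device. */
    const char *samples[] = {
        "Nov  8 01:40:09 fw01 kernel: DROP IN=eth0 SRC=203.0.113.7",
        "2019-11-08T01:40:09.123Z fw01 filterlog: block in on em0",
        "08/11/2019 01:40:09 fw01 filterlog: block in on em0",
    };
    size_t i;
    for (i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("format=%d rest=\"%s\"\n", (int)timestamp_format(samples[i]),
               strip_timestamp(samples[i]));
    return 0;
}
```

The third sample is the pass-through case: nothing is stripped, so a decoder whose prematch expects the line to begin with the hostname or program name fails. A real addition to cleanevent.c also has to fill in the event's timestamp, hostname and program-name fields, which this sketch leaves out.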
[ossec-list] Re: Receiving Syslog from device but OSSEC not logging it
I believe I have found the issues using strace to find out what ossec-remoted
was doing. I found:

1. Not sure why, but on the Virtual Appliance the "ossec" group did not have
   write permissions to /var/ossec/logs so ossec-remoted (which runs under user
   "ossecr") could not write anything
2. After getting error logged to ossec.log, I found that I had simply entered
   the "allowed IP" incorrectly and so it was being blocked.

So as long as Ossec's own logging works, it's relatively simple to figure out
the problem.

On Friday, 8 November 2019 01:40:09 UTC-8, Mike wrote:
>
> Hello,
>
> I am new to OSSEC so bear with me. I have set up OSSEC using the VirtualBox
> appliance and everything seemed to run nicely out of the box except...
> I am trying to set up OSSEC to monitor a Syslog from a firewall but I don't
> see any references to those syslog entries. I have done the following:
>
>    1. On the firewall, told it to send syslog files to the static IP of
>    the OSSEC server
>    2. On the OSSEC server's ossec.conf added a section with a syslog and
>    specified the allowed_ip
>    3. Also in the ossec.conf, set logall to yes
>    4. Tested incoming connection using tcpdump -A port 514 and I can see
>    syslog-like entries coming in
>    5. Because the format is not quite standard syslog, I created a custom
>    decoder and tested it using ossec-logtest.
>
> Despite all of these steps (and restarting the service using
> "ossec-control restart" multiple times) I still do not see any of the
> remote syslog entries in the archive.log.
>
> Am I missing something obvious to make this work?
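Both problems Mike found sit in ossec-remoted, the process that receives the firewall's datagrams on 514/udp and runs as the unprivileged user ossecr in group ossec. It writes its own diagnostics to /var/ossec/logs/ossec.log, so when that directory is not writable by the group the refusals it would have reported are lost, and it enforces the `<allowed-ips>` entries of the `<remote>` block (the one whose `<connection>` is syslog) before forwarding anything to the analysis daemon, so a source that does not match is dropped right there and never reaches logs/archives/archives.log no matter what logall or the custom decoder says. Worth keeping in mind: ossec-logtest exercises only the decoder and rule path, not remoted's source check, so a clean logtest run says nothing about this failure. The following is an added example and not ossec-remoted's own code: a C function that applies one `<allowed-ips>` entry to a source address, for the entry forms assumed here to be those OSSEC accepts ("any", a host address, address/prefix-length and address/netmask; IPv6 is left out), plus a walk over a list of entries. The entry 192.168.1.100 and source 192.168.1.10 in main() are a constructed stand-in for the kind of typo Mike describes.

```c
#include <arpa/inet.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/*
 * Added illustration, not ossec-remoted's code: decide whether a syslog
 * source address would pass one <allowed-ips> entry from the <remote>
 * block of ossec.conf. Entry forms handled (assumed to match what OSSEC
 * accepts): "any", a single IPv4 address, "addr/prefixlen", "addr/netmask".
 * Returns 1 if allowed, 0 if the datagram would be dropped, -1 if the
 * entry or the address is malformed. A malformed entry deliberately does
 * not fail open.
 */

/* Parse dotted-quad text into a host-order 32-bit value. */
static int parse_ipv4(const char *text, uint32_t *out)
{
    struct in_addr a;
    if (inet_pton(AF_INET, text, &a) != 1) return 0;
    *out = ntohl(a.s_addr);
    return 1;
}

int ip_allowed(const char *entry, const char *src)
{
    char buf[64];
    char *slash;
    uint32_t net, mask, addr;

    if (strcmp(entry, "any") == 0) return 1;
    if (!parse_ipv4(src, &addr)) return -1;
    if (strlen(entry) >= sizeof buf) return -1;
    strcpy(buf, entry);

    slash = strchr(buf, '/');
    if (slash == NULL) {                    /* single host */
        if (!parse_ipv4(buf, &net)) return -1;
        return addr == net;
    }
    *slash = '\0';
    if (!parse_ipv4(buf, &net)) return -1;

    if (strchr(slash + 1, '.') != NULL) {   /* dotted netmask */
        if (!parse_ipv4(slash + 1, &mask)) return -1;
    } else {                                /* prefix length */
        char *end;
        long bits = strtol(slash + 1, &end, 10);
        if (end == slash + 1 || *end != '\0' || bits < 0 || bits > 32)
            return -1;                      /* "a.b.c.d/" or junk: reject */
        mask = bits == 0 ? 0 : 0xFFFFFFFFu << (32 - bits);
    }
    return (addr & mask) == (net & mask);
}

/* Check a source against every entry, as remoted walks each
 * <allowed-ips> line; the first match wins. */
int any_allowed(const char *const *entries, size_t n, const char *src)
{
    size_t i;
    for (i = 0; i < n; i++)
        if (ip_allowed(entries[i], src) == 1) return 1;
    return 0;
}

int main(void)
{
    /* Constructed scenario, not from the thread: the firewall sends from
     * 192.168.1.10 but the config entry was typed as 192.168.1.100. */
    const char *const entries[] = { "192.168.1.100" };
    const char *src = "192.168.1.10";
    printf("%s against <allowed-ips>%s</allowed-ips>: %s\n", src, entries[0],
           any_allowed(entries, 1, src) ? "accepted" : "dropped by remoted");
    return 0;
}
```

On the appliance itself the two live checks are `ls -ld /var/ossec/logs` (the directory has to be writable by group ossec, as Mike found) and, once remoted can write again, `grep remoted /var/ossec/logs/ossec.log` for the refusal it logs; the function above is for reasoning about an entry before another `ossec-control restart`, not a replacement for either.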