Hi,
First thing, I’m new with OSSEC and didn’t find any clue in the archives.
I would like an OSSEC server to receive logs from a Juniper firewall, in order to analyse them. Note there is nothing other than OSSEC on the server.
Here is the issue:
Here is what I tried to make it work, but it still fails:
Now, I’m wondering what I’m missing.
Can OSSEC receive logs from a device via syslog? I read many articles answering yes, but I can’t make it work.
If you have any idea…
Thanks,
J

On Mon, Jul 18, 2011 at 10:22 AM, Jérémie Belmudes
<jeremie....@gmail.com> wrote:
> Hi,
>
> First thing, I’m new with OSSEC and didn’t find any clue in the archives.
>
>
>
> I would like an OSSEC server to receive logs from a Juniper firewall, in
> order to analyse them. Note there is nothing other than OSSEC on the server.
>
If you are not planning on adding some real clients, you should
probably use a local installation.
>
>
> Here is the issue:
>
> Firewall side: everything is fine, logs are received on the OSSEC server on
> the default port 514 (checked via tcpdump).
> OSSEC side:
>
> remote syslog was enabled during setup
> I changed the ossec.conf file:
>
> <remote>
>   <connection>syslog</connection>
>   <allowed-ips>firewall IP</allowed-ips>
> </remote>
>
> OSSEC was restarted
> I get the error “2011/07/18 15:06:56 ossec-remoted(1402): ERROR: Authentication
> key file '/etc/client.keys' not found. 2011/07/18 15:06:56
> ossec-remoted(1750): ERROR: No remote connection configured. Exiting.”
Either setup a local install or add an agent (even a fake agent should be ok).
>
You can check to see if an ossec-remoted is still alive listening on
514/UDP with "netstat -pan | grep 514" (I'm assuming your manager is
Linux).
> Here is what I tried to make it work, but it still fails:
>
> I added the firewall IP via manage_agents; restarted; configured logs on the
> firewall to be sent to port 1514; got an error for each log received from
> the firewall: “2011/07/18 14:47:44 ossec-remoted(1403): ERROR: Incorrectly
> formated message from 'IP adress'.”
1514 is for OSSEC's secure messaging, not syslog. The error is correct.
> Tried to receive logs on another port, setting <port>port_number</port>
> inside <remote>…</remote> in the ossec.conf file; OSSEC restarted; no error,
> but I can’t find the firewall logs in any log file (/var/log/* &
> /var/ossec/logs/*)
>
You won't find the firewall logs in any of these files, unless an
alert is triggered.
OSSEC does not log to /var/log at all, so nothing should go from it to
any file there.
/var/ossec/logs/alerts/alerts.log will contain the alerts.
By default OSSEC does not log all log messages, but you can force it
to do so by adding <logall>yes</logall> to the <global> section.
After restarting OSSEC you can find all logs received by OSSEC in
/var/ossec/logs/archives/archive.log. I think this is really helpful
to figure out what is happening on an OSSEC system, and I generally
turn it on. If you have a few copies of various logs you can even use
ossec-logtest to see how they are being decoded.
> Now, I’m wondering what I’m missing.
>
> Can OSSEC receive logs from a device via syslog? I read many articles
> answering yes, but I can’t make it work.
>
Yes, it can. I do it, as do many others daily. :)
This is just a header that's added to the entries. You should remove
it before pushing it through ossec-logtest. ossec-analysisd does not
see this header when trying to decode the messages.
> prefix from decoder.xml = Jan 1 10:02:11 xx
>
> First thing, I don't know where that prefix regex can be updated, surely not
> in decoder.xml.
It may not have to be. Send a few example logs so I can see what's going on.
> At first I thought the remote syslog would be automatically analyzed. If
> it's not the case I would like to retrieve them in a specific file. I think
> that archives.log file shouldn't be analyzed (<localfile> in ossec.conf).
The log messages coming in via syslog are being looked at. They may
not be triggering anything, or they may not be decoded properly. It's
tough to tell without a log sample.
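An added helper, not from this thread or from OSSEC itself, that does what the replies above suggest: read the archive.log written once <logall>yes</logall> is set, strip the timestamp and hostname->location header that OSSEC prepends to every entry, and keep only the raw messages from one syslog source so they can be piped into ossec-logtest. The entry layout shown in the regex and the Juniper sample lines are assumptions constructed for the example; check them against your own /var/ossec/logs/archives/archive.log.

```python
import re
from typing import Optional

# Assumed archive.log entry shape (verify against your own archive.log):
#   "<YYYY> <Mon> <DD> <HH:MM:SS> <hostname>-><location> <original log message>"
# For messages received via syslog, OSSEC records the sending IP as the location.
ARCHIVE_HEADER = re.compile(
    r"^\d{4} [A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2} "  # timestamp OSSEC prepends
    r"(?P<hostname>.+?)->(?P<location>\S+) "                 # first "->" is the header's
    r"(?P<message>.*)$"                                      # the message as received
)

# Constructed sample: two firewall entries received via syslog plus one local entry.
SAMPLE_ARCHIVE = """\
2011 Jul 21 10:02:11 192.0.2.10->192.0.2.10 Jul 21 10:02:11 fw01 RT_FLOW: RT_FLOW_SESSION_DENY: session denied 198.51.100.7/43122->192.0.2.25/22 junos-ssh
2011 Jul 21 10:02:12 ossec-server->/var/log/auth.log Jul 21 10:02:12 ossec-server sshd[2211]: Accepted publickey for admin from 10.0.0.5 port 51122 ssh2
2011 Jul 21 10:02:13 192.0.2.10->192.0.2.10 Jul 21 10:02:13 fw01 RT_FLOW: RT_FLOW_SESSION_CREATE: session created 10.0.0.5/51200->192.0.2.25/443 junos-https
"""


def strip_archive_header(line: str) -> Optional[tuple[str, str]]:
    """Return (location, original message) for one archive.log line, or None
    if the line does not carry the expected header."""
    m = ARCHIVE_HEADER.match(line.rstrip("\n"))
    if m is None:
        return None
    return m.group("location"), m.group("message")


def logtest_input(archive_text: str, location: Optional[str] = None) -> list[str]:
    """Collect the raw messages from archive.log text, optionally only those
    whose location matches (e.g. the firewall's IP), in the form ossec-logtest
    expects on stdin: one original log line per line, header removed."""
    messages = []
    for line in archive_text.splitlines():
        parsed = strip_archive_header(line)
        if parsed is None:
            continue  # not an archive entry (blank line, wrapped line, etc.)
        loc, msg = parsed
        if location is None or loc == location:
            messages.append(msg)
    return messages


if __name__ == "__main__":
    # Usage: python3 this.py | /var/ossec/bin/ossec-logtest
    for msg in logtest_input(SAMPLE_ARCHIVE, location="192.0.2.10"):
        print(msg)
```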
On Thu, Jul 21, 2011 at 5:10 AM, Jérémie Belmudes