OSSEC receiving syslog alerts from ASA but not processing them


Nate

Oct 14, 2019, 3:03:13 PM
to ossec-list
Hi,

I've never seen this before, but I set up our ASA 5516 to send syslog events to our OSSEC server to detect SHUN events.

ossec.conf
  <remote>
    <connection>syslog</connection>
    <allowed-ips>10.10.2.2</allowed-ips>
    <port>514</port>
  </remote>

  <alerts>
    <log_alert_level>0</log_alert_level>
    <email_alert_level>9</email_alert_level>
  </alerts>


local_rules.xml

<group name="ASA,LANAttack">
   <rule id="100260" level="9">
    <!-- <decoded_as>ASA-lanattk</decoded_as> -->
    <if_sid>4100</if_sid>
    <regex>ASA-4-73310\d|ASA-4-40100\d</regex>
    <description>ASA Shun event</description>
   </rule>
</group>


But reviewing the alerts, archives and database, no events from our 10.10.2.2 or the ASA show up. Running tcpdump on the OSSEC server shows they are received by the server:

14:53:41.611883 IP (tos 0x0, ttl 254, id 54586, offset 0, flags [none], proto UDP (17), length 140)
    10.10.2.2.syslog > 10.10.10.17.syslog: SYSLOG, length: 112
        Facility local0 (16), Severity warning (4)
        Msg: Oct 14 14:53:41 EDT fw1 : %ASA-4-401004: Shunned packet: 10.10.35.37 ==> 87.106.71.108 on interface inside\0x0a
14:53:41.614335 IP (tos 0x0, ttl 254, id 46962, offset 0, flags [none], proto UDP (17), length 140)
    10.10.2.2.syslog > 10.10.10.17.syslog: SYSLOG, length: 112
        Facility local0 (16), Severity warning (4)
        Msg: Oct 14 14:53:41 EDT fw1 : %ASA-4-401004: Shunned packet: 10.10.35.37 ==> 87.106.71.108 on interface inside\0x0a

If I copy out the Msg and paste it into ossec-logtest, it does process it through to my rule:

[USER@ossec~]# /var/ossec/bin/ossec-logtest
2019/10/14 14:58:37 ossec-testrule: INFO: Reading local decoder file.
2019/10/14 14:58:37 ossec-testrule: INFO: Started (pid: 29400).
ossec-testrule: Type one log per line.

Oct 14 14:53:41 EDT fw1 : %ASA-4-401004: Shunned packet: 10.10.35.37 ==> 87.106.71.108 on interface inside\0x0a


**Phase 1: Completed pre-decoding.
       full event: 'Oct 14 14:53:41 EDT fw1 : %ASA-4-401004: Shunned packet: 10.10.35.37 ==> 87.106.71.108 on interface inside\0x0a'
       hostname: 'EDT'
       program_name: '(null)'
       log: 'fw1 : %ASA-4-401004: Shunned packet: 10.10.35.37 ==> 87.106.71.108 on interface inside\0x0a'

**Phase 2: Completed decoding.
       decoder: 'ASA-lanattk'

**Phase 3: Completed filtering (rules).
       Rule id: '100260'
       Level: '9'
       Description: 'ASA Shun event'
**Alert to be generated.

I see that UDP port 514 is running:

[root@secserv ~]# netstat -anp | grep 514
tcp        0      0 127.0.0.1:3306              127.0.0.1:37514             ESTABLISHED 5542/mysqld
tcp        0      0 127.0.0.1:37514             127.0.0.1:3306              ESTABLISHED 29340/ossec-dbd
udp        0      0 :::1514                     :::*                                    29373/ossec-remoted
udp        0      0 :::514                      :::*                                    29372/ossec-remoted


What obvious thing am I missing to set up an ASA with OSSEC? Our HP switches and Palo Alto firewall are sending syslogs just fine.

dan (ddp)

Oct 15, 2019, 7:19:23 AM
to ossec...@googlegroups.com
After adding the system to allowed-ips, did you restart the OSSEC processes on the OSSEC server?

Is there a host firewall (iptables) on the OSSEC server? Is 514/UDP open to 10.10.2.2?


Nate

Oct 15, 2019, 8:34:52 AM
to ossec-list
Hi Dan,

Yes, I restarted the OSSEC service with: service OSSEC restart

Right now iptables is wide open because of this issue:

# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
# iptables -S
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT

My full remote connections list is the following:

  <remote>
   <connection>syslog</connection>
   <allowed-ips>10.10.10.0/23</allowed-ips>
   <allowed-ips>10.10.2.2</allowed-ips>
   <allowed-ips>10.10.39.2</allowed-ips>
   <allowed-ips>10.10.6.2</allowed-ips>
   <allowed-ips>10.10.9.1</allowed-ips>
   <allowed-ips>192.168.2.0/24</allowed-ips>
   <port>514</port>
  </remote>

I will move 10.10.2.2 up above the /23 in case this is causing it, but I know we are getting syslog events from all other sources.

Maybe it's the Cisco packet?

Nate

Oct 15, 2019, 8:59:08 AM
to ossec-list
Looking at the syslog packets, I see the Cisco ASA only uses local facility codes, but my Palo Alto uses the user facility code:

08:55:50.340558 IP (tos 0x0, ttl 64, id 917, offset 0, flags [DF], proto UDP (17), length 329)
    10.10.10.151.44375 > 10.10.10.17.syslog: SYSLOG, length: 301
        Facility user (1), Severity info (6)
        Msg: Oct 15 08:55:50 10.10.10.151 1,2019/10/15 08:55:50,012001010622,SYSTEM,userid,0,2019/10/15 08:55:50,,connect-ldap-sever,10.10.10.10,0,0,general,informational,"ldap cfg DOMAIN GMapping FW-Admins connected to server 10.10.10.10:389, initiated by: 10.10.10.152",1204131,0x0,0,0,0,0,,fw2
08:55:50.726480 IP (tos 0x0, ttl 254, id 65458, offset 0, flags [none], proto UDP (17), length 190)
    10.10.2.2.syslog > 10.10.10.17.syslog: SYSLOG, length: 162
        Facility local4 (20), Severity warning (4)
        Msg: Oct 15 08:55:50 EDT fw1 : %ASA-4-106023: Deny udp src outside:10.10.201.105/137 dst outside:10.10.201.255/137 by access-group "outside_access_in" [0x0, 0x0]\0x0a

I can't change the ASA to be anything other than local facility.
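As an added example (not code from this thread or from the OSSEC project), the Python script below does two things the thread touches on: it decodes the syslog PRI value into facility and severity (the ASA's local0/local4 versus the Palo Alto's user facility), and it applies a simplified stand-in for OSSEC's syslog pre-decoding before running the same regex as local rule 100260 over the result. The stand-in reproduces one detail visible in the ossec-logtest output earlier in the thread: with the ASA's "Oct 14 14:53:41 EDT fw1 : ..." format, the timezone token "EDT" lands in the hostname field. The two datagrams are constructed from the tcpdump output above; tcpdump prints facility and severity rather than the raw PRI, so the `<132>` and `<164>` prefixes are reconstructed (local0*8+warning and local4*8+warning) and are an assumption about what the wire bytes looked like.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Syslog facility numbers (RFC 3164): 1 = user, 16..23 = local0..local7
FACILITY_NAMES = {
    0: "kern", 1: "user", 2: "mail", 3: "daemon", 4: "auth", 5: "syslog",
    16: "local0", 17: "local1", 18: "local2", 19: "local3",
    20: "local4", 21: "local5", 22: "local6", 23: "local7",
}
SEVERITY_NAMES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# Same pattern as the thread's local rule 100260, written as a Python regex
SHUN_RE = re.compile(r"ASA-4-73310\d|ASA-4-40100\d")
ASA_ID_RE = re.compile(r"%ASA-(\d)-(\d{6}):")

PRI_RE = re.compile(r"^<(\d{1,3})>")
# BSD-style timestamp "Oct 14 14:53:41 "; whatever token follows it is taken as the host
TS_RE = re.compile(r"^[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d ")


@dataclass
class PreDecoded:
    facility: Optional[str]
    severity: Optional[str]
    hostname: Optional[str]
    log: str


def predecode(raw: str) -> PreDecoded:
    """Simplified stand-in for OSSEC's syslog pre-decoding (assumption: not OSSEC's code).

    Strips the <PRI> prefix if present, skips the BSD timestamp and takes the next
    whitespace-delimited token as the hostname. For the ASA's
    'Oct 14 14:53:41 EDT fw1 : %ASA-...' the hostname therefore becomes 'EDT',
    matching what ossec-logtest reported in the thread."""
    facility = severity = None
    m = PRI_RE.match(raw)
    if m:
        pri = int(m.group(1))
        facility = FACILITY_NAMES.get(pri >> 3, f"facility{pri >> 3}")
        severity = SEVERITY_NAMES[pri & 7]
        raw = raw[m.end():]
    log = raw.rstrip("\n")
    hostname = None
    m = TS_RE.match(log)
    if m:
        rest = log[m.end():]
        hostname, _, log = rest.partition(" ")
    return PreDecoded(facility, severity, hostname, log)


def is_shun_event(log: str) -> bool:
    """Rule 100260's match condition applied to the pre-decoded log portion."""
    return SHUN_RE.search(log) is not None


def asa_message_id(log: str) -> Optional[str]:
    """Six-digit ASA message number, e.g. '401004' for a shunned packet."""
    m = ASA_ID_RE.search(log)
    return m.group(2) if m else None


def find_shun_events(datagrams: List[str]) -> List[PreDecoded]:
    """Run pre-decoding plus the shun rule over a batch of raw syslog datagrams."""
    return [p for p in (predecode(d) for d in datagrams) if is_shun_event(p.log)]


# Constructed datagrams, rebuilt from the tcpdump output in the thread (PRI values assumed)
SAMPLE_DATAGRAMS = [
    "<132>Oct 14 14:53:41 EDT fw1 : %ASA-4-401004: Shunned packet: 10.10.35.37 ==> 87.106.71.108 on interface inside\n",
    "<164>Oct 15 08:55:50 EDT fw1 : %ASA-4-106023: Deny udp src outside:10.10.201.105/137 "
    "dst outside:10.10.201.255/137 by access-group \"outside_access_in\" [0x0, 0x0]\n",
]

if __name__ == "__main__":
    for d in SAMPLE_DATAGRAMS:
        p = predecode(d)
        print(f"{p.facility}.{p.severity} host={p.hostname!r} id={asa_message_id(p.log)} shun={is_shun_event(p.log)}")
```

Feeding the first datagram through `predecode` yields facility local0, severity warning, hostname "EDT" and a log portion starting with "fw1 : %ASA-4-401004", which the shun regex matches; the second (local4, message 106023) is pre-decoded the same way but does not match. The facility is parsed and reported only to show it plays no part in the match, which is consistent with the reply below that remoted does not care about the facility.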

dan (ddp)

Oct 22, 2019, 9:33:39 AM
to ossec...@googlegroups.com
On Tue, Oct 15, 2019 at 8:59 AM Nate <nbent...@gmail.com> wrote:
>
> Looking at the syslog packets I see the Cisco ASA only uses local facility codes but my Palo Alto uses User facility codes:
>
> 08:55:50.340558 IP (tos 0x0, ttl 64, id 917, offset 0, flags [DF], proto UDP (17), length 329)
> 10.10.10.151.44375 > 10.10.10.17.syslog: SYSLOG, length: 301
> Facility user (1), Severity info (6)
> Msg: Oct 15 08:55:50 10.10.10.151 1,2019/10/15 08:55:50,012001010622,SYSTEM,userid,0,2019/10/15 08:55:50,,connect-ldap-sever,10.10.10.10,0,0,general,informational,"ldap cfg DOMAIN GMapping FW-Admins connected to server 10.10.10.10:389, initiated by: 10.10.10.152",1204131,0x0,0,0,0,0,,fw2
> 08:55:50.726480 IP (tos 0x0, ttl 254, id 65458, offset 0, flags [none], proto UDP (17), length 190)
> 10.10.2.2.syslog > 10.10.10.17.syslog: SYSLOG, length: 162
> Facility local4 (20), Severity warning (4)
> Msg: Oct 15 08:55:50 EDT fw1 : %ASA-4-106023: Deny udp src outside:10.10.201.105/137 dst outside:10.10.201.255/137 by access-group "outside_access_in" [0x0, 0x0]\0x0a
>
> I can't change the ASA to be anything other than local facility.
>

I don't see anything in the remoted code that cares about the facility. If the IP isn't allowed, there should be a log message.

If you don't have the <logall> option set to "yes," it might be worth turning it on to see if the messages make it to the archives.log file.

Nate

Oct 29, 2019, 9:11:08 AM
to ossec-list
The ASA firewall's IP that sent data to OSSEC was listed in the ossec.conf's <allowed-ips>. I set <logall> to yes as well, and tailed and grepped the log to find the events by the word ASA or the source IP, but nothing showed up despite tcpdump showing they hit the OSSEC server NIC.

I ended up standing up rsyslogd to accept remote syslogs, whitelisted the IPs from the ossec.conf, shut down the OSSEC syslog service and had OSSEC monitor the rsyslog.log. I was able to get those ASA events (and all others) into OSSEC.