remote secure logging


Kyriakos Stavridis

Dec 5, 2019, 6:04:56 AM
to ossec-list
Hello everyone,

Let's say I have a firewall that I want to configure to send its logs to my OSSEC server.

I know that I can simply configure my firewall to send logs to my OSSEC server's IP, and configure the OSSEC server like this:

<remote>
    <connection>syslog</connection>
    <allowed-ips>{FIREWALL_IP}</allowed-ips>
</remote>

The thing is that this is an insecure connection and the logs are being sent unencrypted.

In OSSEC's documentation it states that there is also the <connection>secure</connection> option, which uses authentication and encryption for the logs and receives logs on port 1514.

I set my firewall to send remote logs to the OSSEC server's IP:1514, but I am not seeing the logs in archives.log (I checked the traffic on port 1514 and I do receive traffic from the firewall, although it's not logged).

So I guess that for the whole "secure" thing to work, it needs some kind of authentication, as I stated before.

My question is how do I actually configure that? On the firewall, and on the OSSEC server?

Any answers or suggestions are appreciated!

dan (ddp)

Dec 23, 2019, 8:07:59 AM
to ossec...@googlegroups.com
The secure option is for agents only. Syslog logging is only sent
unencrypted. If your firewall supports it, you could send it to a
syslog daemon using TLS and read the resulting files with OSSEC.

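One way to build what dan describes, as an added example that is not code from either poster or from the OSSEC project: rsyslog terminates the TLS connection from the firewall (mutual X.509 authentication, so only the firewall's certificate is accepted) and writes the messages to a file, and OSSEC tails that file with a <localfile> entry instead of a <remote> listener. Everything here is an assumption about the deployment: the config file name, the log path, the certificate paths under /etc/rsyslog.d/tls/, the firewall's certificate CN and TCP port 6514 are placeholders to adjust.

```shell
#!/bin/sh
# Added example, not from the thread: receive the firewall's syslog over TLS with
# rsyslog and let OSSEC read the resulting file. Assumes rsyslog with the gtls
# netstream driver, a CA plus server cert/key already issued under the
# placeholder directory /etc/rsyslog.d/tls/, and OSSEC installed in /var/ossec.
set -eu

RSYSLOG_CONF="${RSYSLOG_CONF:-/etc/rsyslog.d/10-firewall-tls.conf}"  # placeholder
LOGFILE="${LOGFILE:-/var/log/firewall/firewall.log}"                 # placeholder
OSSEC_CONF="${OSSEC_CONF:-/var/ossec/etc/ossec.conf}"
TLS_PORT="${TLS_PORT:-6514}"                                         # syslog-over-TLS port
FIREWALL_CN="${FIREWALL_CN:-firewall.example.internal}"              # CN of the firewall's client cert (placeholder)

# rsyslog receiver: TLS (gtls driver, mode 1), mutual x509 authentication, and
# only a peer whose certificate name matches the firewall is accepted. Every
# message the listener receives goes to one file that OSSEC will tail.
rsyslog_config() {
  cat <<EOF
global(
  DefaultNetstreamDriver="gtls"
  DefaultNetstreamDriverCAFile="/etc/rsyslog.d/tls/ca.pem"
  DefaultNetstreamDriverCertFile="/etc/rsyslog.d/tls/server-cert.pem"
  DefaultNetstreamDriverKeyFile="/etc/rsyslog.d/tls/server-key.pem"
)
module(load="imtcp"
       StreamDriver.Name="gtls"
       StreamDriver.Mode="1"
       StreamDriver.AuthMode="x509/name"
       PermittedPeer=["$FIREWALL_CN"])
input(type="imtcp" port="$TLS_PORT" ruleset="firewall")
ruleset(name="firewall") {
  action(type="omfile" file="$LOGFILE")
}
EOF
}

# OSSEC side: no <remote> block is needed for this path; logcollector simply
# reads the file rsyslog writes. OSSEC accepts more than one <ossec_config>
# element, so this fragment can be appended to ossec.conf as-is.
ossec_localfile() {
  cat <<EOF
<ossec_config>
  <localfile>
    <log_format>syslog</log_format>
    <location>$LOGFILE</location>
  </localfile>
</ossec_config>
EOF
}

# Write both files and restart the daemons. Needs root; only runs when the
# script is invoked with the "install" argument.
install_configs() {
  mkdir -p "$(dirname "$LOGFILE")"
  rsyslog_config > "$RSYSLOG_CONF"
  ossec_localfile >> "$OSSEC_CONF"
  rsyslogd -N1                        # syntax-check the new rsyslog configuration
  systemctl restart rsyslog
  /var/ossec/bin/ossec-control restart
}

if [ "${1:-}" = "install" ]; then
  install_configs
fi
```

Run it as root with the `install` argument, then point the firewall at the OSSEC host on TCP/6514 with TLS and its client certificate. Two checks worth doing afterwards: `rsyslogd -N1` reports any mistake in the listener config before rsyslog is restarted, and the file at the <location> path should start growing as soon as the firewall connects. Note also that OSSEC only writes every received event to archives.log when `<logall>yes</logall>` is set in the `<global>` section of ossec.conf; without it, only events that match an alerting rule show up, in alerts.log.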