Trouble configuring syslog for log collection on server side

LulzSecurity

Dec 16, 2013, 8:39:22 AM
to ossec...@googlegroups.com
hi guys,
i have 2 VMs on an Internal Network with these IPs: 192.168.1.100 (Server) | 192.168.1.101 (Windows Client)
the server is ubuntu 13.10, and the client is windows 8.1 enterprise, both are fully functional.
my agent is installed and works properly when i get the status of my agent:
$ ./agent_control -l
OSSEC HIDS agent_control. List of available agents:
   ID: 000, Name: XXX (server), IP: 127.0.0.1, Active/Local
   ID: 004, Name: Windows8.1, IP: 192.168.1.101, Active
now i want to configure my windows client to send all its data to the server for collection, parsing and then sending it to elasticsearch for easy access and search.
the problem is that i configured the windows client and it is probably sending everything but on my server it says:

2013/12/15 16:42:23 ossec-csyslogd: DEBUG: Starting ...
2013/12/15 16:42:23 ossec-csyslogd: INFO: Remote syslog server not configured. Clean exit.

i don't know what it means or what i should do...

the windows logs are below :

2013/12/15 04:17:47 ossec-agent: INFO: Real time file monitoring started.
2013/12/15 04:17:47 ossec-agent: INFO: Finished creating syscheck database (pre-scan completed).
2013/12/15 04:17:57 ossec-agent: INFO: Ending syscheck scan (forwarding database).
2013/12/15 04:18:17 ossec-agent: INFO: Starting rootcheck scan.
2013/12/15 04:18:22 ossec-agent: INFO: Ending rootcheck scan.
2013/12/15 04:25:30 ossec-agent Sending keep alive message....
2013/12/15 04:34:13 ossec-agent Sending keep alive message....
2013/12/15 04:38:35 ossec-agent More than 600 seconds without server response...sending win32info
2013/12/15 04:38:35 ossec-agent Sending keep alive message....
2013/12/15 04:38:36 ossec-agent Sending keep alive message....
2013/12/15 04:47:20 ossec-agent Sending keep alive message....
2013/12/15 04:56:04 ossec-agent Sending keep alive message....
2013/12/15 05:04:47 ossec-agent Sending keep alive message....
2013/12/15 05:09:09 ossec-agent More than 600 seconds without server response...sending win32info
2013/12/15 05:09:09 ossec-agent Sending keep alive message....
2013/12/15 05:09:10 ossec-agent Sending keep alive message....
2013/12/15 05:17:55 ossec-agent Sending keep alive message....
2013/12/15 05:26:39 ossec-agent Sending keep alive message.... 
it seems that it's working properly... i then restarted the agent and here is the rest:
2013/12/15 05:33:23 ossec-agent: INFO: Started (pid: 11376).
2013/12/15 05:33:24 ossec-agent(4102): INFO: Connected to the server (192.168.1.100:1514).
2013/12/15 05:33:24 ossec-agent Sending keep alive message....
2013/12/15 05:33:24 ossec-agent(1951): INFO: Analyzing event log: 'Application'.
2013/12/15 05:33:24 ossec-agent(1951): INFO: Analyzing event log: 'Security'.
2013/12/15 05:33:24 ossec-agent(1951): INFO: Analyzing event log: 'System'.
2013/12/15 05:33:24 ossec-agent: INFO: Started (pid: 11376).
this is how i configured it to connect to the server for LOGS:

<ossec_config>
<syslog_output>
<server>192.168.1.100</server>
<port>514</port>
<format>cef</format>
</syslog_output>
</ossec_config>
 
and this is the config on my server which i'm almost sure is wrong but i really don't know what i have to do anymore:
 
<ossec_config>
    <remote>
        <connection>syslog</connection>
        <port>514</port>
        <protocol>udp</protocol>
    </remote>
</ossec_config>
i don't understand the concept here, whether i should use Local or Server settings for the collector server.

my ossec status is :
$ ./ossec-control status
ossec-monitord is running...
ossec-logcollector is running...
ossec-remoted is running...
ossec-syscheckd is running...
ossec-analysisd is running...
ossec-maild not running...
ossec-execd is running...
ossec-csyslogd not running...

 
which shows that my logging program is not working, which is why i'm here. if u need any more information let me know, i'm really desperate.. i would appreciate it if u share ur thoughts.
tnx

dan (ddp)

Dec 16, 2013, 8:59:04 AM
to ossec...@googlegroups.com
On Mon, Dec 16, 2013 at 8:39 AM, LulzSecurity
<aria.shi...@gmail.com> wrote:
> hi guys,
> i have 2 VMs with Internal Network set with these IPs : 192.168.1.100
> (Server) | 192.168.1.101 (Windows Client)
> the server is a ubuntu 13.10 , and the client is windows 8.1 enterprise ,
> both are fully functional.
> my agent is installed and works properly when i get the status of my agent :
>>
>> $ ./agent_control -l
>>
>> OSSEC HIDS agent_control. List of available agents:
>> ID: 000, Name: XXX (server), IP: 127.0.0.1, Active/Local
>> ID: 004, Name: Windows8.1, IP: 192.168.1.101, Active
>
> now i want to configure my windows client to send all its data to the server
> for collection, parsing and then sending it to elasticsearch for easy
> access and search.
> the problem is that i configured the windows client and it is probably sending
> everything but on my server it says :
>
>> 2013/12/15 16:42:23 ossec-csyslogd: DEBUG: Starting ...
>> 2013/12/15 16:42:23 ossec-csyslogd: INFO: Remote syslog server not
>> configured. Clean exit.
>

ossec-csyslogd shouldn't be used on an agent. It's for sending alerts,
not logs, to a syslog daemon.

If you want to send all of the agent's logs to elasticsearch, you will
have to use another application to do that. The OSSEC agent only sends
the data to the OSSEC server.
This is for client syslog (ossec-csyslogd), and does not belong on an
agent system. If you want to use syslog instead of OSSEC's secure log
transport, install a syslog daemon on the agent.

>
> and this is the config log on my server which i'm almost sure is wrong but i
> really dont know what i have to do anymore :
>
>>
>> <ossec_config>
>> <remote>
>> <connection>syslog</connection>
>> <port>514</port>
>> <protocol>udp</protocol>
>> </remote>
>> </ossec_config>
>

This is ossec-remoted configuration, not client syslog (ossec-csyslogd).

> i don't understand the concept here, whether i should use Local or Server
> settings for the collector server.
>
> my ossec status is :
>>
>> $ ./ossec-control status
>> ossec-monitord is running...
>> ossec-logcollector is running...
>> ossec-remoted is running...
>> ossec-syscheckd is running...
>> ossec-analysisd is running...
>> ossec-maild not running...
>> ossec-execd is running...
>> ossec-csyslogd not running...
>
>
>
> which shows that my logging program is not working, which is why i'm here. if
> u need any more information let me know, i'm really desperate.. i would
> appreciate it if u share ur thoughts.
> tnx
>

I think you need to break this down into separate problems:
1. Agent <> server communication - Is the OSSEC server receiving the
logs from the agent? Is it alerting properly?
2. ??? -> elastic search - What do you want going to EL? What do you
need to accomplish this?


Aria Shishegaran

Dec 17, 2013, 6:24:31 AM
to ossec...@googlegroups.com
1 - i don't understand your point when u say ossec-csyslogd should be run on an agent.
2 - if i want to send the data to my ossec server (ubuntu 13.10) what should it do?
3 - i don't understand the concept u r referring to when u make a difference between an agent and a client, i mean we should install agents on clients, isn't that right?
4 - by saying install a syslog daemon u mean installing syslog-ng application and similar?
5 - where u mentioned that this is my ossec-remoted configuration, i believe it was totally wrong for a server
ANSWER TO UR Qs:
1 - well i donno exactly what u mean, but if u mean here, yeah it's working : var/ossec/logs/alerts/alerts.log
here are 2 of many alerts generated:
** Alert 1387145814.0: - windows,authentication_success,
2013 Dec 16 01:46:54 (Windows8.1) 192.168.1.101->WinEvtLog
Rule: 18107 (level 3) -> 'Windows Logon Success.'
User: (no user)
WinEvtLog: Security: AUDIT_SUCCESS(4624): Microsoft-Windows-Security-Auditing$

** Alert 1387145893.1440: - windows,system_error,
2013 Dec 16 01:48:13 (Windows8.1) 192.168.1.101->WinEvtLog
Rule: 18103 (level 5) -> 'Windows error event.'
User: (no user)
WinEvtLog: System: ERROR(36): volsnap: (no user): no domain: Test: The shadow$

2 - elastic search? i'm involved in a Security Operations Center project, i'm collecting logs and making them as readable and understandable as possible besides correlation. i need it to be parsed, indexed and searchable, while accessible from a browser and WUI, and i need diagrams and charts, a SIEM solution like splunk but not splunk :D. do you have a better solution? i would be glad to hear about it.

***i have a big problem understanding the mechanism used in ossec and the documentation lacks useful solutions and examples. I appreciate ur time Dan. what i'm mainly looking for is a powerful and smart log collector, powerful with collecting, correlating and sending and smart with where to look for logs. i know ossec is a very good option but i have a problem with collecting them as i mentioned above. u said that i could use a log collection daemon and send all data to a log server, but where to parse them? where to index them? i lack the bigger picture for my design, i need help to better understand this.

dan (ddp)

Dec 17, 2013, 9:52:07 AM
to ossec...@googlegroups.com
On Tue, Dec 17, 2013 at 6:24 AM, Aria Shishegaran
<aria.shi...@gmail.com> wrote:
> 1 - i don't understand your point when u say ossec-csyslogd should be run on
> an agent.

That is not what I said (meant?). ossec-csyslogd should NOT be run on
an agent. ossec-csyslogd sends OSSEC alerts to a listening syslog
daemon. OSSEC agents are unaware of OSSEC alerts (they do not produce
or process OSSEC alerts), so ossec-csyslogd is useless on an agent.

> 2 - if i want to send the data to my ossec server (ubuntu 13.10) what should
> it do?

What is "it?" If you mean ossec-csyslogd, nothing. It does nothing to
assist you in this goal.
ossec-agentd can send the data (using the "secure" protocol), or you
can configure a syslog daemon on the system to send the logs to the
OSSEC server via syslog.

> 3 - i don't understand the concept u r referring to when u make a difference
> between an agent and a client, i mean we should install agents on clients,
> isn't that right?

The only time I use the term "client" is in reference to
ossec-csyslogd. The "c" in csyslogd stands for client, it is a "client
syslog daemon." I refer to the system running OSSEC, reporting to an
OSSEC server, as an agent.

> 4 - by saying install a syslog daemon u mean installing syslog-ng
> application and similar?

Possibly, I don't remember the context.

> 5 - where u mentioned that this is my ossec-remoted configuration, i believe
> it was totally wrong for a server

I don't understand. IIRC, the section of config this was referring to
was a <remote> configuration. <remote> belongs on the server only. It
has no meaning on an agent, since agents do not run ossec-remoted.

> ANSWER TO UR Qs:
> 1 - well i donno exactly what u mean, but if u mean here, yeah it's working
> : var/ossec/logs/alerts/alerts.log
> here's 2 of many alerts generated :
> ** Alert 1387145814.0: - windows,authentication_success,
> 2013 Dec 16 01:46:54 (Windows8.1) 192.168.1.101->WinEvtLog
> Rule: 18107 (level 3) -> 'Windows Logon Success.'
> User: (no user)
> WinEvtLog: Security: AUDIT_SUCCESS(4624):
> Microsoft-Windows-Security-Auditing$
>
> ** Alert 1387145893.1440: - windows,system_error,
> 2013 Dec 16 01:48:13 (Windows8.1) 192.168.1.101->WinEvtLog
> Rule: 18103 (level 5) -> 'Windows error event.'
> User: (no user)
> WinEvtLog: System: ERROR(36): volsnap: (no user): no domain: Test: The
> shadow$
>

I'm not entirely sure what question you were answering here. This
email is very confusing without context.

> 2 - elastic search? i'm involved in a Security Operations Center project,
> i'm collecting logs and making them as readable and understandable as
> possible besides correlation. i need it to be parsed, indexed and searchable,
> while accessible from a browser and WUI, and i need diagrams and charts, a SIEM
> solution like splunk but not splunk :D. do you have a better solution? i
> would be glad to hear about it.
>

Nope, elasticsearch could be fine. What question was this supposed to answer?

> ***i have a big problem understanding the mechanism used in ossec and the
> documentation lacks useful solutions and examples. I appreciate ur time Dan.

We are always looking for help with the documentation. Very few people
are interested.

> what i'm mainly looking for is a powerful and smart log collector, powerful
> with collecting, correlating and sending and smart with where to look for
> logs. i know ossec is a very good option but i have a problem with
> collecting them as i mentioned above. u said that i could use a log
> collection daemon and send all data to a log server, but where to parse
> them? where to index them? i lack the bigger picture for my design, i
> need help to better understand this.
>

I think this goes beyond the scope of OSSEC. OSSEC's goal is to read
the logs and compare them to rules looking for suspicious behavior.
Using it to transport all of your logs from various systems to a
centralized system to an indexer is not really a goal of OSSEC. Using
those logs to create alerts, and forwarding the alerts on to an
indexer is simple. Beyond that, you're probably beyond the scope of
OSSEC.
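An added example, not from the thread or from the OSSEC project: a small Python parser that turns alerts.log blocks like the two quoted earlier in the thread into flat records that a bulk indexer such as Elasticsearch can ingest, which is the "forward the alerts to an indexer" step Dan calls simple. It assumes the alert layout visible in the thread (header line, source line, Rule line, optional User line, then the raw event) and uses a constructed copy of those two alerts as input.

```python
import json
import re

# Constructed sample input, shaped like the two alerts.log entries quoted in
# the thread (one alert per "** Alert" block, separated by a blank line).
SAMPLE_ALERTS = """\
** Alert 1387145814.0: - windows,authentication_success,
2013 Dec 16 01:46:54 (Windows8.1) 192.168.1.101->WinEvtLog
Rule: 18107 (level 3) -> 'Windows Logon Success.'
User: (no user)
WinEvtLog: Security: AUDIT_SUCCESS(4624): Microsoft-Windows-Security-Auditing$

** Alert 1387145893.1440: - windows,system_error,
2013 Dec 16 01:48:13 (Windows8.1) 192.168.1.101->WinEvtLog
Rule: 18103 (level 5) -> 'Windows error event.'
User: (no user)
WinEvtLog: System: ERROR(36): volsnap: (no user): no domain: Test: The shadow$
"""

HEADER_RE = re.compile(r"^\*\* Alert (?P<id>\d+\.\d+): (?:mail )?- (?P<groups>\S*)$")
SOURCE_RE = re.compile(r"^(?P<ts>\d{4} \w{3} \d{1,2} \d{2}:\d{2}:\d{2}) "
                       r"(?:\((?P<agent>[^)]+)\) )?(?P<src>\S+)->(?P<location>.+)$")
RULE_RE = re.compile(r"^Rule: (?P<rule>\d+) \(level (?P<level>\d+)\) -> '(?P<desc>.*)'$")


def parse_alert(block: str) -> dict:
    """Turn one '** Alert' block into a flat dict ready for JSON indexing."""
    lines = [ln.rstrip() for ln in block.splitlines() if ln.strip()]
    head, src, rule = (HEADER_RE.match(lines[0]), SOURCE_RE.match(lines[1]),
                       RULE_RE.match(lines[2]))
    if not (head and src and rule):
        raise ValueError("unrecognised alert block: " + lines[0])
    rec = {"alert_id": head["id"],
           "groups": [g for g in head["groups"].split(",") if g],
           "timestamp": src["ts"], "agent": src["agent"], "src": src["src"],
           "location": src["location"], "rule_id": int(rule["rule"]),
           "level": int(rule["level"]), "description": rule["desc"],
           "user": None, "full_log": ""}
    for extra in lines[3:]:  # optional 'User:' line, then the raw event text
        if extra.startswith("User: "):
            rec["user"] = extra[len("User: "):]
        else:
            rec["full_log"] = (rec["full_log"] + "\n" + extra).strip()
    return rec


def parse_alerts(text: str, min_level: int = 0) -> list:
    """Parse alerts.log text, keeping only alerts at or above min_level."""
    blocks = re.split(r"\n(?=\*\* Alert )", text.strip())
    return [a for a in map(parse_alert, blocks) if a["level"] >= min_level]
```

Printing `json.dumps(a)` for each record gives one JSON document per line, the shape a bulk indexer ingests; the `min_level` filter mirrors the level threshold OSSEC itself applies when deciding what to forward.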