I cannot monitor my ASA 5520 by using OSSEC


Network Infrastructure

Feb 5, 2015, 9:11:33 PM
to ossec...@googlegroups.com
I have configured OSSEC to monitor my ASA 5520 but I cannot see anything 

In ASA 5520, I enable syslog server to send syslog to my OSSEC


In OSSEC, in /var/ossec/etc/ossec.conf, I configured:

<ossec_config>

<remote> 
  <connection>syslog</connection> 
  <allowed-ips>IP_OF_CISCO_DEVICE</allowed-ips> 
</remote>
<global>
  <logall>yes</logall>
</global>

</ossec_config>

Then I restart ossec services but I cannot see anything.


Help me please ...

Craig Lawson

Feb 6, 2015, 6:27:38 AM
to ossec...@googlegroups.com
Does this help? I seem to remember going through this guide before.


C

dan (ddp)

Feb 6, 2015, 7:11:51 AM
to ossec...@googlegroups.com
On Thu, Feb 5, 2015 at 9:11 PM, Network Infrastructure
<panhat...@gmail.com> wrote:
> I have configured OSSEC to monitor my ASA 5520 but I cannot see anything
>
> In ASA 5520, I enable syslog server to send syslog to my OSSEC
>
>
> In OSSEC, in /var/ossec/etc/ossec.conf, I configured:
>
> <ossec_config>
>
> <remote>
> <connection>syslog</connection>
> <allowed-ips>IP_OF_CISCO_DEVICE</allowed-ips>

I hope you put the actual IP address here instead of IP_OF_CISCO_DEVICE.

> </remote>
> <global>
> <logall>yes</logall>

Since you have the logall option enabled, check
/var/ossec/logs/archives/archives.log for log messages from the cisco
device. If not, that's where we need to start looking. You can also
use tcpdump to ensure that the cisco device is sending logs to OSSEC.

> </global>
>
> </ossec_config>
>
> Then I restart ossec services but I cannot see anything.
>

Based on previous messages it sounds like you're expecting to see all
of the log messages in the web gui. You're not going to see all of the
log messages in the web gui. The web gui displays the alerts generated
by OSSEC. If the log messages you are sending to OSSEC are not
generating alerts, there is nothing to see. To make sure there are
alerts that you should be seeing, you can check
/var/ossec/logs/alerts/alerts.log.


So, what are your expectations?
What do you expect to see?


>
> Help me please ...
>

Network Infrastructure

Feb 6, 2015, 11:28:28 AM
to ossec...@googlegroups.com
In the folder:
/var/ossec/logs/archives/archives.log
/var/ossec/logs/alerts/alerts.log

I cannot see any change. So what's wrong?

dan (ddp)

Feb 6, 2015, 11:34:12 AM
to ossec...@googlegroups.com
On Fri, Feb 6, 2015 at 11:28 AM, Network Infrastructure
<panhat...@gmail.com> wrote:
> In the folder:
> /var/ossec/logs/archives/archives.log
> /var/ossec/logs/alerts/alerts.log
>
> I cannot see any change. So what's wrong?
>

I have to assume this means you are not seeing log messages from the
cisco device in /var/ossec/logs/archives/archives.log. If that's the
case:
Use tcpdump to make sure the logs are being sent from the cisco device:
`tcpdump -i NETWORK_INTERFACE_NAME -nn port 514 and host IP_OF_CISCO_DEVICE`
You should see traffic from the cisco device to the OSSEC manager. If
not, you'll have to look at the settings on your Cisco device to
determine why it isn't sending logs.

If you do see traffic, make sure ossec-remoted is running.
Make sure it's listening on port 514.



Brent Morris

Feb 9, 2015, 11:51:19 AM
to ossec...@googlegroups.com
It'd also help to see the commands you sent to the ASA for syslogging.

sh run log
or sh run | inc log

Network Infrastructure

Feb 11, 2015, 1:50:00 AM
to ossec...@googlegroups.com
This is the message when I use the command:

but it doesn't work

ASA5520# sh run log
logging enable
logging asdm informational
logging host inside 192.168.10.11
ASA5520# sh run | inc log
 service-object tcp eq klogin
 service-object tcp eq login
 service-object udp eq syslog
 service-object udp eq syslog
 service-object udp eq syslog
logging enable
logging asdm informational
logging host inside 192.168.10.11



Network Infrastructure

Feb 11, 2015, 2:00:40 AM
to ossec...@googlegroups.com
When I use the command you tell me, it shows messages like these:

#tcpdump -i inside -nn 514 192.168.10.1
.................
..................



Eero Volotinen

Feb 11, 2015, 5:26:46 AM
to ossec-list

You need to enable logging to the syslog server first. The command is like logging trap <syslog-level>
Example:

conf t
logging trap notifications
wr

br,
Eero

dan (ddp)

Feb 11, 2015, 8:42:21 AM
to ossec...@googlegroups.com
On Wed, Feb 11, 2015 at 2:00 AM, Network Infrastructure
<panhat...@gmail.com> wrote:
> When I use the command you tell me, it shows messages like these:
>
> #tcpdump -i inside -nn 514 192.168.10.1

That's not the command I gave you.
`tcpdump -i inside -nn port 514 and host 192.168.10.1`

You should be running this on the OSSEC manager.

> .................
> ..................

Brent Morris

Feb 11, 2015, 9:39:42 AM
to ossec...@googlegroups.com, eero.vo...@iki.fi
Bingo!  Your ASA is not configured properly for logging.

ssh to the device and login
enable
(enter password)
config t
logging trap debugging
exit
write mem
exit

If debugging is too much info, you can lower it to notifications as in Eero's example.

But you're never going to see your ASA logging if you don't configure it to send to an external server.

Documentation from Cisco.

Using CLI

Network Infrastructure

Feb 11, 2015, 10:40:49 PM
to ossec...@googlegroups.com
When I checked in ossec.log I see message that:

Remote syslog allowed from: 192.168.10.1
.....................
.....................
ERROR: Unable to bind port 514



Network Infrastructure

Feb 11, 2015, 11:06:22 PM
to ossec...@googlegroups.com
When I open ossec.log I saw that:

Remote syslog allowed from: '192.168.10.1'
Error: Unable to bind port '514'


Eero Volotinen

Feb 12, 2015, 2:12:32 AM
to ossec-list
2015-02-12 6:06 GMT+02:00 Network Infrastructure <panhat...@gmail.com>:
> When I open ossec.log I saw that:
>
> Remote syslog allowed from: '192.168.10.1'
> Error: Unable to bind port '514'

Is syslog already using that port?

--
Eero 

Network Infrastructure

Feb 12, 2015, 3:18:56 AM
to ossec...@googlegroups.com
I don't know about this problem 



Eero Volotinen

Feb 12, 2015, 3:27:10 AM
to ossec-list
2015-02-12 10:18 GMT+02:00 Network Infrastructure <panhat...@gmail.com>:
> I don't know about this problem

You cannot run two services (daemons) on the same port. You need to reconfigure syslog and/or disable and stop it.

--
Eero 

Network Infrastructure

Feb 12, 2015, 3:47:44 AM
to ossec...@googlegroups.com
Can you guide me to config it?



Eero Volotinen

Feb 12, 2015, 3:54:45 AM
to ossec-list
2015-02-12 10:47 GMT+02:00 Network Infrastructure <panhat...@gmail.com>:
> Can you guide me to config it?

No, you need to use google to find instructions to do that.

--
Eero 

dan (ddp)

Feb 12, 2015, 8:06:46 AM
to ossec...@googlegroups.com
On Wed, Feb 11, 2015 at 11:06 PM, Network Infrastructure
<panhat...@gmail.com> wrote:
> When I open ossec.log I saw that:
>
> Remote syslog allowed from: '192.168.10.1'
> Error: Unable to bind port '514'
>

It looks like your syslogd is currently bound to that port. You can
either make it stop doing this, or configure OSSEC to use another
port.

To make OSSEC use another port:

<remote>
<connection>syslog</connection>
<port>2514</port>
<allowed-ips>192.168.10.1</allowed-ips>
<local_ip>IP_ADDRESS_OF_THE_OSSEC_MANAGER</local_ip>
</remote>

After changing the syslog remote section to match the above (CHANGING
THE IP_ADDRESS_OF_THE_OSSEC_MANAGER to the actual IP address of the
OSSEC manager), restart the OSSEC processes on the manager.

I don't know if you need to delete the logging host from the cisco asa
device, but adding it should be something like:
logging host inside 192.168.10.11 udp/2514



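A pre-restart check for the `<remote>` syslog block discussed above, written as an added example that is not part of the thread or of OSSEC itself: it parses the block, confirms the sending device's address is covered by `allowed-ips`, and tests whether the UDP port can be bound. The function names and sample blocks are constructed for illustration, and treating 514 as the port when `<port>` is absent is an assumption.

```python
import errno
import ipaddress
import socket
import xml.etree.ElementTree as ET


def check_remote_block(xml_text, sender_ip):
    """Return a list of problems in an OSSEC <remote> syslog block.

    sender_ip is the address the device's packets arrive from
    (the source address tcpdump shows on the manager).
    """
    try:
        remote = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        # A missing "/" or ">" lands here; nothing else can be checked.
        return [f"malformed XML: {exc}"]

    problems = []
    if (remote.findtext("connection") or "").strip() != "syslog":
        problems.append("connection is not 'syslog'")

    # Assumption: 514 is the listener's port when <port> is absent.
    port = (remote.findtext("port") or "514").strip()
    if not port.isdigit() or not 0 < int(port) < 65536:
        problems.append(f"invalid port {port!r}")

    allowed = []
    for el in remote.findall("allowed-ips"):
        text = (el.text or "").strip()
        try:
            allowed.append(ipaddress.ip_network(text, strict=False))
        except ValueError:
            problems.append(f"invalid allowed-ips value {text!r}")

    if not any(ipaddress.ip_address(sender_ip) in net for net in allowed):
        problems.append(f"sender {sender_ip} is not covered by allowed-ips")
    return problems


def udp_port_state(ip, port):
    """Try to bind ip:port over UDP, as a syslog listener would."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        sock.bind((ip, port))
        return "free"
    except OSError as exc:
        if exc.errno == errno.EADDRINUSE:
            return "in use by another process"
        if exc.errno == errno.EACCES:
            return "permission denied (low ports usually need root)"
        return f"bind failed: {exc}"
    finally:
        sock.close()


# Constructed samples, not taken from a real manager.
TEMPLATE = """<remote>
  <connection>syslog</connection>
  <port>2514</port>
  {allowed}
</remote>"""
BROKEN = TEMPLATE.format(allowed="<allowed-ips>192.168.11.1<allowed-ips>")
WRONG_IP = TEMPLATE.format(allowed="<allowed-ips>192.168.11.1</allowed-ips>")
GOOD = TEMPLATE.format(allowed="<allowed-ips>192.168.10.1</allowed-ips>")

if __name__ == "__main__":
    for name, cfg in (("BROKEN", BROKEN), ("WRONG_IP", WRONG_IP), ("GOOD", GOOD)):
        print(name, check_remote_block(cfg, "192.168.10.1"))
    print("UDP 127.0.0.1:2514 is", udp_port_state("127.0.0.1", 2514))
```

Run the port check on the manager while OSSEC is stopped; with ossec-remoted already running, "in use" is the expected answer for its own port.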
Network Infrastructure

Feb 12, 2015, 11:48:13 AM
to ossec...@googlegroups.com
<remote>
  <connection>syslog</connection>
  <port>2514</port>
  <allowed-ips>192.168.11.1<allowed-ips>
  <local_ip>192.168.11.11</local_ip>
</remote>

After config it, I restart ossec but it doesn't show anything.
I look at it in /var/ossec/logs/archives/archives.log



dan (ddp)

Feb 12, 2015, 11:55:18 AM
to ossec...@googlegroups.com
On Thu, Feb 12, 2015 at 11:48 AM, Network Infrastructure
<panhat...@gmail.com> wrote:
> <remote>
> <connection>syslog</connection>
> <port>2514</port>
> <allowed-ips>192.168.11.1<allowed-ips>
> <local_ip>192.168.11.11</local_ip>
> </remote>
>
> After config it, I restart ossec but it doesn't show anything.
> I look at it in /var/ossec/logs/archives/archives.log
>

Did you change the settings on the Cisco device to use the new port?
If not, do that.


Network Infrastructure

Feb 12, 2015, 11:59:57 AM
to ossec...@googlegroups.com
yes, I change syslog server to use port 2514 too



dan (ddp)

Feb 12, 2015, 12:08:09 PM
to ossec...@googlegroups.com
On Thu, Feb 12, 2015 at 11:59 AM, Network Infrastructure
<panhat...@gmail.com> wrote:
> yes, I change syslog server to use port 2514 too
>

I don't know what you mean.

If you changed the destination for the logs from the cisco asa run
this on the ossec manager:
`tcpdump -i ETHERNET_INTERFACE -Xxnnnevvvs 0 port 2514 and host 192.168.11.1`
Obviously change the ETHERNET_INTERFACE to the name of the active
ethernet interface on the OSSEC manager.

If you see traffic, you successfully changed the setting on the cisco
asa device. If you do not see traffic you either have no logs or have
not succeeded in changing that setting.

Network Infrastructure

Feb 12, 2015, 8:32:35 PM
to ossec...@googlegroups.com
When I type in ossec manager: tcpdump -i inside -Xxnnnevvvs 0 port 2514 192.168.11.1 and I also type: tcpdump -i inside -Xxnnnevvvs 0 2514 192.168.11.1

and it shows the message:

tcpdump: inside: No such device exists
(SIOGIFHWADDR: No such device)


Network Infrastructure

Feb 12, 2015, 8:43:59 PM
to ossec...@googlegroups.com
When I checked it in /var/ossec/logs/ossec.log I see that:


remote syslog allowed from: '192.168.10.1'

So, I think we have a problem with the decoder file.


dan (ddp)

Feb 12, 2015, 8:57:39 PM
to ossec...@googlegroups.com

This is starting to border on the absurd. Do you have any linux experience?

On Feb 12, 2015 8:50 PM, "Network Infrastructure" <panhat...@gmail.com> wrote:
>
> When I type in ossec manager: tcpdump -i inside -Xxnnnevvvs 0 port 2514 192.168.11.1 and I also type: tcpdump -i inside -Xxnnnevvvs 0 2514 192.168.11.1
>

You took out the "host" I had provided for you.

> and it shows the message:
>
> tcpdump: inside: No such device exists
> (SIOGIFHWADDR: No such device)
>

You used the wrong interface name. Please give me the output of:
`ifconfig -a`

OSSEC is not a turnkey solution, it will require maintenance. So far your technical prowess does not instill confidence.


dan (ddp)

Feb 12, 2015, 8:59:06 PM
to ossec...@googlegroups.com


On Feb 12, 2015 8:50 PM, "Network Infrastructure" <panhat...@gmail.com> wrote:
>

> When I checked it in /var/ossec/logs/ossec.log I see that:
>
>
> remote syslog allowed from: '192.168.10.1'
>

That was the ip you gave it in the ossec.conf. I believe that should be the ip of your asa device. If it is not, please give me the ip of your asa device so I can give you the configuration you should use.

> So, I think we have a problem with the decoder file.
>

No, that's absurd. The decoder.xml has nothing to do with this. Are you trolling?


Network Infrastructure

Feb 12, 2015, 9:24:56 PM
to ossec...@googlegroups.com
IP 192.168.10.1 is the ip of my asa

dan (ddp)

Feb 13, 2015, 9:01:38 AM
to ossec...@googlegroups.com
On Thu, Feb 12, 2015 at 9:24 PM, Network Infrastructure
<panhat...@gmail.com> wrote:
> IP 192.168.10.1 is the ip of my asa
>

Removing all of the context for your responses is kinda rude.
Did you run the ifconfig command on the OSSEC manager? If it isn't present, try:
`ip addr`

Network Infrastructure

Feb 13, 2015, 10:06:38 AM
to ossec...@googlegroups.com
When I run ifconfig it shows my ossec manager IP address eth0 and loopback.


help me!
I really need it.

dan (ddp)

Feb 13, 2015, 10:09:07 AM
to ossec...@googlegroups.com
On Fri, Feb 13, 2015 at 10:06 AM, Network Infrastructure
<panhat...@gmail.com> wrote:
> When I run ifconfig it shows my ossec manager IP address eth0 and loopback.
>

eth0 it is.

So run:
`tcpdump -i eth0 -nnXxevvvs 0 port 2514 and host 192.168.10.1`
on the OSSEC manager. This should show you syslog packets from the ASA
device. If it does not, you don't have your ASA device properly
configured.


>
> help me!
> I really need it.

Network Infrastructure

Feb 13, 2015, 10:10:03 AM
to ossec...@googlegroups.com
I am sorry, if i make a mistake because i don't know much about English.

Network Infrastructure

Feb 13, 2015, 10:43:58 AM
to ossec...@googlegroups.com
I don't see anything but I think I config my ASA working properly.
Sir, can you show me how to config my ASA to send syslog to Ossec manager and also show me how to configure access list (ACL)

Eero Volotinen

Feb 13, 2015, 11:24:11 AM
to ossec-list
2015-02-13 17:43 GMT+02:00 Network Infrastructure <panhat...@gmail.com>:
> I don't see anything but I think I config my ASA working properly.


dan (ddp)

Feb 13, 2015, 12:43:40 PM
to ossec...@googlegroups.com
On Fri, Feb 13, 2015 at 10:43 AM, Network Infrastructure
<panhat...@gmail.com> wrote:
> I don't see anything but I think I config my ASA working properly.

Did you verify that there were log messages created while running
tcpdump? Maybe try running the tcpdump command on the manager and
login to the ASA.

> Sir, can you show me how to config my ASA to send syslog to Ossec manager
> and also show me how to configure access list (ACL)
>

Any configuration help I give you would be gathered from google. There
was already some help provided earlier in the thread. I don't think I
have anything further to add.


Network Infrastructure

Feb 14, 2015, 5:18:50 AM
to ossec...@googlegroups.com
When I re-install new ossec manager and I run `tcpdump -i eth0 -nnXxevvvs 0 port 2514 and host 192.168.10.1`

It shows the message:

tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture site 65535 byte.

So what does it mean?

Craig Lawson

Feb 15, 2015, 11:17:06 AM
to ossec...@googlegroups.com

Seriously... Google is your friend, not your enemy... :-)

But it means tcpdump is in a state where it is capturing traffic. If you don't see anything on screen after that and logs are DEFINITELY being generated on your asa, then the asa isn't sending syslog messages to the ip of the OSSEC manager.

I think you need to start considering hiring someone with more experience in this, or looking at providers who you can pay for this kind of service, because once (if) you get it all going the amount of logs generated will blow your mind.



dan (ddp)

Feb 16, 2015, 9:39:38 AM
to ossec...@googlegroups.com
On Sat, Feb 14, 2015 at 5:18 AM, Network Infrastructure
<panhat...@gmail.com> wrote:
> When I re-install new ossec manager and I run `tcpdump -i eth0 -nnXxevvvs 0
> port 2514 and host 192.168.10.1`
>
> It shows the message:
>
> tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture site 65535
> byte.
>
> So what does it mean?
>

It means that tcpdump is listening to the network, waiting for packets
from or to 192.168.10.1 on port 2514.
