[ossec-list] ossec 1501 error


Ko...@mnr.org

May 6, 2010, 9:54:35 AM5/6/10
to ossec...@googlegroups.com
Can anyone shed a little light on this error? Thank you.
 
ossec-remoted(1501): ERROR: No IP or network allowed in the access list for syslog. No reason for running it. Exiting
 
 
Christian L. Kovac
Sr Network Support Analyst
Information Technology & Project Management
Metro-North Railroad
Ko...@MNR.org
212-499-4642
 
THINK GREEN • Do you really need to print this e-mail?

dan (ddp)

May 6, 2010, 5:50:50 PM5/6/10
to ossec...@googlegroups.com
Do you have agents configured for that server?
Can you provide your ossec.conf?

Ko...@mnr.org

May 7, 2010, 8:43:13 AM5/7/10
to ossec...@googlegroups.com
Yes I do, thank you for your reply. I attached the ossec.conf file. I'm also trying to understand why my 550 local_rule is not running. Thanks again
 
 
<!-- OSSEC Win32 Agent Configuration.
  -  This file is composed of 3 main sections:
  -    - Client config - Settings to connect to the OSSEC server.
  -    - Localfile     - Files/Event logs to monitor.
  -    - syscheck      - System file/Registry entries to monitor.
  -->
 
<!-- READ ME FIRST. If you are configuring OSSEC for the first time,
  -  try to use the "Manage_Agent" tool. Go to control panel->OSSEC Agent
  -  to execute it.
  -
  -  First, add a server-ip entry with the real IP of your server.
  -  Second, and optionally, change the settings of the files you want
  -          to monitor. Look at our Manual and FAQ for more information.
  -  Third, start the Agent and enjoy.
  -
  -  Example of server-ip:
  -  <client> <server-ip>1.2.3.4</server-ip> </client>
  -->
 

<ossec_config>
 
   
 
  <!-- One entry for each file/Event log to monitor. -->
  <localfile>
    <location>Application</location>
    <log_format>eventlog</log_format>
  </localfile>
 
  <localfile>
    <location>Security</location>
    <log_format>eventlog</log_format>
  </localfile>
 
  <localfile>
    <location>System</location>
    <log_format>eventlog</log_format>
  </localfile>
 

  <!-- Rootcheck - Policy monitor config -->
  <rootcheck>
    <windows_audit>./shared/win_audit_rcl.txt</windows_audit>
    <windows_apps>./shared/win_applications_rcl.txt</windows_apps>
    <windows_malware>./shared/win_malware_rcl.txt</windows_malware>
  </rootcheck> 
 

   <!-- Syscheck - Integrity Checking config. -->
  <syscheck>
 
    <!-- Default frequency, every 20 hours. It doesn't need to be higher
      -  on most systems and once a day should be enough.
      -->
    <frequency>72000</frequency>   
    <alert_new_files>yes</alert_new_files>
    <auto_ignore>no</auto_ignore>
 
    <!-- By default it is disabled. In the Install you must choose
      -  to enable it.
      -->
    <disabled>no</disabled> 
 

    <!-- Default files to be monitored - system32 only. -->
    <directories check_all="yes">%WINDIR%/win.ini</directories>
    <directories check_all="yes">%WINDIR%/system.ini</directories>
    <directories check_all="yes">C:\autoexec.bat</directories>
    <directories check_all="yes">C:\config.sys</directories>
    <directories check_all="yes">C:\boot.ini</directories>
    <directories check_all="yes">%WINDIR%/System32/CONFIG.NT</directories>
    <directories check_all="yes">%WINDIR%/temp/</directories>
    <directories check_all="yes">%WINDIR%/System32/AUTOEXEC.NT</directories>
    <directories check_all="yes">%WINDIR%/System32/at.exe</directories>
    <directories check_all="yes">%WINDIR%/System32/attrib.exe</directories>
    <directories check_all="yes">%WINDIR%/System32/cacls.exe</directories>
    <directories check_all="yes">%WINDIR%/System32/debug.exe</directories>
    <directories check_all="yes">%WINDIR%/System32/drwatson.exe</directories>
    <directories check_all="yes">%WINDIR%/System32/drwtsn32.exe</directories>
    <directories check_all="yes">%WINDIR%/System32/edlin.exe</directories>
    <directories check_all="yes">%WINDIR%/System32/eventcreate.exe</directories>
    <directories check_all="yes">%WINDIR%/System32/eventtriggers.exe</directories>
    <directories check_all="yes">%WINDIR%/System32/ftp.exe</directories>
    <directories check_all="yes">%WINDIR%/System32/net.exe</directories>
    <directories check_all="yes">%WINDIR%/System32/net1.exe</directories>
    <directories check_all="yes">%WINDIR%/System32/netsh.exe</directories>
    <directories check_all="yes">%WINDIR%/System32/rcp.exe</directories>
    <directories check_all="yes">%WINDIR%/System32/reg.exe</directories>
    <directories check_all="yes">%WINDIR%/regedit.exe</directories>
    <directories check_all="yes">%WINDIR%/System32/regedt32.exe</directories>
    <directories check_all="yes">%WINDIR%/System32/regsvr32.exe</directories>
    <directories check_all="yes">%WINDIR%/System32/rexec.exe</directories>
    <directories check_all="yes">%WINDIR%/System32/rsh.exe</directories>
    <directories check_all="yes">%WINDIR%/System32/runas.exe</directories>
    <directories check_all="yes">%WINDIR%/System32/sc.exe</directories>
    <directories check_all="yes">%WINDIR%/System32/subst.exe</directories>
    <directories check_all="yes">%WINDIR%/System32/telnet.exe</directories>
    <directories check_all="yes">%WINDIR%/System32/tftp.exe</directories>
    <directories check_all="yes">%WINDIR%/System32/tlntsvr.exe</directories>
    <directories check_all="yes">%WINDIR%/System32/drivers/etc</directories>
    <directories check_all="yes">C:\Documents and Settings/All Users/Start Menu/Programs/Startup</directories>
    <ignore type="sregex">.log$|.htm$|.jpg$|.png$|.chm$|.pnf$|.evtx$</ignore>
 

    <!-- Windows registry entries to monitor. -->
    <windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\batfile</windows_registry>
    <windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\cmdfile</windows_registry>
    <windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\comfile</windows_registry>
    <windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\exefile</windows_registry>
    <windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\piffile</windows_registry>
    <windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\AllFilesystemObjects</windows_registry>
    <windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\Directory</windows_registry>
    <windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\Folder</windows_registry>
    <windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\Protocols</windows_registry>
    <windows_registry>HKEY_LOCAL_MACHINE\Software\Policies</windows_registry>
    <windows_registry>HKEY_LOCAL_MACHINE\Security</windows_registry>
    <windows_registry>HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer</windows_registry>
 

    <windows_registry>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services</windows_registry>
    <windows_registry>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\KnownDLLs</windows_registry>
    <windows_registry>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurePipeServers\winreg</windows_registry>
 
    <windows_registry>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run</windows_registry>
    <windows_registry>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce</windows_registry>
    <windows_registry>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnceEx</windows_registry>
    <windows_registry>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\URL</windows_registry>
    <windows_registry>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies</windows_registry>
    <windows_registry>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows</windows_registry>
    <windows_registry>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon</windows_registry>
 
    <windows_registry>HKEY_LOCAL_MACHINE\Software\Microsoft\Active Setup\Installed Components</windows_registry>
 
 
 
    <!-- Windows registry entries to ignore. -->
    <registry_ignore>HKEY_LOCAL_MACHINE\Security\Policy\Secrets</registry_ignore>
    <registry_ignore>HKEY_LOCAL_MACHINE\Security\SAM\Domains\Account\Users</registry_ignore>
    <registry_ignore type="sregex">\Enum$</registry_ignore>
  </syscheck>   
 
  <active-response>
    <disabled>yes</disabled>
  </active-response>
 
  </ossec_config>
 
 
 

<!-- END of Default Configuration. -->
 

 <ossec_config>
   <client>
      <server-ip>172.27.1.12</server-ip>
   </client>
 </ossec_config>



dan (ddp)

May 7, 2010, 3:02:54 PM5/7/10
to ossec...@googlegroups.com
Was the error in your original message on the server or the client? If
it was on the server, could you send the server's ossec.conf?

Michael Starks

May 13, 2010, 9:35:35 PM5/13/10
to ossec...@googlegroups.com
Ko...@MNR.ORG wrote:
> Can anyone shed a little light on this error. Thank You
>
> ossec-remoted(1501): ERROR: No IP or network allowed in the access list
> for syslog. No reason for running it. Exiting

Hello Christian,

ossec-remoted will only run syslog if you have defined allowed-ips. For
example:

<remote>
<connection>syslog</connection>
<allowed-ips>172.16.0.1</allowed-ips>
<allowed-ips>10.0.0.0/16</allowed-ips>
</remote>

--
Michael Starks
[I] Immutable Security
http://www.immutablesecurity.com
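A quick check for the condition Michael describes, as an added example that is not part of this thread or of the OSSEC project: a Python script that parses a server ossec.conf (wrapping it in a synthetic root first, since OSSEC accepts several top-level <ossec_config> elements, as the agent config posted above shows) and reports every <remote> block with <connection>syslog</connection> that has no <allowed-ips> entry, which is exactly what ossec-remoted exits on with error 1501. It also validates each entry as an IPv4 address or CIDR network. The sample configs inside the script are constructed for the example, and treating the literal value `any` as accepted-but-permissive is an assumption about OSSEC's allowed-ips syntax.

```python
"""Lint the <remote> blocks of an OSSEC server ossec.conf for error 1501.

Added example; not code from this thread or from the OSSEC project.
ossec-remoted only starts a syslog listener when the <remote> block that
declares <connection>syslog</connection> also carries at least one
<allowed-ips>. This script flags blocks that would make remoted exit,
plus allowed-ips values that are not a valid IPv4 address or network.
"""
import ipaddress
import xml.etree.ElementTree as ET

# Constructed samples (not from the thread). The first one reproduces the
# situation behind the 1501 error: a syslog listener with no allowed-ips.
CONF_MISSING_ALLOWED_IPS = """
<ossec_config>
  <remote>
    <connection>syslog</connection>
  </remote>
</ossec_config>
<ossec_config>
  <remote>
    <connection>secure</connection>
  </remote>
</ossec_config>
"""

# The corrected form, mirroring the <remote> block Michael posted.
CONF_FIXED = """
<ossec_config>
  <remote>
    <connection>syslog</connection>
    <allowed-ips>172.16.0.1</allowed-ips>
    <allowed-ips>10.0.0.0/16</allowed-ips>
  </remote>
</ossec_config>
"""

# One malformed entry and one wide-open entry.
CONF_BAD_ENTRY = """
<ossec_config>
  <remote>
    <connection>syslog</connection>
    <allowed-ips>10.0.0.300</allowed-ips>
    <allowed-ips>any</allowed-ips>
  </remote>
</ossec_config>
"""


def parse_ossec_conf(text):
    """Parse ossec.conf text that may hold several <ossec_config> roots."""
    return ET.fromstring("<ossec_root>" + text + "</ossec_root>")


def check_remote_syslog(text):
    """Return a list of (severity, message) findings for the <remote> blocks.

    'error' findings are conditions remoted refuses to start on (no
    allowed-ips) or values its config parser would not accept; 'warning'
    findings are advisory. An empty list means the syslog listener is
    configured with at least one valid source.
    """
    findings = []
    root = parse_ossec_conf(text)
    for idx, remote in enumerate(root.iter("remote"), start=1):
        conn = (remote.findtext("connection") or "").strip()
        if conn != "syslog":
            continue  # 'secure' is the agent channel; allowed-ips not required
        allowed = [(e.text or "").strip() for e in remote.findall("allowed-ips")]
        if not allowed:
            findings.append(("error",
                             f"remote #{idx}: syslog connection has no <allowed-ips>; "
                             "ossec-remoted would exit with error 1501"))
            continue
        for value in allowed:
            if value == "any":
                # Assumption: 'any' is accepted by OSSEC; flag it because it
                # lets every host on the network inject syslog events.
                findings.append(("warning",
                                 f"remote #{idx}: <allowed-ips>any</allowed-ips> "
                                 "accepts syslog from every source"))
                continue
            try:
                ipaddress.ip_network(value, strict=False)
            except ValueError:
                findings.append(("error",
                                 f"remote #{idx}: <allowed-ips>{value}</allowed-ips> "
                                 "is not a valid IP address or CIDR network"))
    return findings


if __name__ == "__main__":
    for name, conf in (("missing", CONF_MISSING_ALLOWED_IPS),
                       ("fixed", CONF_FIXED),
                       ("bad entry", CONF_BAD_ENTRY)):
        print(name, check_remote_syslog(conf) or "OK")
```

To run it against a real server, pass the file contents, e.g. `check_remote_syslog(open("/var/ossec/etc/ossec.conf").read())`. The check deliberately skips `<remote>` blocks whose connection is `secure`: that is the agent channel, which is why the agent config posted earlier in the thread says nothing about this error.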

Ko...@mnr.org

May 14, 2010, 10:45:43 AM5/14/10
to ossec...@googlegroups.com
Thank you for the reply!
