OSSEC alerts on syslog
317 views
Skip to first unread message
eholl...@gmail.com
Mar 14, 2017, 10:57:52 AM3/14/17
to ossec-list
Hello All,
I have pointed my Symantec AV logs to our OSSEC server via syslog over port 514. I am seeing the logs come into ELSA, but not as OSSEC alerts. I have created a custom decoder and parser, and can confirm that it is working:
**Phase 2: Completed decoding.
decoder: 'Symantec'
**Phase 3: Completed filtering (rules).
Rule id: '100006'
Level: '7'
Description: 'Symantec: virus found'
**Alert to be generated.
Do I need to point OSSEC to monitor the incoming syslog so that it can alert on it? Again, I am seeing the straight syslog coming into ELSA, but no OSSEC alert appears to be generated.
Thanks
dan (ddp)
Mar 14, 2017, 11:43:34 AM3/14/17
to ossec...@googlegroups.com
Figure out which syslog file they're saved in and make sure ossec has a localfile entey for that file.
Make sure you restarted your ossec processes after adding the decoder/rules
--Thanks
---
You received this message because you are subscribed to the Google Groups "ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to ossec-list+unsubscribe@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
Jose Luis Ruiz
Mar 14, 2017, 11:44:36 AM3/14/17
to ossec...@googlegroups.com, eholl...@gmail.com, jo...@wazuh.com
Hello,
In order to permit Ossec recibe your Symantec syslogs messages, you need to enable this in the configuration:
Listen in port 514:
<ossec_config>
<remote>
<connection>syslog</connection>
<allowed-ips>Symantec AV ip</allowed-ips>
</remote>
</ossec_config>
then you need to restart ossec:
/var/ossec/bin/ossec-control restart
If after these changes you are still not receiving alerts, enable logall in ossec.conf <logall> yes </logall> and take a look in the file “/var/ossec/logs/archives/archives.log”, if the logs are in this file, but not in your alerts, probably the decoders or rules have something wrong.
--
---
You received this message because you are subscribed to the Google Groups "ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to ossec-list+...@googlegroups.com.
eholl...@gmail.com
Mar 14, 2017, 12:44:07 PM3/14/17
to ossec-list, eholl...@gmail.com, jo...@wazuh.com
It's very strange...I have enabled already enabled syslog over 514 from our symantec server to the OSSEC server, and I see the logs coming into our ELSA instance, but I have grep'd our syslog files, OSSEC archive and OSSEC alerts files and do not see the log anywhere on the server... Where should these logs be written when being sent to the server? I've checked all gzipped files in /var/log/ as well as all files in /var/ossec/logs/archive/ and /var/ossec/logs/alerts/
Jose Luis Ruiz
Mar 14, 2017, 1:48:17 PM3/14/17
to ossec-list, eholl...@gmail.com, jo...@wazuh.com
Hi, can you verify if the port it’s open?
[root@wazuh-manager /]# netstat -tuna | grep 514
udp 0 0 0.0.0.0:514 0.0.0.0:*
The symantec ip is allowed in ossec.conf right?
eholl...@gmail.com
Mar 14, 2017, 3:37:10 PM3/14/17
to ossec-list, eholl...@gmail.com, jo...@wazuh.com
Hello, yes:
root@xxxxxx:/var/log# netstat -tuna | grep 514
tcp 0 0 0.0.0.0:514 0.0.0.0:*
udp 0 0 0.0.0.0:514 0.0.0.0:*
<remote>
<connection>syslog</connection>
<allowed-ips>161.182.xxx.xxx</allowed-ips>
<allowed-ips>161.182.xxx.xxx</allowed-ips>
</remote>
dan (ddp)
Mar 15, 2017, 2:35:45 PM3/15/17
to ossec...@googlegroups.com
On Tue, Mar 14, 2017 at 11:44 AM, Jose Luis Ruiz <jo...@wazuh.com> wrote:
> Hello,
>
> In order to permit Ossec recibe your Symantec syslogs messages, you need to
> enable this in the configuration:
>
Unless you're using a proper syslog daemon, which may already be
> Hello,
>
> In order to permit Ossec recibe your Symantec syslogs messages, you need to
> enable this in the configuration:
>
listening on that port.
dan (ddp)
Mar 15, 2017, 2:41:58 PM3/15/17
to ossec...@googlegroups.com
On Tue, Mar 14, 2017 at 3:37 PM, <eholl...@gmail.com> wrote:
> Hello, yes:
>
> root@xxxxxx:/var/log# netstat -tuna | grep 514
> tcp 0 0 0.0.0.0:514 0.0.0.0:*
> udp 0 0 0.0.0.0:514 0.0.0.0:*
>
>
Adding -p to that could tell you the process using that port.
> Hello, yes:
>
> root@xxxxxx:/var/log# netstat -tuna | grep 514
> tcp 0 0 0.0.0.0:514 0.0.0.0:*
> udp 0 0 0.0.0.0:514 0.0.0.0:*
>
>
`netstat -ptuna | grep 514`
Is this securityonion? They may have syslog-ng already listening to the network.
> <remote>
> <connection>syslog</connection>
> <allowed-ips>161.182.xxx.xxx</allowed-ips>
> <allowed-ips>161.182.xxx.xxx</allowed-ips>
> </remote>
>
>
>
> On Tuesday, March 14, 2017 at 1:48:17 PM UTC-4, jose wrote:
>>
>> Hi, can you verify if the port it’s open?
>>
>> [root@wazuh-manager /]# netstat -tuna | grep 514
>> udp 0 0 0.0.0.0:514 0.0.0.0:*
>>
>> The symantec ip is allowed in ossec.conf right?
>>
>>
>>
>> Regards
>> -----------------------
>> Jose Luis Ruiz
>> Wazuh Inc.
>> jo...@wazuh.com
>>
>> On March 14, 2017 at 12:44:07 PM, eholl...@gmail.com (eholl...@gmail.com)
>> wrote:
>>
>> It's very strange...I have enabled already enabled syslog over 514 from
>> our symantec server to the OSSEC server, and I see the logs coming into our
>> ELSA instance, but I have grep'd our syslog files, OSSEC archive and OSSEC
>> alerts files and do not see the log anywhere on the server... Where should
>> these logs be written when being sent to the server? I've checked all
>> gzipped files in /var/log/ as well as all files in /var/ossec/logs/archive/
>> and /var/ossec/logs/alerts/
>>
enable the logall option in the ossec.conf.
I'm not sure if it records messages sent to the syslog remoted stuff.
I just haven't tested it.
eholl...@gmail.com
Mar 16, 2017, 11:33:20 AM3/16/17
to ossec-list
Here is the output:
dan (ddp)
Mar 16, 2017, 3:30:46 PM3/16/17
to ossec...@googlegroups.com
On Thu, Mar 16, 2017 at 11:33 AM, <eholl...@gmail.com> wrote:
> Here is the output:
>
> udp 0 0 0.0.0.0:514 0.0.0.0:*
> 21090/syslog-ng
>
So syslog-ng is listening for incoming messages.
> Here is the output:
>
> udp 0 0 0.0.0.0:514 0.0.0.0:*
> 21090/syslog-ng
>
You'll have to figure out what syslog-ng is doing with the log messages.
eholl...@gmail.com
Mar 27, 2017, 11:25:46 AM3/27/17
to ossec-list
Hi All,
So I am currently still troubleshooting, but noticed that the syslog-ng process was listening on 514 TCP, but also had an entry for 514 UDP, which is the protocol I've set within my ossec.conf. Could this be part of the issue? My guess is that I only want 514 udp listening.
So I am currently still troubleshooting, but noticed that the syslog-ng process was listening on 514 TCP, but also had an entry for 514 UDP, which is the protocol I've set within my ossec.conf. Could this be part of the issue? My guess is that I only want 514 udp listening.
dan (ddp)
Mar 27, 2017, 9:58:26 PM3/27/17
to ossec...@googlegroups.com
On Mon, Mar 27, 2017 at 11:25 AM, <eholl...@gmail.com> wrote:
> Hi All,
>
> So I am currently still troubleshooting, but noticed that the syslog-ng
> process was listening on 514 TCP, but also had an entry for 514 UDP, which
> is the protocol I've set within my ossec.conf. Could this be part of the
> issue? My guess is that I only want 514 udp listening.
>
Yes, if syslog-ng is utilizing the port, ossec-remoted will not be
> Hi All,
>
> So I am currently still troubleshooting, but noticed that the syslog-ng
> process was listening on 514 TCP, but also had an entry for 514 UDP, which
> is the protocol I've set within my ossec.conf. Could this be part of the
> issue? My guess is that I only want 514 udp listening.
>
able to use it.
Reply all
Reply to author
Forward
0 new messages