How to Set up a Sonicwall in OSSEC


Michael Scott

Mar 20, 2012, 5:44:19 PM3/20/12
to ossec...@googlegroups.com
Greetings!

I'm having some difficulty trying to set up a Sonicwall to be monitored by OSSEC. Here's what I've done so far:
1. Set the Sonicwall to send syslog messages to the OSSEC server on port 514.
2. Confirmed with tcpdump that the OSSEC server is in fact receiving the syslog messages.
3. Added the following entry in ossec.conf
  <remote>
    <connection>syslog</connection>
    <allowed-ips>sonicwall ip address</allowed-ips>
  </remote>

4. Restarted the OSSEC server.

I found a really old email about setting up a syslog entry, but I wasn't sure if that's still applicable.
http://www.mail-archive.com/ossec...@googlegroups.com/msg02566.html

I've also read this "Why is OSSEC not seeing PIX syslog messages?" link suggested to others.
http://www.ossec.net/wiki/Know_How:Syslog_Config


Looking in the alerts.log, I don't see any mention of the sonicwall at all.

Any help is appreciated.

Thanks,
Mike Scott

dan (ddp)

Mar 21, 2012, 8:47:38 AM3/21/12
to ossec...@googlegroups.com

Turn on the log all option and see if the messages are being accepted.
Is ossec-remoted listening on 514? Is a firewall blocking the packets?

Michael Scott

Mar 21, 2012, 1:45:57 PM3/21/12
to ossec...@googlegroups.com
Thanks for the reply Dan!

I turned on the logall option, and I don't see any messages from the sonicwall in the /ossec/logs/archives/archives.log file. Looking at netstat, I see that ossec-remoted is listening on port 514.

A firewall doesn't appear to be blocking the packets because if I run tcpdump on the server, I see the messages from the sonicwall.

When I was looking through ossec.conf I noticed that all of the agents are listed in the whitelist section, so I added the sonicwall's IP address there as well.

I'm going to leave it running with logall set and I'll see if I get any messages.

Any other suggestions?

Thanks,
Mike Scott

dan (ddp)

Mar 21, 2012, 2:18:11 PM3/21/12
to ossec...@googlegroups.com
I can't think of anything else off hand. Of course check the ossec.log
to see if there's anything in there.

* The Sonicwall's IP is in the allowed list
* The OSSEC server is configured to accept syslog messages (and the
processes restarted)
* ossec-remoted is listening to the correct port (514/udp)
* The Sonicwall is sending to the correct port (514/udp)
* No firewall in the way

On Wed, Mar 21, 2012 at 1:45 PM, Michael Scott

Michael Scott

Mar 21, 2012, 3:26:30 PM3/21/12
to ossec...@googlegroups.com
Thanks again for the help and reply Dan.

Just for fun, I disabled the firewall, and it started working. I ended up removing the exception, applying changes, and then recreating it and applying changes. After that, it ended up working.

Sorry for the false alarm, and thanks!

- Mike Scott

Kat

Mar 22, 2012, 9:29:58 AM3/22/12
to ossec...@googlegroups.com
FYI - running tcpdump is not a good test to verify whether the firewall is blocking or not, since tcpdump puts the NIC in promiscuous mode AND intercepts the packets BEFORE the firewall sees them. So even if you are seeing the packets, you don't know whether they are being blocked or not without reviewing your firewall settings, turning it off/on, etc. (Which is what you did.)
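Dan's checklist and Kat's point about tcpdump seeing packets before the host firewall does can be turned into a repeatable check. The script below is an added example written for this thread; it is not OSSEC project code. It parses saved command output rather than touching the network, so every input here is a constructed sample standing in for the real ossec.conf, `ss -lunp`, `iptables -S INPUT` and archives.log, and 192.0.2.10 is a placeholder for the Sonicwall's address. The archives.log line layout is an approximation of OSSEC's `timestamp sender->location message` format with Sonicwall's key=value syslog body.

```shell
#!/bin/sh
# Added diagnostic for a syslog sender that OSSEC never logs (example code,
# not from the OSSEC project). All inputs are constructed samples.

SONICWALL_IP="192.0.2.10"   # placeholder for the real Sonicwall address
SYSLOG_PORT="514"

# Constructed ossec.conf excerpt: the <remote> block from the thread with the
# port/protocol defaults spelled out.
SAMPLE_CONF='<ossec_config>
  <remote>
    <connection>syslog</connection>
    <port>514</port>
    <protocol>udp</protocol>
    <allowed-ips>192.0.2.10</allowed-ips>
  </remote>
</ossec_config>'

# Constructed `ss -lunp` output: ossec-remoted bound to 514/udp and 1514/udp.
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
UNCONN 0      0            0.0.0.0:514       0.0.0.0:*    users:(("ossec-remoted",pid=1234,fd=4))
UNCONN 0      0            0.0.0.0:1514      0.0.0.0:*    users:(("ossec-remoted",pid=1234,fd=5))'

# Constructed `iptables -S INPUT`: default DROP, agent port open, syslog port not.
SAMPLE_IPTABLES_BLOCKED='-P INPUT DROP
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p udp -m udp --dport 1514 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT'

# Same ruleset after the exception for the syslog port was recreated.
SAMPLE_IPTABLES_OPEN="$SAMPLE_IPTABLES_BLOCKED
-A INPUT -s 192.0.2.10/32 -p udp -m udp --dport 514 -j ACCEPT"

# Constructed archives.log lines (logall on): two from the Sonicwall, one local.
SAMPLE_ARCHIVES='2012 Mar 21 13:45:57 192.0.2.10->syslog id=firewall sn=PLACEHOLDER time="2012-03-21 13:45:57" fw=192.0.2.10 pri=6 c=1024 m=537 msg="Connection Closed" n=42
2012 Mar 21 13:45:58 ossec->/var/log/messages Mar 21 13:45:58 ossec sshd[2201]: Accepted publickey for mike
2012 Mar 21 13:46:01 192.0.2.10->syslog id=firewall sn=PLACEHOLDER time="2012-03-21 13:46:01" fw=192.0.2.10 pri=1 c=32 m=30 msg="Administrator login allowed" n=7'

# 1. Some <remote> block has connection=syslog AND lists this exact IP in
#    <allowed-ips>. CIDR entries (192.0.2.0/24) are not expanded here.
conf_allows_syslog_from() {   # $1 = ossec.conf text, $2 = sender IP
    printf '%s\n' "$1" | awk -v ip="$2" '
        /<remote>/   { inblk = 1; syslog = 0; allowed = 0; next }
        /<\/remote>/ { if (inblk && syslog && allowed) found = 1; inblk = 0; next }
        inblk && /<connection>[ \t]*syslog[ \t]*<\/connection>/ { syslog = 1 }
        inblk && index($0, "<allowed-ips>" ip "</allowed-ips>")  { allowed = 1 }
        END { exit found ? 0 : 1 }'
}

# 2. ossec-remoted has a UDP socket on the port (UNCONN = listening UDP in ss).
remoted_listening_on() {      # $1 = ss -lunp output, $2 = port
    printf '%s\n' "$1" | grep -q "^UNCONN.*:$2 .*ossec-remoted"
}

# 3. The OSSEC host's own firewall lets the port in. This is the check tcpdump
#    cannot make for you. Presence-only: first-match ordering is not modelled.
host_firewall_accepts_udp() { # $1 = iptables -S INPUT output, $2 = port
    if printf '%s\n' "$1" | grep -q -- "-p udp .*--dport $2 .*-j ACCEPT"; then
        return 0
    fi
    if printf '%s\n' "$1" | grep -q -- "^-P INPUT ACCEPT" \
       && ! printf '%s\n' "$1" | grep -Eq -- "--dport $2 .*-j (DROP|REJECT)"; then
        return 0
    fi
    return 1
}

# 4. Lines in archives.log attributed to the sender; 0 with logall on means
#    remoted never accepted a packet, even if tcpdump shows them arriving.
archives_count_from() {       # $1 = archives.log text, $2 = sender IP; prints count
    printf '%s\n' "$1" \
      | grep -c "^[0-9]\{4\} [A-Za-z]\{3\} [0-9 ]\{2\} [0-9:]\{8\} $2->" || true
}

# Run the checklist; returns 0 only when every step passes.
diagnose() {                  # $1 conf, $2 ss, $3 iptables, $4 archives
    ok=0
    conf_allows_syslog_from "$1" "$SONICWALL_IP" && echo "conf: ok" \
        || { echo "conf: no <remote> syslog block allows $SONICWALL_IP"; ok=1; }
    remoted_listening_on "$2" "$SYSLOG_PORT" && echo "remoted: ok" \
        || { echo "remoted: not bound to $SYSLOG_PORT/udp"; ok=1; }
    host_firewall_accepts_udp "$3" "$SYSLOG_PORT" && echo "firewall: ok" \
        || { echo "firewall: $SYSLOG_PORT/udp not accepted on the OSSEC host"; ok=1; }
    n=$(archives_count_from "$4" "$SONICWALL_IP") || true
    [ "$n" -gt 0 ] && echo "archives: $n lines from $SONICWALL_IP" \
        || { echo "archives: nothing from $SONICWALL_IP (is logall on?)"; ok=1; }
    return $ok
}

echo "== before the firewall exception was recreated =="
diagnose "$SAMPLE_CONF" "$SAMPLE_SS" "$SAMPLE_IPTABLES_BLOCKED" "$SAMPLE_ARCHIVES" \
    || echo "=> at least one step failed"
echo "== after =="
diagnose "$SAMPLE_CONF" "$SAMPLE_SS" "$SAMPLE_IPTABLES_OPEN" "$SAMPLE_ARCHIVES"
```

On a real server the sample variables would be replaced with `$(cat /var/ossec/etc/ossec.conf)`, `$(ss -lunp)`, `$(iptables -S INPUT)` and `$(tail -n 1000 /var/ossec/logs/archives/archives.log)`; the point of the third check is that it looks at the host's own INPUT chain, which is exactly where a capture tool cannot tell you whether the packet was dropped.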

Michael Scott

Mar 22, 2012, 1:58:03 PM3/22/12
to ossec...@googlegroups.com
Thanks Kat! I was thinking of firewalls between the OSSEC server and the sonicwall; it wasn't until after Dan emailed that I figured I had better double check the firewall on the OSSEC server itself. Next time I'll have to check that a little earlier :-)

Mike Scott