Shorewall log problem


gagan....@gmail.com

May 30, 2008, 1:21:49 AM
to ossec-list
Dear Mailing List

I am trying to connect the Shorewall logs to the OSSEC HIDS server.

Shorewall is installed on a Red Hat 9 box with the OSSEC 1.5 agent.
It is monitoring the default log files
/var/log/messages
/var/log/secure
The Shorewall logs are written to the file /var/log/messages.
After connecting to the server, the agent sends the normal OS logs (session
opened, session closed, etc.) generated in /var/log/messages to the HIDS
server, but not the firewall logs.
The ossec.conf file states

<localfile>
<log_format>syslog</log_format>
<location>/var/log/messages</location>
</localfile>

I had tried to change the config to

<localfile>
<log_format>iptables-shorewall</log_format>
<location>/var/log/messages</location>
</localfile>

But after making this change the agent doesn't start and returns a
config error.
Can anyone suggest where I am going wrong, or what the method is for
attaching Shorewall logs?
Any help would be highly appreciated.

Regards
Gagan

gagan....@gmail.com

May 30, 2008, 11:32:48 AM
to ossec-list
The Shorewall logs are also attached for ready reference.

May 30 16:06:09 ABCFirewall kernel: Shorewall:loc2net:ACCEPT:IN=eth0 OUT=eth1 SRC=x.x.68.114 DST=x.x.23.101 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=35411 DF PROTO=TCP SPT=3983 DPT=10000 WINDOW=65535 RES=0x00 SYN URGP=0
May 30 16:06:09 ABCFirewall kernel: Shorewall:loc2net:ACCEPT:IN=eth0 OUT=eth1 SRC=x.x.68.114 DST=x.x.23.101 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=35413 DF PROTO=TCP SPT=3983 DPT=10000 WINDOW=65535 RES=0x00 SYN URGP=0
May 30 16:06:10 ABCFirewall kernel: Shorewall:loc2net:DROP:IN=eth0 OUT=eth1 SRC=x.x.68.114 DST=x.x.23.101 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=35414 DF PROTO=TCP SPT=3983 DPT=10000 WINDOW=65535 RES=0x00 SYN URGP=0
May 30 16:06:11 ABCFirewall kernel: Shorewall:loc2net:DROP:IN=eth0 OUT=eth1 SRC=x.x.68.95 DST=x.x.6.14 LEN=75 TOS=0x00 PREC=0x00 TTL=127 ID=59079 PROTO=UDP SPT=1025 DPT=53 LEN=55
May 30 16:06:11 ABCFirewall kernel: Shorewall:loc2net:ACCEPT:IN=eth0 OUT=eth1 SRC=x.x.68.114 DST=x.x.23.101 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=35415 DF PROTO=TCP SPT=3984 DPT=10000 WINDOW=65535 RES=0x00 SYN URGP=0
May 30 16:06:12 ABCFirewall kernel: Shorewall:loc2net:ACCEPT:IN=eth0 OUT=eth1 SRC=x.x.68.114 DST=x.x.23.101 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=35417 DF PROTO=TCP SPT=3984 DPT=10000 WINDOW=65535 RES=0x00 SYN URGP=0
May 30 16:06:12 ABCFirewall kernel: Shorewall:loc2net:ACCEPT:IN=eth0 OUT=eth1 SRC=x.x.68.114 DST=x.x.23.101 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=35418 DF PROTO=TCP SPT=3984 DPT=10000 WINDOW=65535 RES=0x00 SYN URGP=0
May 30 16:06:14 ABCFirewall kernel: Shorewall:loc2net:ACCEPT:IN=eth0 OUT=eth1 SRC=x.x.68.159 DST=x.x.6.41 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=32085 DF PROTO=TCP SPT=1750 DPT=4040 WINDOW=65535 RES=0x00 SYN URGP=0
May 30 16:06:16 ABCFirewall kernel: Shorewall:loc2net:ACCEPT:IN=eth0 OUT=eth1 SRC=x.x.68.200 DST=x.x.7.47 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=42965 DF PROTO=TCP SPT=3864 DPT=50000 WINDOW=65535 RES=0x00 SYN URGP=0
May 30 16:06:20 ABCFirewall kernel: Shorewall:loc2net:ACCEPT:IN=eth0 OUT=eth1 SRC=x.x.68.159 DST=x.x.6.41 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=32119 DF PROTO=TCP SPT=1751 DPT=4040 WINDOW=65535 RES=0x00 SYN URGP=0

Thanks & Regards
Gagan

Daniel Cid

Jun 2, 2008, 10:59:47 AM
to ossec...@googlegroups.com
Hi Gagan,

Shorewall logs are in the syslog format, so in the localfile config
just leave it as syslog. Also, by default
we will not alert on every successful or denied attempt, so that's
probably why you are not seeing them.
However, they will all be logged to:

/var/ossec/logs/firewall/firewall.log


If you want an alert for every deny, just overwrite rule 4101 (in
local_rules.xml) with something like:


<rule id="4101" level="5" overwrite="yes">
<if_sid>4100</if_sid>
<action>DROP</action>
<description>Firewall drop event.</description>
<group>firewall_drop,</group>
</rule>


Hope it helps.

--
Daniel B. Cid
dcid ( at ) ossec.net
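An added example, not from this thread and not OSSEC's own decoder or ruleset, showing how the Shorewall lines posted above decompose (the Shorewall:chain:ACTION prefix followed by iptables key=value fields) and how the "alert only on DROP" logic of the overwritten rule 4101 applies to them. The sample lines, hostname and addresses are constructed; the level-5 value mirrors the rule Daniel posted.

```python
import re

# Constructed sample lines in the same shape as the Shorewall output posted in the thread
# (addresses are made-up RFC 1918 values). The last line is an unrelated syslog message.
SAMPLE_LOGS = """\
May 30 16:06:09 ABCFirewall kernel: Shorewall:loc2net:ACCEPT:IN=eth0 OUT=eth1 SRC=10.0.68.114 DST=10.0.23.101 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=35411 DF PROTO=TCP SPT=3983 DPT=10000 WINDOW=65535 RES=0x00 SYN URGP=0
May 30 16:06:10 ABCFirewall kernel: Shorewall:loc2net:DROP:IN=eth0 OUT=eth1 SRC=10.0.68.114 DST=10.0.23.101 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=35414 DF PROTO=TCP SPT=3983 DPT=10000 WINDOW=65535 RES=0x00 SYN URGP=0
May 30 16:06:11 ABCFirewall kernel: Shorewall:loc2net:DROP:IN=eth0 OUT=eth1 SRC=10.0.68.95 DST=10.0.6.14 LEN=75 TOS=0x00 PREC=0x00 TTL=127 ID=59079 PROTO=UDP SPT=1025 DPT=53 LEN=55
May 30 16:06:12 ABCFirewall sshd[1234]: session opened for user admin
"""

# syslog header, then the Shorewall prefix "Shorewall:<chain>:<action>:" and the iptables fields
SHOREWALL_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) kernel: "
    r"Shorewall:(?P<chain>[^:]+):(?P<action>[^:]+):(?P<rest>.*)$"
)

def parse_shorewall(line):
    """Return a dict of fields for a Shorewall line, or None for any other syslog line."""
    m = SHOREWALL_RE.match(line)
    if not m:
        return None
    ev = {"host": m.group("host"), "chain": m.group("chain"), "action": m.group("action")}
    for tok in m.group("rest").split():
        if "=" in tok:
            k, v = tok.split("=", 1)
            ev.setdefault(k, v)  # UDP lines carry LEN= twice; keep the IP-header one
        else:
            ev[tok] = True       # bare flags such as DF and SYN
    return ev

def alert_level(ev):
    """Hypothetical analogue of the overwritten rule 4101: level 5 for DROP, silent otherwise."""
    return 5 if ev["action"] == "DROP" else 0

def process(text):
    """Yield (src, dst, proto, dport) for every event that would raise an alert."""
    alerts = []
    for line in text.splitlines():
        ev = parse_shorewall(line)
        if ev and alert_level(ev) > 0:
            alerts.append((ev["SRC"], ev["DST"], ev["PROTO"], ev["DPT"]))
    return alerts

if __name__ == "__main__":
    for a in process(SAMPLE_LOGS):
        print("firewall_drop:", a)
```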

gagan....@gmail.com

Jun 3, 2008, 11:40:46 AM
to ossec-list
Hi Daniel

U Rock!!!

Thanks for the solution

Regards
Gagan