Receiving Syslog from device but OSSEC not logging it
33 views
Skip to first unread message
Mike
Nov 8, 2019, 4:40:09 AM11/8/19
to ossec-list
Hello,
I am new to OSSEC so bare with me. I have setup OSSEC using the VirtualBox appliance and everything seemed to run nicely out of the box except...
I am trying to setup OSSEC to monitor a Syslog from a firewall but I don't see any references to those syslog entries. I have done the following:
- On the firewall, told it to send syslog files to the static IP of the OSSEC server
- On the OSSEC server's ossec.conf added a <remote> section with a <connection>syslog</connection> and specified the allowed_ip
- Also in the ossec.conf, set logall to yes
- Tested incoming connection using tcpdump -A port 514 and I can see syslog-like entries coming in
- Because the format is not quite standard syslog, I created a custom decoder and tested it using ossec-logtest.
Despite all of these steps (and restarting the service using "ossec-control restart" multiple times) I still do not see any of the remote syslog entries in the archive.log.
Am I missing something obvious to make this work?
Mike
Nov 8, 2019, 2:47:23 PM11/8/19
to ossec-list
I believe I have found the issues using strace to find out what ossec-remoted was doing. I found:
1. Not sure why, but on the Virtual Appliance the "ossec" group did not have write permissions to /var/ossec/logs so ossec-remoted (which runs under user "ossecr") could not write anything
2. After getting error logged to ossec.log, I found that I had simply entered the "allowed IP" incorrectly and so it was being blocked.
So as long as Ossec's own logging works, it's relatively simple to figure out the problem.
Mike
Nov 12, 2019, 7:56:26 PM11/12/19
to ossec-list
Related to this, do you accept Pull Requests to add additional timestamp formats to your pre-decoding? I forked and added a simple change to cleanevent.c which has made my parsing much easier for a non-standard syslog time format.
dan (ddp)
Nov 13, 2019, 6:54:16 AM11/13/19
to ossec...@googlegroups.com
On Fri, Nov 8, 2019 at 2:47 PM Mike <mike....@gmail.com> wrote:
>
> I believe I have found the issues using strace to find out what ossec-remoted was doing. I found:
>
> 1. Not sure why, but on the Virtual Appliance the "ossec" group did not have write permissions to /var/ossec/logs so ossec-remoted (which runs under user "ossecr") could not write anything
> 2. After getting error logged to ossec.log, I found that I had simply entered the "allowed IP" incorrectly and so it was being blocked.
>
>
> So as long as Ossec's own logging works, it's relatively simple to figure out the problem.
>
Nice catch. The virtual appliance isn't really maintained, and I doubt
>
> I believe I have found the issues using strace to find out what ossec-remoted was doing. I found:
>
> 1. Not sure why, but on the Virtual Appliance the "ossec" group did not have write permissions to /var/ossec/logs so ossec-remoted (which runs under user "ossecr") could not write anything
> 2. After getting error logged to ossec.log, I found that I had simply entered the "allowed IP" incorrectly and so it was being blocked.
>
>
> So as long as Ossec's own logging works, it's relatively simple to figure out the problem.
>
we'll see any updates going forward.
>
> On Friday, 8 November 2019 01:40:09 UTC-8, Mike wrote:
>>
>> Hello,
>>
>> I am new to OSSEC so bare with me. I have setup OSSEC using the VirtualBox appliance and everything seemed to run nicely out of the box except...
>> I am trying to setup OSSEC to monitor a Syslog from a firewall but I don't see any references to those syslog entries. I have done the following:
>>
>> On the firewall, told it to send syslog files to the static IP of the OSSEC server
>> On the OSSEC server's ossec.conf added a <remote> section with a <connection>syslog</connection> and specified the allowed_ip
>> Also in the ossec.conf, set logall to yes
>> Tested incoming connection using tcpdump -A port 514 and I can see syslog-like entries coming in
>> Because the format is not quite standard syslog, I created a custom decoder and tested it using ossec-logtest.
>>
>>
>> Despite all of these steps (and restarting the service using "ossec-control restart" multiple times) I still do not see any of the remote syslog entries in the archive.log.
>>
>> Am I missing something obvious to make this work?
>
>
> ---
> You received this message because you are subscribed to the Google Groups "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to ossec-list+...@googlegroups.com.
> To view this discussion on the web visit https://groups.google.com/d/msgid/ossec-list/eac2b4f9-fc73-4e9c-8f36-7cfb680694b9%40googlegroups.com.
dan (ddp)
Nov 13, 2019, 6:55:07 AM11/13/19
to ossec...@googlegroups.com
On Tue, Nov 12, 2019 at 7:56 PM Mike <mike....@gmail.com> wrote:
>
> Related to this, do you accept Pull Requests to add additional timestamp formats to your pre-decoding? I forked and added a simple change to cleanevent.c which has made my parsing much easier for a non-standard syslog time format.
>
Yes, we do! Feel free to submit a pull request, and I'll get to it as
>
> Related to this, do you accept Pull Requests to add additional timestamp formats to your pre-decoding? I forked and added a simple change to cleanevent.c which has made my parsing much easier for a non-standard syslog time format.
>
quickly as my schedule allows.
>
>
> On Friday, 8 November 2019 11:47:23 UTC-8, Mike wrote:
>>
>> I believe I have found the issues using strace to find out what ossec-remoted was doing. I found:
>>
>> 1. Not sure why, but on the Virtual Appliance the "ossec" group did not have write permissions to /var/ossec/logs so ossec-remoted (which runs under user "ossecr") could not write anything
>> 2. After getting error logged to ossec.log, I found that I had simply entered the "allowed IP" incorrectly and so it was being blocked.
>>
>>
>> So as long as Ossec's own logging works, it's relatively simple to figure out the problem.
>>
>>
>> On Friday, 8 November 2019 01:40:09 UTC-8, Mike wrote:
>>>
>>> Hello,
>>>
>>> I am new to OSSEC so bare with me. I have setup OSSEC using the VirtualBox appliance and everything seemed to run nicely out of the box except...
>>> I am trying to setup OSSEC to monitor a Syslog from a firewall but I don't see any references to those syslog entries. I have done the following:
>>>
>>> On the firewall, told it to send syslog files to the static IP of the OSSEC server
>>> On the OSSEC server's ossec.conf added a <remote> section with a <connection>syslog</connection> and specified the allowed_ip
>>> Also in the ossec.conf, set logall to yes
>>> Tested incoming connection using tcpdump -A port 514 and I can see syslog-like entries coming in
>>> Because the format is not quite standard syslog, I created a custom decoder and tested it using ossec-logtest.
>>>
>>>
>>> Despite all of these steps (and restarting the service using "ossec-control restart" multiple times) I still do not see any of the remote syslog entries in the archive.log.
>>>
>>> Am I missing something obvious to make this work?
>
> --
>
> ---
> You received this message because you are subscribed to the Google Groups "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to ossec-list+...@googlegroups.com.
> To view this discussion on the web visit https://groups.google.com/d/msgid/ossec-list/b5781be6-a9b3-4e1d-8a27-cc2a56776ed3%40googlegroups.com.
>
> ---
> You received this message because you are subscribed to the Google Groups "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to ossec-list+...@googlegroups.com.
Reply all
Reply to author
Forward
0 new messages