Hi Adriel

Gotcha, sorry didn't phrase the question right, but you answered it right.

Have you been able to turn on debug mode to see if you can see anything there? Anything that would help understand the failed comm attempts?

Thanks

Adriel Desautels <mailto:ad_li...@netragard.com>
August 16, 2012 6:43 PM
So, the server (10.5.4.1) is a pfsense firewall. It is sending all of its syslog data to the OSSEC server on UDP 514. Every time the OSSEC server receives a syslog message it generates the error "2012/08/16 21:41:03 ossec-remoted(1213): WARN: Message from 10.5.4.1 not allowed."

So, yes pfsense is sending on UDP 514 and is being received by UDP 514 on the OSSEC box. So based on the error I don't think it's a network issue, but an OSSEC issue.

Help?



On 8/16/12 9:30 PM, Tony Perez, PMP wrote:

Tony Perez, PMP <mailto:t...@perezbox.com>
August 16, 2012 6:30 PM
Hi Adriel

You have the same port set on both the Agent and Server? Which server does this ossec.conf belong to?

Thanks

Tony

Adriel Desautels <mailto:ad_li...@netragard.com>
August 16, 2012 6:25 PM
I have the following in ossec.conf:

.
.
.
<remote>
<connection>syslog</connection>
<allowed-ips>10.5.4.1</allowed-ips>
<port>514</port>
</remote>

<remote>
<connection>secure</connection>
</remote>
.
.
.

And yet when 10.5.4.1 sends a message to the OSSEC server I get this:

WARN: Message from 10.5.4.1 not allowed.


Am I missing something?

And yes... I've restarted the server.
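
An added triage sketch, not part of the thread and not OSSEC's own code: it reads the `<remote>` blocks and the warning format quoted above and reports whether each denied sender is actually listed in a syslog block's allowed-ips. The `<ossec_config>` wrapper, the second log line and the function names are assumptions made for the example.

```python
import ipaddress
import re
import xml.etree.ElementTree as ET

# Constructed input: the thread's <remote> blocks under an assumed root element.
SAMPLE_CONF = """<ossec_config>
  <remote>
    <connection>syslog</connection>
    <allowed-ips>10.5.4.1</allowed-ips>
    <port>514</port>
  </remote>
  <remote>
    <connection>secure</connection>
  </remote>
</ossec_config>"""

# First line is the warning quoted in the thread; the second is constructed.
SAMPLE_LOG = [
    "2012/08/16 21:41:03 ossec-remoted(1213): WARN: Message from 10.5.4.1 not allowed.",
    "2012/08/16 21:41:09 ossec-remoted(1213): WARN: Message from 10.5.4.77 not allowed.",
]

DENIED = re.compile(r"ossec-remoted\(1213\): WARN: Message from (\S+) not allowed")

def remote_blocks(conf_text):
    """Return connection type, port and allowed networks for each <remote> block."""
    # Wrap the text so a file with several top-level elements still parses.
    root = ET.fromstring("<wrap>" + conf_text + "</wrap>")
    blocks = []
    for remote in root.iter("remote"):
        nets = [ipaddress.ip_network(e.text.strip(), strict=False)
                for e in remote.findall("allowed-ips") if e.text]
        blocks.append({"connection": (remote.findtext("connection") or "").strip(),
                       "port": remote.findtext("port"), "allowed": nets})
    return blocks

def triage(conf_text, log_lines):
    """Map each denied sender to whether a syslog block's allowed-ips lists it."""
    allowed = [n for b in remote_blocks(conf_text)
               if b["connection"] == "syslog" for n in b["allowed"]]
    verdicts = {}
    for line in log_lines:
        m = DENIED.search(line)
        if not m:
            continue
        try:
            ip = ipaddress.ip_address(m.group(1))
        except ValueError:
            continue  # not an IP literal; skip
        verdicts[str(ip)] = "listed" if any(ip in n for n in allowed) else "not listed"
    return verdicts
```

A sender that comes back "listed" while still being denied, as 10.5.4.1 does here, shows that the configuration file as written permits it, so a missing allowed-ips entry is not the explanation.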
