So, I just reinstalled my ossec server... 

Issue still not resolved.

This is version OSSEC HIDS v2.6.

Help?

On 8/16/12 9:51 PM, Tony Perez, PMP wrote:
> Hi Adriel
>
> Gotcha, sorry didn't phrase the question right, but you answered it right.
>
> Have you been able to turn on debug mode to see if you can see
> anything there? Anything that would help understand the failed comm
> attempts?
>
> Thanks
>
>> Adriel Desautels <mailto:ad_li...@netragard.com>
>> August 16, 2012 6:43 PM
>> So, the server (10.5.4.1) is a pfsense firewall.  It is sending all
>> of its syslog data to the OSSEC server on UDP 514.  Every time the
>> OSSEC server receives a syslog message it generates the error
>> "2012/08/16 21:41:03 ossec-remoted(1213): WARN: Message from 10.5.4.1
>> not allowed." 
>>
>> So, yes pfsense is sending on UDP 514 and is being received by UDP
>> 514 on the OSSEC box.  So based on the error I don't think it's a
>> network issue, but an OSSEC issue. 
>>
>> Help?
>>
>>
>>
>> On 8/16/12 9:30 PM, Tony Perez, PMP wrote:
>>
>> Tony Perez, PMP <mailto:t...@perezbox.com>
>> August 16, 2012 6:30 PM
>> Hi Adriel
>>
>> You have the same port set on both the Agent and Server? Which server
>> does this ossec.conf belong to?
>>
>> Thanks
>>
>> Tony
>>
>> Adriel Desautels <mailto:ad_li...@netragard.com>
>> August 16, 2012 6:25 PM
>> I have the following in ossec.conf:
>>
>> .
>> .
>> .
>>   <remote>
>>     <connection>syslog</connection>
>>     <allowed-ips>10.5.4.1</allowed-ips>
>>     <port>514</port>
>>   </remote>
>>
>>   <remote>
>>     <connection>secure</connection>
>>   </remote>
>> .
>> .
>> .
>>
>> And yet when 10.5.4.1 sends a message to the OSSEC server I get this:
>>
>> WARN: Message from 10.5.4.1 not allowed.
>>
>>
>> Am I missing something? 
>>
>> And yes... I've restarted the server.
