I've also tried putting the IP ranges in allowed-ips, in the form 
192.168.0.0/16, with the same effect.  It is definitely listening, as I've 
sent apache logs to it via syslog.

Thanks

On Wednesday, October 24, 2012 1:42:48 PM UTC+1, dan (ddpbsd) wrote:
>
> On Wed, Oct 24, 2012 at 5:48 AM, Chris H <chris....@gmail.com> wrote: 
> > Hi Dan. 
> > 
> > my ossec.conf allows remote connections from any: 
> >   <remote> 
> >     <connection>syslog</connection> 
> >     <allowed-ips>any</allowed-ips> 
> >   </remote> 
> > 
>
> I didn't know that was valid... My only advice is making sure 
> ossec-remoted is listening to udp/514, and actually specifying the 
> firewall's IP in allowed-ips. 
>
> > I've also tried with IP ranges (192.168.0.0/16). My firewall IP is 
> > 192.168.1.254, and this shows up in tcpdump: 
> > 
> > 10:46:44.234477 IP (tos 0x0, ttl 64, id 18591, offset 0, flags [none], proto UDP (17), length 226) 
> >     192.168.1.254.syslog > 192.168.1.8.syslog: [udp sum ok] SYSLOG, length: 198 
> >     Facility local0 (16), Severity info (6) 
> >     Msg: Oct 24 09:46:44 pf:     10.10.10.2.55895 > 192.168.1.7.3306: Flags [S], cksum 0x9be1 (correct), seq 565473896, win 14600, options [mss 1460,sackOK,TS val 405015003 ecr 0,nop,wscale 5], length 0 
> > 
> > Thanks 
> > 
> > On Monday, October 22, 2012 4:01:54 PM UTC+1, dan (ddpbsd) wrote: 
> >> 
> >> On Sat, Oct 20, 2012 at 6:46 AM, Chris H <chris....@gmail.com> wrote: 
> >> > Hi. 
> >> > 
> >> > I've just deployed OSSEC for testing on a VM, and I'm looking to use it 
> >> > for log retention, as well as alerting.  I've enabled syslog and logall, 
> >> > and successfully got it alerting and logging from apache logs sent by 
> >> > syslog. But I'm having issues with pfsense. 
> >> > 
> >> > I've enabled syslog in pfsense, pointing at my ossec installation, but 
> >> > nothing is showing up in the archive logs.  tcpdump shows the traffic 
> >> > coming through to the server, as it does with any other syslog traffic, 
> >> > but the logs don't get stored in ossec.  Any thoughts? 
> >> > 
> >> > I know of the OSSEC for pfsense module, but I'm installing this as a 
> >> > proof-of-concept and want to make sure that I can get syslog working in 
> >> > case I have a similar issue elsewhere on something other than pfsense. 
> >> > 
> >> > Thanks. 
> >> 
> >> Did you set the correct PFSense IP in the allowed ips configuration? 
>
