Hello,

In order to permit OSSEC to receive your Symantec syslog messages, you need to
enable this in the configuration:

Listen on port 514:

<ossec_config>
  <remote>
    <connection>syslog</connection>
    <allowed-ips>Symantec AV ip</allowed-ips>
  </remote>
</ossec_config>

Then you need to restart OSSEC:

/var/ossec/bin/ossec-control restart

If after these changes you are still not receiving alerts, enable logall in
ossec.conf (<logall>yes</logall>) and take a look at the file
"/var/ossec/logs/archives/archives.log". If the logs are in this file but
not in your alerts, the decoders or rules probably have something wrong.



Regards
-----------------------
Jose Luis Ruiz
Wazuh Inc.
j...@wazuh.com
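As an added check (not part of the list post), a short Python script that verifies what the reply above asks for: that ossec.conf contains a syslog <remote> block whose <allowed-ips> covers the Symantec sender on the expected port, and whether logall is switched on. The configuration fragment and addresses below are constructed for the example.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed ossec.conf fragment; "Symantec AV ip" from the post is replaced by
# a placeholder address. A real ossec.conf often holds several <ossec_config>
# root blocks, so the text is wrapped in a synthetic root before parsing.
SAMPLE_CONF = """
<ossec_config>
  <global>
    <logall>no</logall>
  </global>
</ossec_config>
<ossec_config>
  <remote>
    <connection>syslog</connection>
    <allowed-ips>192.0.2.10</allowed-ips>
    <allowed-ips>10.20.0.0/16</allowed-ips>
  </remote>
</ossec_config>
"""


def _parse(conf_text):
    return ET.fromstring("<root>" + conf_text + "</root>")


def syslog_listeners(conf_text):
    """Return (port, protocol, [allowed networks]) for each syslog <remote> block."""
    listeners = []
    for remote in _parse(conf_text).iter("remote"):
        if (remote.findtext("connection") or "").strip() != "syslog":
            continue  # <connection>secure</connection> is the agent channel, not syslog
        port = int((remote.findtext("port") or "514").strip())       # OSSEC default
        proto = (remote.findtext("protocol") or "udp").strip().lower()  # OSSEC default
        nets = [ipaddress.ip_network(e.text.strip(), strict=False)
                for e in remote.findall("allowed-ips")]
        listeners.append((port, proto, nets))
    return listeners


def syslog_source_allowed(conf_text, src_ip, port=514):
    """True if some syslog <remote> block listening on `port` admits src_ip."""
    addr = ipaddress.ip_address(src_ip)
    return any(any(addr in net for net in nets)
               for p, _, nets in syslog_listeners(conf_text) if p == port)


def logall_enabled(conf_text):
    """True if <global><logall>yes</logall></global> is set, so archives.log is written."""
    return any((g.findtext("logall") or "").strip().lower() == "yes"
               for g in _parse(conf_text).iter("global"))
```

If syslog_source_allowed is false for the sender address seen in archives.log, OSSEC silently drops the datagrams even though ossec-logtest shows the decoder and rule firing.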

On March 14, 2017 at 10:57:55 AM, ehollis3...@gmail.com (
ehollis3...@gmail.com) wrote:

Hello All,

I have pointed my Symantec AV logs to our OSSEC server via syslog over port
514. I am seeing the logs come into ELSA, but not as OSSEC alerts. I have
created a custom decoder and parser, and can confirm that it is working:

**Phase 2: Completed decoding.
       decoder: 'Symantec'

**Phase 3: Completed filtering (rules).
       Rule id: '100006'
       Level: '7'
       Description: 'Symantec: virus found'
**Alert to be generated.

Do I need to point OSSEC to monitor the incoming syslog so that it can
alert on it? Again, I am seeing the straight syslog coming into ELSA, but
no OSSEC alert appears to be generated.

Thanks
--

---
You received this message because you are subscribed to the Google Groups
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an
email to ossec-list+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.