Hello,

In order to permit OSSEC to receive your Symantec syslog messages, you need to enable this in the configuration.

Listen on port 514:

<ossec_config>
  <remote>
    <connection>syslog</connection>
    <allowed-ips>Symantec AV ip</allowed-ips>
  </remote>
</ossec_config>

Then you need to restart OSSEC:

/var/ossec/bin/ossec-control restart

If after these changes you are still not receiving alerts, enable logall in ossec.conf:

<logall>yes</logall>

and take a look in the file "/var/ossec/logs/archives/archives.log". If the logs are in this file, but not in your alerts, probably the decoders or rules have something wrong.

Regards
-----------------------
Jose Luis Ruiz
Wazuh Inc.
j...@wazuh.com

On March 14, 2017 at 10:57:55 AM, ehollis3...@gmail.com (ehollis3...@gmail.com) wrote:

Hello All,

I have pointed my Symantec AV logs to our OSSEC server via syslog over port 514. I am seeing the logs come into ELSA, but not as OSSEC alerts. I have created a custom decoder and parser, and can confirm that it is working:

**Phase 2: Completed decoding.
       decoder: 'Symantec'

**Phase 3: Completed filtering (rules).
       Rule id: '100006'
       Level: '7'
       Description: 'Symantec: virus found'
**Alert to be generated.

Do I need to point OSSEC to monitor the incoming syslog so that it can alert on it? Again, I am seeing the straight syslog coming into ELSA, but no OSSEC alert appears to be generated.

Thanks

--
---
You received this message because you are subscribed to the Google Groups "ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to ossec-list+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
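Added example (not from the thread above and not OSSEC's or Wazuh's own code): a small check that reads an ossec.conf, finds the <remote> blocks with <connection>syslog</connection>, and tells you whether remoted would accept syslog from a given sender address, which is the usual reason a message shows up in ELSA but never reaches the decoders. Two constructed ossec.conf fragments are embedded: one with only the agent ("secure") listener, and one with the syslog listener and allowed-ips added as the reply describes. All addresses are hypothetical. It also carries a helper to fire a test syslog datagram at the server so you can then grep archives.log; that part needs a reachable OSSEC host and is not called by default.

```python
"""Check whether an ossec.conf lets remoted accept syslog from a sender.

Added example for the ossec-list thread; not OSSEC/Wazuh code. Addresses
and config fragments below are constructed for illustration.
"""
import ipaddress
import socket
import xml.etree.ElementTree as ET

# Constructed sample: only the agent listener, so datagrams to 514 are
# never picked up by OSSEC even though a syslog collector on the same box
# (ELSA here) sees them.
CONF_AGENTS_ONLY = """
<ossec_config>
  <remote>
    <connection>secure</connection>
  </remote>
</ossec_config>
"""

# Constructed sample: the fix from the reply, with the AV server's subnet
# and one extra host allowed. allowed-ips takes a host or a CIDR block.
CONF_WITH_SYSLOG = """
<ossec_config>
  <remote>
    <connection>secure</connection>
  </remote>
</ossec_config>

<ossec_config>
  <remote>
    <connection>syslog</connection>
    <port>514</port>
    <allowed-ips>10.0.5.0/24</allowed-ips>
    <allowed-ips>192.0.2.10</allowed-ips>
  </remote>
</ossec_config>
"""


def parse_ossec_conf(text):
    """ossec.conf may hold several top-level <ossec_config> elements, which
    is not well-formed XML on its own, so wrap it in a synthetic root."""
    return ET.fromstring("<root>" + text + "</root>")


def syslog_listeners(text):
    """Return [(port, [allowed networks])] for each syslog <remote> block."""
    listeners = []
    for remote in parse_ossec_conf(text).iter("remote"):
        if remote.findtext("connection", default="").strip() != "syslog":
            continue
        port = int(remote.findtext("port", default="514").strip())
        nets = [
            ipaddress.ip_network((n.text or "").strip(), strict=False)
            for n in remote.findall("allowed-ips")
        ]
        listeners.append((port, nets))
    return listeners


def syslog_accepted_from(text, sender_ip, port=514):
    """True if some syslog listener on `port` allows `sender_ip`.
    A syslog block with no allowed-ips is treated as accepting nobody."""
    addr = ipaddress.ip_address(sender_ip)
    return any(
        lport == port and any(addr in net for net in nets)
        for lport, nets in syslog_listeners(text)
    )


def send_test_syslog(server, message, port=514, pri=134):
    """Send one RFC 3164-style UDP syslog line (PRI 134 = local0.info)
    so you can grep /var/ossec/logs/archives/archives.log for it."""
    line = "<%d>ossec-test: %s" % (pri, message)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.sendto(line.encode(), (server, port))
    return line


if __name__ == "__main__":
    for name, conf in (("agents only", CONF_AGENTS_ONLY),
                       ("with syslog", CONF_WITH_SYSLOG)):
        print(name, "accepts 10.0.5.20:",
              syslog_accepted_from(conf, "10.0.5.20"))
```

Run it against your real file with `syslog_accepted_from(open("/var/ossec/etc/ossec.conf").read(), "<AV server IP>")`; if it returns False, fix the <remote> block and restart before spending time on decoders, since a rejected sender never reaches ossec-logtest's phases at all.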