Here is the output:

udp        0      0 0.0.0.0:514             0.0.0.0:*                       
    21090/syslog-ng

This is the only instance...


On Wednesday, March 15, 2017 at 2:41:58 PM UTC-4, dan (ddpbsd) wrote:
>
> On Tue, Mar 14, 2017 at 3:37 PM, <eholl...@gmail.com> wrote: 
> > Hello, yes: 
> > 
> > root@xxxxxx:/var/log# netstat -tuna | grep 514 
> > tcp        0      0 0.0.0.0:514             0.0.0.0:* 
> > udp        0      0 0.0.0.0:514             0.0.0.0:* 
> > 
> > 
>
> Adding -p to that could tell you the process using that port. 
> `netstat -ptuna | grep 514` 
>
> Is this securityonion? They may have syslog-ng already listening to the 
> network. 
>
> >   <remote> 
> >     <connection>syslog</connection> 
> >       <allowed-ips>161.182.xxx.xxx</allowed-ips> 
> >       <allowed-ips>161.182.xxx.xxx</allowed-ips> 
> >   </remote> 
> > 
> > 
> > 
> > On Tuesday, March 14, 2017 at 1:48:17 PM UTC-4, jose wrote: 
> >> 
> >> Hi, can you verify if the port is open? 
> >> 
> >> [root@wazuh-manager /]# netstat -tuna | grep 514 
> >> udp        0      0 0.0.0.0:514             0.0.0.0:* 
> >> 
> >> The symantec ip is allowed in ossec.conf right? 
> >> 
> >> 
> >> 
> >> Regards 
> >> ----------------------- 
> >> Jose Luis Ruiz 
> >> Wazuh Inc. 
> >> jo...@wazuh.com 
> >> 
> >> On March 14, 2017 at 12:44:07 PM, eholl...@gmail.com (eholl...@gmail.com) wrote: 
> >> 
> >> It's very strange... I have already enabled syslog over 514 from our 
> >> symantec server to the OSSEC server, and I see the logs coming into our 
> >> ELSA instance, but I have grep'd our syslog files, OSSEC archive and OSSEC 
> >> alerts files and do not see the log anywhere on the server... Where should 
> >> these logs be written when being sent to the server? I've checked all 
> >> gzipped files in /var/log/ as well as all files in /var/ossec/logs/archive/ 
> >> and /var/ossec/logs/alerts/ 
> >> 
>
> `/var/ossec/logs/archives/archives.log` only contains entries if you 
> enable the logall option in the ossec.conf. 
> I'm not sure if it records messages sent to the syslog remoted stuff. 
> I just haven't tested it. 
>
> >> On Tuesday, March 14, 2017 at 11:44:36 AM UTC-4, jose wrote: 
> >>> 
> >>> Hello, 
> >>> 
> >>> In order to permit OSSEC to receive your Symantec syslog messages, you 
> >>> need to enable this in the configuration: 
> >>> 
> >>> Listen in port 514: 
> >>> 
> >>> <ossec_config> 
> >>>   <remote> 
> >>>     <connection>syslog</connection> 
> >>>       <allowed-ips>Symantec AV ip</allowed-ips> 
> >>>   </remote> 
> >>> </ossec_config> 
> >>> 
> >>> then you need to restart ossec: 
> >>> 
> >>> /var/ossec/bin/ossec-control restart 
> >>> 
> >>> If after these changes you are still not receiving alerts, enable logall 
> >>> in ossec.conf (<logall>yes</logall>) and take a look in the file 
> >>> "/var/ossec/logs/archives/archives.log". If the logs are in this file but 
> >>> not in your alerts, probably the decoders or rules have something wrong. 
> >>> 
> >>> 
> >>> 
> >>> Regards 
> >>> ----------------------- 
> >>> Jose Luis Ruiz 
> >>> Wazuh Inc. 
> >>> jo...@wazuh.com 
> >>> 
> >>> On March 14, 2017 at 10:57:55 AM, eholl...@gmail.com (eholl...@gmail.com) wrote: 
> >>> 
> >>> Hello All, 
> >>> 
> >>> I have pointed my Symantec AV logs to our OSSEC server via syslog over 
> >>> port 514. I am seeing the logs come into ELSA, but not as OSSEC alerts. I 
> >>> have created a custom decoder and parser, and can confirm that it is 
> >>> working: 
> >>> 
> >>> **Phase 2: Completed decoding. 
> >>>        decoder: 'Symantec' 
> >>> 
> >>> **Phase 3: Completed filtering (rules). 
> >>>        Rule id: '100006' 
> >>>        Level: '7' 
> >>>        Description: 'Symantec: virus found' 
> >>> **Alert to be generated. 
> >>> 
> >>> Do I need to point OSSEC to monitor the incoming syslog so that it can 
> >>> alert on it? Again, I am seeing the straight syslog coming into ELSA, but 
> >>> no OSSEC alert appears to be generated. 
> >>> 
> >>> Thanks 
> >>> -- 
> >>> 
> >>> --- 
> >>> You received this message because you are subscribed to the Google 
> Groups 
> >>> "ossec-list" group. 
> >>> To unsubscribe from this group and stop receiving emails from it, send 
> an 
> >>> email to ossec-list+...@googlegroups.com. 
> >>> For more options, visit https://groups.google.com/d/optout. 
>

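The thread ends with two separate checks still being done by hand: which process really owns UDP/514 (the `netstat -ptuna` suggestion) and whether the sending host is listed under `<allowed-ips>` for the syslog `<remote>` block. The script below is an added example, not code from the thread, from OSSEC or from Wazuh. It runs offline against constructed `netstat -ptuna` output and a constructed `ossec.conf` fragment (the PIDs and the 192.0.2.x addresses are placeholders, not the poster's hosts) and prints a single verdict; on a real manager you would feed it the live command output and the real configuration file instead.

```shell
#!/bin/sh
# Added triage script (not from the ossec-list thread or the OSSEC project).
# Answers the two questions the thread keeps circling: which process actually
# owns UDP/514, and which source IPs ossec.conf permits for syslog input.
# All inputs below are constructed samples; PIDs and IPs are placeholders.

# Constructed `netstat -ptuna` output. On a real host replace it with the
# live command (or `ss -ulpn`), run as root so PID/Program name is filled in.
SAMPLE_NETSTAT='Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:514             0.0.0.0:*               LISTEN      21090/syslog-ng
udp        0      0 0.0.0.0:514             0.0.0.0:*                           21090/syslog-ng
udp        0      0 0.0.0.0:1514            0.0.0.0:*                           1234/ossec-remoted'

# Constructed ossec.conf fragment (placeholder addresses from 192.0.2.0/24).
SAMPLE_CONF='<ossec_config>
  <remote>
    <connection>syslog</connection>
    <allowed-ips>192.0.2.10</allowed-ips>
    <allowed-ips>192.0.2.11</allowed-ips>
  </remote>
  <remote>
    <connection>secure</connection>
  </remote>
</ossec_config>'

# port_owner PROTO PORT: read netstat -ptuna output on stdin and print the
# program name bound to PORT for PROTO (tcp|udp); prints nothing if unbound.
port_owner() {
    awk -v proto="$1" -v port="$2" '
        $1 == proto && $4 ~ (":" port "$") { split($NF, f, "/"); print f[2]; exit }'
}

# syslog_allowed_ips: read ossec.conf on stdin and print, one per line, the
# <allowed-ips> entries of every <remote> block whose connection is syslog.
syslog_allowed_ips() {
    awk '
        /<remote>/   { in_remote = 1; is_syslog = 0; n = 0; next }
        /<\/remote>/ { if (is_syslog) for (i = 0; i < n; i++) print ips[i]; in_remote = 0; next }
        in_remote && /<connection>syslog<\/connection>/ { is_syslog = 1; next }
        in_remote && /<allowed-ips>/ {
            sub(/.*<allowed-ips>/, ""); sub(/<\/allowed-ips>.*/, ""); ips[n++] = $0
        }'
}

# triage NETSTAT_TEXT CONF_TEXT: print a one-line verdict; return 0 only when
# ossec-remoted owns udp/514 and at least one syslog allowed-ips is set.
triage() {
    owner=$(printf '%s\n' "$1" | port_owner udp 514)
    ips=$(printf '%s\n' "$2" | syslog_allowed_ips | tr '\n' ' ')
    ips=${ips% }
    case "$owner" in
        ossec-remoted)
            if [ -z "$ips" ]; then
                echo "FAIL: ossec-remoted owns udp/514 but no syslog <allowed-ips> is set; remoted drops messages from unlisted sources"
                return 1
            fi
            echo "OK: ossec-remoted owns udp/514 (syslog allowed-ips: $ips)"
            return 0 ;;
        '')
            echo "FAIL: nothing is bound to udp/514; check /var/ossec/logs/ossec.log for a remoted bind error"
            return 1 ;;
        *)
            echo "FAIL: udp/514 is bound by $owner, not ossec-remoted (syslog allowed-ips: $ips)"
            return 1 ;;
    esac
}

# Stand-alone run against the constructed samples; the FAIL verdict is the
# expected result here, since syslog-ng holds the port in the sample.
if triage "$SAMPLE_NETSTAT" "$SAMPLE_CONF"; then
    echo "syslog input path looks healthy"
else
    echo "triage exit status: $?"
fi
```

The point of the verdict is that a UDP port has one owner: if a local syslog daemon already holds 0.0.0.0:514, ossec-remoted either failed to bind (which shows up in ossec.log) or is not configured for syslog at all, and the Symantec events will keep landing in whatever that daemon feeds (ELSA, in the thread) while never reaching the OSSEC decoders. On systems without netstat, `ss -ulpn 'sport = :514'` gives the same owner information. The `<allowed-ips>` check is the second half: even with remoted on the port, messages from a source not listed there are discarded rather than decoded.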