Here is the output:

udp 0 0 0.0.0.0:514 0.0.0.0:* 21090/syslog-ng

This is the only instance...

On Wednesday, March 15, 2017 at 2:41:58 PM UTC-4, dan (ddpbsd) wrote:
> On Tue, Mar 14, 2017 at 3:37 PM, <eholl...@gmail.com> wrote:
> > Hello, yes:
> >
> > root@xxxxxx:/var/log# netstat -tuna | grep 514
> > tcp 0 0 0.0.0.0:514 0.0.0.0:*
> > udp 0 0 0.0.0.0:514 0.0.0.0:*
> >
>
> Adding -p to that could tell you the process using that port.
> `netstat -ptuna | grep 514`
>
> Is this securityonion? They may have syslog-ng already listening to the
> network.
>
> > <remote>
> > <connection>syslog</connection>
> > <allowed-ips>161.182.xxx.xxx</allowed-ips>
> > <allowed-ips>161.182.xxx.xxx</allowed-ips>
> > </remote>
> >
> > On Tuesday, March 14, 2017 at 1:48:17 PM UTC-4, jose wrote:
> >>
> >> Hi, can you verify if the port is open?
> >>
> >> [root@wazuh-manager /]# netstat -tuna | grep 514
> >> udp 0 0 0.0.0.0:514 0.0.0.0:*
> >>
> >> The Symantec IP is allowed in ossec.conf, right?
> >>
> >> Regards
> >> -----------------------
> >> Jose Luis Ruiz
> >> Wazuh Inc.
> >> jo...@wazuh.com
> >>
> >> On March 14, 2017 at 12:44:07 PM, eholl...@gmail.com (eholl...@gmail.com) wrote:
> >>
> >> It's very strange... I have already enabled syslog over 514 from
> >> our Symantec server to the OSSEC server, and I see the logs coming into our
> >> ELSA instance, but I have grep'd our syslog files, OSSEC archive and OSSEC
> >> alerts files and do not see the log anywhere on the server... Where should
> >> these logs be written when being sent to the server? I've checked all
> >> gzipped files in /var/log/ as well as all files in /var/ossec/logs/archive/
> >> and /var/ossec/logs/alerts/
> >>
>
> `/var/ossec/logs/archives/archives.log` only contains entries if you
> enable the logall option in the ossec.conf.
> I'm not sure if it records messages sent to the syslog remoted stuff.
> I just haven't tested it.
>
> >>> On Tuesday, March 14, 2017 at 11:44:36 AM UTC-4, jose wrote:
> >>>
> >>> Hello,
> >>>
> >>> In order to permit OSSEC to receive your Symantec syslog messages, you need
> >>> to enable this in the configuration:
> >>>
> >>> Listen on port 514:
> >>>
> >>> <ossec_config>
> >>> <remote>
> >>> <connection>syslog</connection>
> >>> <allowed-ips>Symantec AV ip</allowed-ips>
> >>> </remote>
> >>> </ossec_config>
> >>>
> >>> then you need to restart ossec:
> >>>
> >>> /var/ossec/bin/ossec-control restart
> >>>
> >>> If after these changes you are still not receiving alerts, enable logall
> >>> in ossec.conf <logall> yes </logall> and take a look in the file
> >>> "/var/ossec/logs/archives/archives.log"; if the logs are in this file but
> >>> not in your alerts, probably the decoders or rules have something wrong.
> >>>
> >>> Regards
> >>> -----------------------
> >>> Jose Luis Ruiz
> >>> Wazuh Inc.
> >>> jo...@wazuh.com
> >>>
> >>> On March 14, 2017 at 10:57:55 AM, eholl...@gmail.com (eholl...@gmail.com) wrote:
> >>>
> >>> Hello All,
> >>>
> >>> I have pointed my Symantec AV logs to our OSSEC server via syslog over
> >>> port 514. I am seeing the logs come into ELSA, but not as OSSEC alerts. I
> >>> have created a custom decoder and parser, and can confirm that it is
> >>> working:
> >>>
> >>> **Phase 2: Completed decoding.
> >>> decoder: 'Symantec'
> >>>
> >>> **Phase 3: Completed filtering (rules).
> >>> Rule id: '100006'
> >>> Level: '7'
> >>> Description: 'Symantec: virus found'
> >>> **Alert to be generated.
> >>>
> >>> Do I need to point OSSEC to monitor the incoming syslog so that it can
> >>> alert on it? Again, I am seeing the straight syslog coming into ELSA, but no
> >>> OSSEC alert appears to be generated.
> >>>
> >>> Thanks
> >>> --
> >>>
> >>> ---
> >>> You received this message because you are subscribed to the Google Groups
> >>> "ossec-list" group.
> >>> To unsubscribe from this group and stop receiving emails from it, send an
> >>> email to ossec-list+...@googlegroups.com.
> >>> For more options, visit https://groups.google.com/d/optout.
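The check dan suggests (`netstat -ptuna | grep 514`) is what finally exposed the problem in this thread: syslog-ng (PID 21090) already owned UDP 514, so ossec-remoted could never bind it and the Symantec messages never reached the OSSEC decoders, even though they showed up in ELSA. The script below is an added example, not code from the thread or from the OSSEC project. It takes `netstat -ptuna`-style output on stdin, lists which process owns every socket bound to a given port, and flags a conflict when that process is not `ossec-remoted`. The netstat output it runs against is constructed for the demonstration; the PID and program names in it are assumptions. In real use you would feed it `netstat -ptuna` (run as root, otherwise the PID/program column is blank and the owner shows as `-`).

```sh
#!/bin/sh
# Added example (not from the thread): find who owns a syslog listener port
# before blaming OSSEC decoders or rules. Parses `netstat -ptuna` output.

# Constructed sample of `netstat -ptuna` on a box where syslog-ng already holds
# 514 and ossec-remoted is on its agent port 1514. PIDs/programs are made up.
SAMPLE_NETSTAT='Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      812/sshd
tcp        0      0 0.0.0.0:514             0.0.0.0:*               LISTEN      21090/syslog-ng
udp        0      0 0.0.0.0:514             0.0.0.0:*                           21090/syslog-ng
udp        0      0 0.0.0.0:1514            0.0.0.0:*                           4410/ossec-remoted'

# port_listeners PORT: read netstat output on stdin, print "proto pid/program"
# for every tcp/udp socket whose local address ends in :PORT (IPv4 or IPv6).
port_listeners() {
    port="$1"
    awk -v p="$port" '
        $1 ~ /^(tcp|udp)6?$/ {
            n = split($4, a, ":")           # local address is column 4; port is the last piece
            if (a[n] == p) {
                prog = $NF                   # "pid/program" is the last column when -p is given
                if (prog !~ /\//) prog = "-" # no -p, or not root: netstat shows no owner
                print $1, prog
            }
        }'
}

# remoted_conflict PORT: exit 0 when the only listener on PORT is ossec-remoted
# (or there is none); exit 1 and print the offending sockets otherwise.
remoted_conflict() {
    port="$1"
    others=$(port_listeners "$port" | grep -v 'ossec-remoted$' || true)
    if [ -n "$others" ]; then
        printf 'port %s is already bound by another process:\n%s\n' "$port" "$others"
        return 1
    fi
    return 0
}

# Demonstration against the constructed sample; on a real manager run
#   netstat -ptuna | remoted_conflict 514
printf '%s\n' "$SAMPLE_NETSTAT" | remoted_conflict 514 \
    || echo "ossec-remoted cannot take 514: stop the other listener or give OSSEC a different <port> in its <remote> block"
```

On a Security Onion manager the clean fix is usually to leave syslog-ng on 514 and either forward from syslog-ng into OSSEC, or move the OSSEC syslog listener to another port with a `<port>` element inside the `<remote>` block and point the Symantec server at that port. Whichever you choose, re-run the check after `ossec-control restart` and confirm the `514` (or new port) line now shows `ossec-remoted`.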