Re: [ossec-list] Log firewall changes
On Tue, Feb 18, 2020 at 1:52 AM Schultheis Burkhard wrote:
>
> Hi,
>
> I want to get a message when the ruleset of iptables gets modified. But
> I see that iptables doesn't log its changes. Or am I wrong?
>

I'm not aware of a log, but I'm far from an expert.

If you're running an OSSEC agent on the system, it should be easy to add a
command to watch for changes. This is probably a naive command to run, but
I'm not sure what a better one would be at the moment.

This goes in the ossec.conf of the agent with the iptables configuration
you want to monitor.

  <localfile>
    <log_format>full_command</log_format>
    <alias>iptables_check</alias>
    <command>iptables -nL</command>
    <frequency>60</frequency>
  </localfile>

Every 60ish seconds the command "iptables -nL" is run. The contents of
this command are sent to the OSSEC server.

Then you create a rule to match this command in local_rules.xml. Something
like this:

> >> But OSSEC failed to start. What's wrong? How to get the desired
> >> emails for firewall changes? It's OSSEC v3.3.0 on CentOS 6.10.
> >>
> > What do you mean by "a port is opened or closed in the firewall?" Do
> > you mean when a program is listening on a port,
> > or the ruleset is modified to allow traffic through a particular port?
> >
> > What type of firewall?
> >
> > I don't think "log" is a valid value for . Just remove the line.
> > You can look at the ossec.log on the server for more details as to why
> > it's failing.
> >
> >> Thanks in advance!
> >>
> >> Regards
> >> Burkhard
> >>

--

---
You received this message because you are subscribed to the Google Groups "ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to ossec-list+unsubscr...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/ossec-list/CAMyQvMrfwgfGs7n8EstEPH5VoWMYQVqS%3DyNuTuY%3Da3dEE%2Bzw4Q%40mail.gmail.com.
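The local_rules.xml rule that the reply above says it will show did not survive on the page. The following is an added example, not dan's own rule from the list: it pairs the agent-side localfile block from the reply (with its tags restored) with a server-side rule that fires when the stored output of the command changes. The rule id 100010, the level 7, the group name and the description text are assumptions; 530 is the stock OSSEC rule that matches every "ossec: output:" line produced by a full_command entry, and the alias appears in that line, which is what the match keys on.

```xml
<!-- Agent side: ossec.conf on the host whose iptables ruleset is monitored.
     This is the block from the reply; only the surrounding tags are restored. -->
<ossec_config>
  <localfile>
    <log_format>full_command</log_format>
    <!-- The alias is what the server-side rule matches on. -->
    <alias>iptables_check</alias>
    <command>iptables -nL</command>
    <!-- Seconds between runs of the command. -->
    <frequency>60</frequency>
  </localfile>
</ossec_config>

<!-- Server side: rules/local_rules.xml. Rule id, level, group name and
     description are assumptions for this example. -->
<group name="local,iptables,">
  <rule id="100010" level="7">
    <!-- 530 is the stock rule that matches any "ossec: output:" line. -->
    <if_sid>530</if_sid>
    <!-- Output of an aliased command is logged as "ossec: output: 'alias':". -->
    <match>ossec: output: 'iptables_check'</match>
    <!-- Alert only when the output differs from the previously stored run. -->
    <check_diff />
    <description>iptables ruleset changed on agent.</description>
  </rule>
</group>
```

With the default email_alert_level of 7 in the server's ossec.conf, this alert is mailed, which is what the original question asked for. check_diff keeps the last output on the server and compares each new run against it, so the command must produce stable output when nothing has changed: "iptables -nL" without -v prints no packet counters and suits this, whereas "iptables-save" writes a timestamp in its header comment and would alert on every run. A change that is made and reverted within the 60-second window is not seen.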
Re: [ossec-list] Log firewall changes
Hi,

I want to get a message when the ruleset of iptables gets modified. But I see that iptables doesn't log its changes. Or am I wrong?

Thanks!

Regards
Burkhard

On 17.02.2020 at 16:20, dan (ddp) wrote:
> On Mon, Feb 17, 2020 at 9:25 AM Burkhard Schultheis wrote:
>> Hi,
>>
>> I want to get an email from OSSEC when a port is opened or closed in the
>> firewall. Therefore I changed "no_log" in firewall_rules.xml to "log".
>> But OSSEC failed to start. What's wrong? How to get the desired
>> emails for firewall changes? It's OSSEC v3.3.0 on CentOS 6.10.
>
> What do you mean by "a port is opened or closed in the firewall?" Do
> you mean when a program is listening on a port,
> or the ruleset is modified to allow traffic through a particular port?
>
> What type of firewall?
>
> I don't think "log" is a valid value for . Just remove the line.
> You can look at the ossec.log on the server for more details as to why
> it's failing.
>
>> Thanks in advance!
>>
>> Regards
>> Burkhard
Re: [ossec-list] Log firewall changes
On Mon, Feb 17, 2020 at 9:25 AM Burkhard Schultheis wrote:
>
> Hi,
>
> I want to get an email from OSSEC when a port is opened or closed in the
> firewall. Therefore I changed "no_log" in firewall_rules.xml to "log".
> But OSSEC failed to start. What's wrong? How to get the desired
> emails for firewall changes? It's OSSEC v3.3.0 on CentOS 6.10.
>

What do you mean by "a port is opened or closed in the firewall?" Do you mean when a program is listening on a port, or the ruleset is modified to allow traffic through a particular port?

What type of firewall?

I don't think "log" is a valid value for . Just remove the line. You can look at the ossec.log on the server for more details as to why it's failing.

> Thanks in advance!
>
> Regards
> Burkhard
[ossec-list] Log firewall changes
Hi,

I want to get an email from OSSEC when a port is opened or closed in the firewall. Therefore I changed "no_log" in firewall_rules.xml to "log". But OSSEC failed to start. What's wrong? How to get the desired emails for firewall changes? It's OSSEC v3.3.0 on CentOS 6.10.

Thanks in advance!

Regards
Burkhard