FYI - running TCPDUMP is not a good test to verify whether the firewall blocks or
not, since tcpdump puts the NIC in promiscuous mode AND intercepts the packets
BEFORE the firewall sees them. So even if you are seeing the packets, you
don't know whether they are being blocked or not without reviewing your firewall
Thanks Kat! I was thinking of firewalls between the OSSEC server and the
Sonicwall; it wasn't until after Dan emailed that I figured I'd better double
check the firewall on the OSSEC server itself. Next time I'll have to check
that a little earlier :-)
Mike Scott
On Thu, Mar 22, 2012 at 7:29 AM,
On Tue, Mar 20, 2012 at 5:44 PM, Michael Scott
ms.thenetwor...@gmail.com wrote:
Greetings!
I'm having some difficulty trying to set up a Sonicwall to be monitored by
OSSEC. Here's what I've done so far:
1. Set the Sonicwall to send syslog messages to the OSSEC server on port
514.
2.
Thanks for the reply Dan!
I turned on the logall option, and I don't see any messages from the
Sonicwall in the /ossec/logs/archives/archives.log file. Looking at
netstat, I see that ossec-remoted is listening on port 514.
A firewall doesn't appear to be blocking the packets because if I run
I can't think of anything else offhand. Of course, check the ossec.log
to see if there's anything in there.
* The Sonicwall's IP is in the allowed list
* The OSSEC server is configured to accept syslog messages (and the
processes restarted)
* ossec-remoted is listening to the correct port
Thanks again for the help and reply Dan.
Just for fun, I disabled the firewall, and it started working. I ended up
removing the exception, applying changes, and then recreating it and
applying changes. After that, it ended up working.
Sorry for the false alarm, and thanks!
- Mike Scott
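Kat's point (tcpdump captures before the host firewall decides) and Dan's checklist both come down to reading the rule set on the OSSEC server rather than the wire. The following is an added example, not code from this thread or from OSSEC: a small Python script that takes the text output of `iptables -L INPUT -v -n`, walks the INPUT chain first-match style for a fresh UDP/514 datagram from the Sonicwall, and reports which rule (or the chain policy) decides it and how many packets that rule has already counted. The listings and the Sonicwall address 192.0.2.10 are constructed samples; the rule-ordering mistake in the first one is a constructed scenario, not a claim about what was wrong on Mike's server.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional, Set, Tuple

# Constructed sample of `iptables -L INPUT -v -n` output (not captured from a real host).
# The ACCEPT exception for the Sonicwall (192.0.2.10, a documentation address) sits BELOW
# a DROP that already matches UDP/514, so it never fires; tcpdump would still show the datagrams.
SAMPLE_WRONG_ORDER = """\
Chain INPUT (policy DROP 12 packets, 960 bytes)
 pkts bytes target     prot opt in     out     source               destination
  520 41600 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
 1234 98765 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
   37  2960 DROP       udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:514
    0     0 ACCEPT     udp  --  *      *       192.0.2.10           0.0.0.0/0            udp dpt:514
"""

# The same rule set with the exception placed above the DROP (also constructed).
SAMPLE_FIXED = """\
Chain INPUT (policy DROP 12 packets, 960 bytes)
 pkts bytes target     prot opt in     out     source               destination
  520 41600 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
 1234 98765 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    0     0 ACCEPT     udp  --  *      *       192.0.2.10           0.0.0.0/0            udp dpt:514
   37  2960 DROP       udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:514
"""


@dataclass
class Rule:
    pkts: int
    target: str
    proto: str                  # "all", "udp", "tcp", ...
    in_if: str                  # "*" or an interface name
    source: ipaddress.IPv4Network
    dport: Optional[int]        # from "dpt:N" in the match column, if present
    states: Optional[Set[str]]  # from a "state"/"ctstate" match, if present


def parse_chain(listing: str) -> Tuple[str, list]:
    """Parse `iptables -L <chain> -v -n` text into (policy, [Rule, ...]) in chain order."""
    policy = "ACCEPT"
    rules = []
    for raw in listing.splitlines():
        line = raw.strip()
        if not line:
            continue
        head = re.match(r"Chain \S+ \(policy (\w+)", line)
        if head:
            policy = head.group(1)
            continue
        if line.startswith("pkts"):          # column header row
            continue
        cols = line.split()
        pkts, _bytes, target, proto, _opt, in_if, _out, src, _dst = cols[:9]
        extra = " ".join(cols[9:])           # match extensions, e.g. "udp dpt:514"
        dport = re.search(r"dpt:(\d+)", extra)
        state = re.search(r"(?:ct)?state (\S+)", extra)
        rules.append(Rule(
            pkts=int(pkts),
            target=target,
            proto=proto,
            in_if=in_if,
            source=ipaddress.ip_network(src, strict=False),
            dport=int(dport.group(1)) if dport else None,
            states=set(state.group(1).split(",")) if state else None,
        ))
    return policy, rules


def verdict(listing, src, proto, dport, in_if="eth0"):
    """First-match walk of the chain for a NEW inbound packet.

    Returns (target, rule_number, pkts_counted_by_that_rule); rule_number and
    pkts are None when nothing matched and the chain policy decided."""
    policy, rules = parse_chain(listing)
    addr = ipaddress.ip_address(src)
    for number, rule in enumerate(rules, start=1):
        if rule.proto not in ("all", proto):
            continue
        if rule.in_if not in ("*", in_if):
            continue
        if addr not in rule.source:
            continue
        if rule.dport is not None and rule.dport != dport:
            continue
        # A fresh syslog datagram is conntrack state NEW; a rule limited to
        # RELATED,ESTABLISHED cannot be the one letting it in.
        if rule.states is not None and "NEW" not in rule.states:
            continue
        return rule.target, number, rule.pkts
    return policy, None, None


def report(listing, src, proto="udp", dport=514):
    target, number, pkts = verdict(listing, src, proto, dport)
    if number is None:
        return f"{proto}/{dport} from {src}: no rule matched, chain policy {target} applies"
    return f"{proto}/{dport} from {src}: rule {number} -> {target} ({pkts} packets counted so far)"


if __name__ == "__main__":
    for name, sample in (("wrong order", SAMPLE_WRONG_ORDER), ("fixed", SAMPLE_FIXED)):
        print(f"[{name}] " + report(sample, "192.0.2.10"))
```

On a real OSSEC server, paste the output of `iptables -L INPUT -v -n` into `report()` with the Sonicwall's address. An ACCEPT exception that exists but has a packet count stuck at 0 while a DROP further up (or the chain policy) keeps counting is the signature of the situation Kat describes: tcpdump shows the datagrams arriving, and the firewall discards them before ossec-remoted ever sees them.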
On Wed,
Greetings!
I'm having some difficulty trying to set up a Sonicwall to be monitored by
OSSEC. Here's what I've done so far:
1. Set the Sonicwall to send syslog messages to the OSSEC server on port
514.
2. Confirmed with tcpdump that the OSSEC server is in fact receiving the
syslog messages.
3.