On Fri, Aug 17, 2012 at 5:49 PM, JB jjoob...@gmail.com wrote:
The allowed value for <remote><connection> is either 'secure' or 'syslog'
according to http://www.ossec.net/doc/syntax/head_ossec_config.remote.html
It seems strange that you have both values in your ossec.conf.
Try get rid of the
On Thu, Aug 16, 2012 at 10:47 PM, Adriel Desautels
ad_li...@netragard.com wrote:
One last thing...
% /var/ossec/bin/ossec-control restart
Killing ossec-monitord ..
Killing ossec-logcollector ..
Killing ossec-remoted ..
Killing ossec-syscheckd ..
Killing ossec-analysisd ..
Killing
On Thu, Aug 16, 2012 at 9:25 PM, Adriel Desautels
ad_li...@netragard.com wrote:
I have the following in ossec.conf:
.
.
.
<remote>
  <connection>syslog</connection>
  <allowed-ips>10.5.4.1</allowed-ips>
  <port>514</port>
</remote>
<remote>
  <connection>secure</connection>
</remote>
On Thu, Aug 16, 2012 at 10:13 PM, Adriel Desautels
ad_li...@netragard.com wrote:
Something I should mention...
It is installed in a custom path. /opt/ossec instead of /var/ossec
Could that be part of the issue?
No.
On 8/16/12 9:51 PM, Tony Perez, PMP wrote:
Hi Adriel
Gotcha, sorry
Here it is:
root@bos-ossec01:/var/ossec/etc# cat ossec.conf
<ossec_config>
  <global>
    <email_notification>yes</email_notification>
    <email_to>x...@xxx.xxx</email_to>
    <smtp_server>xx.xx.xx.xx</smtp_server>
    <email_from>m...@xxx.xxx</email_from>
  </global>
  <rules>
    <include>rules_config.xml</include>
On Fri, Aug 17, 2012 at 10:12 AM, Adriel Desautels
ad_li...@netragard.com wrote:
Here it is:
root@bos-ossec01:/var/ossec/etc# cat ossec.conf
<ossec_config>
  <global>
    <email_notification>yes</email_notification>
    <email_to>x...@xxx.xxx</email_to>
    <smtp_server>xx.xx.xx.xx</smtp_server>
Dan,
Not only have I stopped and restarted but I even reinstalled OSSEC.
What specifically do you want to know about the machine / server?
On 8/17/12 11:24 AM, dan (ddp) wrote:
On Fri, Aug 17, 2012 at 10:12 AM, Adriel Desautels
ad_li...@netragard.com wrote:
Here it is:
On Fri, Aug 17, 2012 at 1:20 PM, Adriel Desautels
ad_li...@netragard.com wrote:
Dan,
Not only have I stopped and restarted but I even reinstalled OSSEC.
Try removing the secure remote option.
What specifically do you want to know about the machine / server?
Seriously? You couldn't just
Comments embedded below:
On 8/17/12 1:27 PM, dan (ddp) wrote:
On Fri, Aug 17, 2012 at 1:20 PM, Adriel Desautels
ad_li...@netragard.com wrote:
Dan,
Not only have I stopped and restarted but I even reinstalled OSSEC.
Try removing the secure remote option.
I've tried that, the error goes away
On Fri, Aug 17, 2012 at 2:08 PM, Adriel Desautels
ad_li...@netragard.com wrote:
Comments embedded below:
On 8/17/12 1:27 PM, dan (ddp) wrote:
On Fri, Aug 17, 2012 at 1:20 PM, Adriel Desautels
ad_li...@netragard.com wrote:
Dan,
Not only have I stopped and restarted but I even reinstalled
Comments embedded below:
On 8/17/12 2:17 PM, dan (ddp) wrote:
On Fri, Aug 17, 2012 at 2:08 PM, Adriel Desautels
ad_li...@netragard.com wrote:
Comments embedded below:
On 8/17/12 1:27 PM, dan (ddp) wrote:
On Fri, Aug 17, 2012 at 1:20 PM, Adriel Desautels
ad_li...@netragard.com wrote:
Dan,
On 8/17/2012 1:17 PM, dan (ddp) wrote:
Since you've installed OSSEC somewhere silly, [...]
totally off-topic, but I always wondered why the default installation is
in /var and not /opt ?
Maybe it's just me (I started out with SunOS/Solaris and then
transitioned to Linux later), but I prefer
On Fri, Aug 17, 2012 at 3:09 PM, Ryan Schulze r...@dopefish.de wrote:
On 8/17/2012 1:17 PM, dan (ddp) wrote:
Since you've installed OSSEC somewhere silly, [...]
totally off-topic, but I always wondered why the default installation is in
/var and not /opt ?
Maybe it's just me (I started out
I have the following in ossec.conf:
.
.
.
<remote>
  <connection>syslog</connection>
  <allowed-ips>10.5.4.1</allowed-ips>
  <port>514</port>
</remote>
<remote>
  <connection>secure</connection>
</remote>
.
.
.
And yet when 10.5.4.1 sends a message to the OSSEC server I get this:
WARN: Message
Hi Adriel
You have the same port set on both the Agent and Server? Which server
does this ossec.conf belong to?
Thanks
Tony
Adriel Desautels mailto:ad_li...@netragard.com
August 16, 2012 6:25 PM
I have the following in ossec.conf:
.
.
.
<remote>
  <connection>syslog</connection>
So, the server (10.5.4.1) is a pfsense firewall. It is sending all of
its syslog data to the OSSEC server on UDP 514. Every time the OSSEC
server receives a syslog message it generates the error 2012/08/16
21:41:03 ossec-remoted(1213): WARN: Message from 10.5.4.1 not allowed.
So, yes pfsense
Hi Adriel
Gotcha, sorry didn't phrase the question right, but you answered it right.
Have you been able to turn on debug mode to see if you can see anything
there? Anything that would help understand the failed comm attempts?
Thanks
Adriel Desautels mailto:ad_li...@netragard.com
August 16,
Yes I have and no additional information whatsoever.
My syntax is correct, correct?
The IP address of the OSSEC server is 10.5.4.9 so it's on the same host...
Why would OSSEC ignore the directives in the config and not allow 10.5.4.1?
I am CONFUSED!!!
<remote>
And, it is listening too...
[root@bos-ossec01][/opt/ossec/queue]
% lsof -i | grep 514
ossec-rem 10942 ossecr4u IPv4 19815488 0t0 UDP *:1514
[root@bos-ossec01][/opt/ossec/queue]
% lsof -i | grep syslog
ossec-rem 10941 ossecr4u IPv4 19815490 0t0 UDP *:syslog
... /me pulls
So, I just reinstalled my ossec server...
Issue still not resolved.
This is version OSSEC HIDS v2.6.
Help?
On 8/16/12 9:51 PM, Tony Perez, PMP wrote:
Hi Adriel
Gotcha, sorry didn't phrase the question right, but you answered it right.
Have you been able to turn on debug mode to see if