[prev in list] [next in list] [prev in thread] [next in thread]
List: ossec-list
Subject: Re: [ossec-list] OSSEC receiving syslog alerts from ASA but not processing them
From: Nate <nbentzinger () gmail ! com>
Date: 2019-10-29 13:11:07
Message-ID: 75e3f0dd-6789-425b-a1fc-78af9c2dbe71 () googlegroups ! com
[Download RAW message or body]
[Attachment #2 (multipart/alternative)]
The ASA firewall's IP that sent data to OSSEC was listed in the
ossec.conf's <allowed-ips>. I setup <logall> to yes as well and tailed and
grepped the log to find the events by the word ASA or source IP but nothing
showed up despite tcpdump showing they hit the OSSEC server NIC.
I ended up standing up rsyslogd to accept remote syslogs, whitelisted the
IPs from the ossec.conf, shutdown the ossec syslog service and had OSSEC
monitor the rsyslog.log. I was able to get those ASA events (and all
others) into OSSEC.
On Tuesday, October 22, 2019 at 9:33:39 AM UTC-4, dan (ddpbsd) wrote:
>
> On Tue, Oct 15, 2019 at 8:59 AM Nate <nbent...@gmail.com <javascript:>>
> wrote:
> >
> > Looking at the syslog packets I see the Cisco ASA only uses local
> facility codes but my Palo Alto uses User facility codes:
> >
> > 08:55:50.340558 IP (tos 0x0, ttl 64, id 917, offset 0, flags [DF], proto
> UDP (17), length 329)
> > 10.10.10.151.44375 > 10.10.10.17.syslog: SYSLOG, length: 301
> > Facility user (1), Severity info (6)
> > Msg: Oct 15 08:55:50 10.10.10.151 1,2019/10/15
> 08:55:50,012001010622,SYSTEM,userid,0,2019/10/15
> 08:55:50,,connect-ldap-sever,10.10.10.10,0,0,general,informational,"ldap
> cfg DOMAIN GMapping FW-Admins connected to server 10.10.10.10:389,
> initiated by: 10.10.10.152",1204131,0x0,0,0,0,0,,fw2
> > 08:55:50.726480 IP (tos 0x0, ttl 254, id 65458, offset 0, flags [none],
> proto UDP (17), length 190)
> > 10.10.2.2.syslog > 10.10.10.17.syslog: SYSLOG, length: 162
> > Facility local4 (20), Severity warning (4)
> > Msg: Oct 15 08:55:50 EDT fw1 : %ASA-4-106023: Deny udp src
> outside:10.10.201.105/137 dst outside:10.10.201.255/137 by access-group
> "outside_access_in" [0x0, 0x0]\0x0a
> >
> > I can't change the ASA to be anything other than local facility.
> >
>
> I don't see anything in the remoted code that cares about the facility.
> If the IP isn't allowed, there should be a log message.
>
> If you don't have the <logall> option set to "yes," it might be worth
> turning it on to see if the messages make it to the archives.log file.
>
> > On Tuesday, October 15, 2019 at 8:34:52 AM UTC-4, Nate wrote:
> > >
> > > Hi Dan,
> > >
> > > Yes I restarted the OSSEC service with a: service OSSEC restart
> > >
> > > Right now the iptables are wide open due to this issue:
> > >
> > > # iptables -L
> > > Chain INPUT (policy ACCEPT)
> > > target prot opt source destination
> > >
> > > Chain FORWARD (policy ACCEPT)
> > > target prot opt source destination
> > >
> > > Chain OUTPUT (policy ACCEPT)
> > > target prot opt source destination
> > > # iptables -S
> > > -P INPUT ACCEPT
> > > -P FORWARD ACCEPT
> > > -P OUTPUT ACCEPT
> > >
> > > My full remote connections list is the following:
> > >
> > > <remote>
> > > <connection>syslog</connection>
> > > <allowed-ips>10.10.10.0/23</allowed-ips>
> > > <allowed-ips>10.10.2.2</allowed-ips>
> > > <allowed-ips>10.10.39.2</allowed-ips>
> > > <allowed-ips>10.10.6.2</allowed-ips>
> > > <allowed-ips>10.10.9.1</allowed-ips>
> > > <allowed-ips>192.168.2.0/24</allowed-ips>
> > > <port>514</port>
> > > </remote>
> > >
> > > I will move up the 10.10.2.2 up above the /23 in case this is causing
> it but I know we are getting syslog events from all other sources.
> > >
> > > Maybe it's the Cisco packet?
> > >
> > > On Tuesday, October 15, 2019 at 7:19:23 AM UTC-4, dan (ddpbsd) wrote:
> > > >
> > > > On Mon, Oct 14, 2019 at 3:03 PM Nate <nbent...@gmail.com> wrote:
> > > > >
> > > > > Hi,
> > > > >
> > > > > I've never seen this before but I setup our ASA 5516 to send syslog
> events to our OSSEC server to detect SHUN events.
> > > > >
> > > > > ossec.conf
> > > > > <remote>
> > > > > <connection>syslog</connection>
> > > > > <allowed-ips>10.10.2.2</allowed-ips>
> > > > > <port>514</port>
> > > > > </remote>
> > > > >
> > > > > <alerts>
> > > > > <log_alert_level>0</log_alert_level>
> > > > > <email_alert_level>9</email_alert_level>
> > > > > </alerts>
> > > > >
> > > > >
> > > > > local_rules.xml
> > > > >
> > > > > <group name="ASA,LANAttack">
> > > > > <rule id="100260" level="9">
> > > > > <!-- <decoded_as>ASA-lanattk</decoded_as> -->
> > > > > <if_sid>4100</if_sid>
> > > > > <regex>ASA-4-73310\d|ASA-4-40100\d</regex>
> > > > > <description>ASA Shun event</description>
> > > > > </rule>
> > > > > </group>
> > > > >
> > > > >
> > > > > but reviewing the alerts, archives,database no events from our
> 10.10.2.2 or ASA show up. Running tcpdump on ossec shows they are received
> by the server:
> > > > >
> > > > > 14:53:41.611883 IP (tos 0x0, ttl 254, id 54586, offset 0, flags
> [none], proto UDP (17), length 140)
> > > > > 10.10.2.2.syslog > 10.10.10.17.syslog: SYSLOG, length: 112
> > > > > Facility local0 (16), Severity warning (4)
> > > > > Msg: Oct 14 14:53:41 EDT fw1 : %ASA-4-401004: Shunned
> packet: 10.10.35.37 ==> 87.106.71.108 on interface inside\0x0a
> > > > > 14:53:41.614335 IP (tos 0x0, ttl 254, id 46962, offset 0, flags
> [none], proto UDP (17), length 140)
> > > > > 10.10.2.2.syslog > 10.10.10.17.syslog: SYSLOG, length: 112
> > > > > Facility local0 (16), Severity warning (4)
> > > > > Msg: Oct 14 14:53:41 EDT fw1 : %ASA-4-401004: Shunned
> packet: 10.10.35.37 ==> 87.106.71.108 on interface inside\0x0a
> > > > >
> > > > > If I copy out the Msg and paste it into ossec-logtest it does
> process it to my rule:
> > > > >
> > > > > [USER@ossec~]# /var/ossec/bin/ossec-logtest
> > > > > 2019/10/14 14:58:37 ossec-testrule: INFO: Reading local decoder
> file.
> > > > > 2019/10/14 14:58:37 ossec-testrule: INFO: Started (pid: 29400).
> > > > > ossec-testrule: Type one log per line.
> > > > >
> > > > > Oct 14 14:53:41 EDT fw1 : %ASA-4-401004: Shunned packet: 10.10.35.37
> ==> 87.106.71.108 on interface inside\0x0a
> > > > >
> > > > >
> > > > > **Phase 1: Completed pre-decoding.
> > > > > full event: 'Oct 14 14:53:41 EDT fw1 : %ASA-4-401004: Shunned
> packet: 10.10.35.37 ==> 87.106.71.108 on interface inside\0x0a'
> > > > > hostname: 'EDT'
> > > > > program_name: '(null)'
> > > > > log: 'fw1 : %ASA-4-401004: Shunned packet: 10.10.35.37 ==>
> 87.106.71.108 on interface inside\0x0a'
> > > > >
> > > > > **Phase 2: Completed decoding.
> > > > > decoder: 'ASA-lanattk'
> > > > >
> > > > > **Phase 3: Completed filtering (rules).
> > > > > Rule id: '100260'
> > > > > Level: '9'
> > > > > Description: 'ASA Shun event'
> > > > > **Alert to be generated.
> > > > >
> > > > > I see that UDP port 514 is running:
> > > > >
> > > > > [root@secserv ~]# netstat -anp | grep 514
> > > > > tcp 0 0 127.0.0.1:3306 127.0.0.1:37514
> ESTABLISHED 5542/mysqld
> > > > > tcp 0 0 127.0.0.1:37514 127.0.0.1:3306
> ESTABLISHED 29340/ossec-dbd
> > > > > udp 0 0 :::1514 :::*
> 29373/ossec-remoted
> > > > > udp 0 0 :::514 :::*
> 29372/ossec-remoted
> > > > >
> > > > >
> > > > > What obvious thing am I missing to setup an ASA to OSSEC? Our HP
> switches and Palo Alto firewall are sending syslogs just fine.
> > > > >
> > > >
> > > > After adding the system to allowed-ips, did you restart the OSSEC
> > > > processes on the OSSEC server?
> > > > Is there a host firewall (iptables) on the OSSEC server? Is 514UDP
> > > > open to 10.10.2.2?
> > > >
> > > > > --
> > > > >
> > > > > ---
> > > > > You received this message because you are subscribed to the Google
> Groups "ossec-list" group.
> > > > > To unsubscribe from this group and stop receiving emails from it,
> send an email to ossec...@googlegroups.com.
> > > > > To view this discussion on the web visit
> https://groups.google.com/d/msgid/ossec-list/b1faa727-7071-49a0-91da-9fe4b680a724%40googlegroups.com. \
>
> >
> > --
> >
> > ---
> > You received this message because you are subscribed to the Google
> Groups "ossec-list" group.
> > To unsubscribe from this group and stop receiving emails from it, send
> an email to ossec...@googlegroups.com <javascript:>.
> > To view this discussion on the web visit
> https://groups.google.com/d/msgid/ossec-list/e847005b-0106-4853-abef-512ff3a4a11f%40googlegroups.com. \
>
>
--
---
You received this message because you are subscribed to the Google Groups \
"ossec-list" group. To unsubscribe from this group and stop receiving emails from it, \
send an email to ossec-list+unsubscribe@googlegroups.com. To view this discussion on \
the web visit https://groups.google.com/d/msgid/ossec-list/75e3f0dd-6789-425b-a1fc-78af9c2dbe71%40googlegroups.com.
[Attachment #5 (text/html)]
<div dir="ltr"><div>The ASA firewall's IP that sent data to OSSEC was listed in \
the ossec.conf's <allowed-ips>. I setup <logall> to yes as well and \
tailed and grepped the log to find the events by the word ASA or source IP but \
nothing showed up despite tcpdump showing they hit the OSSEC server \
NIC.</div><div><br></div><div>I ended up standing up rsyslogd to accept remote \
syslogs, whitelisted the IPs from the ossec.conf, shutdown the ossec syslog service \
and had OSSEC monitor the rsyslog.log. I was able to get those ASA events (and all \
others) into OSSEC.</div><div><br></div><br>On Tuesday, October 22, 2019 at 9:33:39 \
AM UTC-4, dan (ddpbsd) wrote:<blockquote class="gmail_quote" style="margin: \
0;margin-left: 0.8ex;border-left: 1px #ccc solid;padding-left: 1ex;">On Tue, Oct 15, \
2019 at 8:59 AM Nate <<a href="javascript:" target="_blank" \
gdf-obfuscated-mailto="gk4605beBgAJ" rel="nofollow" \
onmousedown="this.href='javascript:';return true;" \
onclick="this.href='javascript:';return true;">nbent...@gmail.com</a>> \
wrote: <br>>
<br>> Looking at the syslog packets I see the Cisco ASA only uses local facility \
codes but my Palo Alto uses User facility codes: <br>>
<br>> 08:55:50.340558 IP (tos 0x0, ttl 64, id 917, offset 0, flags [DF], proto UDP \
(17), length 329) <br>> 10.10.10.151.44375 > 10.10.10.17.syslog: SYSLOG, \
length: 301 <br>> Facility user (1), Severity info (6)
<br>> Msg: Oct 15 08:55:50 10.10.10.151 1,2019/10/15 \
08:55:50,012001010622,SYSTEM,<wbr>userid,0,2019/10/15 \
08:55:50,,connect-ldap-sever,<wbr>10.10.10.10,0,0,general,<wbr>informational,"ldap \
cfg DOMAIN GMapping FW-Admins connected to server <a href="http://10.10.10.10:389" \
target="_blank" rel="nofollow" \
onmousedown="this.href='http://www.google.com/url?q\x3dhttp%3A%2F%2F10.10.10.10%3A \
389\x26sa\x3dD\x26sntz\x3d1\x26usg\x3dAFQjCNGAT3Ee7h4XSUBq8ppja5XpGS12vw';return \
true;" onclick="this.href='http://www.google.com/url?q\x3dhttp%3A%2F%2F10.10.10.10 \
%3A389\x26sa\x3dD\x26sntz\x3d1\x26usg\x3dAFQjCNGAT3Ee7h4XSUBq8ppja5XpGS12vw';return \
true;">10.10.10.10:389</a>, initiated by: \
10.10.10.152",1204131,0x0,0,0,<wbr>0,0,,fw2 <br>> 08:55:50.726480 IP (tos \
0x0, ttl 254, id 65458, offset 0, flags [none], proto UDP (17), length 190) <br>> \
10.10.2.2.syslog > 10.10.10.17.syslog: SYSLOG, length: 162 <br>> \
Facility local4 (20), Severity warning (4) <br>> Msg: Oct 15 08:55:50 \
EDT fw1 : %ASA-4-106023: Deny udp src outside:<a href="http://10.10.201.105/137" \
target="_blank" rel="nofollow" \
onmousedown="this.href='http://www.google.com/url?q\x3dhttp%3A%2F%2F10.10.201.105% \
2F137\x26sa\x3dD\x26sntz\x3d1\x26usg\x3dAFQjCNEk277aAtRX0DbZi6CHW5cKsZolyg';return \
true;" onclick="this.href='http://www.google.com/url?q\x3dhttp%3A%2F%2F10.10.201.1 \
05%2F137\x26sa\x3dD\x26sntz\x3d1\x26usg\x3dAFQjCNEk277aAtRX0DbZi6CHW5cKsZolyg';return \
true;">10.10.201.105/137</a> dst outside:<a href="http://10.10.201.255/137" \
target="_blank" rel="nofollow" \
onmousedown="this.href='http://www.google.com/url?q\x3dhttp%3A%2F%2F10.10.201.255% \
2F137\x26sa\x3dD\x26sntz\x3d1\x26usg\x3dAFQjCNFtKMHAryK7VyuuQcEj4oCAUSdoOQ';return \
true;" onclick="this.href='http://www.google.com/url?q\x3dhttp%3A%2F%2F10.10.201.2 \
55%2F137\x26sa\x3dD\x26sntz\x3d1\x26usg\x3dAFQjCNFtKMHAryK7VyuuQcEj4oCAUSdoOQ';return \
true;">10.10.201.255/137</a> by access-group "outside_access_in" [0x0, \
0x0]\0x0a <br>>
<br>> I can't change the ASA to be anything other than local facility.
<br>>
<br>
<br>I don't see anything in the remoted code that cares about the facility.
<br>If the IP isn't allowed, there should be a log message.
<br>
<br>If you don't have the <logall> option set to "yes," it might \
be worth <br>turning it on to see if the messages make it to the archives.log file.
<br>
<br>> On Tuesday, October 15, 2019 at 8:34:52 AM UTC-4, Nate wrote:
<br>>>
<br>>> Hi Dan,
<br>>>
<br>>> Yes I restarted the OSSEC service with a: service OSSEC restart
<br>>>
<br>>> Right now the iptables are wide open due to this issue:
<br>>>
<br>>> # iptables -L
<br>>> Chain INPUT (policy ACCEPT)
<br>>> target prot opt source destination
<br>>>
<br>>> Chain FORWARD (policy ACCEPT)
<br>>> target prot opt source destination
<br>>>
<br>>> Chain OUTPUT (policy ACCEPT)
<br>>> target prot opt source destination
<br>>> # iptables -S
<br>>> -P INPUT ACCEPT
<br>>> -P FORWARD ACCEPT
<br>>> -P OUTPUT ACCEPT
<br>>>
<br>>> My full remote connections list is the following:
<br>>>
<br>>> <remote>
<br>>> <connection>syslog</<wbr>connection>
<br>>> <allowed-ips><a href="http://10.10.10.0/23" target="_blank" \
rel="nofollow" onmousedown="this.href='http://www.google.com/url?q\x3dhttp%3A%2F%2 \
F10.10.10.0%2F23\x26sa\x3dD\x26sntz\x3d1\x26usg\x3dAFQjCNE6sGOs16VyRcFXhOCAqFjQa-LfFQ';return \
true;" onclick="this.href='http://www.google.com/url?q\x3dhttp%3A%2F%2F10.10.10.0% \
2F23\x26sa\x3dD\x26sntz\x3d1\x26usg\x3dAFQjCNE6sGOs16VyRcFXhOCAqFjQa-LfFQ';return \
true;">10.10.10.0/23</a></<wbr>allowed-ips> <br>>> \
<allowed-ips>10.10.2.2</<wbr>allowed-ips> <br>>> \
<allowed-ips>10.10.39.2</<wbr>allowed-ips> <br>>> \
<allowed-ips>10.10.6.2</<wbr>allowed-ips> <br>>> \
<allowed-ips>10.10.9.1</<wbr>allowed-ips> <br>>> \
<allowed-ips><a href="http://192.168.2.0/24" target="_blank" rel="nofollow" \
onmousedown="this.href='http://www.google.com/url?q\x3dhttp%3A%2F%2F192.168.2.0%2F \
24\x26sa\x3dD\x26sntz\x3d1\x26usg\x3dAFQjCNEThAQjghI5Wk_yMoQ4hG70jO063A';return \
true;" onclick="this.href='http://www.google.com/url?q\x3dhttp%3A%2F%2F192.168.2.0 \
%2F24\x26sa\x3dD\x26sntz\x3d1\x26usg\x3dAFQjCNEThAQjghI5Wk_yMoQ4hG70jO063A';return \
true;">192.168.2.0/24</a></<wbr>allowed-ips> <br>>> \
<port>514</port> <br>>> </remote>
<br>>>
<br>>> I will move up the 10.10.2.2 up above the /23 in case this is causing it \
but I know we are getting syslog events from all other sources. <br>>>
<br>>> Maybe it's the Cisco packet?
<br>>>
<br>>> On Tuesday, October 15, 2019 at 7:19:23 AM UTC-4, dan (ddpbsd) wrote:
<br>>>>
<br>>>> On Mon, Oct 14, 2019 at 3:03 PM Nate \
<<a>nbent...@gmail.com</a>> wrote: <br>>>> >
<br>>>> > Hi,
<br>>>> >
<br>>>> > I've never seen this before but I setup our ASA 5516 to \
send syslog events to our OSSEC server to detect SHUN events. <br>>>> >
<br>>>> > ossec.conf
<br>>>> > <remote>
<br>>>> > <connection>syslog</<wbr>connection>
<br>>>> > <allowed-ips>10.10.2.2</<wbr>allowed-ips>
<br>>>> > <port>514</port>
<br>>>> > </remote>
<br>>>> >
<br>>>> > <alerts>
<br>>>> > <log_alert_level>0</log_alert_<wbr>level>
<br>>>> > <email_alert_level>9</email_<wbr>alert_level>
<br>>>> > </alerts>
<br>>>> >
<br>>>> >
<br>>>> > local_rules.xml
<br>>>> >
<br>>>> > <group name="ASA,LANAttack">
<br>>>> > <rule id="100260" level="9">
<br>>>> > <!-- \
<decoded_as>ASA-lanattk</<wbr>decoded_as> --> <br>>>> > \
<if_sid>4100</if_sid> <br>>>> > \
<regex>ASA-4-73310\d|ASA-4-<wbr>40100\d</regex> <br>>>> > \
<description>ASA Shun event</description> <br>>>> > \
</rule> <br>>>> > </group>
<br>>>> >
<br>>>> >
<br>>>> > but reviewing the alerts, archives,database no events from our \
10.10.2.2 or ASA show up. Running tcpdump on ossec shows they are received by the \
server: <br>>>> >
<br>>>> > 14:53:41.611883 IP (tos 0x0, ttl 254, id 54586, offset 0, flags \
[none], proto UDP (17), length 140) <br>>>> > 10.10.2.2.syslog > \
10.10.10.17.syslog: SYSLOG, length: 112 <br>>>> > Facility \
local0 (16), Severity warning (4) <br>>>> > Msg: Oct 14 \
14:53:41 EDT fw1 : %ASA-4-401004: Shunned packet: 10.10.35.37 ==> 87.106.71.108 on \
interface inside\0x0a <br>>>> > 14:53:41.614335 IP (tos 0x0, ttl 254, id \
46962, offset 0, flags [none], proto UDP (17), length 140) <br>>>> > \
10.10.2.2.syslog > 10.10.10.17.syslog: SYSLOG, length: 112 <br>>>> > \
Facility local0 (16), Severity warning (4) <br>>>> > Msg: Oct \
14 14:53:41 EDT fw1 : %ASA-4-401004: Shunned packet: 10.10.35.37 ==> 87.106.71.108 \
on interface inside\0x0a <br>>>> >
<br>>>> > If I copy out the Msg and paste it into ossec-logtest it does \
process it to my rule: <br>>>> >
<br>>>> > [USER@ossec~]# /var/ossec/bin/ossec-logtest
<br>>>> > 2019/10/14 14:58:37 ossec-testrule: INFO: Reading local decoder \
file. <br>>>> > 2019/10/14 14:58:37 ossec-testrule: INFO: Started (pid: \
29400). <br>>>> > ossec-testrule: Type one log per line.
<br>>>> >
<br>>>> > Oct 14 14:53:41 EDT fw1 : %ASA-4-401004: Shunned packet: \
10.10.35.37 ==> 87.106.71.108 on interface inside\0x0a <br>>>> >
<br>>>> >
<br>>>> > **Phase 1: Completed pre-decoding.
<br>>>> > full event: 'Oct 14 14:53:41 EDT fw1 : \
%ASA-4-401004: Shunned packet: 10.10.35.37 ==> 87.106.71.108 on interface \
inside\0x0a' <br>>>> > hostname: 'EDT'
<br>>>> > program_name: '(null)'
<br>>>> > log: 'fw1 : %ASA-4-401004: Shunned packet: \
10.10.35.37 ==> 87.106.71.108 on interface inside\0x0a' <br>>>> >
<br>>>> > **Phase 2: Completed decoding.
<br>>>> > decoder: 'ASA-lanattk'
<br>>>> >
<br>>>> > **Phase 3: Completed filtering (rules).
<br>>>> > Rule id: '100260'
<br>>>> > Level: '9'
<br>>>> > Description: 'ASA Shun event'
<br>>>> > **Alert to be generated.
<br>>>> >
<br>>>> > I see that UDP port 514 is running:
<br>>>> >
<br>>>> > [root@secserv ~]# netstat -anp | grep 514
<br>>>> > tcp 0 0 <a href="http://127.0.0.1:3306" \
target="_blank" rel="nofollow" \
onmousedown="this.href='http://www.google.com/url?q\x3dhttp%3A%2F%2F127.0.0.1%3A33 \
06\x26sa\x3dD\x26sntz\x3d1\x26usg\x3dAFQjCNGefpcF-gtwRFrbd2h1vXdGs4hQ7g';return \
true;" onclick="this.href='http://www.google.com/url?q\x3dhttp%3A%2F%2F127.0.0.1%3 \
A3306\x26sa\x3dD\x26sntz\x3d1\x26usg\x3dAFQjCNGefpcF-gtwRFrbd2h1vXdGs4hQ7g';return \
true;">127.0.0.1:3306</a> <a href="http://127.0.0.1:37514" \
target="_blank" rel="nofollow" \
onmousedown="this.href='http://www.google.com/url?q\x3dhttp%3A%2F%2F127.0.0.1%3A37 \
514\x26sa\x3dD\x26sntz\x3d1\x26usg\x3dAFQjCNGChZbfcCjkhhS6V74SogsCIV0TrQ';return \
true;" onclick="this.href='http://www.google.com/url?q\x3dhttp%3A%2F%2F127.0.0.1%3 \
A37514\x26sa\x3dD\x26sntz\x3d1\x26usg\x3dAFQjCNGChZbfcCjkhhS6V74SogsCIV0TrQ';return \
true;">127.0.0.1:37514</a> ESTABLISHED 5542/mysqld <br>>>> \
> tcp 0 0 <a href="http://127.0.0.1:37514" target="_blank" \
rel="nofollow" onmousedown="this.href='http://www.google.com/url?q\x3dhttp%3A%2F%2 \
F127.0.0.1%3A37514\x26sa\x3dD\x26sntz\x3d1\x26usg\x3dAFQjCNGChZbfcCjkhhS6V74SogsCIV0TrQ';return \
true;" onclick="this.href='http://www.google.com/url?q\x3dhttp%3A%2F%2F127.0.0.1%3 \
A37514\x26sa\x3dD\x26sntz\x3d1\x26usg\x3dAFQjCNGChZbfcCjkhhS6V74SogsCIV0TrQ';return \
true;">127.0.0.1:37514</a> <a href="http://127.0.0.1:3306" \
target="_blank" rel="nofollow" \
onmousedown="this.href='http://www.google.com/url?q\x3dhttp%3A%2F%2F127.0.0.1%3A33 \
06\x26sa\x3dD\x26sntz\x3d1\x26usg\x3dAFQjCNGefpcF-gtwRFrbd2h1vXdGs4hQ7g';return \
true;" onclick="this.href='http://www.google.com/url?q\x3dhttp%3A%2F%2F127.0.0.1%3 \
A3306\x26sa\x3dD\x26sntz\x3d1\x26usg\x3dAFQjCNGefpcF-gtwRFrbd2h1vXdGs4hQ7g';return \
true;">127.0.0.1:3306</a> ESTABLISHED 29340/ossec-dbd \
<br>>>> > udp 0 0 :::1514 \
:::* 29373/ossec-remoted \
<br>>>> > udp 0 0 :::514 \
:::* 29372/ossec-remoted \
<br>>>> > <br>>>> >
<br>>>> > What obvious thing am I missing to setup an ASA to OSSEC? Our \
HP switches and Palo Alto firewall are sending syslogs just fine. <br>>>> \
> <br>>>>
<br>>>> After adding the system to allowed-ips, did you restart the OSSEC
<br>>>> processes on the OSSEC server?
<br>>>> Is there a host firewall (iptables) on the OSSEC server? Is 514UDP
<br>>>> open to 10.10.2.2?
<br>>>>
<br>>>> > --
<br>>>> >
<br>>>> > ---
<br>>>> > You received this message because you are subscribed to the \
Google Groups "ossec-list" group. <br>>>> > To unsubscribe from \
this group and stop receiving emails from it, send an email to \
<a>ossec...@googlegroups.com</a>. <br>>>> > To view this discussion on \
the web visit <a href="https://groups.google.com/d/msgid/ossec-list/b1faa727-7071-49a0-91da-9fe4b680a724%40googlegroups.com" \
target="_blank" rel="nofollow" \
onmousedown="this.href='https://groups.google.com/d/msgid/ossec-list/b1faa727-7071-49a0-91da-9fe4b680a724%40googlegroups.com';return \
true;" onclick="this.href='https://groups.google.com/d/msgid/ossec-list/b1faa727-7071-49a0-91da-9fe4b680a724%40googlegroups.com';return \
true;">https://groups.google.com/d/<wbr>msgid/ossec-list/b1faa727-<wbr>7071-49a0-91da-9fe4b680a724%<wbr>40googlegroups.com</a>.
<br>>
<br>> --
<br>>
<br>> ---
<br>> You received this message because you are subscribed to the Google Groups \
"ossec-list" group. <br>> To unsubscribe from this group and stop \
receiving emails from it, send an email to <a href="javascript:" target="_blank" \
gdf-obfuscated-mailto="gk4605beBgAJ" rel="nofollow" \
onmousedown="this.href='javascript:';return true;" \
onclick="this.href='javascript:';return \
true;">ossec...@<wbr>googlegroups.com</a>. <br>> To view this discussion on the \
web visit <a href="https://groups.google.com/d/msgid/ossec-list/e847005b-0106-4853-abef-512ff3a4a11f%40googlegroups.com" \
target="_blank" rel="nofollow" \
onmousedown="this.href='https://groups.google.com/d/msgid/ossec-list/e847005b-0106-4853-abef-512ff3a4a11f%40googlegroups.com';return \
true;" onclick="this.href='https://groups.google.com/d/msgid/ossec-list/e847005b-0106-4853-abef-512ff3a4a11f%40googlegroups.com';return \
true;">https://groups.google.com/d/<wbr>msgid/ossec-list/e847005b-<wbr>0106-4853-abef-512ff3a4a11f%<wbr>40googlegroups.com</a>.
<br></blockquote></div>
<p></p>
-- <br />
<br />
--- <br />
You received this message because you are subscribed to the Google Groups \
"ossec-list" group.<br /> To unsubscribe from this group and stop receiving \
emails from it, send an email to <a \
href="mailto:ossec-list+unsubscribe@googlegroups.com">ossec-list+unsubscribe@googlegroups.com</a>.<br \
/> To view this discussion on the web visit <a \
href="https://groups.google.com/d/msgid/ossec-list/75e3f0dd-6789-425b-a1fc-78af9c2dbe7 \
1%40googlegroups.com?utm_medium=email&utm_source=footer">https://groups.google.com/d/msgid/ossec-list/75e3f0dd-6789-425b-a1fc-78af9c2dbe71%40googlegroups.com</a>.<br \
/>
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic