[ossec-list] Re: Configuring OSSEC for PIX

[Erick Kinnee <ekinnee@xxxxxxxxxxxx>]

What does OSSEC do with the syslog traffic at this point? If you're  
achieving HIDS functionality and Central Logging this way does OSSEC  
store the log on disk for archival purposes?


On Sep 7, 2006, at 2:15 PM, Daniel Cid wrote:

> Hi Marty,
>
> Our wiki has some information on how to configure the PIX:
>
> http://www.ossec.net/wiki/index.php/Cisco_PIX
>
> To configure ossec, you just need to enable remote syslog and allow
> the IP of the PIX to send messages to it. The example bellow
> enables remote syslog and allows ip 192.168.2.2 to send messages
> to ossec.
>
>  <remote>
>    <connection>syslog</connection>
>    <allowed-ips>192.168.2.2</allowed-ips>
>  </remote>
>
> *Don't forget to restart ossec after changing the config.
>
> *If you already have an entry with "syslog", you just need to
> allow the ip of the PIX.
>
> Hope it helps,
>
> --
> Daniel B. Cid
> dcid ( at ) ossec.net
>
> On 9/7/06, Marty E. Hillman <mehillman@xxxxxxxxxxxx> wrote:
> > Would there happen to be a guide somewhere with an overview of
> > configuring OSSEC to receive the PIX syslog messages?  It might  
> > make it
> > easier than my current practice of using Kiwi Syslog Viewer.
> >
> > This electronic mail (including any attachments) may contain  
> > information that
> > is privileged, confidential, and/or otherwise protected from  
> > disclosure to
> > anyone other than its intended recipient(s). Any dissemination or  
> > use of this
> > electronic email or its contents (including any attachments) by  
> > persons other
> > than the intended recipient(s) is strictly prohibited. If you have  
> > received
> > this message in error, please notify us immediately by reply email  
> > so that we
> > may correct our internal records. Please then delete the original  
> > message
> > (including any attachments) in its entirety. Thank you.