[ossec-list] Re: Configuring OSSEC for PIX
- To: <ossec-list@xxxxxxxxxxxxxxxx>
- Subject: [ossec-list] Re: Configuring OSSEC for PIX
- From: "Marty E. Hillman" <mehillman@xxxxxxxxxxxx>
- Date: Thu, 7 Sep 2006 14:57:17 -0500
I understand this as you asking me specifically how I am configured, so
I will answer with that understanding.
I currently do not have the syslog traffic pointed at the OSSEC HIDS.
It is pointed at a syslog server and is saved in TXT files which are
closed out every night. They are retained for future need. Everything
is Windows here except for the OSSEC box that I set up for testing a
couple of weeks ago.
OSSEC is now monitoring traffic from all DC and business critical
servers so that I can monitor file access to specific files and illegal
access attempts such as invalid login attempts and account lockouts. It
is also monitoring all IIS logs so that I can see any potential
intrusion attempt. It has even come in handy with the departure of an
employee in the past week who tried accessing the system using accounts
of other users. I was notified immediately of the account used and the
originating IP information so that I could immediately go after the guy.
Though still a reactive solution, it has cut my reaction time to
virtually nothing.
Ideally, OSSEC will aggregate all of my log information so that I can
have one repository (preferably SQL based) where all event logs for all
servers and all syslog traffic will be stored. Right now, I have
syslogd on one box and OSSEC on another. With all of the information
aggregated, I can have one source for forensics or any legal action that
we might need to take against intruders. It is just so much easier with
everything in one place than with it spread out over hell's half acre.
Now charting of login activity and user activity based on database
queries. *sigh* That would be a beautiful thing.
-----Original Message-----
From: ossec-list@xxxxxxxxxxxxxxxx [mailto:ossec-list@xxxxxxxxxxxxxxxx]
On Behalf Of Erick Kinnee
Sent: Thursday, September 07, 2006 2:20 PM
To: ossec-list@xxxxxxxxxxxxxxxx
Subject: [ossec-list] Re: Configuring OSSEC for PIX
What does OSSEC do with the syslog traffic at this point? If you're
achieving HIDS functionality and Central Logging this way does OSSEC
store the log on disk for archival purposes?
On Sep 7, 2006, at 2:15 PM, Daniel Cid wrote:
>
> Hi Marty,
>
> Our wiki has some information on how to configure the PIX:
>
> http://www.ossec.net/wiki/index.php/Cisco_PIX
>
> To configure ossec, you just need to enable remote syslog and allow
> the IP of the PIX to send messages to it. The example below enables
> remote syslog and allows IP 192.168.2.2 to send messages to ossec.
>
> <remote>
> <connection>syslog</connection>
> <allowed-ips>192.168.2.2</allowed-ips>
> </remote>
>
> *Don't forget to restart ossec after changing the config.
>
> *If you already have an entry with "syslog", you just need to allow
> the ip of the PIX.
>
> Hope it helps,
>
> --
> Daniel B. Cid
> dcid ( at ) ossec.net
>
> On 9/7/06, Marty E. Hillman <mehillman@xxxxxxxxxxxx> wrote:
>>
>> Would there happen to be a guide somewhere with an overview of
>> configuring OSSEC to receive the PIX syslog messages? It might make
>> it easier than my current practice of using Kiwi Syslog Viewer.
>>
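The exchange above boils down to one check: does the syslog `<remote>` block in ossec.conf actually admit the firewall's source address? If it does not, the PIX will happily send and OSSEC will discard, which looks exactly like "nothing arrives". The script below is an added example for this thread, not code from OSSEC or from anyone posting here. It parses the `<remote>` blocks of an ossec.conf (the sample config is constructed; the tag names remote, connection, port, protocol and allowed-ips are OSSEC's own), answers whether a given source IP is covered, including the CIDR form allowed-ips accepts, and builds a PIX-style test datagram an admin can push at the listener with a plain UDP socket. The default PIX facility of local4 (20) and the severity digit in the %PIX-6-… message ID are assumptions stated in the code.

```python
"""Check whether an OSSEC server config admits syslog from a given source.

Added example, not code from OSSEC or from the mailing-list thread. The
sample ossec.conf fragment is constructed for this example; the element
names (remote, connection, port, protocol, allowed-ips) are the real ones.
"""
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample ossec.conf fragment: one agent listener ("secure") and
# one syslog listener that allows a single PIX plus a /24 management net.
SAMPLE_OSSEC_CONF = """<ossec_config>
  <remote>
    <connection>secure</connection>
  </remote>
  <remote>
    <connection>syslog</connection>
    <port>514</port>
    <protocol>udp</protocol>
    <allowed-ips>192.168.2.2</allowed-ips>
    <allowed-ips>10.10.0.0/24</allowed-ips>
  </remote>
</ossec_config>
"""


def syslog_listeners(conf_text):
    """Return (port, protocol, [networks]) for every syslog <remote> block.

    ossec.conf may contain several top-level <ossec_config> elements, which
    is not a single XML document, so the text is wrapped in a synthetic root
    before parsing (assumes no <?xml ...?> declaration in the file).
    """
    root = ET.fromstring("<root>" + conf_text + "</root>")
    listeners = []
    for remote in root.iter("remote"):
        if (remote.findtext("connection") or "").strip() != "syslog":
            continue
        port = int((remote.findtext("port") or "514").strip())
        proto = (remote.findtext("protocol") or "udp").strip().lower()
        nets = []
        for node in remote.findall("allowed-ips"):
            text = (node.text or "").strip()
            # A bare address becomes a /32; strict=False tolerates a /24
            # written with host bits set.
            nets.append(ipaddress.ip_network(text, strict=False))
        listeners.append((port, proto, nets))
    return listeners


def syslog_allowed(conf_text, source_ip):
    """True if some syslog <remote> lists a network containing source_ip."""
    ip = ipaddress.ip_address(source_ip)
    for _port, _proto, nets in syslog_listeners(conf_text):
        if any(ip in net for net in nets):
            return True
    return False


def pix_syslog_datagram(message, facility=20, severity=6):
    """Build an RFC 3164-style datagram for a PIX-style message.

    Assumption: PIX logs to facility local4 (20) by default, and the digit
    in the %PIX-6-... message ID is the syslog severity. PRI = facility*8 +
    severity, so the default here yields a "<166>" prefix.
    """
    return f"<{facility * 8 + severity}>{message}".encode("ascii")


if __name__ == "__main__":
    for src in ("192.168.2.2", "10.10.0.77", "192.168.2.3"):
        print(src, "allowed" if syslog_allowed(SAMPLE_OSSEC_CONF, src)
              else "NOT allowed")
    # To exercise the listener for real (not run here):
    #   import socket
    #   s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    #   s.sendto(pix_syslog_datagram("%PIX-6-302013: Built outbound TCP "
    #            "connection 1 for outside:1.2.3.4/80 (1.2.3.4/80) to "
    #            "inside:192.168.2.10/1025 (192.168.2.10/1025)"),
    #            ("ossec-server", 514))
```

Run it against your own file with `syslog_allowed(open("/var/ossec/etc/ossec.conf").read(), "<pix-ip>")`; a False here means the message is dropped before any rule sees it, whatever the PIX itself reports. The test datagram is only useful from a host that is itself listed in allowed-ips, since the check is on the UDP source address, not on anything inside the message.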
OSSEC project: www.ossec.net.
Mailing list information: http://www.ossec.net/en/mailing_lists.html.