
[ossec-list] OSSEC with Pix



Hello,

I know how to configure my Pix & OSSEC so that my Ubuntu OSSEC Server receives the Syslog feed directly from my Pix. In the past I have been using Kiwi Syslog Manager (free version) and all is well.

Apart from the information I am seeing in /var/ossec/logs/firewall/firewall.log, when I go and type:

tail -n 25 firewall.log

I get:

2007 Apr 17 17:11:20 ubuntu->172.0.1.156 DROP TCP 60.241.175.181:1790->xxx.xxx.xxx.xxx:135
2007 Apr 17 17:12:01 ubuntu->172.0.1.156 CLOSED TCP 172.0.1.5:1949->xxx.xxx.xxx.xxx:20609
2007 Apr 17 17:12:02 ubuntu->172.0.1.156 DROP TCP 60.241.254.90:3997->xxx.xxx.xxx.xxx:445
2007 Apr 17 17:12:05 ubuntu->172.0.1.156 DROP TCP 60.241.254.90:3997->xxx.xxx.xxx.xxx:445
2007 Apr 17 17:12:06 ubuntu->172.0.1.156 CLOSED TCP 172.0.1.5:1951->xxx.xxx.xxx.xxx:20610
2007 Apr 17 17:12:19 ubuntu->172.0.1.156 DROP TCP 60.238.178.90:4135->xxx.xxx.xxx.xxx:135
2007 Apr 17 17:12:22 ubuntu->172.0.1.156 DROP TCP 60.238.178.90:4135->xxx.xxx.xxx.xxx:135
2007 Apr 17 17:12:26 ubuntu->172.0.1.156 CLOSED TCP 172.0.1.5:1956->xxx.xxx.xxx.xxx:20611
2007 Apr 17 17:12:34 ubuntu->172.0.1.156 CLOSED TCP 172.0.1.5:1944->xxx.xxx.xxx.xxx:20608
2007 Apr 17 17:12:57 ubuntu->172.0.1.156 DROP UDP 172.0.1.5:1995->255.255.255.255:3865
2007 Apr 17 17:12:58 ubuntu->172.0.1.156 CLOSED TCP 172.0.1.5:1992->xxx.xxx.xxx.xxx:20617
2007 Apr 17 17:13:05 ubuntu->172.0.1.156 CLOSED TCP 172.0.1.5:1980->xxx.xxx.xxx.xxx:20613
2007 Apr 17 17:13:14 ubuntu->172.0.1.156 CLOSED TCP 172.0.1.5:1987->xxx.xxx.xxx.xxx:20614
2007 Apr 17 17:13:16 ubuntu->172.0.1.156 CLOSED TCP 172.0.1.5:1988->xxx.xxx.xxx.xxx:20615
2007 Apr 17 17:13:44 ubuntu->172.0.1.156 CLOSED TCP 172.0.1.5:1960->xxx.xxx.xxx.xxx:20612
2007 Apr 17 17:13:55 ubuntu->172.0.1.156 CLOSED TCP 172.0.1.5:1991->xxx.xxx.xxx.xxx:20616
2007 Apr 17 17:14:36 ubuntu->172.0.1.156 DROP TCP 60.238.178.90:4037->xxx.xxx.xxx.xxx:135
2007 Apr 17 17:14:39 ubuntu->172.0.1.156 DROP TCP 60.238.178.90:4037->xxx.xxx.xxx.xxx:135
2007 Apr 17 17:15:09 ubuntu->172.0.1.156 CLOSED TCP 172.0.1.5:2006->xxx.xxx.xxx.xxx:20620
2007 Apr 17 17:15:15 ubuntu->172.0.1.156 CLOSED TCP 172.0.1.5:2008->xxx.xxx.xxx.xxx:20621
2007 Apr 17 17:15:17 ubuntu->172.0.1.156 CLOSED TCP 172.0.1.5:2009->xxx.xxx.xxx.xxx:20622
2007 Apr 17 17:15:20 ubuntu->172.0.1.156 CLOSED TCP 172.0.1.5:2002->xxx.xxx.xxx.xxx:20618
2007 Apr 17 17:15:28 ubuntu->172.0.1.156 DROP TCP 85.65.213.176:4662->xxx.xxx.xxx.xxx:20618
2007 Apr 17 17:15:30 ubuntu->172.0.1.156 DROP TCP 84.229.126.50:6662->xxx.xxx.xxx.xxx:20621
2007 Apr 17 17:15:40 ubuntu->172.0.1.156 CLOSED TCP 172.0.1.5:2005->xxx.xxx.xxx.xxx:20619

xxx.xxx.xxx.xxx = my external IP of the Cisco Pix.

However, my Kiwi Syslog Manager sees a LOT more detail (the detail I am after). Does anyone know why I am not seeing that detail? Or am I looking in the wrong place?

Regards,

Jens C Harsem | Regional MIS Manager | MICROS-Fidelio Asia Pacific | Suite 7, 13 Narabang Way | Belrose, NSW 2085 | Australia
+612 9485 1005 | +612 9485 1099 3 | JHarsem@xxxxxxxxxx | www.micros.com
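As an added example (my own code, not the poster's and not part of OSSEC), here is a small parser for the summarised firewall.log format quoted above. It shows what a defender can still extract from these terse lines: dropped connections per destination port, and sources that repeatedly hit the same port. The record field names are my own assumption; the sample lines are copied from the post, with the external address masked as in the post.

```python
import re
from collections import Counter

# Field layout as it appears in the post's firewall.log excerpt:
#   <timestamp> <agent>-><reporting device> <ACTION> <PROTO> <src>:<sport>-><dst>:<dport>
# The group names here are my own naming, not an OSSEC API.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4} \w{3} \d{2} \d{2}:\d{2}:\d{2}) "
    r"(?P<agent>\S+)->(?P<device>\S+) "
    r"(?P<action>[A-Z]+) (?P<proto>[A-Z]+) "
    r"(?P<src>[^:\s]+):(?P<sport>\d+)->(?P<dst>[^:\s]+):(?P<dport>\d+)$"
)

# Constructed sample: a subset of the lines quoted in the post.
SAMPLE_LOG = """\
2007 Apr 17 17:11:20 ubuntu->172.0.1.156 DROP TCP 60.241.175.181:1790->xxx.xxx.xxx.xxx:135
2007 Apr 17 17:12:01 ubuntu->172.0.1.156 CLOSED TCP 172.0.1.5:1949->xxx.xxx.xxx.xxx:20609
2007 Apr 17 17:12:02 ubuntu->172.0.1.156 DROP TCP 60.241.254.90:3997->xxx.xxx.xxx.xxx:445
2007 Apr 17 17:12:05 ubuntu->172.0.1.156 DROP TCP 60.241.254.90:3997->xxx.xxx.xxx.xxx:445
2007 Apr 17 17:12:19 ubuntu->172.0.1.156 DROP TCP 60.238.178.90:4135->xxx.xxx.xxx.xxx:135
2007 Apr 17 17:12:22 ubuntu->172.0.1.156 DROP TCP 60.238.178.90:4135->xxx.xxx.xxx.xxx:135
2007 Apr 17 17:12:57 ubuntu->172.0.1.156 DROP UDP 172.0.1.5:1995->255.255.255.255:3865
"""

def parse_line(line):
    # One event as a dict, or None if the line is not in this summarised format.
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["sport"], ev["dport"] = int(ev["sport"]), int(ev["dport"])
    return ev

def parse_log(text):
    # Parse every line, skipping blanks and lines in some other format.
    return [ev for ev in (parse_line(l) for l in text.splitlines()) if ev]

def drops_by_port(events):
    # DROP count per (protocol, destination port): which services are being probed.
    return Counter((e["proto"], e["dport"]) for e in events if e["action"] == "DROP")

def repeat_offenders(events, min_hits=2):
    # Sources whose DROP events hit the same destination port at least min_hits times.
    hits = Counter((e["src"], e["dport"]) for e in events if e["action"] == "DROP")
    return {k: n for k, n in hits.items() if n >= min_hits}

if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for (proto, port), n in drops_by_port(evs).most_common():
        print(f"{proto}/{port}: {n} dropped")
    for (src, port), n in repeat_offenders(evs).items():
        print(f"{src} -> port {port}: dropped {n} times")
```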



OSSEC project: www.ossec.net.
Mailing list information: http://www.ossec.net/en/mailing_lists.html.