How to configure PIX and OSSEC
by Dale Neufeld <canuck.eh ( at ) gmail.com> with some parts taken from http://www.ossec.net/wiki/index.php/Know_How:Syslog_Config
This is a very basic setup. The PIX offers many more syslog configuration options, including sending to a different port.
1. Configuring syslog on the PIX
PIX 6.3 commands
http://www.cisco.com/en/US/products/sw/secursw/ps2120/products_system_message_guide_chapter09186a008051a0cc.html#wp1029066
logging on
no logging device-id
no logging timestamp
logging trap warning (see note 1.1 below for options)
logging host interface ipaddress
1.1 Logging Trap Options
Level Number    Level Keyword
0               emergency
1               alert
2               critical
3               error
4               warning
5               notification
6               informational
7               debugging
2. Ensure your OSSEC host is seeing the PIX syslog messages
# tcpdump -i eth0 -A -s 0 udp port 514 and host <pix_ip>
3. Configure OSSEC to listen
Add the following to ossec.conf
<remote>
  <connection>syslog</connection>
  <allowed-ips>192.168.2.1</allowed-ips> <!-- ip addr of the device -->
  <port>514</port>
</remote>
4. Restart the ossec service to begin listening
# /var/ossec/bin/ossec-control restart
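Added example (not part of the original wiki page and not OSSEC or Cisco code): a Python check that takes payloads seen in the step 2 capture and reports how the two filters configured above treat them, the logging trap level from section 1.1 and the <allowed-ips> entry from step 3. The function names and sample datagrams are constructed for illustration, and it assumes the payload layout "<PRI>%PIX-level-id: text" that results from turning off the timestamp and device-id.

```python
import ipaddress
import re

# Level number -> keyword, copied from section 1.1 of this page.
LEVELS = ["emergency", "alert", "critical", "error",
          "warning", "notification", "informational", "debugging"]

# Assumed layout with "no logging timestamp" and "no logging device-id":
# "<PRI>%PIX-<level>-<message id>: <text>".
PIX_RE = re.compile(r"^(?:<\d{1,3}>)?\s*%PIX-([0-7])-(\d+):\s*(.*)$", re.S)

def parse_pix(payload):
    """Return (level, message_id, text), or None if this is not a PIX message."""
    m = PIX_RE.match(payload.strip())
    if m is None:
        return None
    return int(m.group(1)), m.group(2), m.group(3)

def passes_trap(level, trap_keyword):
    """'logging trap <keyword>' sends that level and every lower number."""
    return level <= LEVELS.index(trap_keyword)

def source_allowed(src_ip, allowed_ips):
    """Mirror <allowed-ips>: each entry is one address or a CIDR network."""
    addr = ipaddress.ip_address(src_ip)
    return any(addr in ipaddress.ip_network(e, strict=False) for e in allowed_ips)

def triage(src_ip, payload, trap_keyword="warning", allowed_ips=("192.168.2.1",)):
    """Explain what happens to one datagram seen in the step 2 capture."""
    parsed = parse_pix(payload)
    if parsed is None:
        return "not a PIX message"
    level, msgid, _ = parsed
    if not source_allowed(src_ip, allowed_ips):
        return f"{msgid}: source {src_ip} is not in <allowed-ips>"
    if not passes_trap(level, trap_keyword):
        return f"{msgid}: level {level} ({LEVELS[level]}) is above trap {trap_keyword}"
    return f"{msgid}: level {level} ({LEVELS[level]}) accepted"

# Constructed sample datagrams (source address, payload), not real captures.
SAMPLES = [
    ("192.168.2.1", "<164>%PIX-4-106023: Deny tcp src outside:203.0.113.9/4431 dst inside:192.168.2.10/22"),
    ("192.168.2.1", "<166>%PIX-6-302013: Built inbound TCP connection 101 for outside:203.0.113.9/4431"),
    ("192.168.2.7", "<164>%PIX-4-106023: Deny tcp src outside:203.0.113.9/4432 dst inside:192.168.2.10/22"),
]

if __name__ == "__main__":
    for src, payload in SAMPLES:
        print(triage(src, payload))
```

A message reported as above the trap level is one the PIX stops sending once that trap keyword is configured; a source outside <allowed-ips> points at the wrong address in step 3, for example a different PIX interface than the one given to logging host.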
5. Other Helpful Information
Troubleshoot PIX and OSSEC: http://www.ossec.net/wiki/index.php/Know_How:Syslog_Config
Cisco syslog info: http://www.ossec.net/wiki/index.php/Cisco_PIX