[ossec-list] Re: install ossec - bind to port 1514 fail | getaddrinfo: name or service not known
Hi Eduardo,

It seems that the error from "getaddrinfo" does not show which process logs it, but both remoted and authd processes are logging errors. Could you share your configuration and the command that you use to run ossec-authd? It could be very useful for us to help you.

Best regards.

On Tuesday, March 21, 2017 at 7:46:37 AM UTC-7, Eduardo Reichert Figueiredo wrote:
>
> When I install ossec 2.9.0 on rhel 7.3 (no ipv6 feature and address) I
> have a problem with ossec-remoted and ossec-auth: these services can't bind
> port 1514, log error below.
> I generated my certificate with the commands "openssl genrsa -out" and
> "openssl req -new -x509 -key ".
>
> ##Log OSSEC.LOG
> 2017/03/21 11:34:34 ossec-remoted: DEBUG: Forking remoted: '0'.
> 2017/03/21 11:34:34 ossec-remoted: Remote syslog allowed from: '0.0.0.0/0'
> 2017/03/21 11:34:34 ossec-remoted: DEBUG: Forking remoted: '1'.
> 2017/03/21 11:34:34 getaddrinfo: Name or service not known
> 2017/03/21 11:34:34 getaddrinfo: Name or service not known
> 2017/03/21 11:34:34 ossec-remoted(1206): ERROR: Unable to Bind port '1514'
> 2017/03/21 11:34:34 ossec-remoted(1206): ERROR: Unable to Bind port '514'
> 2017/03/21 11:34:41 ossec-syscheckd: INFO: Starting syscheck scan (forwarding database).
> 2017/03/21 11:34:41 ossec-syscheckd: INFO: Starting syscheck database (pre-scan).
> 2017/03/21 11:35:47 ossec-authd: DEBUG: Starting ...
> 2017/03/21 11:35:47 ossec-authd: INFO: Started (pid: 24420).
> 2017/03/21 11:35:47 ossec-authd: DEBUG: Returning CTX for server.
> 2017/03/21 11:35:47 *getaddrinfo*: Name or service not known
> 2017/03/21 11:35:47 ossec-authd: Unable to bind to port 1514
>
> In other cases of "unable to bind port 1514", my error was my client.keys,
> but now I have a new error "getaddrinfo".
>
> Can you help me?
>
> Kind regards
--
---
You received this message because you are subscribed to the Google Groups "ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to ossec-list+unsubscr...@googlegroups.com. For more options, visit https://groups.google.com/d/optout.
[ossec-list] Syslog Forward Configuration Resulting in a Failure
I am attempting to forward OSSEC logs to a SIEM via syslog. Recommended configuration in the documentation is:

192.168.4.1

The SIEM recognizes json format on port 5500, so I've configured logs to that format and set the configuration as:

172.27.212.243 5500 json

When I save this and try to start the services the following error is generated:

Starting OSSEC HIDS v2.9.0 (by Trend Micro Inc.)...
OSSEC analysisd: Testing rules failed. Configuration error. Exiting.

/var/ossec/bin/ossec-logtest returns the following:

2017/03/21 18:50:55 ossec-testrule(1230): ERROR: Invalid element in the configuration: 'syslog_output'.
2017/03/21 18:50:55 ossec-testrule(1202): ERROR: Configuration error at '/var/ossec/etc/ossec.conf'. Exiting.

If I comment out the syslog configuration, services start as expected. Any advice would be greatly appreciated.

Thank you,
Marc Baker
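The documented shape of the syslog_output block, added here as a reference example; it is not Marc's file, whose element tags the list archive stripped, leaving only the values. The element names server, port and format, and the placement directly under ossec_config, are my reading of the OSSEC 2.9 syslog_output documentation; the addresses, the port and the json format are the values from the post.

```xml
<!-- Minimal form from the documentation: destination only, port defaults to 514 -->
<ossec_config>
  <syslog_output>
    <server>192.168.4.1</server>
  </syslog_output>
</ossec_config>

<!-- JSON to the SIEM listener on 5500, using the values from the post.
     syslog_output is a direct child of ossec_config, beside <global> and
     <rules>, not inside either of them. -->
<ossec_config>
  <syslog_output>
    <server>172.27.212.243</server>
    <port>5500</port>
    <format>json</format>
  </syslog_output>
</ossec_config>
```

"Invalid element in the configuration" is the generic message the OSSEC config parser emits for an element it does not accept at the position where it finds it, so the first thing to compare against the file is where the block sits. ossec-logtest reads the same ossec.conf as analysisd, which makes it a quick way to test each edit before restarting. Once the configuration is accepted, the forwarding itself is done by ossec-csyslogd, which is enabled with /var/ossec/bin/ossec-control enable client-syslog.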
[ossec-list] Re: OSSEC real-time monitoring with hidden files
Good morning,

You seem to have posted this question twice, so I will just answer this one.

I have this running on all my systems and it easily works without an issue. You have to make sure the right packages are installed for Realtime. Hidden files do not bother OSSEC - a hidden file is simply a file named with a leading "." dot, but that does not alter the fact that it has an inode and a directory entry. Make sure you have the "inotify" package installed. Also, you might want to post your config file.

One other issue is that if the file did not exist prior to starting OSSEC and you do not have alerting on new files set up, then you may not see the alerts either.

I use this feature for monitoring in realtime if users put SSH private keys on a public server, rather than their laptop. I have AR set up to remove any private keys immediately upon alert generation.

Cheers
Kat

On Monday, March 20, 2017 at 10:47:15 PM UTC-5, jingxu...@bettercloud.com wrote:
>
> Recently, we are trying to use OSSEC to monitor files
> ~/.ssh/authorized_key for real time, but it seems it can only detect for
> syscheck, but not real time. I checked the /var/ossec/queue/diff folder, it
> recorded all the changes, but because the .ssh folder is hidden, I can not
> get real-time alerts from OSSEC manager. Is there anyone who knows how to fix
> this, or does OSSEC ever consider this function before?
[ossec-list] Re: Modify rules
One other bit of information - the "read only" error has nothing to do with OSSEC itself. It is simply a warning based on Linux saying that the file is marked without the "W" attribute. You can resolve this from "vi" by simply using a "w" upon exit. For example, after you edit the sshd_rules.xml, enter

:wq!

That will over-write the file. However, any changes to the built-in files will be overwritten next time you upgrade, so Victor's comment about using local_rules.xml is actually more correct.

Kat

On Monday, March 20, 2017 at 1:56:29 PM UTC-5, The Dude wrote:
>
> I am new to ossec and I am trying to figure out what is the best way to
> change a rule. In the ossec.conf it says this
>
>> host-deny
>> local
>> 6
>> 600
>
> I am assuming the level it is referring to is the level set in the
> rule.xml. So the sshd_rules.xml has this line.
>
>> 5700
>> ^Failed|^error: PAM: Authentication
>> SSHD authentication failed.
>> authentication_failed,
>
> When testing failed ssh logins I see the alert in the alert.log for the
> rule above. How should I go about changing the level to 6 so it will get
> blocked? I tried editing the sshd_rules.xml but get the read only warning.
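What the local_rules.xml route that Kat and Victor recommend looks like in practice, written out as an added example rather than taken from either post. The element names (rule, if_sid, match, description, group) and the overwrite="yes" attribute are the stock OSSEC rule syntax; the rule body is the sshd rule quoted in the question, with only the level changed. RULE_ID is a placeholder, because the archive dropped the id attribute of that rule: copy it from the matching rule in your sshd_rules.xml. The active-response stanza repeats the values quoted from ossec.conf so the link between level 6 and the host-deny response is visible.

```xml
<!-- /var/ossec/rules/local_rules.xml: edits here survive an upgrade,
     edits to sshd_rules.xml do not -->
<group name="local,syslog,sshd,">

  <!-- Same id as the stock rule. overwrite="yes" makes analysisd replace the
       stock definition instead of loading a second rule with the same id.
       RULE_ID is a placeholder: use the id attribute from sshd_rules.xml.
       The body is the quoted rule; only the level attribute changes to 6. -->
  <rule id="RULE_ID" level="6" overwrite="yes">
    <if_sid>5700</if_sid>
    <match>^Failed|^error: PAM: Authentication</match>
    <description>SSHD authentication failed.</description>
    <group>authentication_failed,</group>
  </rule>

</group>

<!-- /var/ossec/etc/ossec.conf: the active-response stanza quoted in the
     question. Any alert at level 6 or above now triggers host-deny for the
     source address, for 600 seconds. -->
<ossec_config>
  <active-response>
    <command>host-deny</command>
    <location>local</location>
    <level>6</level>
    <timeout>600</timeout>
  </active-response>
</ossec_config>
```

The override only takes effect because local_rules.xml is listed after sshd_rules.xml in the <rules> section of ossec.conf, so keep it last there. Before restarting, paste a failed-login line from auth.log into /var/ossec/bin/ossec-logtest: the output names the rule id and level that fired, which confirms the new level is loaded. Raising a rule to the active-response threshold is worth doing carefully, since a single mistyped password from an admin's address will now block that address for the timeout period; the white_list in the <global> section exists for exactly that case.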
[ossec-list] Re: Need information about Application installation via OSSEC
You could set the appropriate folders, assuming a *nix system, such as /bin,/usr/bin,/sbin,/usr/sbin for realtime monitoring and new file alerts. Then if a package is installed, regardless of whether by YUM or dpkg/apt, or even just by copying it into place, you would still get an alert.

Kat

On Monday, March 20, 2017 at 7:04:18 AM UTC-5, Jayalaxmi K wrote:
>
> Hi Team,
>
> Could you please let me know if application installation can be
> monitored using OSSEC?
> Please let me know the rule for the same.
>
> Thanks in advance
> Jaya
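The syscheck configuration that Kat's two replies above describe (realtime monitoring of a home tree where hidden ~/.ssh files live, and realtime plus new-file alerts on the binary directories to catch package installs), written out as one added example; it is not taken from the posts. The element names are the stock OSSEC syscheck syntax. The /bin,/usr/bin,/sbin,/usr/sbin list is Kat's; /home is my stand-in for wherever the user home directories are; and rule 554 is the stock OSSEC "File added to the system." rule, which ships at level 0 and so has to be raised before new-file events become alerts.

```xml
<!-- /var/ossec/etc/ossec.conf, syscheck section (agent side, or the
     manager for its own filesystem) -->
<ossec_config>
  <syscheck>
    <!-- Periodic scan every 6 hours, plus a baseline scan at start-up so that
         files which already exist when OSSEC starts are in the database -->
    <frequency>21600</frequency>
    <scan_on_start>yes</scan_on_start>

    <!-- Report files that appear after the baseline; without this, a file
         created after start-up produces no event at all -->
    <alert_new_files>yes</alert_new_files>

    <!-- realtime="yes" uses inotify, which is what the "inotify" package
         provides. A dotfile such as ~/.ssh/authorized_keys is an ordinary
         directory entry and is watched like any other. report_changes keeps a
         copy in queue/diff so the alert can show what changed.
         /home is an assumption: point it at the real home tree. -->
    <directories realtime="yes" check_all="yes" report_changes="yes">/home</directories>

    <!-- Kat's list: catches a package install whether it comes through
         YUM, dpkg/apt or a plain copy into place -->
    <directories realtime="yes" check_all="yes">/bin,/usr/bin,/sbin,/usr/sbin</directories>
  </syscheck>
</ossec_config>

<!-- /var/ossec/rules/local_rules.xml (manager): the stock new-file rule is
     level 0, so the syscheck_new_entry events stay silent until it is raised -->
<group name="local,syscheck,">
  <rule id="554" level="7" overwrite="yes">
    <category>ossec</category>
    <decoded_as>syscheck_new_entry</decoded_as>
    <description>File added to the system.</description>
    <group>syscheck,</group>
  </rule>
</group>
```

Two things to verify after a restart. First, the agent's ossec.log should not complain that realtime monitoring is unavailable; if it does, the build lacks inotify support and the directories fall back to the periodic scan, which is the "can only detect for syscheck" symptom from the question. Second, create a throwaway file under one of the watched directories and confirm a rule 554 alert appears in alerts.log; if it does not, the level override is not loaded, whatever the syscheck side is doing.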
[ossec-list] Re: Agentless ssh monitoring fails to connect every time
Hi,

Could you post the log entries? Also, an ssh -vvv output would help to see what is going on. It is clearly a connection problem, but hard to diagnose based on what you have posted.

Kat

On Friday, March 17, 2017 at 10:20:58 PM UTC-5, Marcin Gołębiowski wrote:
>
> I can't seem to make the agentless monitoring work. I added two remote
> boxes with /var/ossec/agentless/register_host.sh and configured a
> passwordless connection, generating ssh keys for user ossec. However, after
> restarting ossec the connection to the remote server fails every time.
> Ossec.log shows: ossec-agentlessd: ERROR: ssh_integrity_check_linux:
> us...@remote.server.pl : Public key authentication failed to
> host: us...@remote.server.pl . I tried to connect with a
> password but this time I got a timeout: ERROR: ssh_integrity_check_linux:
> u...@remote.server.pl : Timeout while connecting to host:
> us...@remote.server.pl . I checked the .passlist file and the
> passwords are correct. What is more - I am able to ssh to the remote server
> using the id_rsa generated for the ossec user, so theoretically ossec should connect
> with the NOPASS option. But it doesn't. I am in the dark. Server is Ubuntu
> Server 16.04, OSSEC version 2.8.3, expect installed, firewall disabled. Any
> ideas?
[ossec-list] Re: Agentless ssh monitoring fails to connect every time
Trying to debug with expect I got:

expect -d agentless/ssh_integrity_check_linux u...@server.com /directory/to/check
expect version 5.45
argv[0] = expect  argv[1] = -d  argv[2] = agentless/ssh_integrity_check_linux  argv[3] = u...@server.com  argv[4] = /directory/to/check
set argc 2
set argv0 "agentless/ssh_integrity_check_linux"
set argv "u...@server.com /directory/to/check"
executing commands from command file agentless/ssh_integrity_check_linux
spawn ssh u...@server.com
parent: waiting for sync byte
parent: telling child to go ahead
parent: now unsynchronized from child
spawn: returns {456}

expect: does "" (spawn_id exp4) match glob pattern "WARNING: REMOTE HOST"? no
"*sure you want to continue connecting*"? no
"ssh: connect to host*"? no
"no address associated with name"? no
"*Connection refused*"? no
"*Connection closed by remote host*"? no
"* password:*"? no
user@server ~ $
expect: does "\u001b[01;31malk2\u001b[01;33m@\u001b[01;36malk2 \u001b[01;33m~ \u001b[01;35m$ \u001b[00m" (spawn_id exp4) match glob pattern "WARNING: REMOTE HOST"? no
"*sure you want to continue connecting*"? no
"ssh: connect to host*"? no
"no address associated with name"? no
"*Connection refused*"? no
"*Connection closed by remote host*"? no
"* password:*"? no
expect: timed out

I don't have access to auth.log on the remote server; it's shared hosting, which is why I am trying to implement agentless monitoring there. I am able to manually log in with user ossec and the keyfile to that server without problems.

Regards

On Tuesday, 21 March 2017 13:59:57 UTC+1, Kat wrote:
>
> Hi,
>
> Could you post the log entries? Also, an ssh -vvv output would help to see
> what is going on. It is clearly a connection problem, but hard to diagnose
> based on what you have posted.
>
> Kat
>
> On Friday, March 17, 2017 at 10:20:58 PM UTC-5, Marcin Gołębiowski wrote:
>>
>> I can't seem to make the agentless monitoring work. I added two remote
>> boxes with /var/ossec/agentless/register_host.sh and configured a
>> passwordless connection, generating ssh keys for user ossec. However, after
>> restarting ossec the connection to the remote server fails every time.
>> Ossec.log shows: ossec-agentlessd: ERROR: ssh_integrity_check_linux:
>> us...@remote.server.pl: Public key authentication failed to host:
>> us...@remote.server.pl. I tried to connect with a password but this time
>> I got a timeout: ERROR: ssh_integrity_check_linux: u...@remote.server.pl:
>> Timeout while connecting to host: us...@remote.server.pl. I checked the
>> .passlist file and the passwords are correct. What is more - I am able to ssh
>> to the remote server using the id_rsa generated for the ossec user, so theoretically
>> ossec should connect with the NOPASS option. But it doesn't. I am in the dark.
>> Server is Ubuntu Server 16.04, OSSEC version 2.8.3, expect installed,
>> firewall disabled. Any ideas?
>>
[ossec-list] install ossec - bind to port 1514 fail | getaddrinfo: name or service not known
When I install ossec 2.9.0 on rhel 7.3 (no ipv6 feature and address) I have a problem with ossec-remoted and ossec-auth: these services can't bind port 1514, log error below.

I generated my certificate with the commands "openssl genrsa -out" and "openssl req -new -x509 -key ".

##Log OSSEC.LOG
2017/03/21 11:34:34 ossec-remoted: DEBUG: Forking remoted: '0'.
2017/03/21 11:34:34 ossec-remoted: Remote syslog allowed from: '0.0.0.0/0'
2017/03/21 11:34:34 ossec-remoted: DEBUG: Forking remoted: '1'.
2017/03/21 11:34:34 getaddrinfo: Name or service not known
2017/03/21 11:34:34 getaddrinfo: Name or service not known
2017/03/21 11:34:34 ossec-remoted(1206): ERROR: Unable to Bind port '1514'
2017/03/21 11:34:34 ossec-remoted(1206): ERROR: Unable to Bind port '514'
2017/03/21 11:34:41 ossec-syscheckd: INFO: Starting syscheck scan (forwarding database).
2017/03/21 11:34:41 ossec-syscheckd: INFO: Starting syscheck database (pre-scan).
2017/03/21 11:35:47 ossec-authd: DEBUG: Starting ...
2017/03/21 11:35:47 ossec-authd: INFO: Started (pid: 24420).
2017/03/21 11:35:47 ossec-authd: DEBUG: Returning CTX for server.
2017/03/21 11:35:47 *getaddrinfo*: Name or service not known
2017/03/21 11:35:47 ossec-authd: Unable to bind to port 1514

In other cases of "unable to bind port 1514", my error was my client.keys, but now I have a new error "getaddrinfo".

Can you help me?

Kind regards