[ossec-list] OSSEC into Splunk - Amazon EC2
Hello,

I have three OSSEC servers running on three separate machines (one for each individual network). I was wondering how I can point those servers to my Splunk server. The Splunk app appears to have the functionality to select by Server Name. This would then give me the ability to manage all of the servers from within the Splunk app. Has anyone done this?

Side question - Is it possible to run three separate policy profiles on one OSSEC server? I'm using 3 Amazon Micro Servers, and then the Splunk server is installed on an Amazon Small Server (Ubuntu). It would be nice to consolidate those three micro servers into one Small or Medium server, but I need the ability to report and tune for each network. They have different security requirements, etc.

Thanks,
Patrick
Re: [ossec-list] Incorrectly formated message errors.
On 08/17/2012 15:32, dan (ddp) wrote:
> On Fri, Aug 17, 2012 at 2:52 AM, bw <bw.mail.li...@gmail.com> wrote:
>>> Does it work if you don't have it listening to 2 different networks?
>> No. And when I say no, I mean I stopped everything and started only the master and the 192.168. agent and I got the same result. I didn't reinstall everything, the other two agents were still configured, just not started, master was still listening on all IPs, as it does by default.
> So you didn't try? I guess you could try to reinstall, maybe with the latest source instead of 2.6.

Deleted everything (rm -rf /var/ossec /etc/ossec-init.conf /etc/init.d/ossec), got 7987046f6bb1 from JBCheng's repo, that should be latest at this time, installed it on server with only one agent, the least busy one, no virtualization involved, first restart of the server I got the warning again.
Re: [ossec-list] socketerr messages after restarting ossec, errors occur after the starting the rootcheck scan
On Fri, Aug 17, 2012 at 5:29 PM, Shaka Lewis <shaka.le...@gmail.com> wrote:
> I get the below errors after restarting ossec. This is version 2.6 running on a Linux machine.
>
> 2012/08/17 16:55:21 ossec-logcollector: socketerr (not available).
> 2012/08/17 16:55:21 ossec-logcollector(1224): ERROR: Error sending message to queue.
> 2012/08/17 16:55:24 ossec-logcollector(1210): ERROR: Queue '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
> 2012/08/17 16:55:24 ossec-logcollector(1211): ERROR: Unable to access queue: '/var/ossec/queue/ossec/queue'. Giving up..
> 2012/08/17 17:09:21 ossec-syscheckd: socketerr (not available).
> 2012/08/17 17:09:21 ossec-rootcheck(1224): ERROR: Error sending message to queue.
> 2012/08/17 17:09:24 ossec-syscheckd(1210): ERROR: Queue '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
> 2012/08/17 17:09:24 ossec-rootcheck(1211): ERROR: Unable to access queue: '/var/ossec/queue/ossec/queue'. Giving up..
> 2012/08/17 17:10:41 ossec-monitord: socketerr (not available).
> 2012/08/17 17:10:41 ossec-monitord(1224): ERROR: Error sending message to queue.
> 2012/08/17 17:16:41 ossec-monitord: socketerr (not available).
> 2012/08/17 17:16:41 ossec-monitord(1224): ERROR: Error sending message to queue.
> 2012/08/17 17:18:41 ossec-monitord: socketerr (not available).
> 2012/08/17 17:18:41 ossec-monitord(1224): ERROR: Error sending message to queue.
> 2012/08/17 17:18:41 ossec-monitord: socketerr (not available).

These types of errors usually mean something was changed incorrectly. Did you make any changes before restarting? What log messages are there before the first socketerr? What OSSEC processes are running when this happens?
Re: [ossec-list] Re: socketerr messages after restarting ossec, errors occur after the starting the rootcheck scan
I ran the ls command and the file does exist. I just started recently having problems. The system runs usually about 30 minutes to an hour, then analysisd dies.

On Sun, Aug 19, 2012 at 7:49 PM, JB <jjoob...@gmail.com> wrote:
> Looks like the Unix sockets do not work at all. Was OSSEC running OK before you restarted it? Were you running as 'root'? Do 'ls -l /var/ossec/queue/ossec/queue' to see if the file exists.
>
> On Friday, August 17, 2012 2:29:19 PM UTC-7, Shaka Lewis wrote:
>> I get the below errors after restarting ossec. This is version 2.6 running on a Linux machine.
>> [...]
Re: [ossec-list] socketerr messages after restarting ossec, errors occur after the starting the rootcheck scan
This is the error log in the ossec.log file when I restarted this morning:

ossec-logcollector(1950): INFO: Analyzing file: '/var/ossec/logs/alerts/alerts.log'.
2012/08/20 09:29:30 ossec-logcollector: INFO: Started (pid: 10978).
2012/08/20 09:29:50 ossec-logcollector: socketerr (not available).
2012/08/20 09:29:50 ossec-logcollector(1224): ERROR: Error sending message to queue.
2012/08/20 09:29:53 ossec-logcollector(1210): ERROR: Queue '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
2012/08/20 09:29:53 ossec-logcollector(1211): ERROR: Unable to access queue: '/var/ossec/queue/ossec/queue'. Giving up..
2012/08/20 09:30:31 ossec-syscheckd: INFO: Starting syscheck scan (forwarding database).
2012/08/20 09:30:31 ossec-syscheckd: socketerr (not available).
2012/08/20 09:30:31 ossec-syscheckd(1224): ERROR: Error sending message to queue.
2012/08/20 09:30:34 ossec-syscheckd(1210): ERROR: Queue '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
2012/08/20 09:30:34 ossec-syscheckd(1211): ERROR: Unable to access queue: '/var/ossec/queue/ossec/queue'. Giving up..

This was in /var/log/messages:

kernel: ossec-analysisd[10974]: segfault at 0 ip (null) sp 7fffe5ada2b8 error 14 in ossec-analysisd[40+62000]

On Mon, Aug 20, 2012 at 7:54 AM, dan (ddp) <ddp...@gmail.com> wrote:
> On Fri, Aug 17, 2012 at 5:29 PM, Shaka Lewis <shaka.le...@gmail.com> wrote:
>> I get the below errors after restarting ossec. This is version 2.6 running on a Linux machine.
>> [...]
>
> These types of errors usually mean something was changed incorrectly. Did you make any changes before restarting? What log messages are there before the first socketerr? What OSSEC processes are running when this happens?
Re: [ossec-list] socketerr messages after restarting ossec, errors occur after the starting the rootcheck scan
On Mon, Aug 20, 2012 at 9:38 AM, Shaka Lewis <shaka.le...@gmail.com> wrote:
> This is the error log in the ossec.log file when I restarted this morning:
> [...]
> 2012/08/20 09:30:34 ossec-syscheckd(1211): ERROR: Unable to access queue: '/var/ossec/queue/ossec/queue'. Giving up..
>
> This was in /var/log/messages:
>
> kernel: ossec-analysisd[10974]: segfault at 0 ip (null) sp 7fffe5ada2b8 error 14 in ossec-analysisd[40+62000]

Try running ossec-analysisd in gdb to see if you can get more information from the crash.

    gdb ossec-analysisd
    set follow-fork-mode child
    run -d
    CRASH
    bt

For a start.

> On Mon, Aug 20, 2012 at 7:54 AM, dan (ddp) <ddp...@gmail.com> wrote:
>> On Fri, Aug 17, 2012 at 5:29 PM, Shaka Lewis <shaka.le...@gmail.com> wrote:
>>> I get the below errors after restarting ossec. This is version 2.6 running on a Linux machine.
>>> [...]
>>
>> These types of errors usually mean something was changed incorrectly. Did you make any changes before restarting? What log messages are there before the first socketerr? What OSSEC processes are running when this happens?
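The thread above shows the pattern worth recognising: every daemon that reports "socketerr" or "Connection refused" on /var/ossec/queue/ossec/queue is a writer to that socket, and the one process that never appears in those errors, ossec-analysisd, is the one that died. The following triage script is an added example, not code from the thread or from the OSSEC project. It assumes the OSSEC process layout (on a manager the queue socket is created and read by ossec-analysisd; on an agent by ossec-agentd; logcollector, syscheckd, rootcheck and monitord only send to it), treats the error codes 1210, 1211 and 1224 seen in the posted lines as queue failures, and runs over log lines constructed from the ones Shaka posted. The socket path check at the end is a live-box helper: the socket file surviving on disk, which is what the `ls` in the thread confirmed, says nothing about whether anyone is still reading from it.

```python
"""Triage for OSSEC 'socketerr' / 'Error sending message to queue' storms.

Added example, not from the thread or the OSSEC project. One fact about
OSSEC's layout is assumed: the Unix datagram socket
/var/ossec/queue/ossec/queue is created and read by ossec-analysisd on a
manager (ossec-agentd on an agent); the other daemons only write to it.
'Connection refused' from a writer therefore means the reader is gone.
"""
import os
import re
import stat
from datetime import datetime

# Constructed sample: the timestamped ossec.log and /var/log/messages
# lines posted in the thread above.
OSSEC_LOG = """\
2012/08/20 09:29:30 ossec-logcollector: INFO: Started (pid: 10978).
2012/08/20 09:29:50 ossec-logcollector: socketerr (not available).
2012/08/20 09:29:50 ossec-logcollector(1224): ERROR: Error sending message to queue.
2012/08/20 09:29:53 ossec-logcollector(1210): ERROR: Queue '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
2012/08/20 09:29:53 ossec-logcollector(1211): ERROR: Unable to access queue: '/var/ossec/queue/ossec/queue'. Giving up..
2012/08/20 09:30:31 ossec-syscheckd: INFO: Starting syscheck scan (forwarding database).
2012/08/20 09:30:31 ossec-syscheckd: socketerr (not available).
2012/08/20 09:30:31 ossec-syscheckd(1224): ERROR: Error sending message to queue.
2012/08/20 09:30:34 ossec-syscheckd(1210): ERROR: Queue '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
2012/08/20 09:30:34 ossec-syscheckd(1211): ERROR: Unable to access queue: '/var/ossec/queue/ossec/queue'. Giving up..
"""
SYSLOG = ("kernel: ossec-analysisd[10974]: segfault at 0 ip (null) "
          "sp 7fffe5ada2b8 error 14 in ossec-analysisd[40+62000]\n")

QUEUE_OWNER = "ossec-analysisd"               # use "ossec-agentd" when triaging an agent
QUEUE_ERROR_CODES = {"1210", "1211", "1224"}  # the codes seen in the posted lines
QUEUE_PATH = "/var/ossec/queue/ossec/queue"

LINE_RE = re.compile(r"^(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d) (ossec-\w+)(?:\((\d+)\))?: (.*)$")
SEGV_RE = re.compile(r"(ossec-\w+)\[(\d+)\]: segfault")
STARTED_RE = re.compile(r"Started \(pid: (\d+)\)")


def parse_ossec_log(text):
    """Yield (timestamp, daemon, error_code_or_None, message) per well-formed line."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m.group(1), "%Y/%m/%d %H:%M:%S")
            yield ts, m.group(2), m.group(3), m.group(4)


def is_queue_failure(code, message):
    return code in QUEUE_ERROR_CODES or message.startswith("socketerr")


def triage(ossec_log, syslog):
    """Correlate queue failures in ossec.log with crashes reported by the kernel."""
    events = list(parse_ossec_log(ossec_log))
    failures = [(ts, daemon) for ts, daemon, code, msg in events
                if is_queue_failure(code, msg)]
    crashed = [(name, int(pid)) for name, pid in SEGV_RE.findall(syslog)]
    pids = {}
    for _, daemon, _, msg in events:
        m = STARTED_RE.search(msg)
        if m:
            pids[daemon] = int(m.group(1))
    writers = sorted({daemon for _, daemon in failures})
    owner_dead = any(name == QUEUE_OWNER for name, _ in crashed)
    if not failures:
        verdict = "no queue failures"
    elif owner_dead:
        verdict = (f"{QUEUE_OWNER} crashed; queue errors from "
                   f"{', '.join(writers)} are downstream of that")
    else:
        verdict = (f"queue unreachable with no crash logged; confirm "
                   f"{QUEUE_OWNER} is running and owns the socket")
    return {
        "first_failure": failures[0][0].strftime("%Y/%m/%d %H:%M:%S") if failures else None,
        "writers_affected": writers,
        "crashed": crashed,
        "queue_owner_dead": owner_dead,
        "pids": pids,
        "verdict": verdict,
    }


def socket_present(path=QUEUE_PATH):
    """True if the queue path exists and is a Unix socket. Existence alone does
    not mean a reader is attached: a dead reader leaves the path behind and
    sends to it fail with ECONNREFUSED, exactly the symptom in the thread."""
    try:
        return stat.S_ISSOCK(os.stat(path).st_mode)
    except FileNotFoundError:
        return False


if __name__ == "__main__":
    result = triage(OSSEC_LOG, SYSLOG)
    print(result["verdict"])
    print("socket path present:", socket_present())
```

On a live manager the script points you at analysisd within seconds; the next step is dan's gdb recipe above, run against the binary in /var/ossec/bin with the same `-d` flag.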
[ossec-list] ossec service stops immediately after start
Windows 2003

Faulting application ossec-agent.exe, version 0.0.0.0, faulting module ossec-agent.exe, version 0.0.0.0, fault address 0x00030b6f.

ossec.log:

2012/08/20 09:25:30 ossec-agent(1905): INFO: No file configured to monitor.
2012/08/20 09:25:30 ossec-execd(1350): INFO: Active response disabled. Exiting.
2012/08/20 09:25:30 ossec-agent(1410): INFO: Reading authentication keys file.

Fresh install. Anyone have any ideas what to check? The same config files work on hundreds of other systems.

Michael Barrett | Information Security Analyst - Lead | Mortgage Guaranty Insurance Corporation
Re: [ossec-list] ossec service stops immediately after start
Check that your config file exists and that it is readable; also, if it exists, paste it here.

On Mon, Aug 20, 2012 at 4:27 PM, Michael Barrett <michael_barr...@mgic.com> wrote:
> Windows 2003
>
> Faulting application ossec-agent.exe, version 0.0.0.0, faulting module ossec-agent.exe, version 0.0.0.0, fault address 0x00030b6f.
> [...]
> Fresh install. Anyone have any ideas what to check? The same config files work on hundreds of other systems.

--
MVH/With regards
Frank

--
Name: Frank Stefan Sundberg Solli
E-mail: frankste...@gmail.com
Web: http://0x41.me
GPG: 684119F4
Re: [ossec-list] ossec service stops immediately after start
<!-- OSSEC Win32 Agent Configuration.
  -  This file is composed of 3 main sections:
  -    - Client config - Settings to connect to the OSSEC server.
  -    - Localfile - Files/Event logs to monitor.
  -    - syscheck - System file/Registry entries to monitor.
  -->

<!-- READ ME FIRST. If you are configuring OSSEC for the first time,
  -  try to use the Manage_Agent tool. Go to Control Panel->OSSEC Agent
  -  to execute it.
  -
  -  First, add a server-ip entry with the real IP of your server.
  -  Second, and optionally, change the settings of the files you want
  -  to monitor. Look at our Manual and FAQ for more information.
  -  Third, start the Agent and enjoy.
  -
  -  Example of server-ip:
  -  <client> <server-ip>1.2.3.4</server-ip> </client>
  -->

<ossec_config>

  <!-- One entry for each file/Event log to monitor. -->
  <!--
  <localfile>
    <location>Application</location>
    <log_format>eventlog</log_format>
  </localfile>

  <localfile>
    <location>Security</location>
    <log_format>eventlog</log_format>
  </localfile>

  <localfile>
    <location>System</location>
    <log_format>eventlog</log_format>
  </localfile>
  -->

  <!-- Rootcheck - Policy monitor config -->
  <rootcheck>
    <windows_audit>./shared/win_audit_rcl.txt</windows_audit>
    <windows_apps>./shared/win_applications_rcl.txt</windows_apps>
    <windows_malware>./shared/win_malware_rcl.txt</windows_malware>
  </rootcheck>

  <!-- Syscheck - Integrity Checking config. -->
  <syscheck>

    <!-- Default frequency, every 18 hours. It doesn't need to be higher
      -  on most systems and once a day should be enough.
      -->
    <frequency>64800</frequency>

    <!-- By default it is disabled. In the Install you must choose
      -  to enable it.
      -->
    <disabled>no</disabled>

    <!-- Default files to be monitored - system32 only. -->
    <directories check_all="yes">%WINDIR%/system32</directories>

    <!-- Default files to be ignored. -->
    <ignore>%WINDIR%/System32/LogFiles</ignore>
    <ignore>%WINDIR%/system32/wbem/Logs</ignore>
    <ignore>%WINDIR%/system32/config</ignore>
    <ignore>%WINDIR%/system32/CatRoot</ignore>
    <ignore>%WINDIR%/system32/wbem/Repository</ignore>
    <ignore>%WINDIR%/system32/dllcache</ignore>
    <ignore>%WINDIR%/system32/inetsrv/History</ignore>
    <ignore>%WINDIR%/system32/winevt/Logs</ignore>
    <ignore>%WINDIR%/system32/spool</ignore>
    <ignore>%WINDIR%/system32/Tasks</ignore>
    <ignore type="sregex">.log$|.htm$|.jpg$|.png$|.chm$|.pnf$|.evtx$</ignore>

    <!-- Windows registry entries to monitor. -->
    <windows_registry>HKEY_LOCAL_MACHINE\Software\Policies</windows_registry>
    <windows_registry>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion</windows_registry>
    <windows_registry>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion</windows_registry>
    <windows_registry>HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer</windows_registry>
    <windows_registry>HKEY_LOCAL_MACHINE\Software\Classes</windows_registry>
    <windows_registry>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control</windows_registry>
    <windows_registry>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services</windows_registry>
    <windows_registry>HKEY_LOCAL_MACHINE\Security</windows_registry>

    <!-- Windows registry entries to ignore. -->
    <registry_ignore>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData</registry_ignore>
    <registry_ignore>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Group Policy\State</registry_ignore>
    <registry_ignore>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\WindowsUpdate</registry_ignore>
    <registry_ignore>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Cache</registry_ignore>
    <registry_ignore>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\ProfileList</registry_ignore>
    <registry_ignore>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Prefetcher</registry_ignore>
    <registry_ignore>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache</registry_ignore>
    <registry_ignore>HKEY_LOCAL_MACHINE\Software\Classes\Interface</registry_ignore>
    <registry_ignore>HKEY_LOCAL_MACHINE\Software\Classes\TypeLib</registry_ignore>
    <registry_ignore>HKEY_LOCAL_MACHINE\Software\Classes\MIME</registry_ignore>
    <registry_ignore>HKEY_LOCAL_MACHINE\Software\Classes\Software</registry_ignore>
    <registry_ignore>HKEY_LOCAL_MACHINE\Software\Classes\CLSID</registry_ignore>
    <registry_ignore>HKEY_LOCAL_MACHINE\Security\Policy\Secrets</registry_ignore>
    <registry_ignore>HKEY_LOCAL_MACHINE\Security\SAM\Domains\Account\Users</registry_ignore>
    <registry_ignore>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\DeviceClasses</registry_ignore>
    <registry_ignore>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Watchdog</registry_ignore>
    <registry_ignore>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\MediaCategories</registry_ignore>
    <registry_ignore>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Windows</registry_ignore>
  </syscheck>

</ossec_config>
Re: [ossec-list] ossec service stops immediately after start
Looks like I fixed it. Apparently there was no rids directory; once I created it, the agent starts.

Michael Barrett | Information Security Analyst - Lead | Mortgage Guaranty Insurance Corporation

From: Frank Stefan Sundberg Solli <frankste...@gmail.com>
To: ossec-list@googlegroups.com
Date: 08/20/2012 09:44 AM
Subject: Re: [ossec-list] ossec service stops immediately after start

> Check that your config file exists and that it is readable; also, if it exists, paste it here.
>
> On Mon, Aug 20, 2012 at 4:27 PM, Michael Barrett <michael_barr...@mgic.com> wrote:
>> Windows 2003
>> [...]
>> Fresh install. Anyone have any ideas what to check? The same config files work on hundreds of other systems.
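Two things in this thread are checkable before the agent is ever started: the posted ossec.conf has all three localfile entries inside one XML comment block, which is exactly why the log says "No file configured to monitor", and the install was missing the rids directory, which is what made ossec-agent.exe fault right after "Reading authentication keys file". The pre-flight check below is an added example, not code from the thread or from the OSSEC project. It assumes the default Windows agent layout (ossec.conf, client.keys and the rids directory side by side in the install directory) and that rids holds the agent's message counter files; the XML comment handling relies on ElementTree discarding comments, which matches how the agent treats them. The config samples and the 192.0.2.10 server address are constructed placeholders, and the demo builds throwaway directories so it runs anywhere.

```python
"""Pre-flight checks for an OSSEC Windows agent install directory.

Added example, not from the thread or the OSSEC project. Assumes the
default layout of a Windows agent install: ossec.conf, client.keys and
the rids directory (message counter files) next to each other.
"""
import os
import tempfile
import xml.etree.ElementTree as ET

# Constructed sample: the essential shape of the config posted above,
# localfile entries inside a comment block and no <client> section.
BROKEN_CONF = """<!-- OSSEC Win32 Agent Configuration. -->
<ossec_config>
  <!-- One entry for each file/Event log to monitor. -->
  <!--
  <localfile>
    <location>Security</location>
    <log_format>eventlog</log_format>
  </localfile>
  -->
  <syscheck>
    <frequency>64800</frequency>
    <directories check_all="yes">%WINDIR%/system32</directories>
  </syscheck>
</ossec_config>
"""

# Constructed sample of a usable config (192.0.2.10 is a placeholder address).
FIXED_CONF = """<ossec_config>
  <client>
    <server-ip>192.0.2.10</server-ip>
  </client>
  <localfile>
    <location>Security</location>
    <log_format>eventlog</log_format>
  </localfile>
</ossec_config>
"""

F_NO_CONF = "ossec.conf missing"
F_NO_LOCALFILE = "no active <localfile> entries (all inside an XML comment?)"
F_NO_SERVER_IP = "no <client><server-ip> configured"
F_NO_KEYS = "client.keys missing (agent not registered with a manager)"
F_NO_RIDS = "rids directory missing (the agent keeps its message counter files there)"


def parse_conf(text):
    # ossec.conf may carry leading comments and more than one top-level
    # <ossec_config>, so wrap it in a synthetic root. ElementTree drops
    # comments, so commented-out elements never show up as configuration.
    return ET.fromstring("<ossec>" + text + "</ossec>")


def active_localfiles(text):
    """(location, log_format) for every localfile that is live configuration."""
    return [(lf.findtext("location"), lf.findtext("log_format"))
            for lf in parse_conf(text).iter("localfile")]


def server_ips(text):
    return [e.text.strip() for e in parse_conf(text).iter("server-ip") if e.text]


def check_install(install_dir):
    """Return the list of findings for an agent install directory (empty is good)."""
    conf = os.path.join(install_dir, "ossec.conf")
    if not os.path.isfile(conf):
        return [F_NO_CONF]
    with open(conf, encoding="utf-8") as fh:
        text = fh.read()
    findings = []
    if not active_localfiles(text):
        findings.append(F_NO_LOCALFILE)
    if not server_ips(text):
        findings.append(F_NO_SERVER_IP)
    if not os.path.isfile(os.path.join(install_dir, "client.keys")):
        findings.append(F_NO_KEYS)
    if not os.path.isdir(os.path.join(install_dir, "rids")):
        findings.append(F_NO_RIDS)
    return findings


def build_install(root, conf_text, with_rids):
    """Test fixture: lay out a directory shaped like a Windows agent install."""
    os.makedirs(root, exist_ok=True)
    with open(os.path.join(root, "ossec.conf"), "w", encoding="utf-8") as fh:
        fh.write(conf_text)
    open(os.path.join(root, "client.keys"), "w", encoding="utf-8").close()
    if with_rids:
        os.mkdir(os.path.join(root, "rids"))
    return root


def demo():
    """Findings for an install like the broken one above, then for a repaired one."""
    with tempfile.TemporaryDirectory() as tmp:
        broken = check_install(build_install(os.path.join(tmp, "broken"), BROKEN_CONF, False))
        fixed = check_install(build_install(os.path.join(tmp, "fixed"), FIXED_CONF, True))
    return broken, fixed


if __name__ == "__main__":
    for finding in demo()[0]:
        print("FINDING:", finding)
```

Only the rids finding is fatal in the thread's sense; the localfile and server-ip findings leave the agent running but useless, which the log reports as INFO rather than ERROR, so they are easy to miss on a fleet of hundreds.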