Re: [ossec-list] Re: reportd not sending any email

2016-04-18 Thread Daniel Cid
Try this patch from here:

https://bitbucket.org/dcid/ossec-hids/commits/eb98bdae15cec6ccf04190d0badbd3b0de6f84b7

As it may fix the problem.

thanks,

On Mon, Apr 18, 2016 at 7:16 PM, theresa mic-snare wrote:
> will need to take a proper look at what's causing those segfaults
> tomorrow...
>
>

-- 

--- 
You received this message because you are subscribed to the Google Groups 
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to ossec-list+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.


Re: [ossec-list] Re: reportd not sending any email

2016-04-18 Thread theresa mic-snare
will need to take a proper look at what's causing those segfaults 
tomorrow...

Am Dienstag, 19. April 2016 00:11:45 UTC+2 schrieb theresa mic-snare:
>
> oh no!!
> OSSEC segfaulted
>
> 2016-04-19T00:01:58.311800+02:00 tron kernel: ossec-monitord[20021]: segfault at 1a ip 7f68290ab8b5 sp 7fff84248bc0 error 4 in libc-2.12.so[7f6829008000+18a000]
>
> since this was 1 minute after midnight I suspect reportd causes this
>
> this is what the OSSEC log has to say:
>
> 2016/04/19 00:01:53 ossec-monitord: INFO: Starting daily reporting for 'OSSEC: Authentication Report'
> 2016/04/19 00:01:58 ossec-monitord: INFO: Report 'OSSEC: Authentication Report' completed. Creating output...
> 2016/04/19 00:02:13 ossec-monitord: INFO: Starting daily reporting for 'Daily report: File changes'
> 2016/04/19 00:02:18 ossec-monitord: INFO: Report 'Daily report: File changes' completed. Creating output...
>
> a few seconds later another segfault
>
> 2016-04-19T00:02:18.278790+02:00 tron kernel: ossec-monitord[20062]: segfault at 1a ip 7f68290ab8b5 sp 7fff84248bc0 error 4 in libc-2.12.so[7f6829008000+18a000]
>
> Hmm... :(
>



Re: [ossec-list] Re: reportd not sending any email

2016-04-18 Thread theresa mic-snare
oh no!!
OSSEC segfaulted

2016-04-19T00:01:58.311800+02:00 tron kernel: ossec-monitord[20021]: segfault at 1a ip 7f68290ab8b5 sp 7fff84248bc0 error 4 in libc-2.12.so[7f6829008000+18a000]

since this was 1 minute after midnight I suspect reportd causes this

this is what the OSSEC log has to say:

2016/04/19 00:01:53 ossec-monitord: INFO: Starting daily reporting for 'OSSEC: Authentication Report'
2016/04/19 00:01:58 ossec-monitord: INFO: Report 'OSSEC: Authentication Report' completed. Creating output...
2016/04/19 00:02:13 ossec-monitord: INFO: Starting daily reporting for 'Daily report: File changes'
2016/04/19 00:02:18 ossec-monitord: INFO: Report 'Daily report: File changes' completed. Creating output...

a few seconds later another segfault

2016-04-19T00:02:18.278790+02:00 tron kernel: ossec-monitord[20062]: segfault at 1a ip 7f68290ab8b5 sp 7fff84248bc0 error 4 in libc-2.12.so[7f6829008000+18a000]

Hmm... :(

Am Montag, 18. April 2016 17:37:48 UTC+2 schrieb dan (ddpbsd):
>
> On Mon, Apr 18, 2016 at 11:34 AM, theresa mic-snare wrote:
> > Awesome, thanks for the tip Dan!
> > I will look for it tonight, if it actually works and does send a report,
> > then I will send a PR with a disclaimer on the documentation page, because
> > it isn't mentioned there yet.
> > 
>
> Much appreciated! 
>
> > I have also looked at the code to see if I could find any indicator when the
> > email would be sent... but alas, I haven't found anything there either.
> > 
>
> My bad memory is telling me monitord is the place to look. 
>
> > 
> > Am Montag, 18. April 2016 17:24:37 UTC+2 schrieb theresa mic-snare: 
> >> 
> >> Hi all, 
> >> 
> >> I've configured reportd to send reports on syscheck and successful 
> >> authentication 
> >> 
> >> <reports>
> >>   <category>authentication_success</category>
> >>   <title>OSSEC: Authentication Report</title>
> >>   <email_to>1...@456.com</email_to>
> >>   <showlogs>yes</showlogs>
> >> </reports>
> >>
> >> <reports>
> >>   <group>syscheck</group>
> >>   <title>Daily report: File changes</title>
> >>   <email_to>1...@456.com</email_to>
> >> </reports>
> >>
> >> However, I can run those reports fine in the terminal, but it doesn't send
> >> any reports through email.
> >>
> >> Yes: I have checked that ossec-maild is running. It is, I swear!
> >> Yes: I have checked the spam/junk folder in my inbox as well. I swear!
> >>
> >> When I run reportd manually it displays the report just fine, and even
> >> in the logs it says
> >> 
> >> 2016/04/18 17:13:49 ossec-reportd: INFO: Report completed. Creating 
> >> output... 
> >> 
> >> I'd expect it at least to say this after I restart OSSEC as well? 
> >> 
> >> When does ossec-reportd run or does it have to be started through a 
> >> cronjob? 
> >> Does the mailing of reports work for you? 
> >> 
> >> best, 
> >> theresa 
> > 


Re: [ossec-list] Rule 1002 continues to fire after creating local overwriting rule

2016-04-18 Thread James Stallings
This is the first rule I have attempted since inheriting the 
system/platform.

> It is worth noting however that the "no_email_alert" is redundant in this
> case, because the rule level is set to zero.

Yea, I was grasping at straws here.

On Monday, April 18, 2016 at 12:05:54 PM UTC-4, LostInThe Tubez wrote:
>
> Your rule triggers for me when I test it (on v2.8.3), so the problem is
> likely not with your rule. It is worth noting however that the
> "no_email_alert" is redundant in this case, because the
> rule level is set to zero.
>
> What is the output of ossec-logtest, using the line from your sample
> alert? No errors in your ossec.log on the server? Are other rules in your
> local_rules.xml working?
>
> *From:* ossec...@googlegroups.com [mailto:ossec...@googlegroups.com] *On Behalf Of* James Stallings
> *Sent:* Saturday, April 16, 2016 3:42 PM
> *To:* ossec-list
> *Subject:* [ossec-list] Rule 1002 continues to fire after creating local overwriting rule
>
> I'm trying to ignore an NRPE ssl handshake alert while I wait for the
> responsible team to resolve it.
>
> Here is a sample alert:
>
> OSSEC HIDS Notification.
> 2016 Apr 16 18:06:17
> Received From: (some_host) some_ip->/var/log/messages
> Rule: 1002 fired (level 2) -> "Unknown problem somewhere in the system."
> Portion of the log(s):
> Apr 16 18:06:16 some_host nrpe[12791]: Error: Could not complete SSL handshake. 5
>
> --END OF NOTIFICATION
>
> Here is the rule I have created in my local_rules.xml config.
>
> <!-- group name and rule id are not visible in the archived post; placeholders used -->
> <group name="GROUP_NAME">
>   <rule id="RULE_ID" level="0">
>     <if_sid>1002</if_sid>
>     <program_name>nrpe</program_name>
>     <options>no_email_alert</options>
>     <match>Could not complete SSL handshake</match>
>     <description>Ignore nrpe ssl handshake errors</description>
>   </rule>
> </group>
>
> This still does not seem to be working. I've tried altering the rule by
> dropping program name and options. I've restarted the OSSEC daemon on the
> server after every change.
>
> Could anyone point me in the right direction?
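To make the mechanics behind this thread concrete (why a level-0 child of rule 1002 should silence the NRPE alert, and why `no_email_alert` adds nothing once the level is 0), here is an added toy model of OSSEC's rule selection. It is not OSSEC code and not part of any post above; it does not read rule files. Assumptions it makes: `<match>` is treated as a case-insensitive substring test, rule 1002's real `$BAD_WORDS` list is reduced to the single word `error`, the child rule id `100001` is made up because the post's own id is not shown, and the default thresholds used are OSSEC's `log_alert_level` 1 and `email_alert_level` 7. The `sshd` and `cron` lines are constructed; the `nrpe` line is the one from the sample alert.

```python
"""Toy model of how OSSEC picks the rule that decides a syslog event.

Added example for the Rule 1002 thread; not OSSEC code. It reproduces
three mechanics the discussion depends on:
  * program_name is the syslog tag in front of the PID: "nrpe[12791]:" -> "nrpe"
  * <match> is a substring test on the message (case-insensitive here: assumption)
  * a matching child rule (<if_sid>) replaces its parent, so a level-0 child
    silences the parent's alert and any email
Rule 1002's real <match> is the $BAD_WORDS list; only "error" is modelled.
The child rule id 100001 is made up; the post's own id is not visible.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# "Apr 16 18:06:16 some_host nrpe[12791]: Error: ..." -> prog=nrpe, msg="Error: ..."
SYSLOG_RE = re.compile(
    r"^\w{3}\s+\d{1,2}\s+\d\d:\d\d:\d\d\s+(?P<host>\S+)\s+"
    r"(?P<prog>[^\s\[:]+)(?:\[\d+\])?:\s*(?P<msg>.*)$"
)


@dataclass
class Rule:
    id: int
    level: int
    description: str
    match: Optional[str] = None          # <match>
    program_name: Optional[str] = None   # <program_name>
    if_sid: Optional[int] = None         # <if_sid>: parent rule id
    options: List[str] = field(default_factory=list)  # <options>


def parse_syslog(line: str) -> Optional[dict]:
    """Split a BSD-syslog line into the fields the rules look at."""
    m = SYSLOG_RE.match(line)
    return None if m is None else {"program_name": m["prog"], "message": m["msg"]}


def rule_matches(rule: Rule, event: dict) -> bool:
    if rule.program_name is not None and rule.program_name != event["program_name"]:
        return False
    if rule.match is not None and rule.match.lower() not in event["message"].lower():
        return False
    return True


def decide(rules: List[Rule], line: str) -> Optional[Rule]:
    """Return the rule that decides the event, or None if nothing matched.

    Root rules (no if_sid) are tried in order; then the first matching child
    of the current winner replaces it, repeatedly, like OSSEC's rule tree.
    """
    event = parse_syslog(line)
    if event is None:
        return None
    winner = next((r for r in rules if r.if_sid is None and rule_matches(r, event)), None)
    while winner is not None:
        child = next((c for c in rules if c.if_sid == winner.id and rule_matches(c, event)), None)
        if child is None:
            break
        winner = child
    return winner


def would_alert(rule: Optional[Rule], log_alert_level: int = 1) -> bool:
    """OSSEC writes an alert only when level >= <log_alert_level> (default 1)."""
    return rule is not None and rule.level >= log_alert_level


def would_email(rule: Optional[Rule], email_alert_level: int = 7) -> bool:
    """Email needs level >= <email_alert_level> (default 7) and no no_email_alert.

    At level 0 the option can never matter, which is the 'redundant' remark above.
    """
    return would_alert(rule) and rule.level >= email_alert_level and "no_email_alert" not in rule.options


PARENT = Rule(1002, 2, "Unknown problem somewhere in the system.", match="error")
CHILD = Rule(100001, 0, "Ignore nrpe ssl handshake errors", if_sid=1002,
             program_name="nrpe", match="Could not complete SSL handshake",
             options=["no_email_alert"])
RULES = [PARENT, CHILD]

# The line from the sample alert in the thread, plus two constructed lines.
NRPE_LINE = "Apr 16 18:06:16 some_host nrpe[12791]: Error: Could not complete SSL handshake. 5"
SSHD_LINE = "Apr 16 18:07:02 some_host sshd[2222]: error: maximum authentication attempts exceeded"
QUIET_LINE = "Apr 16 18:08:00 some_host cron[1]: (root) CMD (run-parts /etc/cron.hourly)"


def outcome(rules: List[Rule], line: str):
    """(rule id, level, alerts?, emails?) for a line, or None if no rule matched."""
    r = decide(rules, line)
    return None if r is None else (r.id, r.level, would_alert(r), would_email(r))


if __name__ == "__main__":
    for line in (NRPE_LINE, SSHD_LINE, QUIET_LINE):
        print(outcome(RULES, line))
```

Running it shows the NRPE line ending at the level-0 child (no alert, no email), the sshd line still decided by 1002 at level 2, and the cron line matching nothing. Dropping `program_name` from the child, as the poster tried, still yields the same suppression here, which is why the replies point at `ossec-logtest` and the server's `ossec.log` rather than at the rule text itself.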


Re: [ossec-list] RootCheck disabling

2016-04-18 Thread joe . cosgrove
Interesting... that should be the only config that you need to update in 
order to disable the root check. I tried it in my lab and disabled it 
properly as well. 

On Sunday, April 17, 2016 at 4:56:15 AM UTC-4, eyal gershon wrote:
>
> I checked again the logs - 
>
> 2016/04/16 18:37:27 ossec-rootcheck: INFO: Starting rootcheck scan.
> 2016/04/16 18:37:27 ossec-rootcheck: No rootcheck_files file configured.
> 2016/04/16 18:37:27 ossec-rootcheck: No rootcheck_trojans file configured.
> 2016/04/16 18:45:52 ossec-rootcheck: INFO: Ending rootcheck scan.
>
> The log says the check did run,
> Is there another configuration file I might be missing?
>
> On Friday, April 15, 2016 at 3:08:23 PM UTC+3, Pedro S wrote:
>>
>> I have reproduced your configuration on my labs, rootcheck is not 
>> starting again. Could you re-verify that agent.conf file is right on your 
>> agent?
>>
>> On Thursday, April 14, 2016 at 2:38:47 PM UTC+2, eyal gershon wrote:
>>>
>>> 2016/04/14 06:03:17 ossec-rootcheck: INFO: Started (pid: 30101).
>>> 2016/04/14 06:06:05 ossec-rootcheck: INFO: Starting rootcheck scan.
>>> 2016/04/14 06:06:05 ossec-rootcheck: No rootcheck_files file configured.
>>> 2016/04/14 06:06:05 ossec-rootcheck: No rootcheck_trojans file 
>>> configured.
>>> 2016/04/14 06:17:38 ossec-rootcheck: INFO: Ending rootcheck scan.
>>>
>>> The start of the scan is right after the ossec-hids restart from the
>>> original post
>>>
>>> On Thursday, April 14, 2016 at 2:57:36 PM UTC+3, dan (ddpbsd) wrote:

 On Thu, Apr 14, 2016 at 6:27 AM, eyal gershon  
 wrote: 
 > Hey, 
 > 
 > I tried to disabled the rootcheck on one of the servers. 
 > I have added the following line to the agent.conf file - 
 > 
 >  
 > yes 
 >  
 > 
 > and after I am restarting the service I get the following output - 
 > Starting ossec-hids: 2016/04/14 06:16:27 ossec-rootcheck: Rootcheck 
 > disabled. Exiting. 
 > ossec-syscheckd: WARN: Rootcheck module disabled. 
 > 
 > and a few min later I see in the logs that the rootcheck is running 
 again. 
 > any one have an idea why did I miss? 
 > 

 Which log messages are you seeing specifically? 



Re: [ossec-list] Rule 1002 continues to fire after creating local overwriting rule

2016-04-18 Thread Jesus Linares
Your rule seems to work well. Could you paste here the output of logtest?
