Re: [ossec-list] Alert fires, but no email generated?

2016-02-23 Thread Fredrik
Thanks Eero! Yes, this works in my setup :) Tried it to make sure. Sendmail is installed on this particular box, so changed mail into sendmail and fired away :) Best regards, Fredrik On Wednesday, February 24, 2016 at 8:12:41 AM UTC+1, Eero Volotinen wrote: > > is this working on your ossec

Re: [ossec-list] Alert fires, but no email generated?

2016-02-23 Thread Eero Volotinen
Is this working on your ossec server: echo foo | mail youremail@yourdomain -s 'test' Could you give an example of your mail configuration? Eero 2016-02-24 9:00 GMT+02:00 Fredrik : > Thanks Eero! > > Anything specific to look for that could conflict with this particular >

Re: [ossec-list] Alert fires, but no email generated?

2016-02-23 Thread Fredrik
Thanks Eero! Anything specific to look for that could conflict with this particular alert - mail alerts seem to be working fine for other rules? I checked the mail.info for anything obvious, but couldn't see anything suspicious at a first glance... Best regards, Fredrik On Wednesday,

Re: [ossec-list] Alert fires, but no email generated?

2016-02-23 Thread Eero Volotinen
Please check your mail server configuration? 2016-02-24 8:28 GMT+02:00 Fredrik : > Thanks Santiago, please find more details below. > > Best regards, > Fredrik > > Yes, I see the alert written to alerts.log (pulled the alert below out of > the archive from yesterday) and

Re: [ossec-list] Alert fires, but no email generated?

2016-02-23 Thread Fredrik
Thanks Santiago, please find more details below. Best regards, Fredrik Yes, I see the alert written to alerts.log (pulled the alert below out of the archive from yesterday) and email alerts are working for other rules. I also restarted ossec but to no avail. Strange! ossec-alerts-23.log.gz:

Re: [ossec-list] Alert fires, but no email generated?

2016-02-23 Thread Santiago Bassett
Did you say other alerts are triggering emails correctly? Everything looks good to me, but here are some questions that might help troubleshoot the problem. Do you see the alert in alerts.log file? Have you configured other global email settings? What is your email_alerts_level? On Tue, Feb 23,

[ossec-list] Alert fires, but no email generated?

2016-02-23 Thread Fredrik
Hi All, Another question for all you Ossec gurus. I have another rule set up to handle messages in a somewhat strange format (below). I would like this to ultimately trigger an email alert - which is working for other rules. Feb 23 20:18:06 ossec-srv SCEP[26457]: Malware alert:

[ossec-list] Re: Alert message on the subject

2016-02-23 Thread Pedro S
Hi, *I did not test it* but try the following: Open the file /var/ossec/etc/internal_options.conf and modify the line (in your OSSEC Manager): # Maild full subject (0=disabled, 1=enabled) *maild.full_subject=1* It seems like OSSEC has two different kinds of subjects: #define MAIL_SUBJECT

[ossec-list] Re: Alert message on the subject

2016-02-23 Thread Jesus Linares
Hi, I think you can't change the subject. At least, I can't find anything related to that in the documentation. What is your final goal? Regards. Jesus Linares. On Tuesday, February 23, 2016 at 6:01:45

Re: [ossec-list] Re: active-response alerts?

2016-02-23 Thread Jesus Linares
Decoder and rules for active-response are the same in both Wazuh and OSSEC. I meant that rules 601-606 are for a specific sh (check tag *action*), so if you are using a custom sh you will not see the alert. Also, alert 600 is generic (for all active responses) but level is 0. Regards. Jesus

[ossec-list] Alert message on the subject

2016-02-23 Thread Junior Karvalho
How do I add the alert message on the subject? * Subject: OSSEC Notification - Alvin - level Alert 3 -> (ossec server started.)* OSSEC HIDS Notification. 2016 Feb 23 13:35:53 Received From: alvin->ossec-monitord Rule: 502 fired (level 3) -> "Ossec server started." Portion of the log(s):

Re: [ossec-list] rules files as symlinks

2016-02-23 Thread Rui Zhang
It is interesting that symlink works for ossec.conf under etc folder, but doesn't work for client.keys under etc folder for agent type. On Wednesday, February 17, 2016 at 10:13:46 AM UTC-8, Santiago Bassett wrote: > > Yes, if it is inside the jail then that should be ok. Also check that your

Re: [ossec-list] Re: Active response is not working

2016-02-23 Thread Pedro S
Sorry, I misclicked and sent the post. test.sh (+x and root:ossec) #!/bin/sh ACTION=$1 USER=$2 IP=$3 ALERTID=$4 RULEID=$5 LOCAL=`dirname $0`; cd $LOCAL cd ../ PWD=`pwd` # Logging the call echo "`date` $0 $1 $2 $3 $4 $5 $6 $7 $8" >> ${PWD}/../logs/active-responses.log active-response.log

Re: [ossec-list] Re: Active response is not working

2016-02-23 Thread Pedro S
Hi, I have exactly the same files open: ossec-exe 43796root3u unix 0x8801d66cfa80 0t01261890 /var/ossec/queue/alerts/execq ossec-ana 43800 ossec3u unix 0x8801d66cf380 0t01261891 /queue/ossec/queue ossec-ana 43800

Re: [ossec-list] Re: active-response alerts?

2016-02-23 Thread Barry Kaplan
Seems that wazuh already has a decoder and rules for active-response. (Not sure if these are also in ossec proper) https://github.com/wazuh/ossec-rules/blob/master/rules-decoders/ossec/rules/ossec_rules.xml

Re: [ossec-list] Re: Active response is not working

2016-02-23 Thread Василий Романеев
I tried. If I understand correctly, analyticsd sends active responses to execd. Could you please run the command lsof | grep ossec | grep queue to compare with my output? Thank you! root@serv-10244 [~]# lsof | grep ossec | grep queue ossec-exe 2797 root5u unix 0x88000c3ad0c00t0

[ossec-list] Re: Active response is not working

2016-02-23 Thread Pedro S
I have been trying to replicate your situation with either a local or server installation; it is working on both. I made it work by adding the tag into the section like this: testar *server* 6 <*rules_id*>yourRuleID,yourAnotherRuleID Try to specify what rules will trigger

[ossec-list] Re: Active response is not working

2016-02-23 Thread bazz
Now I don't have any whitelist. #ossec.log 2016/02/23 07:18:57 ossec-analysisd: DEBUG: Active response initialized ... 2016/02/23 07:18:57 ossec-analysisd: DEBUG: Active response Init completed. #Test active response: root@serv-10244 [/var/ossec/active-response/bin]# ./testar.sh action user

Re: [ossec-list] Re: active-response alerts?

2016-02-23 Thread dan (ddp)
On Feb 23, 2016 12:42 AM, "Barry Kaplan" wrote: > > So I'm confused then. The server decided to initiate these actions on the client, no? The server rules are what decided those actions. Should the server not log that it took this action, given the elevated level of the rules?

[ossec-list] Re: Active response is not working

2016-02-23 Thread Pedro S
Hi, The daemon in charge of executing active-response scripts is *"ossec-execd",* I think your conf is good*,* active-response should be active and working, try to force some response and check active-response.log. Check ossec.log for entries like: 2016/02/23 03:48:19 ossec-analysisd: INFO:

Re: [ossec-list] Removing agent by deleting line in client.keys?

2016-02-23 Thread Barry Kaplan
Ok, thanks Pedro. I have changed the role to use 'manage_agents -r' and to restart the ossec server. Much nicer.

Re: [ossec-list] Re: active-response alerts?

2016-02-23 Thread Jesus Linares
Hi Barry, if you want to see the rules generated by active response you must watch the active response log (as Dan said): syslog /var/ossec/logs/active-responses.log Now, you will see in archives.log (with option yes) the log received: 2016 Feb 23 10:59:06

[ossec-list] Re: clamav?

2016-02-23 Thread Barry Kaplan
On Tuesday, February 23, 2016 at 3:40:29 PM UTC+5:30, Jesus Linares wrote: > It seems your solution is working, but I give you other possible ways to > write in syslog: > >- freshclam: edit */etc/clamav/freshclam.conf* and set "LogSyslog yes" > > I had thought that freshclam (which is

Re: [ossec-list] Removing agent by deleting line in client.keys?

2016-02-23 Thread Pedro S
Hi Barry, You can run manage_agents with option "-r" and it will remove an agent, so you can create some scripts to automate the process. /var/ossec/bin/manage_agents -r AGENTID OSSEC internally has a hash table of the client.keys table, removing manually from client.keys or using

[ossec-list] Active response is not working

2016-02-23 Thread bazz
Why is active-response not working? I receive the email notification, but the active response has not started. What may have caused the problem? #etc/shared/ar.conf: restart-ossec0 - restart-ossec.sh - 0 restart-ossec0 - restart-ossec.cmd - 0 testar0 - testar.sh - 0 slack0 - slack.py - 0 #alert.log ** Alert

[ossec-list] Re: clamav?

2016-02-23 Thread Jesus Linares
Hi Barry, It seems your solution is working, but I give you other possible ways to write in syslog: - freshclam: edit */etc/clamav/freshclam.conf* and set "LogSyslog yes" - clamscan: clamscan --infected -r $SCAN_DIRECTORY --log=$LOG_FILE --stdout | logger -i -t clamav -

[ossec-list] Re: How to group Syscheck notifications

2016-02-23 Thread bazz
Thank you so much for the great answer! Hi again, > > About getting a list of all modified files, you can execute > syscheck_control binary to get a list of file by agent,day: > > /var/ossec/bin/syscheck_control -i AGENTID > > > So your active-response script can periodically check that command

[ossec-list] Re: clamav?

2016-02-23 Thread Barry Kaplan
Looks like the clamav rules are just fine. Only the clamav daemon writes to syslog. So I added a rsyslog config: $ModLoad imfile $InputFileName {{ clamav_scan_log_file }} $InputFileTag clamd: $InputFileStateFile stat-{{ clamav_scan_log_file }} $InputFileSeverity error $InputFileFacility