[ossec-list] Re: Windows agent - unable to start agent (check config)

2016-03-29 Thread Victor Fernandez
Hi. Have you added the original administrator and your own account to the "Administrators" group? I followed your steps, added my user account to "Administrators", closed and reopened my session, and it did work. Regards.

Re: [ossec-list] Windows agent - unable to start agent (check config)

2016-03-29 Thread Jose Luis Ruiz
Try to add an admin user to this new Administrators group and reinstall OSSEC. --- Jose Luis Ruiz Wazuh Inc. j...@wazuh.com > On Mar 29, 2016, at 4:21 PM, Krzysztof Zaklikiewicz > wrote: > > Hi > > I downloaded from http://ossec.wazuh.com/windows/ > >

Re: [ossec-list] Windows agent - unable to start agent (check config)

2016-03-29 Thread Pedro Sanchez
Did you use the UI (win32ui.exe) to add the key? You need to import the key extracted from the manager. Open it as Administrator, paste the key into "Authentication key" and click the "Save" button. The log is telling us that you didn't add the key, so the file client.keys is not created. On Tue, Mar

Re: [ossec-list] Windows agent - unable to start agent (check config)

2016-03-29 Thread Krzysztof Zaklikiewicz
Hi, I downloaded from http://ossec.wazuh.com/windows/. In addition, I had to manually add the IP address of the server (192.168.17.14) to ossec.conf. Logs from ossec.log:
2016/03/29 21:36:22 ossec-agent: INFO: Service does not exist (OssecSvc) nothing to remove.
2016/03/29 21:36:22 ossec-agent:

Re: [ossec-list] Windows agent - unable to start agent (check config)

2016-03-29 Thread Jose Luis Ruiz
Hi Krzysztof, are you compiling your own Windows agent from source, or are you downloading it from a website? Jose Luis Ruiz Wazuh Inc. j...@wazuh.com > On Mar 29, 2016, at 4:03 PM, Krzysztof Zaklikiewicz > wrote: > > Hello > > I can't start

[ossec-list] Windows agent - unable to start agent (check config)

2016-03-29 Thread Krzysztof Zaklikiewicz
Hello, I can't start the OSSEC agent for Windows 7 Pro. The agent displays the error "unable to start agent (check config)". My Windows is Polish; I added the group Administrators and nothing changed. Please help. Best regards, Krzysztof Zaklikiewicz

Re: [ossec-list] How to ignore log ?

2016-03-29 Thread dan (ddp)
On Tue, Mar 29, 2016 at 11:29 AM, sandeep dubey wrote: > Hi, > > I am getting this alert form all the hosts - > > Mar 29 13:30:02 cmcloud kernel: [885866.238608] type=1400 > audit(1459258202.301:67688): apparmor="DENIED" operation="ptrace" > profile="docker-default"

[ossec-list] Re: id "|" or "," ??

2016-03-29 Thread Pedro S
I think it is hard to simulate correlation in OSSEC; it has some tools, as you said, like frequency, timeframe, if_matched_sid, if_matched_group... I think the best and simplest approach is to create two rules matching the IDs, but as far as I know it won't work as you desired. For example:

[ossec-list] Re: Filter Windows Event Log at client

2016-03-29 Thread Duẩn Phạm
I used *or* and it worked. Thanks very much! On Tuesday, 29 March 2016 at 17:57:11 UTC+7, Jesus Linares wrote: > > Hi, > > try with *and*/*or*: > > > Security > eventchannel > Event/System[EventID=5140 and EventID=5144] > > > Regards, > Jesus Linares. > > On Monday, March 28,

[ossec-list] Re: id "|" or "," ??

2016-03-29 Thread Rob B
Thank you for taking the time to answer with examples, Pedro! One last related question, if you don't mind? I am trying to wrap my head around a rule firing off after a simple bit of correlation. Is it possible? I know this is the job of the SIEM, but I am trying to get the SIEM to only

[ossec-list] Re: id "|" or "," ??

2016-03-29 Thread Pedro S
If you need to filter for one specific ID you need to use the *pipe |* option; I don't think you can use "," inside the *id* tags to concatenate anything. The "," character will be treated as a string character, not a regex one, so it will try to match *"IDNumber,"*. As you know, one example of
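An added example rule set (not from the thread and not the OSSEC project's own rules) that puts together the two points raised in this thread: the pipe as OR inside the id tags, and the frequency/timeframe correlation asked about earlier. It assumes the rules live in rules/local_rules.xml, that local rule IDs 100200 and 100201 are free, that the stock rule 18100 is the parent grouping Windows events, and that the decoder fills the srcip field for these events (drop same_source_ip if it does not):

```xml
<!-- Added example, not from the thread. Assumed file: rules/local_rules.xml.
     Rule IDs 100200/100201 and parent rule 18100 are assumptions. -->
<group name="local,windows,">

  <!-- Inside <id> the pipe is OR: this matches event ID 5140 or 5144.
       "5140,5144" would be matched literally and never fire.
       ^ and $ anchor the match; a bare 5140 would also match 15140. -->
  <rule id="100200" level="5">
    <if_sid>18100</if_sid>
    <id>^5140$|^5144$</id>
    <description>Windows: network share accessed (5140) or deleted (5144).</description>
  </rule>

  <!-- Simple correlation: ten hits of rule 100200 from the same source IP
       within 120 seconds raise one escalated alert. The frequency and
       timeframe attributes plus if_matched_sid are the whole mechanism;
       same_source_ip assumes srcip was decoded from the event. -->
  <rule id="100201" level="10" frequency="10" timeframe="120">
    <if_matched_sid>100200</if_matched_sid>
    <same_source_ip />
    <description>Windows: repeated share access from the same host.</description>
  </rule>

</group>
```

Feed a sample event line to /var/ossec/bin/ossec-logtest on the manager to confirm that the decoded id field is what the regex sees and that 100200 fires before relying on 100201.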

[ossec-list] Re: Filter Windows Event Log at client

2016-03-29 Thread Jesus Linares
Hi, try with *and*/*or*: Security eventchannel Event/System[EventID=5140 and EventID=5144] Regards, Jesus Linares. On Monday, March 28, 2016 at 10:58:57 AM UTC+2, Duẩn Phạm wrote: > > Hi, > > I have installed the new version of OSSEC v2.8.3. I have a windows ossec > client. I would
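As an added example (not from the thread and not OSSEC's own configuration), the complete localfile entry in the Windows agent's ossec.conf that the answer above sketches, written with *or* because a single event carries exactly one EventID; it assumes OSSEC 2.8.x on Windows Vista or later, where the eventchannel log format and its XPath query are available:

```xml
<!-- Added example, not from the thread. Assumes OSSEC 2.8.x on Windows Vista+;
     the older "eventlog" format has no <query> and cannot filter at the agent. -->
<ossec_config>
  <localfile>
    <location>Security</location>
    <log_format>eventchannel</log_format>
    <!-- XPath over the event's System node.
         5140 = network share object accessed, 5144 = network share object deleted.
         Use "or": an event has one EventID, so
         "EventID=5140 and EventID=5144" can never match. -->
    <query>Event/System[EventID=5140 or EventID=5144]</query>
  </localfile>
</ossec_config>
```

The query is applied when the agent subscribes to the channel, so events outside it are never read or sent to the manager; that is the point of filtering at the client instead of dropping the events with rules on the manager.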

[ossec-list] Re: Decoding long messages - multiple regex statements

2016-03-29 Thread Jesus Linares
Hi, first, I would use the same format for both messages. Two options:
- Change the log format in each device.
- Choose one:
  - 1Mar2016 15:17:09 redirect st4600fw01n1
  - Jan 27 09:41:01 127.0.0.1 Jan 27 9:32:28 st4600fw01n1
- This part could be your parent decoder
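An added example (not from the thread) of the parent/child decoder split the reply suggests. It assumes the firewall keeps the hostname st4600fw01n1 in both timestamp styles, so the parent can key on it regardless of which header precedes it; the key=value body after the hostname, the decoder names and the file etc/local_decoder.xml are constructed for illustration:

```xml
<!-- Added example, not from the thread. Assumed file: etc/local_decoder.xml.
     Constructed sample lines this is meant to decode:
       1Mar2016 15:17:09 redirect st4600fw01n1 src=10.0.0.5 dst=192.0.2.10 action=drop
       Jan 27 09:41:01 127.0.0.1 Jan 27 9:32:28 st4600fw01n1 src=10.0.0.5 dst=192.0.2.10 action=drop
     The body after the hostname is invented; adapt the regex to the real one. -->

<!-- Parent: prematch is unanchored, so it finds the hostname whether or not
     OSSEC stripped a syslog header from the front of the line. -->
<decoder name="st4600fw">
  <prematch>st4600fw01n1 </prematch>
</decoder>

<!-- Child: starts matching right after the parent's prematch, so the two
     different timestamps never reach this regex. \S+ is "anything but a
     space" in OS_Regex; the capture groups are named in <order>. -->
<decoder name="st4600fw-conn">
  <parent>st4600fw</parent>
  <regex offset="after_prematch">src=(\S+) dst=(\S+) action=(\w+)</regex>
  <order>srcip, dstip, action</order>
</decoder>
```

Paste each sample line into /var/ossec/bin/ossec-logtest: both should report the parent decoder st4600fw and the same srcip, dstip and action fields, which is the property that lets one rule set cover both formats.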

[ossec-list] Re: How to research "Host-based anomaly detection event (rootcheck)."

2016-03-29 Thread Jesus Linares
Hi, that alert is related to a *kernel-level check* (anomaly detection checks, not *rootkit_files.txt* or *rootkit_trojans.txt*). You can see more details in the code: src/rootcheck/check_rc_pids.c. Line 256: "Check if the pid is a thread (not showing in /proc". The code inspects all process

Re: [ossec-list] OSSEC Rule Creation Help

2016-03-29 Thread Jesus Linares
Hi, the regex for the field *same_source_ip* could be *\w+*. But I'm not sure if the field *same_source_ip* is OS_Regex or OS_Match. Check out the documentation: http://ossec-docs.readthedocs.org/en/latest/syntax/regex.html If you need help to create specific rules, it would be very useful to