[ossec-list] eventchannel decoder testing

2016-07-28 Thread Craig
I am currently running 2.9RC2 on both client and server: What is the best way to go about testing an eventchannel log? I have the following set in my local ossec.conf on my windows agent: Microsoft-Windows-Sysmon/Operational eventchannel I am using the default sysmon decoder

[ossec-list] Re: can we re-use agentID's

2016-07-28 Thread Victor Fernandez
Hi Chanti. By default, OSSEC doesn't allow adding an agent with a removed agent's ID. When OSSEC adds a new agent, the information about it is written to /var/ossec/etc/client.keys. When you remove an agent, the corresponding line isn't removed but "tainted" with a "!" symbol. If you want to

[ossec-list] Re: ERROR: Unable to send file 'merged.mg' to agent.

2016-07-28 Thread Victor Fernandez
Hi Graeme. According to the log, I think the problem occurs when the manager tries to send the merged.mg to an agent that has not sent the keep-alive in the last 20 minutes. This may happen if a lot of agents get connected, or send the keep-alive at the same time. So, if many agents send a

[ossec-list] can we re-use agentID's

2016-07-28 Thread Chanti Naani
Hi, We have a pretty decent implementation of OSSEC with max clients set to 3000. So far we have generated close to 2900 client keys within the past year. But at the same time, a lot of people moved out and almost 500 endpoints are not in use. If we delete those 500 endpoints

[ossec-list] syscheckd caught in infinite loop

2016-07-28 Thread JDS
We discovered that ossec-syscheckd is freaking out on one single node, in a particular way. I'm looking for advice on how to troubleshoot this. I found ossec-syscheckd was consuming 99 to 100% CPU on the box. I purged the ossec-hids-agent package, and its configuration, and its registration

[ossec-list] ERROR: Unable to send file 'merged.mg' to agent.

2016-07-28 Thread Graeme Stewart
Seeing a lot of errors in the logfiles like this: 2016/07/28 16:41:48 ossec-remoted: ERROR: Unable to send file 'merged.mg' to agent. 2016/07/28 16:41:50 ossec-remoted(1217): ERROR: Error creating encrypted message. 2016/07/28 16:41:50 ossec-remoted: ERROR: Unable to send file 'merged.mg' to

Re: [ossec-list] FIM For Database Security?

2016-07-28 Thread dan (ddp)
On Thu, Jul 28, 2016 at 11:35 AM, skad wrote: > Hello, > > Is it possible to use ossec to audit databases for changes to schemas, > critical tables (with phi/pci/pii data), security configs etc., > If its possible and if anyone has done that, could you please share >

Re: [ossec-list] Not getting Active Response to work - reducing number of messages with integrity sum changes upon package update

2016-07-28 Thread dan (ddp)
On Thu, Jul 28, 2016 at 11:25 AM, Dominik wrote: > Dear all > somehow I'm missing something fundamental on Active Response - it just does > not work for me. > > I'm working on an Ubuntu ossec server V2.8.3 > > I want to run an active response on rule 2902. So I changed the >

[ossec-list] FIM For Database Security?

2016-07-28 Thread skad
Hello, Is it possible to use ossec to audit databases for changes to schemas, critical tables (with phi/pci/pii data), security configs etc.? If it's possible and if anyone has done that, could you please share your experiences? Thank You, Skad

[ossec-list] Not getting Active Response to work - reducing number of messages with integrity sum changes upon package update

2016-07-28 Thread Dominik
Dear all, somehow I'm missing something fundamental on Active Response - it just does not work for me. I'm working on an Ubuntu ossec server V2.8.3. I want to run an active response on rule 2902. So I changed the configuration the following way: purge-integrity purge-integrity.sh

Re: [ossec-list] Syscheck Report_Change

2016-07-28 Thread EvilZ
Hi Rocio, thank you for the link, I will definitely work on it and give you feedback. Thank you =) On Wednesday, July 27, 2016 at 5:14:48 PM UTC-4, Rocio Romero wrote: > > Hi EvilZ, > > I think this link can be useful for you :) >