I am currently running 2.9RC2 on both client and server:
What is the best way to go about testing an eventchannel log? I have the
following set in my local ossec.conf on my windows agent:
Microsoft-Windows-Sysmon/Operational
eventchannel
I am using the default sysmon decoder
Hi Chanti.
By default, OSSEC doesn't allow adding an agent with a removed agent's ID.
When OSSEC adds a new agent, the information about it is written at
/var/ossec/etc/client.keys. When you remove an agent, the corresponding
line isn't removed but "tainted" with a "!" symbol.
If you want to
Hi Graeme.
According to the log, I think the problem occurs when the manager tries to
send the merged.mg to an agent that has not sent the keep-alive in the last
20 minutes. This may happen if a lot of agents get connected, or send the
keep-alive at the same time.
So, if many agents send a
Hi,
We have a pretty decent implementation of OSSEC with max clients set to
3000.
So far we have generated close to 2900 client keys within the past
year.
But at the same time, a lot of people moved out and almost 500 endpoints
are not in use.
If we delete those 500 endpoints
We discovered that ossec-syscheckd is freaking out on one single node, in a
particular way. I'm looking for advice on how to troubleshoot this.
I found ossec-syscheckd was consuming 99 to 100% CPU on the box.
I purged the ossec-hids-agent package, and its configuration, and its
registration
Seeing a lot of errors in the logfiles like this:
2016/07/28 16:41:48 ossec-remoted: ERROR: Unable to send file 'merged.mg'
to agent.
2016/07/28 16:41:50 ossec-remoted(1217): ERROR: Error creating encrypted
message.
2016/07/28 16:41:50 ossec-remoted: ERROR: Unable to send file 'merged.mg'
to
On Thu, Jul 28, 2016 at 11:35 AM, skad wrote:
> Hello,
>
> Is it possible to use ossec to audit databases for changes to schemas,
> critical tables (with phi/pci/pii data), security configs etc.,
> If it's possible and if anyone has done that, could you please share
>
On Thu, Jul 28, 2016 at 11:25 AM, Dominik wrote:
> Dear all
> somehow I'm missing something fundamental on Active Response - it just does
> not work for me.
>
> I'm working on an ubuntu ossec server V2.8.3
>
> I want to run an active response on rule 2902. So I changed the
>
Hello,
Is it possible to use OSSEC to audit databases for changes to schemas,
critical tables (with PHI/PCI/PII data), security configs etc.?
If it's possible and if anyone has done that, could you please share
your experiences?
Thank You,
Skad
Dear all
Somehow I'm missing something fundamental on Active Response - it just does
not work for me.
I'm working on an Ubuntu OSSEC server V2.8.3.
I want to run an active response on rule 2902. So I changed the
configuration the following way:
purge-integrity
purge-integrity.sh
Hi Rocio,
Thank you for the link, I will definitely work on it and give you feedback.
Thank you =)
On Wednesday, July 27, 2016 at 5:14:48 PM UTC-4, Rocio Romero wrote:
>
> Hi EvilZ,
>
> I think this link can be useful for you :)
>
>
>