RE: [ossec-list] eventchannel decoder testing

2016-08-03 Thread lostinthetubez
Response inline > -Original Message- > From: ossec-list@googlegroups.com [mailto:ossec-list@googlegroups.com] > On Behalf Of dan (ddp) > Sent: Wednesday, August 3, 2016 5:52 AM > To: ossec-list@googlegroups.com > Subject: Re: [ossec-list] eventchannel decoder testing > > On Tue, Aug 2,

[ossec-list] Re: Agents not connecting, traffic visible in tcpdump

2016-08-03 Thread Cal
Pedro, Awesome! Your method worked flawlessly. Thanks! Cal On Tuesday, August 2, 2016 at 8:51:59 PM UTC-4, Pedro S wrote: > > Hi Cal, > > > Try disabling counters. They lose synchronisation, especially when agents > are reinstalled. > Edit /var/ossec/etc/internal_options.conf and set >

Re: [ossec-list] Filter out dynamic dns hostnames

2016-08-03 Thread Herman Harperink
I know that, but maybe somebody knows a way around that. That's why I ask. There is always a way, and I will find it :-) Thanks. On Wed, Aug 3, 2016 at 4:16 PM, dan (ddp) wrote: > On Wed, Aug 3, 2016 at 9:07 AM, Herman Harperink > wrote: > > Hi Dan,

[ossec-list] Re: ERROR: Unable to send file 'merged.mg' to agent.

2016-08-03 Thread Kat
One thing to also check is permissions and ownership on "merged.mg" - many times I see it get mucked up and OSSEC can't read it. I have found that if I delete it, then restart OSSEC it will be re-created and it no longer has issues sending the file after that. (Not sure WHY it happens though)

[ossec-list] Re: can we re-use agentID's

2016-08-03 Thread Kat
Hmm -- I re-use IDs all the time. Did it when I had 30,000+ agents, and now with only 10,000. You just have to delete the key (I don't like that they are commented out) and make sure you remove the rids agent files in /var/ossec/queue/ossec/rids - find the number of the agent you removed and

[ossec-list] Re: Unable to start agent (check config)

2016-08-03 Thread Семён С
My user is an administrator. On his behalf, I ran the executable file

Re: [ossec-list] eventchannel decoder testing

2016-08-03 Thread Jesus Linares
Hi Craig, did you try to use the new decoders? I think it could work. Steps: - Create a backup of your decoder.xml - Replace "windows decoder" copying from line 174 to 417 of this file