Response inline
> -Original Message-
> From: ossec-list@googlegroups.com [mailto:ossec-list@googlegroups.com]
> On Behalf Of dan (ddp)
> Sent: Wednesday, August 3, 2016 5:52 AM
> To: ossec-list@googlegroups.com
> Subject: Re: [ossec-list] eventchannel decoder testing
>
> On Tue, Aug 2,
Pedro,
Awesome! Your method worked flawlessly. Thanks!
Cal
On Tuesday, August 2, 2016 at 8:51:59 PM UTC-4, Pedro S wrote:
>
> Hi Cal,
>
>
> Try disabling counters. They lose synchronisation, especially when agents
> are reinstalled.
> Edit /var/ossec/etc/internal_options.conf and set
>
I know that, but maybe somebody knows a way around that. That's why I
ask. There is always a way, and I will find it :-)
Thanks.
On Wed, Aug 3, 2016 at 4:16 PM, dan (ddp) wrote:
> On Wed, Aug 3, 2016 at 9:07 AM, Herman Harperink
> wrote:
> > Hi Dan,
One thing to also check is permissions and ownership on "merged.mg" - many
times I see it get mucked up and OSSEC can't read it. I have found that if
I delete it, then restart OSSEC it will be re-created and it no longer has
issues sending the file after that. (Not sure WHY it happens though)
Hmm -- I re-use IDs all the time. Did it when I had 30,000+ agents, and now
with only 10,000. You just have to delete the key (I don't like that they
are commented out) and make sure you remove the rids agent files in
/var/ossec/queue/ossec/rids - find the number of the agent you removed and
my user is an administrator. On his behalf, I ran the executable file
Hi Craig,
Did you try to use the new decoders? I think it could work.
Steps:
- Create a backup of your decoder.xml
- Replace "windows decoder" copying from line 174 to 417 of this file