[ossec-list] OSSEC fails to start after install from RPM on RHEL7

2017-04-06 Thread Felix Martel
Hello, Not finding any useful information regarding my problems anywhere. I'm new to OSSEC HIDS. I played around a little bit with an appliance version, but now want to install it on a DevOps host. I just did a fresh install of OSSEC HIDS from the atomicorp repo. Install seemed to go

Re: [ossec-list] When doing rootchecks, OSSEC does not get the full information for the log

2017-04-06 Thread Jake B.
I see, I'll try same_location then as I believe that should serve my purpose as well. Thanks! On Thursday, April 6, 2017 at 10:49:16 AM UTC-7, dan (ddpbsd) wrote: > > On Thu, Apr 6, 2017 at 1:46 PM, dan (ddp) > wrote: > > On Thu, Apr 6, 2017 at 1:29 PM, Jake B.

Re: [ossec-list] When doing rootchecks, OSSEC does not get the full information for the log

2017-04-06 Thread dan (ddp)
On Thu, Apr 6, 2017 at 1:46 PM, dan (ddp) wrote: > On Thu, Apr 6, 2017 at 1:29 PM, Jake B. wrote: >> Ok I'll do that. Also, not sure if you know but thought I'd ask anyway...Is >> there any way to use the agent's name in a rule or decoder? I have my agents

Re: [ossec-list] When doing rootchecks, OSSEC does not get the full information for the log

2017-04-06 Thread dan (ddp)
On Thu, Apr 6, 2017 at 1:29 PM, Jake B. wrote: > Ok I'll do that. Also, not sure if you know but thought I'd ask anyway...Is > there any way to use the agent's name in a rule or decoder? I have my agents > named after the hostname so I was thinking that could potentially be

Re: [ossec-list] Re: Rule 510 is triggering events but logtest is not showing any rules that should be triggered

2017-04-06 Thread dan (ddp)
On Thu, Apr 6, 2017 at 1:28 PM, Rob Williams wrote: > Hi, > > I tried to do this, but I'm getting: > > ERROR: Parent decoder name invalid: 'rootcheck' > ERROR: Error adding decoder plugin > > I don't see the rootcheck decoder within decoder.xml as well, any ideas? > It

Re: [ossec-list] When doing rootchecks, OSSEC does not get the full information for the log

2017-04-06 Thread Jake B.
Ok I'll do that. Also, not sure if you know but thought I'd ask anyway...Is there any way to use the agent's name in a rule or decoder? I have my agents named after the hostname so I was thinking that could potentially be another option. Don't see anything about it in the documentation however.

[ossec-list] Re: Rule 510 is triggering events but logtest is not showing any rules that should be triggered

2017-04-06 Thread Rob Williams
Hi, I tried to do this, but I'm getting: ERROR: Parent decoder name invalid: 'rootcheck' ERROR: Error adding decoder plugin I don't see the rootcheck decoder within decoder.xml as well, any ideas? Thanks again for the help! On Wednesday, April 5, 2017 at 12:26:31 PM UTC-7, Rob Williams wrote:

Re: [ossec-list] When doing rootchecks, OSSEC does not get the full information for the log

2017-04-06 Thread dan (ddp)
On Wed, Apr 5, 2017 at 11:13 AM, Jake B. wrote: > I'm not sure if this is a problem with the OSSEC configuration or the host > itself, but there are some events where the logs or full message only have > some of the information I need. For example, this will be the full

Re: [ossec-list] Redundancy manager (backup)

2017-04-06 Thread dan (ddp)
On Wed, Apr 5, 2017 at 11:32 AM, Martin wrote: > Hello Victor, > > I tried to run a second manager and I've the same file > /var/ossec/etc/client.keys on it and on the first manager. I've copied the > local_rules, ossec.conf, local_decoder as well. > > And I've specified on

[ossec-list] Re: OSSEC Rule to alert on the first event, but ignore the rest for a 5 minute period.

2017-04-06 Thread Jake B.
Hi Jesus, Thanks for the reply. Would this also alert on the first instance of this? I still do want to alert, but I want to avoid the spam that comes with it as it typically happens in large batches with little to no difference in meaning between the different events. Thanks! On Thursday,

Re: [ossec-list] Rule 510 is triggering events but logtest is not showing any rules that should be triggered

2017-04-06 Thread dan (ddp)
On Wed, Apr 5, 2017 at 4:45 PM, Rob Williams wrote: > I stopped them all (which appeared to work fine) and start again. Here is > the rule and decoder I made for this (I want to alert only once if the same > ID (filepath) has alerted in the past minute): > > > > 510

Re: [ossec-list] Rule 510 is triggering events but logtest is not showing any rules that should be triggered

2017-04-06 Thread Jesus Linares
Hi, check this out: https://groups.google.com/forum/#!topic/ossec-list/USAF6jF8yk8 Regards. On Wednesday, April 5, 2017 at 10:45:52 PM UTC+2, Rob Williams wrote: > > I stopped them all (which appeared to work fine) and start again. Here is > the rule and decoder I made for this (I want to

[ossec-list] Re: OSSEC Rule to alert on the first event, but ignore the rest for a 5 minute period.

2017-04-06 Thread Jesus Linares
Hi Jake, take a look at rule 511 . It is the way to ignore an event coming from rule 510. You could do the same with a composite rule, it would be something like: 510
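The two patterns Jesus points at (the rule-511 style child rule that silences a known rootcheck finding, and a composite rule keyed on rule 510) are shown below as an added illustration; this is not code from the thread or from the OSSEC project. It assumes stock rule 510 (the rootcheck anomaly event) is unchanged, that the fragment is placed in local_rules.xml, and it uses placeholder rule ids 100510/100511 and a placeholder <match> path. Note from Rob's posts above that 'rootcheck' is not accepted as a parent decoder, so the matching here is done on the decoded message via rule chaining rather than with a custom decoder.

```xml
<!-- Added illustration, not from the ossec-list thread.
     Placeholders: rule ids 100510/100511 and the <match> path. -->
<group name="local,rootcheck,">

  <!-- Pattern 1: the rule-511 approach. A level-0 child of rule 510
       drops rootcheck events whose message matches a known false
       positive; everything else still reaches 510 and alerts. -->
  <rule id="100511" level="0">
    <if_sid>510</if_sid>
    <match>/opt/example/known-good-file</match>
    <description>Ignoring a known rootcheck false positive (placeholder match).</description>
  </rule>

  <!-- Pattern 2: a composite rule keyed on rule 510. It fires only once
       510 has matched the configured frequency within the timeframe,
       from the same location (agent), so a burst of identical rootcheck
       findings yields one summary alert. It does not suppress the
       individual 510 alerts themselves. -->
  <rule id="100510" level="7" frequency="5" timeframe="300">
    <if_matched_sid>510</if_matched_sid>
    <same_location />
    <description>Repeated rootcheck findings from the same agent within 5 minutes.</description>
  </rule>

</group>
```

Neither pattern alone gives "alert once, then stay quiet for five minutes": pattern 1 silences a specific finding permanently, and pattern 2 adds a summary alert on top of the per-event ones. For the alert-once behaviour, the OSSEC rules syntax documentation also lists a per-rule ignore time (an attribute on <rule>, applied for a number of seconds after the rule fires); check the exact spelling and semantics against your installed version and confirm the result with /var/ossec/bin/ossec-logtest before restarting the manager.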