Re: [ossec-list] Re: Rule 510 is triggering events but logtest is not showing any rules that should be triggered

2017-05-23 Thread Gert Verhoog
I think I'm just really confused as to what "regex" and "match" are actually matching against. Given the following log event: 2017 May 24 12:38:16 (ci-runner__development_12.34.56.78) any->rootcheck File

Re: [ossec-list] Re: Rule 510 is triggering events but logtest is not showing any rules that should be triggered

2017-05-23 Thread Gert Verhoog
Unfortunately, it's still not working, and I'm not sure what else I can try... This is what I'm doing: The log entries that I want to ignore all look like this (from archives.log): 2017 May 24 12:38:16 (ci-runner__development_12.34.56.78) any->rootcheck File

[ossec-list] Disable the ossec-agent for OS updates.

2017-05-23 Thread andrii . pravdyvyi
I am going to update my Linux servers and I tried to disable the ossec-agent for this time. I used the following workarounds: 1. stop agent on a host 2. run /var/ossec/bin/syscheck_control -u AGENT_ID 3. update 4. up agent But after starting the agent I got lots of "new files in the server" triggers

Re: [ossec-list] OSSEC slack alerts for agents v2.9.0

2017-05-23 Thread Jesus Linares
I see your point.. I thought you were talking about the *integratord*. I never tried it using AR, but in your active-response configuration I see: > local It means that OSSEC is going to execute the script in the agent that generated the event. So, you must configure your slack script in
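As an added example (not code from the thread or from the OSSEC project), here are the two active-response placements Jesus is contrasting, in ossec.conf syntax. ossec-slack.sh is the script Fredrik names; the command name, the level threshold and the fact that both blocks refer to the same script are assumptions for illustration.

```xml
<!-- Added example, not from the thread. Goes inside <ossec_config> on the manager.
     Command definition for the ossec-slack.sh script; name and level are assumed. -->
<command>
  <name>ossec-slack</name>
  <executable>ossec-slack.sh</executable>
  <expect></expect>
  <timeout_allowed>no</timeout_allowed>
</command>

<!-- As configured in the thread: "local" runs the script on the agent that
     generated the event. Every agent would need its own copy of ossec-slack.sh
     (with the Slack hook URL and outbound HTTPS access); alerts from agents
     that lack it never reach Slack, while manager-local alerts still do. -->
<active-response>
  <command>ossec-slack</command>
  <location>local</location>
  <level>10</level>
</active-response>

<!-- Alternative: "server" runs the script on the manager for events from any
     agent, so one copy of the script and one hook URL cover the whole fleet. -->
<active-response>
  <command>ossec-slack</command>
  <location>server</location>
  <level>10</level>
</active-response>
```

Use one of the two active-response blocks, not both, and restart the manager after editing ossec.conf. The `local`/`server` value is the whole difference: with `local`, the manager only forwards the response to the originating agent, which is why only host-specific alerts show up when the script lives on the manager alone.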

Re: [ossec-list] OSSEC slack alerts for agents v2.9.0

2017-05-23 Thread Fredrik Hilmersson
Hello again Jesus, As I did state, so we're not misunderstanding each other, I do not run the wazuh forked version, but the 2.9.0 OSSEC version. These are the configuration settings I've got: ossec-slack.sh SLACKUSER="ossec" CHANNEL="#channel" SITE="https://hooks.slack.com/services/...;

Re: [ossec-list] OSSEC slack alerts for agents v2.9.0

2017-05-23 Thread Jesus Linares
Hi Fredrik, this is the flow: - The integrator reads the alerts from alerts*.log filtering by *rule_id*, *level*, *group* or *event_location*. - It executes the script using the arguments *hook_url* and *api_key*. - The slack script sends the alert to slack. Clarification: The host
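As an added example (not from the thread), here is what the integrator flow Jesus describes looks like as an ossec.conf `<integration>` block. This is the integratord of the Wazuh fork, which Fredrik notes he is not running, so it does not apply to stock OSSEC 2.9.0. The filter values and the hook URL placeholder are assumptions.

```xml
<!-- Added example, not from the thread. Read by the integrator (integratord),
     which filters alerts by level / rule_id / group / event_location and runs
     the named script with hook_url (and api_key, unused for slack). -->
<ossec_config>
  <integration>
    <name>slack</name>
    <!-- placeholder, not a real hook -->
    <hook_url>https://hooks.slack.com/services/REPLACE_ME</hook_url>
    <!-- only alerts at or above this level are forwarded (assumed threshold) -->
    <level>10</level>
    <!-- optional extra filter, assumed: only rootcheck alerts -->
    <group>rootcheck</group>
    <alert_format>json</alert_format>
  </integration>
</ossec_config>
```

Because the integrator reads the manager's alert log rather than executing on the agent that raised the event, agent alerts and manager-local alerts are treated alike; that is the practical difference from an active-response script with `<location>local</location>`.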

Re: [ossec-list] OSSEC slack alerts for agents v2.9.0

2017-05-23 Thread Fredrik Hilmersson
Clarification: The host specific alerts are sent to slack but the agent alerts are being ignored. -- --- You received this message because you are subscribed to the Google Groups "ossec-list" group. To unsubscribe from this group and stop receiving emails from it, send an email to

Re: [ossec-list] OSSEC slack alerts for agents v2.9.0

2017-05-23 Thread Fredrik Hilmersson
Hello and thanks Jesus, I've read the documentation, however I do not use the forked wazuh version of OSSEC so I'm not sure that the integrator applies? What I want to clarify regarding my issue, so I do not misunderstand the approach. The OSSEC server (host) is the one responsible for sending

Re: [ossec-list] Re: problems registering agents

2017-05-23 Thread Topper Bowers
Thank you! This is a huge help. The upgrade to 2.0 locally was painless *and* fixed my authd issues. Now to production. On Mon, May 22, 2017 at 7:19 PM, Jesus Linares wrote: > Hi, > > it is a known issue in that version (1.1.1). It is related to the > algorithm that assigns