Re: [ossec-list] What is the best method to augment an existing decoder?

2017-07-06 Thread dan (ddp)
On Thu, Jul 6, 2017 at 9:52 PM, Ian Brown wrote:
> Dan,
>
> Apparently it isn't compatible:
>
> ../bin/ossec-logtest -v
> 2017/07/07 01:50:33 ossec-analysisd: Invalid element 'accumulate' for
> decoder 'decoder'
> 2017/07/07 01:50:33 ossec-testrule(1202): ERROR: Configuration

Re: [ossec-list] What is the best method to augment an existing decoder?

2017-07-06 Thread Ian Brown
Dan,

Apparently it isn't compatible:

../bin/ossec-logtest -v
2017/07/07 01:50:33 ossec-analysisd: Invalid element 'accumulate' for decoder 'decoder'
2017/07/07 01:50:33 ossec-testrule(1202): ERROR: Configuration error at '/etc/decoder.xml'. Exiting.

On 7/6/2017 6:48 PM, dan (ddp) wrote:

Re: [ossec-list] What is the best method to augment an existing decoder?

2017-07-06 Thread dan (ddp)
On Thu, Jul 6, 2017 at 9:08 PM, Ian Brown wrote:
> Dan,
>
> It's what comes in SecurityOnion's latest iso (securityonion-14.04.5.2.iso).
>
> ./ossec-logtest -V
>
> OSSEC HIDS v2.8 - Trend Micro Inc.
>
> This program is free software; you can redistribute it and/or modify
> it

Re: [ossec-list] Re: I'm unclear why my rule is not matching...

2017-07-06 Thread dan (ddp)
On Wed, Jul 5, 2017 at 10:41 PM, Ian Brown wrote:
> Dan,
>
> All my regex experience comes from Perl. It's clear this regex does things
> a bit differently than how I expected. In Perl \.+ means only match 1 or
> more periods.
>
> Another difference I've discovered is that
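The difference Ian ran into is that OSSEC decoders use their own os_regex syntax, not Perl/PCRE. The following is an added example (my own code, not OSSEC's matching engine and not anything posted in the thread): a small translator from the documented os_regex character classes into Python `re` syntax, so the same pattern can be read both ways side by side, plus a decoder-style regex that pulls source and destination IPs out of a constructed Windows-style log line. The sample line, the `decode_ips`/`compare_dot_plus` helper names and the IP regex are all assumptions made for the illustration; `ossec-logtest` remains the authoritative check for a real decoder.

```python
"""OSSEC os_regex vs. Perl/PCRE: a translator, added as an illustration.

In OSSEC decoder syntax '\\.' means "any character", a bare '.' is a literal
period, and '\\w' also covers '@', '_' and '-'.  This maps the documented
classes and modifiers onto Python's `re` so a pattern can be tried quickly;
it does not reproduce OSSEC's own engine, so confirm with ossec-logtest.
"""
import re

# OSSEC class escapes and their PCRE equivalents (from the os_regex docs).
OSSEC_CLASSES = {
    "w": r"[A-Za-z0-9@_\-]",
    "d": r"[0-9]",
    "s": r" ",
    "t": r"\t",
    "p": r"""[()*+,\-.:;<=>?\[\]!"'#$%&|{}]""",
    "W": r"[^A-Za-z0-9@_\-]",
    "D": r"[^0-9]",
    "S": r"[^ ]",
    ".": r".",          # OSSEC '\.' is "anything"
}
# Characters that keep their regex meaning when unescaped in OSSEC syntax.
OSSEC_SPECIALS = set("^$|+*?()")


def ossec_to_python(pattern: str) -> str:
    """Translate an OSSEC os_regex pattern into Python `re` syntax."""
    out = []
    i = 0
    while i < len(pattern):
        ch = pattern[i]
        if ch == "\\" and i + 1 < len(pattern):
            nxt = pattern[i + 1]
            if nxt in OSSEC_CLASSES:
                out.append(OSSEC_CLASSES[nxt])
            else:
                out.append(re.escape(nxt))   # '\(' , '\|', '\\' are literals
            i += 2
            continue
        if ch in OSSEC_SPECIALS:
            out.append(ch)
        else:
            out.append(re.escape(ch))        # a bare '.' is a literal period
        i += 1
    return "".join(out)


def ossec_search(pattern: str, text: str):
    """Run an OSSEC-style regex: captured groups, True (no groups) or None."""
    m = re.search(ossec_to_python(pattern), text)
    if m is None:
        return None
    return m.groups() if m.groups() else True


def compare_dot_plus(text: str):
    """Read 'foo\\.+bar' both ways: (OSSEC matches?, Perl/PCRE matches?)."""
    return (ossec_search(r"foo\.+bar", text) is not None,
            re.search(r"foo\.+bar", text) is not None)


# Constructed sample (assumption, not a line from the thread) in the shape
# of a Windows Security event as an OSSEC agent forwards it.
SAMPLE = ("WinEvtLog: Security: AUDIT_SUCCESS(5156): Microsoft-Windows-Security-Auditing: "
          "The Windows Filtering Platform has permitted a connection. "
          "Source Address: 10.0.0.5 Source Port: 51234 "
          "Destination Address: 192.168.1.10 Destination Port: 443")

# Decoder-style child regex (assumption): bare '.' is a literal dot,
# '\d' a digit, '\.+' skips any run of characters between the two fields.
IP_REGEX = (r"Source Address: (\d+.\d+.\d+.\d+) "
            r"\.+Destination Address: (\d+.\d+.\d+.\d+)")


def decode_ips(line: str):
    """Extract (srcip, dstip) the way an <order>srcip,dstip</order> child would."""
    return ossec_search(IP_REGEX, line)


if __name__ == "__main__":
    print(ossec_to_python(IP_REGEX))
    print(decode_ips(SAMPLE))
    print(compare_dot_plus("fooXYZbar"), compare_dot_plus("foo...bar"))
```

The point to take from `compare_dot_plus`: the same string `foo\.+bar` matches `fooXYZbar` under OSSEC rules and fails under Perl rules, which is exactly the `\.+` surprise in the quoted message. The translator is deliberately limited to the documented classes; anything fancier in a real decoder should be checked with `ossec-logtest`, not with this script.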

Re: [ossec-list] What is the best method to augment an existing decoder?

2017-07-06 Thread dan (ddp)
On Wed, Jul 5, 2017 at 10:26 PM, Ian Brown wrote:
> Dan, that matches for the source and destination IP addresses, but if I
> understand logtest's "Phase 2" output correctly, using those additional
> decoders drops all the other things that the original windows decoder found:

[ossec-list] Re: OSSEC log analysis settings for apache access/error.log

2017-07-06 Thread Kazim Koybasi
Thanks for the quick response. The server is running apache; I restarted apache and it shows a log that it monitors all apache config, and I connected with my browser and made multiple 404 error codes from the same server. The default log level is 7 for ossec. The exact OSSEC configuration is like below, and my server hosts

Re: [ossec-list] OSSEC log analysis settings for apache access/error.log

2017-07-06 Thread dan (ddp)
On Jul 6, 2017 4:38 PM, "Kazim Koybasi" wrote:

I added config below to etc/shared/agent.conf in ossec-server home directory but there are no alerts on the server. What could I need with this configuration?

apache /var/log/httpd/site/site_log

[ossec-list] OSSEC log analysis settings for apache access/error.log

2017-07-06 Thread Kazim Koybasi
I added config below to etc/shared/agent.conf in ossec-server home directory but there are no alerts on the server. What could I need with this configuration?

apache /var/log/httpd/site/site_log
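Extraction has reduced the posted configuration to its two values (the log format and the path), so here, as an added example rather than Kazim's file or anything shipped with OSSEC, is the shape a localfile stanza needs in the shared agent.conf. The path is the one from the post; everything else is the standard element layout.

```xml
<!-- Added example: etc/shared/agent.conf on the OSSEC manager.
     The enclosing <agent_config> element is required; a <localfile>
     block at top level of this file is not applied to agents. -->
<agent_config>
  <localfile>
    <log_format>apache</log_format>
    <location>/var/log/httpd/site/site_log</location>
  </localfile>
</agent_config>
```

Two checks worth making before looking further: the shared agent.conf is pushed to agents and configures only them, so if the Apache log lives on the manager host itself the same `<localfile>` block has to go into the manager's own ossec.conf; and a single access-log line with a 404 status pasted into `ossec-logtest` on the manager shows whether the apache decoder and rules fire for that line at all, independent of log collection.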