[ossec-list] Re: OSSEC Agent not works

2017-04-15 Thread Kat
It really sounds like you are missing a step -- perhaps post the steps you do for the install, adding an agent etc, showing the commands and results. We need something more to help you. Kat On Thursday, April 13, 2017 at 5:24:32 PM UTC-5, Руслан Аминджанов wrote: > > Hello! > I

[ossec-list] Re: Real time monitoring hidden files or hidden folder

2017-03-23 Thread Kat
I actually monitor /home/*.ssh,/root/.ssh and have AR set that if a new directory appears in /home, it restarts the agent so it adds it to the wildcard. On Monday, March 20, 2017 at 10:47:13 PM UTC-5, jingxu...@bettercloud.com wrote: > > Recently, we are trying to use OSSEC to monitor

[ossec-list] Re: Agentless ssh monitoring fails to connect every time

2017-03-21 Thread Kat
Hi, Could you post the log entries? Also, an ssh -vvv output would help to see what is going on. It is clearly a connection problem, but hard to diagnose based on what you have posted. Kat On Friday, March 17, 2017 at 10:20:58 PM UTC-5, Marcin Gołębiowski wrote: > > I can't seem t

[ossec-list] Re: Need information about Application installation via OSSEC

2017-03-21 Thread Kat
You could set the appropriate folders, assuming *nix system, such as /bin,/usr/bin,/sbin,/usr/sbin for realtime monitoring and new file alerts. Then if an installed package, regardless of YUM or dpkg/apt is installed, even by just copying it into place, you would still get an alert. Kat

[ossec-list] Re: Modify rules

2017-03-21 Thread Kat
; upon exit. For example, after you edit the sshd_rules.xml, enter :wq! That will over-write the file. However, any changes to the built-in files will be overwritten next time you upgrade, so Victor's comment about using local_rules.xml is actually more correct. Kat On Monday, March 20, 2017 at 1:56:2

[ossec-list] Re: OSSEC real-time monitoring with hidden files

2017-03-21 Thread Kat
arting OSSEC and you do not have alerting on new files setup, then you may not see the alerts either. I use this feature for monitoring in realtime if users put SSH private keys on a public server, rather than their laptop. I have AR setup to remove any private keys immediately upon alert gen
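An added example of the kind of active response described in the post above (example code written for this page, not Kat's script and not part of OSSEC): a script that ossec-execd can call on a syscheck "new file" alert for /home/*/.ssh or /root/.ssh, and that deletes the file only if it carries a PEM or OpenSSH private-key header, so public keys, authorized_keys and known_hosts are untouched. The argument order (action, user, srcip, alert id, rule id, agent, filename) follows the OSSEC active-response documentation and requires <expect>filename</expect> in the <command> definition; the AR_LOG path and the KEY_PATH_PREFIX variable (a hook so the path check can be exercised against a temporary tree) are assumptions of this example.

```sh
#!/bin/sh
# Added example: OSSEC active-response script that deletes SSH private keys
# dropped into /home/*/.ssh or /root/.ssh. Argument order follows the OSSEC
# active-response docs (action, user, srcip, alert id, rule id, agent,
# filename); AR_LOG and the KEY_PATH_PREFIX test hook are assumptions.

AR_LOG="${AR_LOG:-/var/ossec/active-response/active-responses.log}"
# Empty in production; set in tests so the path check runs against a temp tree.
KEY_PATH_PREFIX="${KEY_PATH_PREFIX:-}"

log_ar() {
    printf '%s %s\n' "$(date '+%a %b %d %H:%M:%S %Z %Y')" "$*" >>"$AR_LOG" 2>/dev/null || true
}

# Return 0 only for paths inside a user's or root's .ssh directory.
in_watched_ssh_dir() {
    case "${1#"$KEY_PATH_PREFIX"}" in
        /home/*/.ssh/*|/root/.ssh/*) return 0 ;;
        *) return 1 ;;
    esac
}

# Return 0 if the file's first line is a PEM or OpenSSH private-key header.
is_private_key() {
    [ -f "$1" ] || return 1
    head -n 1 "$1" | grep -q -- '^-----BEGIN .*PRIVATE KEY-----$'
}

# Delete the file when it is both in a watched .ssh directory and a private
# key. Returns 0 if a key was removed, 1 otherwise.
remove_if_private_key() {
    f=$1
    in_watched_ssh_dir "$f" || return 1
    is_private_key "$f" || return 1
    rm -f -- "$f" && log_ar "removed private key $f"
}

# ossec-execd entry point: act only on "add" with all seven arguments present;
# the "delete" (timeout) action has nothing to undo for a removed file.
if [ "$#" -ge 7 ] && [ "$1" = "add" ]; then
    remove_if_private_key "$7"
fi
```

Pair it with realtime syscheck on the .ssh directories and alert_new_files enabled, as the post describes; without the new-file alert the response never fires.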

[ossec-list] Is OSSEC 2.9.0 officially released?

2017-03-06 Thread Kat
Hi all, It seems to me that 2.9.0 is released - at least no more RC# after the last one. My question is, is this the case, and if so, could the website be updated to reflect it? According to github the release was 25 days ago, but the website still indicates 2.8.3? Thanks Kat

[ossec-list] Re: ossec-analysisd won't start, "could not create directory"

2017-01-26 Thread Kat
I'll write something up and submit it. Kat On Friday, January 13, 2017 at 1:28:42 PM UTC-6, Joel wrote: > > hi all, > > man, not having a good day. > > I was starting to run out of space on my / volume as a result of ossec > logs piling up. i need to keep the logs, s

[ossec-list] Re: ossec-analysisd won't start, "could not create directory"

2017-01-25 Thread Kat
it all up -- perhaps I will do a quick userguide doc that can be added to OSSEC. I specifically use this method with sshfs to mount a larger file store on the backend of my OSSEC managers. Kat On Friday, January 13, 2017 at 1:28:42 PM UTC-6, Joel wrote: > > hi all, > > man, not ha

[ossec-list] Re: ossec-analysisd won't start, "could not create directory"

2017-01-24 Thread Kat
. Cheers Kat On Friday, January 13, 2017 at 1:28:42 PM UTC-6, Joel wrote: > > hi all, > > man, not having a good day. > > I was starting to run out of space on my / volume as a result of ossec > logs piling up. i need to keep the logs, so i added a new drive (to the &g

[ossec-list] Re: OSSEC watching SQL

2017-01-24 Thread Kat
erformance hit is negligible. Obviously if you tried to do a trigger on each insert for the entire database, that would kill it, but . you can do a lot of creative things with OSSEC. Cheers Kat On Sunday, January 8, 2017 at 7:19:34 AM UTC-6, Mike Hammett wrote: > > My current cen

[ossec-list] Re: Maxiumum Number of Agents Allowed

2017-01-22 Thread Kat
In case anyone is curious - with proper server sizing, I have run OSSEC Managers with 20-30,000 agents connected. :-) Kat On Thursday, August 18, 2011 at 4:49:26 AM UTC-5, PJG wrote: > > Dear All, > > We are planning on ramping up our OSSEC deployment. > > There's a war

[ossec-list] Re: Update Wazuh with standard Ossec files

2017-01-22 Thread Kat
The Wazuh fork is actually newer, but regardless there should never be a conflict from 2.x to 2.x with agent and server. When you say "conflict" - can you be more specific on the error you are seeing? Kat On Friday, January 20, 2017 at 5:14:09 PM UTC-6, Alejandro M wrote: > > H

Re: [ossec-list] Re: Profiles and agents

2017-01-20 Thread Kat
I already did. :-) #1027 On Thursday, January 19, 2017 at 12:15:14 PM UTC-6, dan (ddpbsd) wrote: > > On Tue, Jan 17, 2017 at 3:06 PM, Kat <uncom...@gmail.com > > wrote: > > The problem is simple - the install.sh is where this is taken care of, > but > > no one

[ossec-list] Re: Profiles and agents

2017-01-17 Thread Kat
minor typo on this line: echo "$PROFILE" >> $NEWCONFIG that should read echo "$PROFILE" >> $NEWCONFIG On Thursday, January 22, 2015 at 4:09:42 AM UTC-6, Slobodan Aleksić wrote: > > Hello list, > > I am having trouble setting up agent's ossec.conf by the install.sh > script

[ossec-list] Re: Profiles and agents

2017-01-17 Thread Kat
WCONFIG fi # add this block to check for and add a preset profile name for the agent (from preloaded-vars.conf) if [ "X${USER_AGENT_CONFIG_PROFILE}" != "X" ]; then PROFILE=${USER_AGENT_CONFIG_PROFILE} echo "$PROFILE" >> $NEWCONFI

[ossec-list] Different branches?

2016-09-05 Thread Kat
branches and make my brain stop contorting please :-) I want to get all the best parts of all the enhancements from all the teams, but I am not quite sure there is one branch that incorporates them all? Then again, I could be completely wrong? Kat

[ossec-list] Re: Getting this OSSEC Notification of an Alert Level 7

2016-08-31 Thread Kat
Wouldn't it be easier rather than to modify the rule - simply add these to the ignores with - /dev/oracleasm ?? Just a thought. Kat On Tuesday, August 30, 2016 at 9:12:33 AM UTC-5, Stephen LuShing wrote: > > I have been getting this notification which I am trying to fix. This is an &g

[ossec-list] 2.9 track?

2016-08-31 Thread Kat
Hi all -- Just wondering on the status of 2.9 RC2? Been several weeks now. Any updates on the final release? Thanks Kat

[ossec-list] Re: Help with Stand alone implementation on Red Hat Enterprise 6

2016-08-23 Thread Kat
ackage. You don't need to add the client as well, since the server will do just fine on its own. So install ossec-hids and ossec-hids-server. That should get you going just fine. Cheers Kat On Monday, August 22, 2016 at 12:59:28 PM UTC-5, Shawn Wiley wrote: > > I have a pair of Red Hat 6

[ossec-list] Re: ERROR: Unable to send file 'merged.mg' to agent.

2016-08-03 Thread Kat
ens though) Cheers Kat (PS - Hi Graeme!) On Thursday, July 28, 2016 at 11:43:32 AM UTC-5, Graeme Stewart wrote: > > Seeing a lot of errors in the logfiles like this: > > 2016/07/28 16:41:48 ossec-remoted: ERROR: Unable to send file 'merged.mg' > to agent. > 2016/07/28 16:41:5

[ossec-list] Re: can we re-use agentID's

2016-08-03 Thread Kat
and remove that file. Then you are free to re-use agent IDs all the time. Cheers Kat On Thursday, July 28, 2016 at 2:03:34 PM UTC-5, Chanti Naani wrote: > > Hi, > We have a pretty decent implementation of the ossec with max clients set > to 3000. > So far we have generated close

[ossec-list] Re: Too much noise in alerts

2016-07-11 Thread Kat
. Without knowing everything about your setup, I would say you could probably safely ignore these for now, then focus on the rest of the alerts to try to get a clear understanding of what "normal" is. Cheers Kat On Friday, July 8, 2016 at 2:34:20 PM UTC-5, Brad Carey wrote: > >

[ossec-list] Re: Ossec Agent 2.71 Keeps disconnecting from Ossec server 2.8.3

2016-04-13 Thread Kat
You should disable RIDS: remoted.verify_msg_id=0 The errors should go away. The problem is, RIDS must be removed on both agent and server, that may be causing issues. Kat On Tuesday, April 5, 2016 at 8:21:18 AM UTC-5, Alexandre LAQUERRE wrote: > > Hi, > > > > I hav

[ossec-list] Re: Ossec Agent 2.71 Keeps disconnecting from Ossec server 2.8.3

2016-04-12 Thread Kat
of the problems observed. Kat On Tuesday, April 5, 2016 at 8:21:18 AM UTC-5, Alexandre LAQUERRE wrote: > > Hi, > > > > I have been using Ossec for quite a while and we decided to upgrade the > version (2.7.1) to 2.8.3 and that was relatively successful except for the

[ossec-list] Re: List of logged in users AND List of the last logged in users

2016-04-06 Thread Kat
The windows systems do not have the same commands for looking at users. Your commands for looking at both logged in and last, will only work on *nix platforms. Kat On Wednesday, April 6, 2016 at 2:38:26 AM UTC-5, Maxim Surdu wrote: > > Hi dear community, > > i install and config

[ossec-list] Re: Hybrid or dual install?

2016-02-18 Thread Kat
to be extremely reliable and I have had no issues. I do run with as high as 20,000 agents in some cases with no issues. Cheers Kat On Thursday, February 18, 2016 at 7:36:10 AM UTC-8, James Dough wrote: > > Looking at the hybrid install type; it installs two versions of ossec, > that have been red

Re: [ossec-list] Port 1514 Not Listening

2015-09-16 Thread Kat
Just a silly question I don't see in this thread -- do you have ANY clients defined on the server itself?? What is currently in /var/ossec/etc/clients.keys? -Kat

[ossec-list] Re: OSSEC is making AWS EC2 instance w/ Centos 7 become unresponsive

2015-07-03 Thread Kat
I have seen many issues with CentOS 7 becoming unresponsive. Kernel issues. Try removing OSSEC, but my guess, it will still hang. Are you current on all patches? -K On Thursday, July 2, 2015 at 6:47:53 PM UTC-7, Caleb P wrote: If I start OSSEC, my Centos 7 AWS instance becomes unresponsive

[ossec-list] Re: OSSEC opens lots of files and keeps them open

2013-05-14 Thread Kat
How many folders/files are you monitoring for changes? On Friday, May 10, 2013 1:32:33 AM UTC-7, Winni Neessen wrote: Hi, I am running OSSEC 2.7 on FreeBSD 8.4. Recently I received a kernel warning, that maxfiles was exceeded. I was wondering how this could be, as kern.maxfiles was

[ossec-list] listening ports command / diff (possible improvement?)

2013-04-11 Thread Kat
I know some people have asked about the listen ports changed command that they offered as a default/example in OSSEC install.. I too find it useful, but got tired of a lot of alerts for ports over 1024. This still handles IPv4 and v6 ports: netstat -tan | awk '$NF != LISTEN || $4 ~
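The post's command is cut off above; as an added example (written for this page, not Kat's one-liner and not OSSEC's stock command), here is a filter with the same intent that can sit behind a full_command localfile in place of the default "netstat -tan | grep LISTEN" pipeline: it keeps only LISTEN sockets whose local port is 1024 or lower, takes the port from after the last ":" so ":::80" and "::1:25" work as well as "0.0.0.0:22", and sorts in the C locale so the diff OSSEC computes between runs is stable. The netstat sample in the test is constructed.

```sh
#!/bin/sh
# Added example: reduce "netstat -tan" output to privileged listening sockets
# (port <= 1024) on IPv4 and IPv6, for an OSSEC full_command localfile.
# Not OSSEC's default command; the sample input used to test it is constructed.

# Reads netstat -tan lines on stdin and prints "proto local-address" for each
# LISTEN socket bound to port 1..1024, sorted for stable diffs between runs.
privileged_listeners() {
    awk '
        $NF == "LISTEN" {
            # The port follows the last ":" ("0.0.0.0:22", ":::80", "::1:631").
            n = split($4, a, ":")
            port = a[n] + 0
            if (port > 0 && port <= 1024) print $1, $4
        }' | LC_ALL=C sort
}

# Run against the live system when invoked as: script --live
if [ "${1-}" = "--live" ]; then
    netstat -tan 2>/dev/null | privileged_listeners
fi
```

Anything above 1024 (ephemeral listeners, the 8080s and 1514s of the world) drops out of the diff, which is exactly the noise the post complains about; if a specific high port matters, add it to the awk condition rather than widening the range.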

[ossec-list] multiple analysisd ???

2013-03-29 Thread Kat
Ok, I am thinking off the cuff here -- but was starting to wonder how OSSEC could scale more easily to large infrastructures. One of the primary issues is analysisd being single threaded. BUT -- since analysisd does not trap the port - 1514 for anything - that is left up to remoted - then why

[ossec-list] Re: aix 6.1 install failure

2013-03-23 Thread Kat
I have compiled OSSEC all the way thru AIX 6.1 and JB is right. gcc has issues, native C compiler always works. I did get it to work with gcc but only after fighting it. I will go back through my notes and see what I can find. If you happen to have IBMs c, it should work fine however. --

[ossec-list] Re: Basic OSSEC Configuration for Web Servers / Website Security

2013-03-13 Thread Kat
There are a couple of typos thanks to HTML formatting you might want to fix -- things like &lt; instead of < But things for the write up -- very nice. -K On Wednesday, March 13, 2013 10:20:29 AM UTC-7, perezbox wrote: Hey Folks I put together this little post to better help those that are

[ossec-list] Re: 13% CPU oad generated by ossec-authd

2013-03-13 Thread Kat
Still seeing high CPU usage for authd. Hmmm... On Tuesday, March 12, 2013 1:06:18 PM UTC-7, Kat wrote: Been seeing that a lot too -- going to try the repo update and see how that works. Perhaps it is time for a 2.7.1 release - I think we have enough general fixes to warrant it. cheers

[ossec-list] Re: OSSEC Server 2.7 - Active Responses intermittent

2013-03-13 Thread Kat
are you checking the right logs and do you have the ARs set for the right place? Sometimes people forget the log entries will be in agents log files, not the SERVER. On Wednesday, March 13, 2013 10:56:34 AM UTC-7, BP9906 wrote: Hello, I recently upgraded my ossec server to 2.7 and

[ossec-list] Re: 13% CPU oad generated by ossec-authd

2013-03-12 Thread Kat
Been seeing that a lot too -- going to try the repo update and see how that works. Perhaps it is time for a 2.7.1 release - I think we have enough general fixes to warrant it. cheers -K

[ossec-list] syscheck on agent - space? Missing something?

2013-03-04 Thread Kat
Just wondering if I am missing something. I have an agent that has used too much space for syscheck changes. I want to re-init with new rules. If I run syscheck_control with -u it says it will INIT the database, but the old stuff is still there. So I have to get on every system to clear the old

[ossec-list] Re: Ossec agents are not appearing in Ossec Server

2013-03-04 Thread Kat
Update to 2.7 on both Manager and client ... On Sunday, March 3, 2013 11:46:51 PM UTC-8, Umair Mustafa wrote: I installed Ossec Server and some agents on other servers. But the thing is that out of 10 agents only 7 servers are able to communicate with Ossec Server and 3 are not. This is

Re: [ossec-list] Maximum number of agents allowed:

2013-02-28 Thread Kat
The only issues you have to keep in mind are the maxagents - pretty simple - but there is another hidden setting in the client keys creation that is in the code. Set to 4000 by default. Have to edit that and set it to whatever. I fixed the makefile to do it when you change the setmaxagents.

[ossec-list] recover SERVER keys?

2013-02-14 Thread Kat
Well - it happened - I lost a server (hardware raid failure and corrupted drives). So here is the question - all the agents have keys, but I lost the other end - is there ANY way to rebuild a server from this sort of thing and recover? I can't think of anything, since it is all built around

Re: Re: [ossec-list] splunk+ossec ossec-agent Disconnected?

2013-01-31 Thread Kat
this. thanks Best Regards From: Kat Date: 2013-01-31 03:18 To: ossec-list Subject: Re: [ossec-list] splunk+ossec ossec-agent Disconnected? Has nothing to do with splunk

Re: [ossec-list] splunk+ossec ossec-agent Disconnected?

2013-01-30 Thread Kat
Has nothing to do with splunk or not -- and my guess is this is not ossec 2.7? You can check if you have a tool like netcat (default installed on Linux) by doing nc -u server-address 1514 then type a few lines to see if on the server you are seeing errors in the log file (incorrectly

Re: [ossec-list] Trying to install on Solaris 10

2013-01-30 Thread Kat
having built/installed on numerous Solaris systems, even as recently as last week - it does work. But yes, it can be a little touchy. Most of it, I have found, is related to the appropriate build environment and libraries. Double-check the pre-reqs for things like openssl libraries, and all the

[ossec-list] authd - agent

2013-01-29 Thread Kat
Just wondering if there is some reason with the agent-auth has to use IP when requesting a client key rather than a hostname? Kind of messy when trying to build in automated installs into RPMs and puppet across multiple datacenters. Is there some logical reason I am missing? thanks K --

Re: [ossec-list] authd - agent

2013-01-29 Thread Kat
If you happen to find a patch lying around... :-) On Tuesday, January 29, 2013 10:14:53 AM UTC-8, dan (ddpbsd) wrote: On Tue, Jan 29, 2013 at 12:44 PM, Kat uncom...@gmail.com wrote: Just wondering if there is some reason with the agent-auth has to use IP when requesting

[ossec-list] Re: updating ossec on centos 6: libmysqlclient.so.18(libmysqlclient_16)

2013-01-02 Thread Kat
Firstly - you probably want to get the 2.7 package and build that, rather than the rpm of the 2.6. If you do the source build, which is pretty simple based on the install.sh script - it should find the pre-reqs based on libraries. If it does not, then the Percona version does not contain the

[ossec-list] Re: Agent reporting to multiple servers

2013-01-02 Thread Kat
If you install as Local then it turns off the ability to communicate outside of the configuration. If you convert these to hybrid, then you could do what you want. I did that with a few servers during testing - wanted to see if a local installation would be viable as making it hybrid. Then at

[ossec-list] Re: Rule Frequency problem

2012-12-17 Thread Kat
You should take a look at this patch: https://groups.google.com/forum/?fromgroups=#!search/accumulator/ossec-dev/NfQaFREyCHI/ycoRVq6YD_gJ On Thursday, December 13, 2012 8:21:51 AM UTC-8, Mike Hubbard wrote: Hello - I am trying to construct a set of rules that cause a change in behavior if

[ossec-list] Re: snort+ossec email

2012-12-12 Thread Kat
Take a look at Security-Onion This combines tools like Snort and OSSEC and brings it into a single platform. There is also a SecurityOnion for Splunk that expands on this idea. -K On Wednesday, December 12, 2012 10:56:49 AM UTC-8, Leonardo Pezente wrote: im a noob in ossec, but i think it

[ossec-list] Re: can use 2.7 replace ossim 's ossec ?

2012-12-11 Thread Kat
Yes -- I did it. Works fine. Just install it normally and select Upgrade as it will find the previous version. On Monday, December 10, 2012 9:13:07 PM UTC-8, peng lin wrote: can use 2.7 replace ossim 's ossec ? is that everyone do it ?

Re: [ossec-list] Agent configuration management via central server

2012-11-28 Thread Kat
If I am reading your problem - you are saying ossec.conf on the AGENT is not being overwritten -- if this is correct - then yes, it is not - it won't. Only agent.conf gets pushed to the agents. ossec.conf is set manually on agents, so if you expect it to get changes - you need to use puppet or

Re: [ossec-list] Identifying user that made change to file as part of File Integrity/Syscheck monitoring?

2012-11-12 Thread Kat
is minimal -- filename, inode #) cheers Kat

Re: [ossec-list] Identifying user that made change to file as part of File Integrity/Syscheck monitoring?

2012-11-12 Thread Kat
auditd is a Unix-centric process. Kind of like ACLs though. They all have it, but they all have slightly different ways of enabling and managing.

[ossec-list] Re: add logfile to ossec

2012-10-10 Thread Kat
when you exit vi/vim - just do :wq! - if you are root while editing - it will over-write it and you don't have to change perms. On Wednesday, October 10, 2012 2:36:41 PM UTC-7, Adam wrote: I set up rsyslog to get messages from a remote network device and put the messages in

Re: [ossec-list] am i doing this wrong

2012-10-02 Thread Kat
Scanning does not necessarily provide a blip. Do you have any kind of tool logging scans, or are you doing something beyond an nmap scan, such as brute force login attempts? Something has to create a log entry for OSSEC to see. Based on what you are saying - is there any kind of entry in any of

[ossec-list] puppet rules (not for deployment but alerting)

2012-09-28 Thread Kat
it. Lots of other things come to mind and I have begun this process, but if someone else has already done it - well, I just thought I would ask. cheers Kat

[ossec-list] Re: Large scale deployment

2012-09-25 Thread Kat
are correct - management through a configuration system such as puppet or cfengine is the only way to go, and not trying to use the agent management directly within OSSEC. Just my 2 cents Kat On Tuesday, September 25, 2012 11:57:01 AM UTC-7, JB wrote: I know there are deployments of more than

Re: [ossec-list] linux_auditd log_format and configuration error in OSSEC 2.7 beta

2012-09-19 Thread Kat
I ran into the same problem - *IF* you try updating a 2.6 install with the beta - you must REPLACE it. So no to upgrade and then delete the existing folder (when it asks) and install new 2.7. Otherwise it keeps some files (have not verified which) that cause this. On Wednesday, September 19,

[ossec-list] Re: WARN: Problem receiving message from

2012-09-14 Thread Kat
new v4 of Alienvault has 2.6 - so simply upgrade your appliance. -K

[ossec-list] Simplest question ever (?) - timestamp

2012-08-15 Thread Kat
Is there a way to tell OSSEC to use the timestamp of the actual logfile entry rather than its own internal timestamp of when it sees the alert? This should be a configuration option - *hint hint* Unless there is already a way to do this. thanks K

Re: [ossec-list] ignore interval but...

2012-08-10 Thread Kat
a week and if the alert is still there, you have a way to show them. Some people could say just lengthen the frequency on the running of the audit - but I don't want to do that, I want them to run daily, but not alert daily if I already know about something. Does that make sense? -Kat

[ossec-list] ignore interval but...

2012-08-07 Thread Kat
Ok, here is a tricky one I can't figure out.. I have a simple rule with an ignore=7200 so it does not fire too much. BUT, what if I only want to set the ignore PER HOST? In other words, if it triggers on another host it should alert then set the ignore timer. Yeah, I am not aware of a

Re: [ossec-list] Can nto have centralized agent config working

2012-07-31 Thread Kat
If you restart the client, it will get pushed within a minute - assuming you had restarted the manager so it knows there was a change. I had this problem with a large install of 4000+ agents in the beginning, but in general, if the agent is restarted shortly after manager, the files were

[ossec-list] Simple(?) - Forensics (historical?) but live

2012-06-29 Thread Kat
Here's hoping there is a simple answer to this. I know of the technique to run the forensics into ossec-logtest. And that is a fabulous tool/method. But, I want to take a previous years data - BO - (before ossec) and run it through and have ossec actually process it into the appropriate log

[ossec-list] audit alerts / root kit

2012-06-26 Thread Kat
Here is a problem I am trying to figure out a work-around. Looking for files that might be unauthorized copies of files. For example, /etc/passwd. But, if you add that to the rootkit_files in etc/shared - you would want to list it as */passwd -- but how could you get it to only trigger if it

[ossec-list] rootcheck/rootkit rules

2012-06-07 Thread Kat
Just wondering where to find docs on writing/updating rules for rootkit/rootcheck? Format and all that is what I am looking for. I am looking through the various root check files under etc/shared, but can't seem to find the syntax for these files in the docs. :-( Any help/suggestions? -K

[ossec-list] Re: Large installs.

2012-04-06 Thread Kat
4 installs -- 1700 hosts 1200 hosts 1340 hosts and 900 (oops, that is not over 1000, but close) Use puppet to manage deployments rather than OSSEC itself. Also, puppet maintains more than just agent.conf. Splunk on the backend with Splunk for OSSEC app handling all the details. Also, because

Re: [ossec-list] How to Set up a Sonicwall in OSSEC

2012-03-22 Thread Kat
FYI - running TCPDUMP is not a good test to verify the firewall block or not, since tcpdump puts the NIC in promiscuous AND intercepts the packets BEFORE the firewall sees them. So even if you are seeing the packets, you don't know they are being blocked or not without reviewing your firewall

[ossec-list] report_changes - odd results

2012-02-13 Thread Kat
Hi all.. Here is an odd one. I have a folder with a few dozen subfolders. I want to set up report_changes on all the subfolders with a specific file in it - for example: /opt/conf/*/*act_config And it seems to work fine - but here is the odd part. The *sh_config is a txt file in every folder,

[ossec-list] Re: report_changes - odd results

2012-02-13 Thread Kat
That first paragraph should read the *act_config - not *sh_config... Sorry if that was confusing. On Feb 13, 8:05 am, Kat uncommon...@gmail.com wrote: Hi all.. Here is an odd one. I have a folder with a few dozen subfolders. I want to set up report_changes on all the subfolders

[ossec-list] Re: day of decoder problems

2012-02-02 Thread Kat
I always wondered about that - shouldn't anything in Local... get processed before the built-in? I did have a feeling it was order dependent, and I took the route of making the rules decoded_as - windows_date_format and everything works, and this now confirms my thoughts that local did NOT get

[ossec-list] day of decoder problems

2012-02-01 Thread Kat
What am I missing - it just keeps firing on the windows-date-format -- so frustrating, it must be simple, I am just blind today: Logentry: 2012-01-12 15:19:58 Package: attack.vector: removing(string1,string2,string3) by administrator decoder: decoder name=fw-private

[ossec-list] Best way to add rules to EXISTING products/decoders.

2012-01-26 Thread Kat
I am working on a bunch of updated rules for PIX/ASA firewall messaging - my question is since these use an existing decoder and group of rules, what is the best way to add them. Should I be using local_rules or how could I contribute them to update the pix_rules set? thanks k

[ossec-list] Re: Agents cannot connect to server

2012-01-26 Thread Kat
I keep seeing these from more than one person - with over 6000 agents in 3 DC's I can tell you I have found the quickest solution: 1. Although this is frowned upon - on the agents - wipe /var/ossec/ queue/rids/ on each of the offending agents 2. find the agent ID in the same folder on the
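The two posts on agents that stop being accepted (the RIDS counter wipe above, and the earlier note that the errors go away with remoted.verify_msg_id=0 set on both agent and server) describe one procedure. As an added example written for this page (not OSSEC's own tooling, and not Kat's script), the functions below do each step against an OSSEC 2.x install tree: set the option idempotently in etc/internal_options.conf, wipe queue/rids/ on an agent, or remove only the offending agent's ID file from queue/rids/ on the manager. OSSEC_DIR defaults to /var/ossec; the check for var/run/*.pid files is there because both ends must be stopped before their counters are cleared, or the mismatch simply comes back. The config sample in the test is constructed.

```sh
#!/bin/sh
# Added example (not OSSEC's own tooling): reset the remote-ID (RIDS)
# counters that make a 2.x agent and manager reject each other's messages,
# and switch the check off in internal_options.conf. Assumes the standard
# 2.x tree: etc/internal_options.conf, queue/rids/, var/run/*.pid.

# Idempotently set key=value in an internal_options.conf-style file:
# rewrite an existing assignment, otherwise append one. The file is
# rewritten in place (cat >) so its ossec ownership and mode survive.
set_internal_option() {
    conf=$1; key=$2; value=$3
    if grep -q "^${key}=" "$conf" 2>/dev/null; then
        awk -F= -v k="$key" -v v="$value" 'BEGIN { OFS = "=" }
            $1 == k { $2 = v } { print }' "$conf" >"$conf.tmp" \
            && cat "$conf.tmp" >"$conf" && rm -f "$conf.tmp"
    else
        printf '%s=%s\n' "$key" "$value" >>"$conf"
    fi
}

get_internal_option() {
    awk -F= -v k="$2" '$1 == k { print $2 }' "$1"
}

# True while any OSSEC daemon has a pid file; wiping counters under a
# running remoted/agentd just recreates the mismatch.
ossec_is_running() {
    for pid in "$1"/var/run/*.pid; do
        [ -e "$pid" ] && return 0
    done
    return 1
}

# Agent side: wipe every counter file under queue/rids/.
# Returns 1 if the tree is missing, 2 if OSSEC is still running.
clear_agent_rids() {
    dir=$1
    [ -d "$dir/queue/rids" ] || return 1
    ossec_is_running "$dir" && return 2
    rm -f -- "$dir"/queue/rids/* 2>/dev/null
    return 0
}

# Manager side: only the offending agent's counter file, named by agent ID.
clear_manager_rids() {
    dir=$1; agent_id=$2
    [ -d "$dir/queue/rids" ] || return 1
    ossec_is_running "$dir" && return 2
    rm -f -- "$dir/queue/rids/$agent_id"
}

# Turn the verification off on this install (run on agent and manager alike).
disable_rids_verification() {
    set_internal_option "$1/etc/internal_options.conf" remoted.verify_msg_id 0
}

# usage: script --manager <agent_id> [ossec_dir] | script --agent [ossec_dir]
if [ "$#" -ge 2 ] && [ "$1" = "--manager" ]; then
    clear_manager_rids "${3:-/var/ossec}" "$2"
elif [ "$#" -ge 1 ] && [ "$1" = "--agent" ]; then
    clear_agent_rids "${2:-/var/ossec}"
fi
```

Stop OSSEC on the agent, run the agent step, stop the manager, run the manager step for that agent ID, then start the manager before the agent; disabling verification altogether trades the replay protection the counters provide for never hitting this again, so treat it as the last resort the first post presents it as.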

[ossec-list] any ideas - syslog and secure

2012-01-23 Thread Kat
Any ideas why this won't work if udp 1513 is not bound: <remote><connection>syslog</connection><port>1513</port></remote> <remote><connection>secure</connection></remote> It only listens on 1514 - and here is the kicker - even if I remove the secure option, it still won't listen on any other port -

[ossec-list] Re: any ideas - syslog and secure

2012-01-23 Thread Kat
Never mind -- You can't use syslog WITHOUT allowed-ips of some sort. ERROR: No IP or network allowed in the access list for syslog. No reason for running it. Exiting.

[ossec-list] Re: Now on to AIX .. error compiling 2.6

2012-01-19 Thread Kat
You don't have all the pieces to the gcc compiler installed fully. You need the compiler and the supporting libraries, etc. That is where you are getting the cc1 errors. On Jan 19, 10:02 am, Swartz, Patrick H patrick.swa...@firstdata.com wrote:    Hi All, Well, with RH, SuSE, and Solaris10 out

[ossec-list] another AR question..

2011-12-23 Thread Kat
Just wondering if there is a simple way that saying in a 5 minute period - an alert triggers an active response 20 times, I only want the AR to activate ONCE? I know how to set counters on the alert, but I don't want to do that. I want the alert to keep logging - but I don't want the response to

[ossec-list] Active response arguments - clarification

2011-12-20 Thread Kat
I am baffled -- Below is an alert - which triggered an active response. It should have executed a block on my pix, but for some reason the IP was lost in translation so to speak. The Src IP shows up correctly in the alert, and in the script, it is set via $3, but if I output the string with a

[ossec-list] Re: Active response arguments - clarification

2011-12-20 Thread Kat
A! ... um, No. :-( On Dec 20, 10:14 am, dan (ddp) ddp...@gmail.com wrote: Is <expect>srcip</expect> set in the command definition?

[ossec-list] Re: Active response arguments - clarification

2011-12-20 Thread Kat
Something to ponder however -- I thought it was in there - instead there was an unmatched </expect> on a line within the command definition - and no error was generated, that is how I missed it. A bug perhaps? On Dec 20, 10:21 am, Kat uncommon...@gmail.com wrote: A! ... um, No. :-( On Dec

[ossec-list] odd error on server only

2011-12-16 Thread Kat
Anyone have any idea why a server would ignore the localfiles for monitoring? I have some alerts that SHOULD be triggering, but they do not trigger on the server, only on agents. Yes, the config file is the same. This is as simple as /var/log/secure being monitored for logins/ failures/etc and

[ossec-list] Re: odd error on server only

2011-12-16 Thread Kat
3 identical servers --- 2 work, 1 does not. all same OS, built from source. logtest works on all - so it MUST be something with the config. Going to enable logging and see what I can find. One question - this particular server was configured for logging to DB, but then I decided to not use it

[ossec-list] Re: Multiple cores?

2011-12-08 Thread Kat
Yep -- sending 1800 agents to a single server so it has a lot to analyze. I am finding that this causes many of the agents to show disconnected because they can't get to the server while it is processing very busy nodes. So rather than throw additional servers at it, I have all the cores, but I am

[ossec-list] Re: help with a filesystem_check rule?

2011-11-30 Thread Kat
You know, I was thinking it was that simple - then I thought - But wait, it can't be that simple.. And yet sometimes it is. DOH! On Nov 28, 2:16 pm, dan (ddp) ddp...@gmail.com wrote: <directories>/home/*/.ssh</directories> ?

[ossec-list] help with a filesystem_check rule?

2011-11-21 Thread Kat
Hi all.. Just trying to come up with a way to monitor all .ssh folders in / home, but NOT monitor anything else in home. I want to keep an eye on the key files and if they get altered/replaced. I have to think that someone else has wanted to do this before and already has a regex or something?

[ossec-list] decoder fails simple test?

2011-11-21 Thread Kat
What am I missing here? here is the log entry and my very simple decoder just to start and it fails: Oct 31 11:22:05 127.0.0.1 W 5219816637.934 elo_581 213.126.45.119 GET / L/2284/58299/7d/origin-www.freeport.org.adns.net/night.jpg 200 188362153 1 097903 0 ASP/JSP%20source%20code%20leakage

[ossec-list] Re: decoder fails simple test?

2011-11-21 Thread Kat
why is there no way to delete a post you put up when you realize you made stupid mistakes? Can someone delete this please. Moderators? Yeah, I guess it would help if I realized some obvious things like my fields and characters, etc. DOH! On Nov 21, 1:38 pm, Kat uncommon...@gmail.com wrote: What

[ossec-list] issue not an issue (agent disconnect)

2011-11-09 Thread Kat
This is more annoying than a real issue, but thought I would ask anyway. What would cause agents to show as disconnected after weeks of working flawlessly with no issues? I understand it has to do with keep-alive and NOT activity - although ALL the agents are still sending data and we are not

[ossec-list] Re: AIX 5.3: ossec agent installation problem

2011-11-08 Thread Kat
You need to add /bin/false to the /etc/security/login.cfg There is a line in the file that says SHELLS and has a list of all valid shells. I created a script to run from my nim server to push it out - I do this, just to have a backup if needed (not the cleanest, but it works): cp

[ossec-list] Re: ossec-authd or agent-auth is not creating valid keys

2011-10-31 Thread Kat
I am taking this up on my own to resolve this... Pretty good at RPMs - working on a solution and a new SPEC file.. More to follow -K

[ossec-list] Day 2 - my comments..

2011-10-25 Thread Kat
I thought I would share this.. OSSEC has been a huge help not to mention savings. In 2 very large cases - over 3000 nodes - OSSEC has replaced Tripwire as the Filesystem check, and because of all the fantastic features it adds, it brings even more ROI to the teams involved. In several instances,

[ossec-list] Best way to alert all sudo su

2011-10-25 Thread Kat
Simple(?) question... Looking for the best way to log all sudo su - someuser. Obviously, it already flags sudo root, but I am looking to track all the users who are authorized to sudo to other accounts and when they do it. I could modify the syslog_rules - which worked, but since that is a bad

[ossec-list] mysql connect

2011-10-20 Thread Kat
Hmm, if you can do mysql -u ossecuser -p and login to mysql then why can't ossec connect with the same info? ossec-dbd(5202): ERROR: Error connecting to database ??

[ossec-list] Re: mysql connect

2011-10-20 Thread Kat
, Kat uncommon...@gmail.com wrote: Hmm, if you can do mysql -u ossecuser -p and login to mysql then why can't ossec connect with the same info? ossec-dbd(5202): ERROR: Error connecting to database ??

[ossec-list] Re: Multiple instances of OSSEC running on a single system

2011-10-19 Thread Kat
did something similar using the smaller version of splunk (500 meg) - stuck with a single server, but created dashboards inside splunk to split the appropriate alerts. Something to think about. On Oct 19, 9:27 am, Sherman Butler sbut...@cequint.com wrote: I'm wondering if it's possible to have

[ossec-list] Re: re-create queue folders..

2011-10-19 Thread Kat
it sucked up over 2G and was still running! On Oct 19, 8:49 pm, dan (ddp) ddp...@gmail.com wrote: # ls -l /var/ossec/queue total 36 drwxr-xr-x   2 ossecr  ossec   512 Oct 18 18:56 agent-info drwxr-xr-x   2 ossec   ossec   512 Feb 14  2011 agentless drwxrwx---   2 ossec   ossec   512 Oct 17

[ossec-list] Re: re-create queue folders..

2011-10-19 Thread Kat
Oh and re-install with Update does not fix it - it won't re-create the folders, it only copies what it needs to - i.e. UPDATE. And of course if you tell it NOT to update, you lose your client keys.. *sigh*

[ossec-list] Re: latest spec file - 2.6?

2011-10-14 Thread Kat
Very glad I seemed to spark some interest in getting the SPEC files updated. It just makes for a much nicer/cleaner release for 2.6 since the SPEC is very old there and missing compiles of a lot of the newer features. Thanks to all and if I can help, just let me know. -K
