[ossec-list] reindexing logs

2016-05-19 Thread Maxim Surdu
Hi dear community, I had a problem with Logstash; after I resolved it I saw that logs are missing in Kibana. How can I resolve the problem and reindex all my logs to Kibana? I will be thankful if someone will help me step by step. I appreciate your help, and a lot of respect for the developers

[ossec-list] Re: List of logged in users AND List of the last logged in users

2016-04-07 Thread Maxim Surdu
only work on > *nix platforms. > > Kat > > On Wednesday, April 6, 2016 at 2:38:26 AM UTC-5, Maxim Surdu wrote: >> >> Hi dear community, >> >> i install and configure about 10 agents, and of course i have a lot of >> users, i need to monitoring when they

[ossec-list] List of logged in users AND List of the last logged in users

2016-04-06 Thread Maxim Surdu
Hi dear community, I installed and configured about 10 agents, and of course I have a lot of users. I need to monitor when they are working or drinking coffee. In ossec_rules.xml I have the following rules: 530 ossec: output: 'w' alert_by_email List of logged in users. It will not

Re: [ossec-list] Error reading XML file 'rules//local_rules.xml': XMLERR: String overflow. (line 89)

2016-03-03 Thread Maxim Surdu
On Mar 3, 2016 4:18 AM, "Maxim Surdu" <maxs...@gmail.com > > wrote: > > > > Hi dear community, > > > > i install and configure about 10 agents, and of course i have a lot of > users,a part of this users are ftp Clients

[ossec-list] Error reading XML file 'rules//local_rules.xml': XMLERR: String overflow. (line 89)

2016-03-03 Thread Maxim Surdu
Hi dear community, I installed and configured about 10 agents, and of course I have a lot of users; a part of these users are FTP clients. In policy-rules.xml I have the following rules: authentication_success 4 pm - 7 am Successful login during non-business hours. login_time,

[ossec-list] Re: exclude service-users

2016-02-19 Thread Maxim Surdu
17 LinMV su[1202]: >> pam_unix(su:session): session opened for user homer by root(uid=0)' >>hostname: 'LinMV' >>program_name: 'su' >>log: 'pam_unix(su:session): session opened for user homer by >> root(uid=0)' >> >> >> **Phase 2: Completed

[ossec-list] Re: the length of time the user logged in

2016-02-19 Thread Maxim Surdu
o alert?. ssh, ftp, normal login? > > Regards. > > On Thursday, February 18, 2016 at 10:14:32 AM UTC+1, Maxim Surdu wrote: >> >> Hi dear community, >> >> i install and configure about 10 agents, and of course i have a lot of >> users, i have logs when

[ossec-list] exclude service-users

2016-02-18 Thread Maxim Surdu
Hi dear community, I installed and configured about 10 agents, and of course I have a lot of users; a part of these users are service-users. In policy-rules.xml I have the following rules: authentication_success 4 pm - 7 am Successful login during non-business hours. login_time,

Re: [ossec-list] OSSEC not sending error.log

2016-02-10 Thread Maxim Surdu
I will remind that logall is active yes yes DC2.*.*** msurdu@*.** ossec@*.** 1 6 Thursday, 11 February 2016, 09:41:06 UTC+2, Maxim Surdu wrote: > > Yes, my agent is shown as active but just a part of access log are

Re: [ossec-list] OSSEC not sending error.log

2016-02-10 Thread Maxim Surdu
fine. > > My question is, do you see anything from the agent in that same file? Does > the agent appear as active? > > Best > > On Tue, Feb 9, 2016 at 11:52 PM, Maxim Surdu <maxs...@gmail.com > > wrote: > >> i check my logs are in /var/ossec/logs/ossec.log on

[ossec-list] Agent did not start

2016-02-10 Thread Maxim Surdu
/queue/ossec/queue'. Giving up.. ossec-syscheckd did not start please any suggestions because this servers are very important for monitoring logs. Many thanks, Maxim Surdu -- --- You received this message because you are subscribed to the Google Groups "ossec-list" group. To u

Re: [ossec-list] Agent did not start

2016-02-10 Thread Maxim Surdu
February 2016, 14:36:42 UTC+2, dan (ddpbsd) wrote: > > > On Feb 10, 2016 7:32 AM, "Maxim Surdu" <maxs...@gmail.com > > wrote: > > > > Hi dear community, > > > > i install and configure about 10 agents > > > > but one of them after inst

Re: [ossec-list] Agent did not start

2016-02-10 Thread Maxim Surdu
ossec-rootcheck(1211): ERROR: Unable to access queue: '/var/ossec/queue/ossec/queue'. Giving up.. [root@mx2 bin]# Wednesday, 10 February 2016, 14:37:58 UTC+2, Maxim Surdu wrote: > > [root@mx2 bin]# tail -f /var/ossec/logs/ossec.log > 2016/02/10 14:27:25 ossec-rootcheck: DEBUG:

Re: [ossec-list] Agent did not start

2016-02-10 Thread Maxim Surdu
I checked client.keys, all is OK. Wednesday, 10 February 2016, 14:40:24 UTC+2, Maxim Surdu wrote: > > 2016/02/10 14:27:25 ossec-execd: INFO: Started (pid: 24817). > 2016/02/10 14:27:25 ossec-agentd: INFO: Using notify time: 600 and max > time to reconnect: 1800 > 2016/02/10 14:27:

Re: [ossec-list] Agent did not start

2016-02-10 Thread Maxim Surdu
145K Dec 30 09:31 ossec-luac* 536K -r-xr-x--- 1 root ossec 535K Dec 30 09:32 ossec-syscheckd* 8.0K -r-xr-x--- 1 root ossec 4.3K Oct 13 00:21 util.sh* Wednesday, 10 February 2016, 14:48:06 UTC+2, dan (ddpbsd) wrote: > > > On Feb 10, 2016 7:38 AM, "Maxim Surdu" <maxs..

Re: [ossec-list] Agent did not start

2016-02-10 Thread Maxim Surdu
queue_= 4.0K -rwxrwxrwx 1 ossec ossec1 Feb 10 12:03 .wait* Wednesday, 10 February 2016, 14:49:58 UTC+2, Maxim Surdu wrote: > > [root@mx2 bin]# ll > total 2.4M > 4.0K dr-xr-x--- 2 root ossec 4.0K Dec 30 09:32 ./ > 4.0K dr-xr-x--- 11 root ossec 4.0K Dec 30 09:32 ../ > 192K

Re: [ossec-list] OSSEC not sending error.log

2016-02-09 Thread Maxim Surdu
log? > > > On Mon, Feb 8, 2016 at 11:28 PM, Maxim Surdu <maxs...@gmail.com > > wrote: > >> Hi Santiago, >> >> This my output >> >> root@my:/home/msurdu# lsof /var/log/apache2/error.log >> COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE

Re: [ossec-list] OSSEC not sending error.log

2016-02-08 Thread Maxim Surdu
t actually there. > > I hope that helps, > > Santiago. > > On Mon, Feb 8, 2016 at 7:23 AM, Maxim Surdu <maxs...@gmail.com > > wrote: > >> Dear community, >> I am having a problem in OSSEC. I have configured the OSSEC client to >> monit

[ossec-list] OSSEC not sending error.log

2016-02-08 Thread Maxim Surdu
Dear community, I am having a problem in OSSEC. I have configured the OSSEC client to monitor the Apache and Nginx error.log apache /var/log/nginx/access.log apache /var/log/nginx/error.log apache /var/log/apache2/error.log apache

[ossec-list] for what time ossec save logs?

2015-12-28 Thread Maxim Surdu
Hi everyone, who can tell me for how much time ossec saves my logs? Do I need to configure it, or how does it work? I need ossec to save my logs for minimum 2 years. Any help would be greatly appreciated. Thanks, Maxim

Re: [ossec-list] Re: mail for a specific rule

2015-12-23 Thread Maxim Surdu
I receive mail with alert level 2 and higher, but do not receive mail from this rule. I simulate/test the alert, it is working and is showing in kibana and ossec wui, but I do not receive mail :( Wednesday, 23 December 2015, 17:10:37 UTC+2, Maxim Surdu wrote: > > yes, i change and all rules are loade

Re: [ossec-list] Re: mail for a specific rule

2015-12-23 Thread Maxim Surdu
ossec shows me logs and the rule is working for /var/log/maillog and var/log/secure, but ossec sends me mail just from /var/log/maillog. Wednesday, 23 December 2015, 17:26:51 UTC+2, Maxim Surdu wrote: > > yes the rule is work > > > Alert 1450884351.34521849: mail - policy_viola

[ossec-list] mail for a specific rule

2015-12-23 Thread Maxim Surdu
Hi everyone, I am new in Ossec, I installed the Virtual Appliance of ossec, all is working fine. Can I make ossec mail me for a specific rule? For example, for this rule: authentication_success 06:00 pm - 09:00 am Successful login during non-business hours. login_time, Any

[ossec-list] Re: mail for a specific rule

2015-12-23 Thread Maxim Surdu
This rule is located in /var/ossec/rules/policy_rules.xml Wednesday, 23 December 2015, 16:39:18 UTC+2, Maxim Surdu wrote: > > yes i want for a specific mail, but i not receive mail from this alert > > Wednesday, 23 December 2015, 15:39:52 UTC+2, Maxim Surdu wrote: >> >>

[ossec-list] Re: mail for a specific rule

2015-12-23 Thread Maxim Surdu
Yes, I want for a specific mail, but I do not receive mail from this alert. Wednesday, 23 December 2015, 15:39:52 UTC+2, Maxim Surdu wrote: > > Hi everyone, > > I am new in Ossec, i installed Virtual Appliance of ossec, all is working > fine, can i do to ossec mail me fo

Re: [ossec-list] Re: mail for a specific rule

2015-12-23 Thread Maxim Surdu
Yes, I changed it and all rules are loaded when ossec is started. Wednesday, 23 December 2015, 16:58:18 UTC+2, dan (ddpbsd) wrote: > > On Wed, Dec 23, 2015 at 9:49 AM, Maxim Surdu <maxs...@gmail.com > > wrote: > > This rule is locate in /var/ossec/r

Re: [ossec-list] Re: mail for a specific rule

2015-12-23 Thread Maxim Surdu
r user msurdu by (uid=0) Wednesday, 23 December 2015, 17:14:34 UTC+2, dan (ddpbsd) wrote: > > On Wed, Dec 23, 2015 at 10:10 AM, Maxim Surdu <maxs...@gmail.com > > wrote: > > yes, i change and all rules are loaded when ossec is started > > > > Is the rule firing (ca

Re: [ossec-list] Re: mail for a specific rule

2015-12-23 Thread Maxim Surdu
Yes, sorry for my bad English. Wednesday, 23 December 2015, 17:44:37 UTC+2, dan (ddpbsd) wrote: > > On Wed, Dec 23, 2015 at 10:43 AM, Maxim Surdu <maxs...@gmail.com > > wrote: > > ossec show me logs and rule is working for /var/log/maillog > > and var/log/secure

[ossec-list] User who change files

2015-12-23 Thread Maxim Surdu
Hi everyone, I am new in Ossec, I configured ossec-server and ossec agent, all is working formidable! I can see logs when a file is changed, but not who did it and what changed. Can someone help me to set ossec to get more info?

Re: [ossec-list] how to add user to web UI?

2015-12-22 Thread Maxim Surdu
What web interface do you recommend me to use, in which I can create users for authentication to see logs? Because kibana does not have this :( Tuesday, 22 December 2015, 15:04:55 UTC+2, dan (ddpbsd) wrote: > > On Tue, Dec 22, 2015 at 7:25 AM, Maxim Surdu <maxs...@gmail.com > > wrote:

[ossec-list] how to add user to web UI?

2015-12-22 Thread Maxim Surdu
Hi everyone, I am new in Ossec, i configure ossec-server and ossec agent, all is working formidable! i change password for user in ossec-wui, can i add another user and can i do it admin or simple user?if i can how can i do it? Any help would be greatly appreciated Thanks, Maxim

Re: [ossec-list] Re: logs level 0 and level 1

2015-12-21 Thread Maxim Surdu
no Monday, 21 December 2015, 15:07:06 UTC+2, dan (ddpbsd) wrote: > > On Mon, Dec 21, 2015 at 8:03 AM, Maxim Surdu <maxs...@gmail.com > > wrote: > >> but in ossec-wui in stats is showing me what i have alert with level 0 > and > >> 1 > > >

Re: [ossec-list] Re: logs level 0 and level 1

2015-12-21 Thread Maxim Surdu
> > I checked ossec.conf and I have > 1 but ossec-wui or kibana is showing just alerts with minimum 2, but I know that I have alerts with level 0 and 1 and I need them to be shown in ossec-wui or kibana

Re: [ossec-list] Re: logs level 0 and level 1

2015-12-21 Thread Maxim Surdu
> but in ossec-wui in stats is showing me what i have alert with level 0 and > 1

[ossec-list] logs level 0 and level 1

2015-12-18 Thread Maxim Surdu
Hi everyone, I am new in Ossec, I configured ossec-server and ossec agent, all is working formidable! But I want ossec or kibana to show me all logs, including logs of level 0 and level 1. I changed my ossec.conf and I added code yes, in the ossec stats I see that I have logs with levels 0 and 1 but do

[ossec-list] Re: logs level 0 and level 1

2015-12-18 Thread Maxim Surdu
my alerts with level 0 and 1 are not in alerts.log

[ossec-list] Re: Location of OSSEC-WUI

2015-12-14 Thread Maxim Surdu
I find it /opt/lampp/htdocs/ossec-wui but where is locate Kibana?

[ossec-list] Re: Location of OSSEC-WUI

2015-12-14 Thread Maxim Surdu
I find it /opt/lampp/htdocs/ossec-wui /usr/share/kibana who can help me with this topic? https://groups.google.com/forum/#!topic/ossec-list/-IbGTSrBwIQ i already did it for ossec-wui but how to do for kibana??

[ossec-list] Re: Location of OSSEC-WUI

2015-12-14 Thread Maxim Surdu
I find it /opt/lampp/htdocs/ossec-wui /usr/share/kibana who can help me with this topic? i already did it for ossec-wui but how to do for kibana??

[ossec-list] level alerts in colors

2015-12-11 Thread Maxim Surdu
Hi everyone, I am new in Ossec, I configured ossec-server and ossec agent, all is working formidable! But how can I configure ossec to show me the alert levels in colors, like if the level of the alert is 15 to show it in OSSEC WEBUI or KIBANA with red color, if the level of the alert is for example 7 to

[ossec-list] Re: alert for logging outside working hours

2015-12-09 Thread Maxim Surdu
My software and hardware clock are synchronized, but one of them is with AM and PM, the second is with 24 hours [root@ossec ~]# hwclock Wed 09 Dec 2015 11:18:53 AM EET -0.610627 seconds [root@ossec ~]# date Wed Dec 9 11:18:54 EET 2015 Monday, 7 December 2015, 12:09:40 UTC+2, Maxim Surdu wrote

[ossec-list] Re: alert for logging outside working hours

2015-12-08 Thread Maxim Surdu
Alert is working fine! In kibana the log is coming with *2015 Dec 08 17:45:20*, in the mail the alert is coming with *2015 Dec 08 07:45:20*, not 17:45 or 05:45 but 07:45, and this can be problematic. Monday, 7 December 2015, 12:09:40 UTC+2, Maxim Surdu wrote: > > Hi everyone, > > I am new

[ossec-list] Re: alert for logging outside working hours

2015-12-08 Thread Maxim Surdu
The correct time is shown in kibana. Monday, 7 December 2015, 12:09:40 UTC+2, Maxim Surdu wrote: > > Hi everyone, > > I am new in Ossec, i configure ossec-server and ossec agent, all is > working formidable! > but i need to create an alert to show me people who are logging

[ossec-list] alert for logging outside working hours

2015-12-07 Thread Maxim Surdu
Hi everyone, I am new in Ossec, I configured ossec-server and ossec agent, all is working formidable! But I need to create an alert to show me people who are logging in outside working hours on my system, server or agent. For example, my company working hours are Monday-Friday from 09.00 until 18.00