On 2016-05-04 19:36, Antonio Querubin wrote:
Actually the script did break and assumed one of parameters was
dropped in commit 168cb2f. And the mistake wasn't caught until now.
I'll submit a patch shortly.
Good catch and thank you. I don't think the script ever worked, even
before the
On 07/13/2015 11:24 AM, theresa mic-snare wrote:
Hi,
any ideas on how to disable ossec-remoted (at least temporarily until I
have also agents configured)
thanks,
theresa
I believe if there are no agents configured to talk to the manager then
there will be no reason for starting it and it
On 07/08/2015 02:21 AM, Mcse Windows wrote:
Hi All,
I would like to know about reports like how many users have connected
USB drives to their desktops/laptops to copy data to pen drives, how
many users are uploading data to the cloud daily, how many users are
sending attachments via
On 07/01/2015 04:50 PM, Jon Price wrote:
I've had ~1000 agents connected to a single ossec server for the past 18
months. About ~2 months ago agents started dropping like flies.
I noticed many lines in the client.keys on the server have been replaced
with #*#*#*#*#*#*#. I believe this is
On 05/26/2015 12:03 PM, dan (ddp) wrote:
I think you can read the file with syslog-ng, strip off the OSSEC
specific header, and use syslog-ng to forward the log messages to
logstash. I feel like I looked into stripping the header many years
ago with syslog-ng, but I don't remember details.
On 06/26/2015 09:00 AM, Carl Hilinski wrote:
We have log files that must be kept for six years and we have log files
that must be kept for one year. Log files older than 6 years or 1 year
must be expunged after that period. For example, coldfusion logs need to
be saved for six years, but
On 06/16/2015 01:29 AM, horst knete wrote:
Hey guys,
while adding more and more ossec agents to our ossec server installation
we are running into the issue that ossec-analysisd has a CPU
consumption of about 85% and ossec-remoted of about 30% of a single
CPU thread.
There's no
On 06/10/2015 05:08 AM, H.Merijn Brand wrote:
Running ossec-hids-2.8.1 on OpenSUSE 13.2
I have several (trusted) IP's in /var/ossec/etc/ossec.conf's whitelist
section, like
--8<---
<global>
<white_list>127.0.0.1</white_list>
<white_list>^localhost.localdomain$</white_list>
On 05/27/2015 07:19 AM, Xavier Mertens wrote:
Hi Gil,
When I wrote this patch for OSSEC a long time ago (it was later
integrated into the main branch), my goal was not to create
geolocalized alerts. IMHO, to add this feature, it requires a lot of
patching because you need to define a new
On 05/19/2015 05:41 PM, Ryan Wendel wrote:
I'm working through how to use OSSEC and am humming along nicely. The
one thing I haven't figured out yet is how to run an agent on the OSSEC
server itself. Do I need to perform a separate installation? On Redhat I
noticed the service name is simply
On 2015-02-10 11:45, Jose Moreno wrote:
Hi Dan,
Thanks very much for the reply.
I'll go on trying to figure out why we need to restart ossec. Hope to
bring soon the findings
Kind regards,
Jose Moreno
I have observed this behavior in the past as well. CDB is supposed to
not require a
On 2015-01-27 14:43, Todd Courtnage wrote:
To answer my own question, simply adding the contents of client.keys
on one of my agents to the server client.keys file did not work. A
different error in the logs on the agent:
2015/01/27 20:34:51 ossec-agentd: WARN: Duplicate error: global:
0,
On 2015-01-13 1:07, BKeep wrote:
Does it make sense to ship all endpoint logs to the central log
repository then use rsyslog to redirect the logs to local files,
graylog2, and OSSEC?
I have deployed OSSEC in several environments over the years. My
preference is to use OSSEC agents for
On 2014-12-15 14:18, Bill Price wrote:
I'm trying to decode the following message:
Dec 11 06:27:14 snmpd[1469]: last message repeated 23 times.
The pre-coding phase of ossec-logtest reports:
**Phase 1: Completed pre-decoding.
full event: 'Dec 11 06:27:14 snmpd[1469]: last message repeated 23
On 12/12/2014 06:02 PM, Brent Morris wrote:
It should be noted that the decoders seem fine for me (and I suspect
everyone else). I think that github issue is bogus.
I think it is correct, but of course I could have made a mistake.
Follow what I posted above... basically, IIS Manager
On 2014-12-08 9:56, Damian Gerow wrote:
On Mon, Dec 8, 2014 at 10:39 AM, dan (ddp) ddp...@gmail.com wrote:
Possibly compromised systems shouldn't have control over a
database
they do not have control over. That's kind of the idea behind
sending
the hashes to the manager. It helps prevent
On 2014-12-02 7:07, GBNeil wrote:
Hi Folks,
Newbie question: are any specific rights required for Win Server 2008
to install/manage Ossec 2.8.1 Agents?
Thanks in advance for any help!
Administrator rights are required.
On 2014-12-01 6:03, Philipp Hoferichter wrote:
Hello Together,
is it possible to change the default User and Group for ossec?
Curious: why would you want to? OSSEC does a pretty good job at
establishing unique accounts with properly privilege-separated
processes.
On 2014-12-02 13:46, theresa mic-snare wrote:
hello community,
out of curiosity, i was wondering, is there any reason why ossec
installs everything in /var/ossec?
why not the usual directories /opt/ and /etc ?
is there any specific reason to this?
no judging, just wondering ;-)
i'm writing a
On 11/30/2014 10:04 AM, fi...@vivaldi.net wrote:
I thought that was the issue too, but I have 3.1 GB of free disk space.
http://www.ivankuznetsov.com/2010/02/no-space-left-on-device-running-out-of-inodes.html
On 11/30/2014 04:20 PM, fi...@vivaldi.net wrote:
Hi,
In a test installation, I noticed that if I add the /var/ossec directory to
the list of directories that syscheck should monitor, disk usage grows
really fast. In less than 2 hours, disk usage on a test system
doubled.
What's the
On 2014-11-18 6:55, DefensiveDepth wrote:
I have an OSSEC agent monitoring some Windows eventlogs through the
eventchannel config and then sending them to the OSSEC manager and
archiving them. The SIEM is then parsing the archive and indexing the
logs. Unfortunately, these eventlogs are
On 2014-11-18 9:04, Janaka Abeywardhana wrote:
Hi,
I have the same issue.
Agent 2.8 on Windows 2012.
Runs locally and adds/deletes the route and logs to active-response.log
If it works when you run it manually then I'll have to defer to the
current developers. It may be a combination of the
On 11/13/2014 11:24 AM, fanfan...@gmail.com wrote:
On Thursday, November 13, 2014 at 17:50:42 UTC+1, dan (ddpbsd) wrote:
On Thu, Nov 13, 2014 at 11:48 AM, fanf...@gmail.com wrote:
Hello
I want to ignore alerts when my client OSSEC reboots.
What is a
On 2014-11-05 5:49, priyonko chakraborty wrote:
Can you suggest your views on whether we can implement any rule to discard
the connection from an OSSEC agent to the servers if it crosses some
threshold. Like if we get an Event count after '2' of:
13179011-8264848 (62%), there should be some rule which
On 11/03/2014 09:51 AM, David Alston wrote:
Our security auditor is asking us to monitor our codebase for unintended
changes in production. We're currently ignoring the directory where the
code is stored, but need to change that. I'm hoping that I can find a
way to manually suppress alerts
On 2014-10-30 15:50, David Alston wrote:
Greetings!
I've been asked to do file integrity monitoring on the perl code that
we write and push out to our production servers.
Is there a way to tell OSSEC to do a one-time re-scan of the directories
our code is in and not send an alert? We don't want
On 2014-10-27 9:58, Art Mandler wrote:
The
<if_sid>31100</if_sid>
seems to be the problem, since 31100 doesn't exist in my version of
ossec.
Removing it means the rule matches nothing.
This is the version I am currently running. I have had one
false-positive where there was a '{' about 100 bytes
On 2014-10-27 14:09, dan (ddp) wrote:
Windows is odd (why does it put so many spaces in odd places?)
This highlights the need for a documented OSSEC log format. OSSEC
constructs the message as it sees fit but this will always be confusing
unless a standard is developed from which the log
On 10/25/2014 10:03 AM, Art Mandler wrote:
Hey folks -- Did anyone ever come up with a working solution for 2.8?
Does the rule I posted not work for you?
On 10/17/2014 11:46 PM, Antonio Querubin wrote:
SHA1 was deprecated in 2011 and disallowed after 2013 for signature
generation. For legacy signature verification and other non-signature
hash applications it's still acceptable.
Ref: NIST Special Pub 800-131A Table 9.
Thanks. Well, there ya
On 10/16/2014 06:38 AM, jason polachak wrote:
All,
Do you know if OSSEC is able to support these three DoD STIG
requirements?
Rule Title: The file integrity tool must be configured to verify ACLs.
Vulnerability Discussion: ACLs can provide permissions beyond those
permitted through the
On 10/15/2014 03:24 AM, de...@scratters.com wrote:
I have an application which OSSEC fits perfectly with, at least as far
as the security aspects of the problem are concerned - which is about
80% of my problem. However I'd also like some additional log monitoring,
which isn't so much security
On 10/15/2014 01:40 PM, Colin Bruce wrote:
What I have seen suggests that both are possible but every attempt I
have made has failed. It installs and runs but port 1514 is never opened
so although it will send reports about itself no other agent can
connect. Although the conf file in /etc has
On 10/13/2014 11:18 AM, David Masters wrote:
The whole purpose of this exercise is to not have to go to each
individual machine to input the key and configuration. We have over
3000 machines so that really is just not feasible. If the key server
is input manually when the software is
On 10/12/2014 04:34 AM, David Masters wrote:
I have searched through the listings and the internet and cannot seem to
find a solution to this issue.
We have approximately 3200 computers (Windows 7) that we are trying to
get configured with OSSEC. The agent is part of the image that we are
On 10/09/2014 09:04 PM, Erik Karnafel wrote:
Where can I find the log retention period on OSSEC.
I would like to increase the amount of days the logs are stored for, and
I’m not able to see that in the config file.
OSSEC has no log retention capabilities. Logs are kept indefinitely
unless
On 2014-10-04 5:30, Jan Andrasko wrote:
Hello Michael,
Thanks for sharing this. Any specific reason for the '.+' after the
'()'?
You are right, '.*' is better. Thanks for pointing this out.
Also, the ':' before ';' is not part of the exploit, so you may want
to remove that.
You are right
On 2014-10-02 8:08, Robert Moerman wrote:
Hello,
I've been trying to write a rule to detect CGI-based shellshock
attacks via the apache log parser, but I find the signature doesn't
fire (even when I see the string in the apache logs):
DETECT () { :; }; IN URL STRING
<rule id="12
On 2014-10-03 9:12, Jan Andrasko wrote:
<rule id="120003" level="13">
<if_sid>31100</if_sid>
<regex>()\.+{\.+:;};</regex>
<description>Shellshock Attempt</description>
<group>attack,</group>
</rule>
Thanks for sharing this. Any specific reason for the '\.+' after the
'()'? I'm not sure you'll
On 2014-09-24 14:06, dan (ddp) wrote:
Turning off realtime gave me some alerts.
** Alert 1411585150.5153: mail - local,syslog,syscheck,
2014 Sep 24 14:59:10 localhost-syscheck
Rule: 554 (level 15) - 'File added to the system.'
New file '/var/test/eleven' added to the file system (Old md5sum
On 2014-09-23 10:40, Eric Johnfelt wrote:
The active-response script that comes with the Windows agent is just
hopelessly broken... here is why...
It didn't work at all prior to 2.8. At least it works now from the
command line (with the latest update). As to why it only works that way
On 2014-09-23 13:05, Eric Johnfelt wrote:
Don't take my comments as disparaging. Given our networking team
refuses to do *any* active-response from the core down to the edge
devices... even though we have all the tools for it and no policy or
funding from senior leadership, OSSEC really has
On 09/22/2014 11:11 AM, dan (ddp) wrote:
Michael hasn't updated the status of that bug in a while, so I'm
guessing it's still an issue.
Yup, it's still an issue. Not much else to say unless someone needs me
to try some things.
On 2014-09-19 8:13, Abhi wrote:
After starting OSSEC on the new server, around 22 agents started
reporting correctly, but only for about an hour. After that, most
of the agents dropped off, leaving the active count at only 4.
This might be an issue with the rids. Try deleting the files in
On 2014-09-18 19:47, Dave Martin wrote:
If I delete another rule, the one in question can be added with no
errors. I guess we can only have 17 rules. :-)
I suspect there is a syntax error in there somewhere. An element might
not be closed. What happens with the rule in there and then running
On 2014-09-19 4:21, Chard wrote:
Hi,
I'm looking into Centralized agent configuration with OSSEC.
I understand that you create the file var/ossec/etc/shared/agent.conf.
But does this need to include all the default config of ossec as well
as any additional option I may add? eg include this.
On 09/17/2014 09:22 AM, SoulAuctioneer wrote:
I want to do a lot of work on the Windows agent to try and make it
better. One of the big changes I have planned is getting rid of the
Windows GUI. In my opinion the GUI doesn't provide enough value to make
it worth maintaining the fairly
On 2014-09-17 10:15, James M. Pulver wrote:
If you're a Windows admin who's afraid of the command line, I doubt
you'll be one for long. Doubly so if you can't do scripting...
Maybe so, but why make someone's job more difficult? I think his point
is that in the Windows world, a configuration
On 2014-09-15 10:17, MDACC-Luckie wrote:
All:
The standard deployment instructions in our group for installation of
the OSSEC (2.6) agents on servers is to set ACTIVE RESPONSE as
disabled. There is some question/concern by our management that this
was not done on all servers. Are there any
On 2014-09-12 8:30, Randy Dover wrote:
I have been running OSSEC HIDS for several years. It is currently
installed on Centos, ver 5.1. I looked in the documentation to see
what versions of Centos are supported but didn't see any.
I tend to run Debian-based (Mint) for desktop and Redhat-based
On 2014-09-08 19:45, Jay Bittner wrote:
One problem I've noticed in the logs, which isn't very helpful, is
that for some 'Windows Logon Success' events (Alert 1410221611),
it often puts 'ANONYMOUS LOGON' or 'SYSTEM' instead of the
actual user account that logged in. But on other
On 2014-08-29 1:43, rsmarti...@gmail.com wrote:
Dear all,
I have an Ossec manager and some agents, and I would like to add a
second manager in active-standby or active-active mode.
Is it possible to configure high availability in Ossec? Is there any
documentation about it? I'm not able to find it.
On 09/07/2014 07:19 PM, Brian Kellogg wrote:
Due to the amount of logs we will be throwing at OSSEC these two log
files will get extremely large very fast; 100s of Gigabytes in a day. I
do not need to keep a history of them as we capture the archives.log
file via syslog-ng to ELSA and the
On 2014-09-05 14:21, Brian Kellogg wrote:
I have some ASA logs I need to write custom decoders for but they
contain less thans and greater thans. How do I handle these in the
decoders regex? thanks
Sep 05 2014 12:08:37: %ASA-4-722051: Group VPN_GROUP User tsmith
IP 1.2.3.4 IPv4 Address
On 09/02/2014 04:13 PM, Bonnie Beeler wrote:
OSSEC has reported these files have changed. I did a search on the
machines for file changes and those files don't show as being modified
on the reported date. Does anyone know why these files might show as
changed?
Try calculating the checksum
On 09/02/2014 03:42 PM, Bonnie Beeler wrote:
Yes, they all have the same time, Windows and Linux. I'm not sure what
you mean by I assumed you knew what you were doing when you posted I
have been into ossec for all of 1 week with my new job, so I don't know
a whole lot about it, other than to
On 2014-08-25 8:44, Ullman, Mitch wrote:
I know this is a no-no, but have you tried with SELinux on permissive
or disabled?
OSSEC does not require SELinux to be disabled nor does it require any
changes to policy.
On 2014-08-25 11:50, Ullman, Mitch wrote:
Good to know. I always turn a suspicious eye toward SEL, though.
Fair enough. I suppose I should mention that using the WebUI would
require a change to SELinux policy since it is trying to access things
outside of the web root.
On 08/24/2014 06:41 PM, Greg Hall wrote:
Hi,
I am getting inundated with netstat port change alerts:
Rule: 533 fired (level 7) - Listened ports status (netstat) changed
(new port opened or closed).
I understand check_diff compares the current netstat output against an
entry in an
On 2014-08-05 4:01, morgan cox wrote:
Just to add i'm having the same issue on Windows 2008/2012 servers
with AR and Ossec 2.8
https://groups.google.com/forum/#!topic/ossec-list/bTAbuvSZKGo
I found a couple more issues, so try the attached instead (rename to
.cmd). Can I just say that
On 08/05/2014 04:01 AM, morgan cox wrote:
Just to add i'm having the same issue on Windows 2008/2012 servers with
AR and Ossec 2.8
https://groups.google.com/forum/#!topic/ossec-list/bTAbuvSZKGo
Well, I wasn't able to find the working version, but the shipped version
seems to be close. Can
On 2014-08-14 8:02, kinomakino wrote:
I was reading about the UDP buffer but don't know how much to increase it;
I'm studying it. Have you got any parameter reference about this?
These settings are about right for me in an environment with 300-500
EPS.
# Increase UDP buffer size to 128MB due to
On 2014-08-09 8:01, Randy Dover wrote:
I am performing a vulnerability scan internally (using OpenVAS on
Kali). I am getting the alerts below.
Is there a way to filter or exclude these events if they are coming
from the server that OpenVAS (Kali) is installed on? Either by IP
address or server
On 2014-08-06 5:16, Ameya Bhatkal wrote:
Hi Everyone,
I have setup OSSEC 2.8 Manager using Security Onion 12.04 LTS. The
Ossec Client agents have been installed on 6 Windows machines.
I receive alerts for file additions and modifications but not when the
monitored files are deleted.
Have you
On 2014-08-01 8:03, James Whittington wrote:
I am trying to get Active Response working on a Windows 2012 server.
I enabled AR in the local Windows 2012 OSSEC config file.
On the agent side OSSEC Log I get some warnings about some linux shell
based active responses not being present (which
On 2014-08-01 12:34, James Whittington wrote:
- It referenced %WINDIR% and %OSSECPATH% and I didn't see those
defined anywhere so I'm not sure where it came from
This is a definite issue. It's like that on mine too. There should be a
function in there to pull that from the registry and
On 2014-07-31 9:43, Luc Paulin wrote:
Hi Everyone,
I am currently setting up OSSEC due to a PCI requirement. Most of
everything is now fully set up, but now I have a question.
How do I handle alerts generated by the system? I mean, as per PCI my
understanding is that we must prove that for each alert
On 2014-07-30 9:28, James Whittington wrote:
I have seen several examples of decoders folks have written for IIS
7.
I have tried out a couple of different ones yet each time the
ossec-logtest stops at the windows-date-format decoder.
This is something I have in my local decoder file that I
On 2014-07-29 15:04, morgan cox wrote:
Any ideas how to troubleshoot why it's not dropping?
What happens if you run it manually?
On 2014-07-23 4:56, Christian Beer wrote:
Hi, I downloaded the Benchmark paper and took a quick look.
The question is what is to be done? As I understand the document, one has to
copy the script snippets from the audit sections into the CIS text
files
and annotate them with some information, right?
This
On 07/16/2014 09:55 PM, Lance A. Brown wrote:
I have a request to tune the output of Rule 18152: Multiple Windows
Logon Failures. They would like:
Ok, let's step through this. Unfortunately, we'll probably end up at a
point where I show that it won't work, but the process is important to
On 07/18/2014 08:59 AM, Alexander Pietrasch wrote:
Yeah, you're right, but in our infrastructure we have Windows clients and it
is one more step to set up a cronjob on every system.
Ryan posted a good solution. Don't forget that the Windows agents need
active response enabled in ossec.conf.
On 07/11/2014 09:02 AM, sgtze...@googlemail.com wrote:
You ask, "is it really necessary to detect multiple user IDs?" I'd say
yes, because I want to avoid false positives. We have several fine,
upstanding clients on our servers with incorrectly configured devices
that regularly poll the server with
On 2014-07-10 7:38, Farnsworth, Robert wrote:
Yes it comes from an e-mail alert. I'll check out the client.keys
Thanks, for the reply.
This must be coming from something other than OSSEC. Do you use the
Atomic version or Alien Vault?
On 2014-07-07 10:07, Randy Dover wrote:
How should I comment it out?
I edited syslog_rules.xml (in
The way I edited it was:
# rule id='1003'...
# description...
# /rule
So, in essence, I just put a # in front of each of the lines.
That didn't work. I'm still getting the emails. And getting a
On 2014-07-01 12:51, Jeremy Rossi wrote:
Just tested and confirmed this is fixed in master. I am going to start
the process of cutting a new release tonight to get this fix out.
Please also look at issue #236, which may be related.
On 2014-06-30 8:59, Randy Dover wrote:
I am getting frequent Rule: 1003 fired) emails:
Received From: (ServerName) ###.###.###.### (ServerIP) -WinEvtLog
Rule: 1003 fired (level 13) - Non standard syslog message (size too
large).
Portion of the log(s):
I have tried modifying this rule
On 06/28/2014 05:18 AM, Gerard Petersen wrote:
Is it acceptable operating procedure for ossec to clean
out the database without stopping the agents or is there temporary agent
shutdown involved?
Yes. Just run ./bin/syscheck_control -u id
One more thing I noticed. All hits that are not around
On 06/16/2014 05:49 AM, Gerard Petersen wrote:
I've been thinking about stopping the daemons, running the updates, and
forcing the checks when restarting them. This would result in controlled
output bursts, but also in increased risk due to the daemons temporarily
not watching the system ... So,
On 06/27/2014 04:18 PM, OSSEC junkie wrote:
Is it possible to expand the amount of monitoring and logging that OSSEC
currently has in regards to the Windows Event Viewer log for System,
Application, and Security? Meaning, I want OSSEC to record every single
event recorded into the event viewer
On 2014-06-24 13:59, Aaron HotelBravo wrote:
So I am completely new to OSSEC and I am currently getting spammed
with alerts from my OSSEC testing. This is an example of one of the
alerts.
Received From: (hostname) IP-WinEvtLog
Rule: 18151 fired (level 10) - Multiple failed attempts to perform
On 2014-06-18 7:57, Jeremy Rossi wrote:
One of the things that has become more and more clear is that people
expect ossec to do this. Be it bad docs that are not clear, or
something else. Part of me agrees that use the correct tools for the
job, but why ship the logs twice? And more
On 2014-06-18 11:08, Darin Perusich wrote:
Seriously? OSSEC is FAR from a replacement for centralized syslog
server, and to think it is folly IMO. Can OSSEC guarantee it will
receive all incoming logs? Can OSSEC store those logs in multiple
format, text, sql database? How does OSSEC handle the
On 2014-06-17 3:17, horst knete wrote:
Hey Guys,
we are implementing an OSSEC installation in our environment due to
the great functionality of the system.
We have agents on both Linux and Windows and the log shipment is
working fine.
But as we tested what happen if the OSSEC Server goes
On 2014-06-17 15:46, Janelle wrote:
Hi all,
Just a question -- I want to logall - and that part is easy, BUT -
would anyone know of a way to NOT log the commands that are being
monitored?
They kind of mess up the database since command results can be
multi-line and more. I want to just log all
On 2014-06-17 16:31, Janelle wrote:
Trying to send archives to a syslog server for archival, and it
can't handle all the extraneous code.
Ah, yes. I have done this as well and had this problem with keepalives
and such. Another issue is that the ossec log format isn't syslog. It
looks like
On 2014-06-17 16:40, ronnie...@verizon.net wrote:
Hello,
How would I go about installing the agent on Server Core since we
don't have a GUI installed?
Try the installer with the /S switch.
On 06/15/2014 12:37 PM, Nicolas Zin wrote:
Ok,
on which distribution are you?
Because I recompiled ossec 2.8 for ubuntu precise, and geoip works for me.
CentOS release 6.4 (Final)
On 06/14/2014 02:18 PM, Nicolas Zin wrote:
did you also install the geoip database:
wget http://geolite.maxmind.com/download/geoip/database/GeoLiteCity.dat.gz
gunzip GeoLiteCity.dat.gz
wget http://geolite.maxmind.com/download/geoip/database/GeoLiteCityv6-beta/GeoLiteCityv6.dat.gz
gunzip
On 2014-06-13 4:56, Gary Mason wrote:
I used to get this on 2.6 and still get them on 2.7.1
Presumably the snapshots in 2010 didn't have a full fix.
Would like to know the implications of this - is it really a bug that
can be ignored or is there something else going on under the surface ?
On 06/13/2014 06:37 PM, Dan Crichton wrote:
I added GeoIP support on OSSEC 2.8 based on the instruction from
http://www.ossec.net/files/ossec-hids-2.7-release-note.txt
and I get the following error message:
Starting OSSEC: ossec-maild(2302): ERROR: Invalid definition
for
On 06/13/2014 10:41 PM, Michael Starks wrote:
How do I fix that?
From your install dir
cd src
make setgeoip
cd ..
./install.sh
Of course you probably already did that. I don't have a problem starting
ossec, but I do see stuff like this:
Src IP: 117.26.249.228
Src Location: Unknown (4
On 2014-06-09 8:49, Dan Kennedy wrote:
Good day all. It seems like I'm seeing a very odd issue with regard to
Windows events coming through to the OSSEC management server. I've set
this up before without any configuration changes received all the
events I wanted from the Windows end point (a
On 2014-06-09 10:01, Dan Kennedy wrote:
Thanks for the reply. I know that the console is running 2.7 I
believe the agents are 2.8 as I upgraded them shortly after I put the
2.7 ones onto the systems. I'll revert those agents to 2.7 test a
bit, then report back. Thanks kindly!
Dan's right.
On 06/07/2014 07:58 PM, Michael Starks wrote:
-'Installed on' date in Windows Agent Manager is incorrect.
Also, the seconds field is cut off since the window is no longer
resizeable, but that field is probably not even necessary.
On 06/08/2014 01:32 PM, PAL 18 wrote:
I upgraded OSSEC, and on service startup I get this error:
ossec-analysisd: Configuration error. Exiting.
In ossec.log, I tracked it down to:
2014/06/08 14:27:00 ossec-testrule: INFO: Reading local decoder file.
2014/06/08 14:27:00 ossec-analysisd:
On 06/08/2014 05:46 PM, awiddersh...@hotmail.com wrote:
That window was never resizable. It had a resize bar but that never did
anything. How is the version not correct? It pulls that from the
VERSION.txt file each time. That should get updated upon installing a
new version:
On 06/04/2014 11:58 AM, Steven Stern wrote:
# ps -ef | grep ossec
ossecm   17982     1  0 11:55 ?  00:00:00 /var/ossec/bin/ossec-maild
root     17984     1  0 11:55 ?  00:00:00 /var/ossec/bin/ossec-execd
ossec    17990     1  0 11:55 ?  00:00:00 /var/ossec/bin/ossec-analysisd
On 2014-06-05 15:49, Bjoern Schwabe wrote:
The client.keys looks like this:
002 xp2 172.16.215.128 c3e69f757b182a39aa78e73824f6673b720c01fe8a24d92f74be647d40671fc3
Your key has been compromised. It would be a good idea to change it now.