Volotinen eero.voloti...@iki.fi wrote:
2012/4/24 Mike Sievers saturnge...@googlemail.com:
Hi,
ossec version is 2.6
md5sum: 5a8582fbad878819fdcc598d15902b57 /sbin/init
(don't know yet if it is ok)
Mike
2012/4/23 dan (ddp) ddp...@gmail.com
What version of OSSEC?
Does the md5 check with rootkit hunter.
Alex
Sent from my BlackBerry smartphone MTN Congo
--
From: Mike Sievers saturnge...@googlemail.com
Sender: ossec-list@googlegroups.com
Date: Sun, 22 Apr 2012 14:41:17 +0200
To: ossec-list@googlegroups.com
ReplyTo: ossec
Hi List,
on my opensuse 12.1 I found:
Trojaned version of file '/sbin/init' detected. Signature used: 'HOME' (Suckit rootkit).
I hope this is a false positive, isn't it?
And some alerts like this:
File '/dev/.sysconfig/network/config-lo' present on /dev. Possible hidden file.
???
Hi List!
Is it possible to use a cron job to delete old files?
Is it really necessary to stop / start ossec for this job?
Best regards,
Mike
29, 2010 at 2:25 AM, Mike Sievers
saturnge...@googlemail.com wrote:
Yes.
Remove the line from the file client.keys?
2010/10/28 dan (ddp) ddp...@gmail.com
I don't understand the question. Are you trying to re-use an ID?
On Thu, Oct 28, 2010 at 2:38 AM, Mike Sievers saturnge...@googlemail.com wrote:
... I now created a new id/key and it works.
Is it also possible to remove an ID instead of only an agent?
2010/10/21 dan (ddp) ddp...@gmail.com
On Thu, Oct 21, 2010 at 7:42 AM, Mike Sievers
saturnge...@googlemail.com wrote:
Hi list,
the server was already connected and there is no firewall
yes, active response is enabled
the process is still running
???
2010/10/26 dan (ddp) ddp...@gmail.com
On Tue, Oct 26, 2010 at 9:15 AM, Mike Sievers
saturnge...@googlemail.com wrote:
Hi,
the ossec.log said:
ossec-agentd(1210): ERROR: Queue '/queue/alerts/execq' not accessible
Hi Dan,
ok, I did it and now I am waiting.
How do I select specific nodes?
Mike
2010/10/26 dan (ddp) ddp...@gmail.com
There is no srcip decoded in the log message (and no IP at all).
Remove that line and it should work.
On Tue, Oct 26, 2010 at 9:25 AM, Mike Sievers
saturnge
Hi List,
for example: (server1=agent)
OSSEC HIDS Notification.
2010 Oct 26 15:06:00
Received From: (server1) 192.168.224.49-/var/log/messages
Rule: 1002 fired (level 2) - Unknown problem somewhere in the system.
Portion of the log(s):
Oct 26 15:06:26 server1 libvirtd: 15:06:26.774: error :
Hi,
the ossec.log said:
ossec-agentd(1210): ERROR: Queue '/queue/alerts/execq' not accessible:
'Queue not found'.
After a reboot of the machine, the folder is empty:
ls -a /var/ossec/queue/alerts
(no file)
???
Mike
is very old at this point.
On Wed, Oct 20, 2010 at 12:49 AM, Mike Sievers
saturnge...@googlemail.com wrote:
good morning
I will try what you wrote me (sregex).
This also does not work:
<agent_config>
<syscheck>
<directories check_all="yes">/boot</directories>
</syscheck>
Hi list,
the server was already connected and there is no firewall.
I still can't connect agent and server, but why?
2010/10/21 13:36:39 ossec-agentd: INFO: Trying to connect to server (192.168.2.11:1514).
2010/10/21 13:37:00 ossec-agentd(4101): WARN: Waiting for server reply (not started).
:03 AM, Mike Sievers
saturnge...@googlemail.com wrote:
hi dan (and list)
yes, the agent conf was copied and I restarted all
but there is something different now:
(agent.conf)
<agent_config name='n001'>
<syscheck>
<ignore>/etc/ppp/chap-secrets</ignore>
file is not ignored
my version is 2.3
2010/10/19 dan (ddp) ddp...@gmail.com
On Tue, Oct 19, 2010 at 10:03 AM, Mike Sievers
saturnge...@googlemail.com wrote:
Hi list
I am using ossec with agents. But they don't use the:
/var/ossec/etc/shared/agent.conf file
I really have no idea and no error log.
What can have happened?
What tests are possible?
agent_control says:
ID: 005, Name: n001, IP: 192.168.40.2, Active
Best,
Mike
</agent_config>
maybe the syntax is simply wrong?
Mike
2010/10/19 dan (ddp) ddp...@gmail.com
On Tue, Oct 19, 2010 at 9:38 AM, Mike Sievers
saturnge...@googlemail.com wrote:
...@gmail.com
Did the agent receive the new agent.conf?
Did you restart the agent processes afterwards?
On Thu, May 20, 2010 at 4:35 AM, Mike Sievers
saturnge...@googlemail.com wrote:
Hi List,
it looks like ossec is ignoring my agent.conf.
But why?
My test is very simple:
<agent_config>
<localfile>
<location>/var/log/my.log</location>
<log_format>syslog</log_format>
</localfile>
</agent_config>
I have no file my.log, so I expected to get an error like:
ossec-logcollector
Hi all!
Yes, the agent was restarted.
This is my agent.conf
<agent_config name="test1|test2">
<localfile>
<log_format>syslog</log_format>
<location>/var/log/rc.dhcpd.log</location>
</localfile>
<syscheck>
<directories check_all="yes">/boot</directories>
</syscheck>
</agent_config>
... looks like there is a problem with the name in agent.conf. I used the hostname.
What kind of names should I use?
--
To unsubscribe, reply using remove me as the subject.
Hi List!
The agent.conf was pushed from the server to the agent,
but the agent still only uses the ossec.conf file.
(for testing I added a new directory to check: <directories check_all="yes">/boot</directories>)
What can be wrong?
what about:
netstat -an | grep 1514 ?
Hello List,
how do I remove an ID '007' already present? (They must be unique.)
Provide the ID of the agent to be removed (or '\q' to quit): 007
Confirm deleting it?(y/n): y
2010/03/22 08:56:15 manage_agents(1102): ERROR: Not enough Memory. Exiting.
Best,
Mike
Hi List!
Is it possible to change the alerts.log format? I would like to
receive an alert in just one line.
Like:
2010 Mar 12 10:18:39 host-sec-syscheck , ** Alert 1268385519.244686:
mail - ossec,syscheck, Rule: 550 (level 7) - 'Integrity checksum
changed.', Src IP: (none) ,User: (none),
Hi all!
I set up ossec as a server, but for example
./manage_agents only shows:
* OSSEC HIDS v2.3 Agent manager. *
* The following options are available: *
(I)mport key from the server (I).
(Q)uit.
Info: this is a local installation
Agent ID: 000 (local instance)
On 24 Feb., 19:46, dan (ddp) ddp...@gmail.com wrote:
On Wed, Feb 24, 2010 at 3:56 AM, Mike Sievers
saturnge...@googlemail.com wrote:
Hi!
For me ./agent_control -R 000 does not work:
2010/02/24 09:55:26 agent_control
and it didn't seem to work
for me. agent_control -R agent_id restarted the process and kicked off
a syscheck scan just fine though.
On Fri, Feb 19, 2010 at 8:48 AM, Mike Sievers
saturnge...@googlemail.com wrote:
Hi!
There are no errors in my log file
How can I check if active response
agent_control requires active response be enabled.
Are you getting any errors in the log files?
On Fri, Feb 12, 2010 at 9:51 AM, Mike Sievers
saturnge...@googlemail.com wrote:
Hi list,
after installing new patches, I want to start the integrity check to
get the messages soon and not after a few hours. I tried agent_control -r -u, but with no success.
Was that wrong?
Andy
problem was resolved
On 10 Feb., 15:31, Mike Sievers saturnge...@googlemail.com wrote:
Hello List!
I can't start ossec as agent because of:
2010/02/10 15:02:03 ossec-agentd(1103): ERROR: Unable to open file '/etc/client.keys'.
2010/02/10 15:02:03 ossec-agentd(1750): ERROR: No remote connection configured. Exiting.
The file client.keys exists. It was created with manage_agents.
001
please look at ossec.log
Mike
On 10 Feb., 10:05, Ozgur Ozdemircili ozgur.ozdemirc...@gmail.com wrote:
The installation of Ossec went well, yet when I restart the server with
/var/ossec/bin/ossec-control restart it comes up with the following
error:
2010/02/10 10:00:06 ossec-syscheckd(1210):