I started getting queue and connection errors on my ossec 2.5.1 server that I can't seem to resolve. I tried a solution on the FAQ, but that only temporarily fixed the error. Here is a sample of the ossec.log file:
2010/12/03 12:17:34 ossec-logcollector: INFO: (unix_domain) Maximum send buffer set to:
, Michael Starks
ossec-l...@michaelstarks.com wrote:
Nicholas Ritter wrote:
I googled this question before posting and found no hits, I apologize
in advance if I have missed this discussion on the list. I want to
create rules that treat web application scans from McAfee ScanAlert
though, so regex is probably ok.
On Mon, May 10, 2010 at 9:42 AM, Nicholas Ritter ritter6...@gmail.com wrote:
The two different sets of log entry samples came from two different versions of Linux. The remote servers are spitting out the first log entries when the remote servers are RHEL
, May 7, 2010 at 11:16 AM, Nicholas Ritter ritter6...@gmail.com wrote:
I did some digging, and gained more insight into what is going on. It appears that CentOS and RHEL trigger alarms differently because of how su is set up on the systems out of the box. But because of the way the rules match
, 2010 at 4:48 PM, dan (ddp) ddp...@gmail.com wrote:
Can you give us log samples?
On Thu, May 6, 2010 at 3:38 PM, Nicholas Ritter ritter6...@gmail.com wrote:
I correct my email, I meant rule 5503.
On Thu, May 6, 2010 at 2:33 PM, Nicholas Ritter ritter6...@gmail.com wrote:
Has anyone noticed issues with OSSEC 2.4.1 when alerting on SU related
events from Linux based hosts? Our Solaris boxes are fine, but I noticed
that when an SU session (say su to root) on a linux box occurs, an alert is
tripped (rule id 5303) but something doesn't seem right because 5303 is a
Does OSSEC v2.3 do incremental checks on growing log files? Is there a need for such a capability?
This question may have been asked before, but I was curious if there was a repository of rules and decoders around, or plans to create one. Whereas it is understandable that most people would not share rules because they are either too custom or too security-sensitive in nature, it seems they may be
I dealt with this issue earlier this week. The OSSEC-for-splunk app is compatible with Splunk v3 only. You can get the app from the splunk site only when accessing through a splunk 3 install (or I have the tarball of the app.)
I don't know if the original author is planning a Splunk v4 OSSEC app
Sorry to say this after posting to the list. I figured out how to group
alerts. I am still a bit vague on the grouping and centralized management of
the rules for remote servers running OSSEC agents.
On Wed, Dec 30, 2009 at 1:06 PM, Nicholas Ritter ritter6...@gmail.com wrote:
Is there a way to (in OSSEC v2.3) group servers/agents for alert
notification and rule customization/execution? I noticed that I can do it
based on event severity, but is it possible to do it based on individual
servers, or groups of servers?
I have a centralized OSSEC system with OSSEC agents