Re: [ossec-list] deploying ossec-agents with puppet

2013-12-01 Thread Stephane Rossan
Sure. I've been sick and I didn't pay much attention to this group list. On Wed, Nov 27, 2013 at 3:34 AM, rockands...@gmail.com wrote: thanks for the explanation and for the manifest, Stephane! yes, i have an ossec user with the uid 5, so I will adapt this now. at the moment i only have

[ossec-list] OSSEC for Sumologic

2013-08-09 Thread Stephane Rossan
Like Splunk, Sumologic just released several applications to help parse logs. OSSEC is one of them. You can find details at this URL: http://www.sumologic.com/applications/ossec/ Sumologic is a Splunk competitor, and is a SaaS provider, using cloud services exclusively. -Stephane

Re: [ossec-list] Re: A little help with a decoder

2013-08-09 Thread Stephane Rossan
In your first email, I would suggest having a program_name entry for logger first, before the prematch section, so phase 2 will be filled. -Stephane On Fri, Aug 9, 2013 at 9:54 AM, David Blanton david.blanton...@gmail.com wrote: Okay this is pretty weird. I wanted to start from scratch

Re: [ossec-list] Issue with Overwrite option and rule 533

2013-03-13 Thread Stephane Rossan
Christian On 13.03.2013 18:16, Stephane Rossan wrote: Hi all, I use Ossec 2.6 on my server and unix clients. Recently, I tried to tune rule 533, and set the level of alert from 7 to 6. In my setup, 6 doesn't generate email alerts. After a few hours of this implementation, I noticed

Re: [ossec-list] Issue with Overwrite option and rule 533

2013-03-13 Thread Stephane Rossan
I'm testing it at the moment... Thanks. On Wed, Mar 13, 2013 at 2:26 PM, dan (ddp) ddp...@gmail.com wrote: On Wed, Mar 13, 2013 at 2:07 PM, Stephane Rossan steph...@rossan4.com wrote: I know. I've been banging my head on this one. I cannot figure out the issue. I guess I will have to change

Re: [ossec-list] Rule creation to suppress email alert

2013-02-26 Thread Stephane Rossan
' -c config  Read the 'config' file  -D dir  Chroot to 'dir' I hope it helps. On Tue, Feb 26, 2013 at 12:46 AM, Fredrik fredrik.ke...@gmail.com wrote: Hi Stephane, Thanks for your post! Sorry, my bad - the example I sent was generic and not an exact message from the logs :( Please find

Re: [ossec-list] Rule creation to suppress email alert

2013-02-25 Thread Stephane Rossan
I don't see how your log is related to rule 1002 (<if_sid>1002</if_sid>). I suggest you remove this line as well. You can test your new rule with ossec-logtest -f; it will give you insight into your rule hierarchy. -Stephane On Feb 25, 2013 2:56 PM, Kevin Kelly ke...@whitman.edu wrote: I believe

Re: [ossec-list] More detailed parsing of sudo

2013-01-22 Thread Stephane Rossan
' Level: '7' Description: 'sudo shell execution' **Alert to be generated. -Stephane.

[ossec-list] ERROR: Invalid ID for the source ip

2012-12-07 Thread Stephane Rossan
Hi all, I just installed OSSEC 2.7 on linux, and noticed the following error messages in ossec.log: 2012/12/07 21:51:33 ossec-remoted(1408): ERROR: Invalid ID for the source ip: 'x.x.x.x'. It is filling up the file quickly, any idea what the issue is? Thanks, -Stephane

Re: [ossec-list] Re: scp the key on the agent

2012-11-30 Thread Stephane Rossan
I agree auto-registration a.k.a. ossec-authd is the easiest way to get keys. I already provided a puppet manifest using it in a previous post. With this method, you don't have to worry about scp/ftp/rsync of keys between server and clients. On Fri, Nov 30, 2012 at 5:25 AM, dan (ddp) ddp...@gmail.com

Re: [ossec-list] install ossec-agent through puppet

2012-11-27 Thread Stephane Rossan
Here is a copy of my ossec manifest. I've built an RPM to install OSSEC through puppet, and I use auto-registration to install agent clients on my unix hosts: class node_security::ossec::agent { # Define variables $ossec_server = extlookup(ossec_server) # Install

Re: [ossec-list] ossec-syscheckd - how to exclude directory

2012-11-07 Thread Stephane Rossan
I believe you have to use <ignore> for the file/directory you want to exclude: <ignore>/var/lib/backuppc</ignore> On Wed, Nov 7, 2012 at 3:01 PM, SupuS kope...@zserver.cz wrote: Hello, I would like to exclude directory /var/lib/backuppc from ossec-syscheckd completely. Ossec server is installed on the

[ossec-list] ossec-analysisd: ERROR: Compiled rule not found: if_bad_useragent

2012-04-02 Thread Stephane
Hi all, I need a rule for Apache to check if a bad useragent like Nikto, Zeus, WebReaper etc. is crawling a webserver. Additionally I need a file where all my forbidden useragents are listed. My first thought was to use the list tag in a rule like this: <rule id="109005" level="14">

Re: [ossec-list] ossec-analysisd: ERROR: Compiled rule not found: if_bad_useragent

2012-04-02 Thread Stephane
not found error. Thanks for the hint ;) I'll change that!! Stephane On Monday, 2 April 2012 15:21:29 UTC+2, Daniel Cid wrote: Can you take a look at the file src/analysisd/compiled_rules/compiled_rules.h to see if your new function is there? Also, did you re-run make and copy the new

[ossec-list] disconnected agents

2012-03-09 Thread Stephane Rossan
Hello, I just wanted to share my experience with disconnected agent status in agent_control. I have a setup with 200+ agents deployed; every agent was in a connected state until 2 days ago. I have some Windows agents but most of them are Unix (RedHat/CentOS/AIX). I have several VLANs,

[ossec-list] syscheck update

2012-03-05 Thread Stephane Rossan
? Let me know. Thanks, -Stephane R.

Re: [ossec-list] rule 1002 problem... did i completely miss something?

2012-01-09 Thread Stephane Rossan
unreachable) resolving 'rfc-ignorant.org/DS/IN': 2001:500:48::1#53' **Phase 2: Completed decoding. decoder: 'named' **Phase 3: Completed filtering (rules). Rule id: '12100' Level: '0' Description: 'Grouping of the named rules' I have an OSSEC 2.6 version installed. -Stephane

Re: [ossec-list] OSSEC RPM

2012-01-06 Thread Stephane Rossan
In my RPM, ossec-authd works; it just generates a lot of defunct processes, and restarting the daemon on a regular basis fixes that. On 1/6/12 8:08 AM, dan (ddp) ddp...@gmail.com wrote: On Fri, Jan 6, 2012 at 10:54 AM, Jason 'XenoPhage' Frisvold xenoph...@godshell.com wrote: On Jan 6, 2012, at

Re: [ossec-list] OSSEC RPM

2012-01-04 Thread Stephane Rossan
, autoregistration is a very nice feature to have. I created RPMs for x86_64 and i386 RHEL/CentOS 5 machines. I hope it helps. -Stephane On 1/4/12 5:02 PM, Joe S js.li...@gmail.com wrote: A few people have mentioned that they were working on making RPMs for OSSEC, given the issues with the Atomic RPMs linked

Re: [ossec-list] /var/ossec/queue/ossec/queue' not accessible

2011-11-28 Thread Stephane Rossan
It is usually due to a permission issue on the /var/ossec/queue/ossec directory. The ossec daemon cannot create the socket file. I had the problem in the past... In my setup: /var/ossec/queue has dr-xr-x---; /var/ossec/queue/ossec has drwxrwx--- On 11/28/11 7:50 AM, Toby t...@easyliveauction.com

Re: [ossec-list] Re: Unattended Agent Install

2011-11-15 Thread Stephane Rossan
In my environment, I use a combination of an OSSEC RPM (I built it) and puppet to download, deploy and auto-register my agents. I obviously use OSSEC 2.6. -Stephane On 11/15/11 10:53 AM, ninefofo ninef...@gmail.com wrote: Hey, it's noob again. Any direction I can take on unattended/silent installs

Re: [ossec-list] Large dynamic deployments

2011-08-11 Thread Stephane Rossan
Ossec 2.6 comes with an auto-registration mechanism. I tested it with Linux systems; it works great. However, I have no idea about Windows clients. On 8/11/11 8:54 AM, ScottyMace scottym...@gmail.com wrote: Any ideas on bulk deployment and the issues with key management? 3 scenarios: 1. 1500+

Re: [ossec-list] Re: Large dynamic deployments

2011-08-11 Thread Stephane Rossan
can register your clients with agent-auth. Be aware you will have to install openssl-devel before the compilation of your server/client. Without it, you will get an error message like wan't compile with SSL. -Stephane Rossan On 8/11/11 11:49 AM, ScottyMace scottym...@gmail.com wrote: Cool, were