We also had the same trouble getting the central config to work until we were
told that active-response had to be enabled on the clients first. I don't
think that is documented anywhere, but it is what got our central config to
start working.
Patrick Swartz
-Original Message-
From:
: Swartz, Patrick H
Subject: agent-auth (4000 limit)
Hi: I just ran into this issue over the weekend - did you find a solution?
On 2/14/12 9:54 AM, Swartz, Patrick H patrick.swa...@firstdata.com
wrote:
Hi Dan,
Yes we use the -D option. I have reason to believe that we are hitting a
hard-coded limit
Hi All,
When using the syslog output, is it possible to send the output to two
different syslog servers?
This is what I have in our server's ossec.conf --
<syslog_output>
<server>192.168.246.96</server>
<port>514</port>
</syslog_output>
<!-- Splunk -->
<syslog_output>
Hi All,
I need a second set of eyes. For some reason I can't seem to get Ossec to
generate alerts for syscheck rules any longer. I can use syscheck_control to
see the files are being recognized as changed, but no actual alerts are being
generated.
I'm using Ossec 2.6 on Linux for the
Hi All,
Another Solaris compile issue. This time with Solaris 8 (yes, I know it is old
and unsupported).
We modified the Makeall file to point to the openssl headers, but it still
fails. This is with Ossec 2.6.
root# find /usr/local -name opensslconf.h
My apologies for posting w/o a subject line...
Patrick Swartz
-Original Message-
From: ossec-list@googlegroups.com [mailto:ossec-list@googlegroups.com] On
Behalf Of Swartz, Patrick H
Sent: Thursday, February 16, 2012 4:59 PM
To: ossec-list@googlegroups.com
Subject: [ossec-list
not working - internal error
How are you running ossec-authd? Do you need the -D /opt/ossec flag
for agent-auth? Is there already an n1dpmmgr2 agent? Maybe check
permissions on the client.keys file.
On Fri, Feb 10, 2012 at 11:32 AM, Swartz, Patrick H
patrick.swa...@firstdata.com wrote:
Hi All
I
Message-
From: ossec-list@googlegroups.com [mailto:ossec-list@googlegroups.com] On
Behalf Of Swartz, Patrick H
Sent: Friday, February 10, 2012 10:32 AM
To: ossec-list@googlegroups.com
Subject: [ossec-list] agent-auth not working - internal error
Hi All
I ran across an issue last night that I
Hi All
I ran across an issue last night that I can't find an answer for. In our
environment we have 2 machines setup as Ossec servers (due to
geographic/firewall rules), one of them responds fine when a client sends the
key request using 'agent-auth -m 10.10.10.1 -D /opt/ossec', however,
Hi All,
Well, with RH, SuSE, and Solaris10 out of the way.. now on to AIX5.3...
I tried compiling the OSSEC package on an AIX 5.3 system
and I get these errors
5- Installing the system
- Running the Makefile
*** Making zlib (by Jean-loup Gailly and Mark Adler) ***
gcc -c -g
@googlegroups.com
Subject: Re: [ossec-list] Solaris compile with SSL support help
On Tue, Jan 17, 2012 at 11:45 AM, Swartz, Patrick H
patrick.swa...@firstdata.com wrote:
Hi Dan,
Well.. that helped it compile .. however, even though I didn't see any errors
when I run the agent-auth command I get the error
-list@googlegroups.com] On
Behalf Of dan (ddp)
Sent: Wednesday, January 18, 2012 7:53 AM
To: ossec-list@googlegroups.com
Subject: Re: [ossec-list] Solaris compile with SSL support help
On Wed, Jan 18, 2012 at 8:44 AM, Swartz, Patrick H
patrick.swa...@firstdata.com wrote:
Hi Dan,
I tried adding
@googlegroups.com] On
Behalf Of dan (ddp)
Sent: Wednesday, January 18, 2012 8:40 AM
To: ossec-list@googlegroups.com
Subject: Re: [ossec-list] Solaris compile with SSL support help
On Wed, Jan 18, 2012 at 9:14 AM, Swartz, Patrick H
patrick.swa...@firstdata.com wrote:
Ugh... please ignore my question
@googlegroups.com
Subject: Re: [ossec-list] Solaris compile with SSL support help
I'm guessing it didn't work?
Try adding -I/usr/sfw/include/openssl to the CFLAGS line of
src/Config.Make (add it before ${CPATH} )
On Mon, Jan 16, 2012 at 4:19 PM, Swartz, Patrick H
patrick.swa...@firstdata.com wrote
Hi All,
We are trying to compile Ossec 2.6 on Solaris (starting with Solaris
10) with SSL support.
Here is what we have -- System: SunOS 5.10
It appears that the headers are at -- /usr/sfw/include/openssl
aes.h conf.h err.h obj_mac.h rc2.h
stack.h
Of Jason 'XenoPhage' Frisvold
Sent: Wednesday, January 11, 2012 6:53 PM
To: ossec-list@googlegroups.com
Subject: Re: [ossec-list] 2.6 compile error on RHEL3u9
On Jan 11, 2012, at 3:34 PM, Swartz, Patrick H wrote:
Hi All,
I need to compile 2.6 on a RHEL3u9 server but it fails
Hi All,
I need to compile 2.6 on a RHEL3u9 server but it fails at the
os_auth phase. The following Openssl packages are installed --
openssl-0.9.7a-33.23, openssl096b-0.9.6b-16.46, and
openssl-devel-0.9.7a-33.23
We need the compile to be built with openssl.
Here are the messages during
-
From: ossec-list@googlegroups.com [mailto:ossec-list@googlegroups.com] On
Behalf Of dan (ddp)
Sent: Wednesday, January 11, 2012 3:17 PM
To: ossec-list@googlegroups.com
Subject: Re: [ossec-list] 2.6 compile error on RHEL3u9
On Wed, Jan 11, 2012 at 3:34 PM, Swartz, Patrick H
patrick.swa
] On
Behalf Of Swartz, Patrick H
Sent: Wednesday, January 11, 2012 3:34 PM
To: ossec-list@googlegroups.com
Subject: RE: [ossec-list] 2.6 compile error on RHEL3u9
Hi Dan,
Thanks for the quick reply..
Here is what is installed on the build server:
rpm -qa|grep krb5
krb5-workstation-1.2.7-64
krb5-devel
, Jan 11, 2012 at 4:38 PM, Swartz, Patrick H
patrick.swa...@firstdata.com wrote:
Update.. that Kerberos header is under -- /usr/kerberos/include/krb5.h ...
Is this just a matter of telling the ossec compile where to look? If so, how
do I do that?
Thanks!
Patrick Swartz
-Original
/path/to/text/file
That should work. If not, just add -I/usr/kerberos/include to the
CFLAGS line and give it a shot.
On Wed, Jan 11, 2012 at 5:17 PM, Swartz, Patrick H
patrick.swa...@firstdata.com wrote:
Please forgive this noobie question.. how does one apply said diff?
Patrick Swartz
I would be glad to help with any testing for this. I have multiple flavors
(SLES[9-11] RHEL[3-6] - 32bit/64bit) and a wide variety of hardware to test
with. I can't be much help with the actual spec file, but willing to help with
the testing.
Patrick Swartz
-Original Message-
From:
I'm trying to setup ossec-authd using Daniel's instructions at
http://dcid.me/2011/01/automatically-creating-and-setting-up-the-agent-keys/
But, I get this error when trying to run:
/bin/ossec-authd -d
ERROR: Not compiled. Missing OpenSSL support.
Could
The online manual states that log monitoring for Agentless is slated
for sometime in the future. Does anyone know when that might come to
fruition?
Thanks,
Patrick Swartz
-
The information in this message may be proprietary and/or
@googlegroups.com
Subject: Re: [ossec-list] Agentless log monitoring
There's nothing special planned that I'm aware of. Remote syslog
covers most devices.
On Mon, Oct 10, 2011 at 10:15 AM, Swartz, Patrick H
patrick.swa...@firstdata.com wrote:
The online manual states that log monitoring for Agentless
Is the communication between the OSSEC manager and an agentless agent
encrypted? Or is it dependent on the RPC method used?
Thanks,
Patrick Swartz
Dan,
Since the wui is a dead project, and you suggest using a modern and
maintained
Project, can you give suggestions as to what some of those are?
I have looked at the Ossec-Splunk project, but it seems almost as dead,
the maintainer doesn't answer any questions and there isn't a newsgroup
like
@googlegroups.com [mailto:ossec-list@googlegroups.com] On
Behalf Of dan (ddp)
Sent: Monday, September 05, 2011 1:32 PM
To: ossec-list@googlegroups.com
Subject: Re: [ossec-list] Rule help please
What is your real goal? This thread is a jumbled mess.
On Fri, Aug 26, 2011 at 10:35 AM, Swartz, Patrick H
lead me to believe that ossec-logtest cannot be used, but I don't
know.
Thank you for any input,
Patrick Swartz
-Original Message-
From: ossec-list@googlegroups.com [mailto:ossec-list@googlegroups.com] On
Behalf Of Swartz, Patrick H
Sent: Sunday, August 28, 2011 8:47 AM
To: ossec-list
,
--
Daniel B. Cid
dcid ( at ) ossec.net
On Fri, Aug 26, 2011 at 11:35 AM, Swartz, Patrick H
patrick.swa...@firstdata.com wrote:
Hi All,
I apologize for troubling the list with what I thought was a simple
rule, but for the life of me I can't figure out why my rule isn't
firing.
I'm running
-
From: Swartz, Patrick H
Sent: Sunday, August 28, 2011 8:19 AM
To: ossec-list@googlegroups.com
Subject: RE: [ossec-list] Rule help please
I have setup a rule where one only has the if_group and the other only has
the if_sid and still neither fire. I have removed all rules except
Hi All,
I apologize for troubling the list with what I thought was a simple
rule, but for the life of me I can't figure out why my rule isn't
firing.
I'm running OSSEC 2.6 on SuSE 10 and am testing with a Linux and a
Windows client.
Here is part of my ossec.conf
directories realtime=yes
Hi All,
Can someone please point me in the right direction with the proper use of
the match tag.
Is there any difference in using:
<match>blah | blah1 | blah2 </match>
Versus:
<match>blah</match>
<match>blah1</match>
<match>blah2</match>
Is one way an AND and the other an OR, or am I completely
Hi All,
As I continue to understand the proper use of rules, I still have a few
questions.
Given this list of files/directories that need to be monitored:
/opt/Apache/httpd-2.2.12/conf/cmi_cntpay_p
/opt/Apache/httpd-2.2.12/conf/opnpmnt_cntpay_p
/opt/Apache/httpd-2.2.12/conf/sprt_cntpay_p
Hi Daniel,
Could you expand on the effects of disabling the counters? Understanding the
consequences would help us decide the best path to follow.
Thank you for all you do!
Patrick Swartz
UNIX Planning Engineering (DSUSSE)
First Data
402-777-7337 desk
402-871-8981 cell
-Original
with that logic, only to see that it is not working.
I'd love to be told that I am wrong, as this will make the config and
rules easier to maintain - but AFAIK, the ! nullifier option is not
within the scope of the OSSEC rules loading logic.
Assaf
Swartz, Patrick H wrote:
Hi All,
Question
Hi All,
Question about using the ! in the local_rules.xml for the hostname
tag, like the following...
<!-- Testing excluding specific files from specific servers -->
<rule id="100500" level="0">
<if_sid>550, 551, 552</if_sid>
<match>mdas</match>
<match>sgsdas</match>
(ddp)
Sent: Thursday, May 06, 2010 4:53 PM
To: ossec-list@googlegroups.com
Subject: Re: [ossec-list] excluded files rule
Are they simple enough to be able to use globbing for those files?
On Thu, May 6, 2010 at 9:25 AM, Swartz, Patrick H
patrick.swa...@firstdata.com wrote:
Hi All,
Using