Hi all,
How can I parse JSON log format with ossec?? According to the docs, the
closest log format supported by ossec is multiline, but I don't see
how I can configure this ...
--
CL Martinez
carlopmart {at} gmail {d0t} com
--
---
You received this message because you are subscribed
but then discovered a couple of issues that we would like to
address first. The most recent beta is pretty stable, though, and will
be pretty close to what is in 2.7.1.
Many thanks, Michael
rule 1002 will always
be a false positive ...
On 09/08/2012 02:24 AM, JB wrote:
There may be an option (c), using regular expression:
<group>aa|bb|cc</group>
Good. The configurations exposed previously don't work. I will try this.
Is it possible to disable rule 1002 only for this case?? For example,
when my custom-openbsd-pf decoder is used, disable rule 1002 ...
Thanks.
-server
and on serverB:
<ha-server>
  <master_server>A.A.A.A</master_server>
  <sync_rids_allowed>yes</sync_rids_allowed>
  <bi-directional_sync_rids>yes</bi-directional_sync_rids>
</ha-server>
This approach could be useful to sync, for example, local_decoder.xml
or rules.
On 08/26/2012 01:10 AM, Michael D. Wood wrote:
I had the same problem and compared the backslash forward slash to a
known working system. I had to actually delete the agent file from the
/var/ossec/rids directory (don't quote me on the directory, I'm on my
phone, can't check for accuracy).
telnet.exe
1 File(s) 79,872 bytes
0 Dir(s) 149,738,332,160 bytes free
C:\Windows\System32
Thanks.
and Settings/All Users/Start Menu/Programs/Startup'
label not allowing ossec access to the file.
MAC label?? Uhmm, maybe you are right ... What permissions do I need to
set up on this binary??
At this moment SYSTEM, Administrators and Users have Read & Execute ...
Only TrustedInstaller has full control ...
On 08/25/2012 10:27 PM, carlopmart wrote:
On 08/25/2012 10:18 PM, Michael Starks wrote:
On 08/25/2012 02:17 PM, Ryan Schulze wrote:
forward slash, backslash problem ?
'C:\Windows/System32/telnet.exe' != 'C:\Windows\System32\telnet.exe'
'C:\Windows/System32/telnet.exe is correct. I
After updating my ossec server to the latest release on bitbucket, I see
this error on the manager side:
ossec-logcollector(2301): ERROR: Definition not found for:
'logcollector.remote_commands'.
What does it mean??
On 07/07/2012 04:31 PM, carlopmart wrote:
After updating my ossec server to the latest release on bitbucket, I see
this error on the manager side:
ossec-logcollector(2301): ERROR: Definition not found for:
'logcollector.remote_commands'.
What does it mean??
Ok, it seems a new option under
Hi all,
Is it possible to configure a command on an ossec agent to read a
tcpdump binary file?? For example:
<localfile>
  <log_format>command</log_format>
  <command>tcpdump -nv -ttt -r /var/log/pflog</command>
</localfile>
Could this work??
a lot of events).
Maybe these problems can be solved in the next ossec release: using a real
MTA like postfix or qmail instead of ossec-maild, and modifying
ossec-remoted, when it is used to receive a lot of syslog messages, to use
rsyslog or syslog-ng to do this task ...
On 05/05/2012 09:13 PM, dan (ddp) wrote:
\p?
Otherwise, provide a sample please.
On May 4, 2012 4:18 PM, carlopmart carlopm...@gmail.com
mailto:carlopm...@gmail.com wrote:
Hi all,
I am trying to write a new decoder to process CEF log formats, but
I have problems escaping
Hi all,
I am trying to write a new decoder to process CEF log formats, but I
have problems escaping '|'. For example:
<regex offset="after_prematch">^\d\|\d+\|</regex>
doesn't work ... How can I escape the '|' special character??
Thanks.
On 05/01/2012 02:14 AM, dan (ddp) wrote:
On Apr 30, 2012 4:11 PM, carlopmart carlopm...@gmail.com
mailto:carlopm...@gmail.com wrote:
Hi all,
I have several problems with the ossec-remoted process and ossec's
syslog remote options. My ossec server is configured to receive syslog
messages
: 10.200.101.207; proto: tcp; product:
VPN-1 FireWall-1; service: 443; s_port: ;'
**Phase 2: Completed decoding.
No decoder matched.
Where is the problem??
:
192.168.74.18; dst: 10.200.101.207; proto: tcp; product: VPN-1 FireWall-1;
service: 443; s_port: ;'
**Phase 2: Completed decoding.
No decoder matched.
Where is the problem??
??
Thanks.
: fastestmirror
Loading mirror speeds from cached hostfile
Setting up Install Process
Package binutils-2.17.50.0.6-20.el5.i386 already installed and latest
version
Nothing to do
Where is the problem??
Hi all,
Does somebody know how these files can be reloaded without stopping the
server processes?? Something like kill -HUP ossec_service.pid??
=FreeBSD works??
thanks.
Works!!
On 04/14/2012 08:00 PM, dan (ddp) wrote:
It should work.
On Apr 14, 2012 1:57 PM, carlopmart carlopm...@gmail.com
mailto:carlopm...@gmail.com wrote:
Hi all,
I have configured a centralized agent configuration. But I have 5
FreeBSD servers that I need to control using
consolidate in one report several
group alerts??
On 10/27/2011 01:55 AM, Michael Starks wrote:
On 10/26/2011 07:15 AM, carlopmart wrote:
b) Ability to use agent collectors. For example, for remote locations,
one server acts as a collector for a remote LAN and forwards all alerts,
logs, etc. to the central OSSEC server.
You should be able do
,
etc until ossec-central-server will be up.
Thanks Daniel.
, this is what I need, but without using syslog, and
ossec-server1 and ossec-server2 will be able to store all alerts, logs, etc.
until ossec-central-server is up.
Thanks Daniel.
Use the syslog forwarder to forward to a local rsyslogd. Use the
advanced
until server
push new agent.conf file ...
Bye.
/manual/agent/agent-management.html). Server
configuration is kept separately.
Bye.
://linux.cern.ch) is:
[root@lorien]# cat /etc/redhat-release
Scientific Linux CERN SLC release 6.0 (Carbon)
Hi Daniel and member lists,
Daniel, is it possible to include ScientificLinux and derived distros
like SL CERN (http://linux.cern.ch) in the cis_rhelX_linux_rcl.txt audit
file for the next ossec release??
Thanks.
Hi all,
Where can I find a changelog or list of new features for the next ossec
version?? I am very interested to know whether it is possible to install the new
ossec version in an HA environment in a more accurate manner than now.
Thanks.
On 03/10/2011 03:53 PM, dan (ddp) wrote:
reportd isn't really a daemon like the others, it's supposed to run
sometime around midnight.
It also looks like you have 2 <reports> sections squished together.
Then, do I need to create one <reports> section for each report??
Hi all,
Has somebody tried to install the ossec agent for Windows 2.5.1 on a
Windows 2008 R2 SP1 server?? I see on ossec's website that it is a 32-bit
client. Can I expect some problems??
Many thanks.
only.
On 03/08/2011 04:19 PM, Michael Starks wrote:
On Tue, 08 Mar 2011 14:39:20 +0100, carlopmart carlopm...@gmail.com
wrote:
Hi all,
Is it necessary to restart an ossec server when an agent is added? After
adding an agent, my ossec server says:
Really??
Well, not exactly. You should only have
of strange interaction
between /dev/shm, the clustering stuff, and OSSEC's checks. I'd hit up
support at redhat to see if they have any thoughts on the matter.
Many thanks Dan.
On 03/03/2011 06:29 PM, carlopmart wrote:
Hi all,
Recently my OSSEC server fired some strange alarms like this:
** Alert 1299172717.237104: mail - ossec,rootcheck,
2011 Mar 03 18:18:37 (rhelclunode02) 172.25.50.15-rootcheck
Rule: 510 (level 7) - 'Host-based anomaly detection event (rootcheck
disable option in agents.conf or individual agents' ossec.conf file?
using centralized configuration, only in agents.conf.
If anybody has example files, please post them; I will appreciate your great help.
-Satish
DEL REG 0,15
8736 /dev/shm/request_buffer-JI55eG
gfs_contr 1270root DEL REG 0,15
9002 /dev/shm/request_buffer-Gmeo3Q
Maybe it is a false positive?? Can I configure more verbose options
for this alarm??
Thanks.
md5sum needs to be the same on agent and server. And try to restart
ossec services on the agent side if needed ...
Syscheck last started at: Thu Mar 3 18:14:44 2011
Rootcheck last started at: Thu Mar 3 18:19:19 2011
md5sum needs to be the same on agent and server. And try to restart ossec
services on the agent side if needed ...
On 03/03/2011 09:24 PM, Nate Woodward wrote:
Hello,
Quick question: Can you specify multiple <system_audit> files in the
rootcheck section of ossec.conf/agent.conf, or is only one allowed?
You can specify multiple files ...
    <log_format>syslog</log_format>
    <location>/var/log/maillog</location>
  </localfile>
</agent_config>
On 02/25/2011 08:11 PM, dan (ddp) wrote:
People have shared rules on this list, the dev list, the IRC channel,
and probably other methods.
Does anyone think an ossec-rules mailing list would be useful?
IMHO, very very useful.
On 02/24/2011 10:35 AM, carlopmart wrote:
Hi all,
When the agent.conf file is modified, is it necessary to restart all services on the
OSSEC server side or only the ossec-remoted/ossec-monitord daemons ?? Or is
agent.conf
automatically read by the ossec server and pushed to the ossec client
On 02/24/2011 05:54 PM, carlopmart wrote:
On 02/24/2011 05:28 PM, carlopmart wrote:
Hi all,
As I explained in another email, I need to set up centralized agent configuration
for
my ossec client. With one ossec client that I previously installed without
configuring this feature at first, all works ok, but with a new ossec
/another.log</location>
    <log_format>syslog</log_format>
  </localfile>
</agent_config>
Thanks.
question. Is there some problem syncing the client.keys file between all the
servers that make up the HA??
Thanks.
=audit(1293039242.349:133): user pid=14323 uid=0 auid=1000 ses=1
msg='cwd=/tmp/f/csf cmd=2F62696E2F6C73202D6C61 terminal=pts/3 res=success'
Do I need to change user for acct in my local_rules.xml??
Thanks.
=? addr=? terminal=cron res=success''
**Phase 2: Completed decoding.
decoder: 'auditd'
... but the alert isn't generated ...
On 12/22/2010 10:19 PM, dan (ddp) wrote:
Many thanks for your help dan.
Not a problem. Can you post your final decoder for the archives? It
might help someone else looking to do the same thing.
Of course, no problem. Here it is:
decoder
will get all the logs of the agent, correct?
Thanks.
that if the ossec server is stopped, the ossec agent stores logs and alarms
until the ossec server returns??
with OSSEC
these three hosts.
Thanks.
On 12/15/2010 07:38 PM, carlopmart wrote:
Thanks Dan.
I have installed ossec as a server, disabling rootcheck, syscheck and active
response.
But when I launch the ossec init script, syscheckd is started. How can I prevent
syscheckd from
starting??
Thanks.
Ok, it appears that the agent and the server
. But when I launch the ossec init script, syscheckd is started. How can
I prevent syscheckd from starting??
Thanks.
I think, in the syscheck section, you can add
<disabled>yes</disabled>. I don't see it in the documentation, but I
see references in the source
On 12/15/2010 08:49 PM, Michael Starks wrote:
On Wed, 15 Dec 2010 18:38:23 +0100, carlopmart carlopm...@gmail.com wrote:
Hi all,
Does somebody know if it is possible to do two different installations on
the same host, one as an agent and another as a server??
Sure:
http
have tried it, and it doesn't work. Syscheckd is started ...
But does it do anything? If the process runs but doesn't do anything
does it matter that it runs?
You can also stop it from running by modifying the ossec-control
script. It's an easy little
Hi all,
Is it possible to configure some ossec natted agents to connect to an ossec
server? How can I configure the ossec server to distinguish them?? I have five
linux hosts to monitor, but they are behind a natted firewall.
Many thanks
Hi all,
Has somebody tried to install ossec 1.x or 2.x under RedHat Cluster Suite
(4.x/5.x)?? I need to support an HA configuration for my agents and servers ..
Thanks.
Hi all,
How can I update from 1.5.1 to the 1.6 release?? I can't find anything about this
in the OSSEC docs ...
Kevin Reiter wrote:
carlopmart wrote:
: Hi all,
:
: How can I update from 1.5.1 to the 1.6 release?? I can't find anything
: about this in the OSSEC docs ...
Just run the installer - it will detect a previous version and ask you if
you'd like to upgrade.
this behavior?
*btw, can you provide more information to us? (
http://www.ossec.net/wiki/index.php/Community_manual:BugReport )
Thanks,
--
Daniel B. Cid
dcid ( at ) ossec.net
On Fri, Jun 27, 2008 at 11:37 AM, carlopmart [EMAIL PROTECTED] wrote:
Please any hints about
Ok, I have found where the problem is: my laptop mounts a remote nfs share that
contains 20 iso images using 75GB of data ... when syscheck starts, it checks everything
in
this nfs share. I have included it in the ignore section and now all works as expected
...
Sorry for the noise ...
carlopmart wrote
Hi all,
I see this link about configuring snort with ossec, but the link is broken ...
Does somebody know where I can find the original doc??
Many thanks.
Please any hints about this??
carlopmart wrote:
Hi Daniel,
I have compiled and executed ossec-rootcheck with these results:
[EMAIL PROTECTED] rootcheck-1.5]$ sudo ./ossec-rootcheck
** Starting Rootcheck v1.5 by Daniel B. Cid**
** http://www.ossec.net/en/about.html#dev-team
://www.ossec.net/en/rootcheck.html
*Note that very few things changed from 1.5 to 1.5.1, so could this
problem be there before
and you never noticed? Also, does the CPU go down after a while?
Thanks,
On Sun, Jun 22, 2008 at 7:57 AM, carlopmart
Hi all,
Today I installed ossec 1.5.1. When the syscheckd process starts, it consumes all
free CPU (sometimes reaching 99% or 100%)... Using ossec 1.5, syscheckd
doesn't produce this type of problem ... How can I fix this??
Many thanks.
[EMAIL PROTECTED] wrote:
Dear all,
Please help me on how to provide high availability, active-active or
active-standby, to OSSEC solution. I need to focus on client
server ;-)
thank you in advance
Panom N.
Use Redhat Cluster Suite, also on CentOS
of your logs, it can be very helpful..
Thanks,
Hello Daniel,
I don't have any problem sharing my firewall logs. If you need them, please
contact me.
Many thanks.
On 10/31/07, carlopmart [EMAIL PROTECTED] wrote:
Hi all,
Is cp firewall-1 log
Hi all,
Is the cp firewall-1 log format supported? If not, is there some option to record
alerts via ossec-agent to ossec-server?
Thanks.
this config from server automatically to the agents. Is it possible???
Thanks.
Scott Speirs wrote:
carlopmart wrote:
Hi all,
I have installed ossec 1.3 on two rhel5 servers. On both servers ossec
generates this alert??
OSSEC HIDS Notification.
2007 Sep 12 09:51:32
Received From: xenhost-rootcheck
Rule: 510 fired (level 7) - Host-based anomaly detection event
/module/sbs/parameters/capacity_mode' is owned by root and has
written permissions to anyone.
What does it mean???
Hi all
Does somebody know if it is possible with ossec 1.3 to send agent logs to the
server every 30 min., for example? And can an agent wait until the server is
up after the server system goes down??
Many thanks.