You have to change the frequency value on each host. Changing the value on the
manager will not affect the frequency on the agents.
For the centralized configuration, you will need to use the file
/var/ossec/etc/shared/agent.conf. The values in agent.conf will be combined
with the agent's
The alerts need to be from ossec, not the cisco device directly. You can run
the asa logs through logtest to get this format.
-Original Message-
From: Kai
Sent: 01/26/2011 5:20:45 AM
Subject: [ossec-list] Generating Cisco ASA Reports
Hello,
I'm trying to create a report based on a
Logtest outputs to stderr, so you'll have to redirect it with that in mind.
ossec-logtest -a > file 2>&1 should save it to file.
-Original Message-
From: Kai Renz
Sent: 01/26/2011 8:35:21 AM
Subject: Re: [ossec-list] Generating Cisco ASA Reports
Maybe I just found the solution:
cat
Alerts.log only gets alerts. The syslog client in ossec only sends alerts. Not
all log messages will get forwarded from the manager to an external syslog
server.
-Original Message-
From: Saket
Sent: 01/04/2011 6:49:57 PM
Subject: [ossec-list] Consolidating ossec.log and
I'm on my mobile, so this will be short and simple. I'll add detail later.
I think you're going about this the wrong way. Look for the full_command
documentation. I think that's a better path to follow for this task (for now).
The full_command options will let you run your search on the agents
Check the limits set for users, for instance open files limits.
-Original Message-
From: Marcos Tang
Sent: 12/15/2010 12:27:09 AM
Subject: [ossec-list] ossec-remoted can't be started on OSSEC server when the
number of OSSEC agents is larger than the default value
Hi,
I am deploying
They will be merged. I have configurations for both OS and name for my systems,
and they work together.
-Original Message-
From: Castle, Shane
Sent: 12/08/2010 7:45:56 PM
Subject: [ossec-list] Another question about shared/agent.conf
I have read the online doc and I still have a
This isn't restart-free, but I set up an active response to restart agents when
agent.conf has changed.
-Original Message-
From: Jefferson, Shawn
Sent: 10/21/2010 12:31:14 PM
Subject: RE: [ossec-list] Re: Day 4: What bugs you: problems, challenges and
room for improvement.
I'd like
It's available in 2.5.1.
You can try the logall option, it might help.
Make sure your listening ports are changing too.
-Original Message-
From: Jefferson, Shawn
Sent: 10/16/2010 12:40:21 PM
Subject: Re: [ossec-list] RE: Checking Open Ports
Looks very similar to mine.
I put a rule for
Do you mean the check_diff feature? I'd give you a link, but I'm on my mobile...
There isn't an official roadmap, basically if you want a feature you code it
and submit, or find someone who'll do that for you.
-Original Message-
From: Tim Eberhard
Sent: 10/09/2010 12:15:51 PM
Subject:
Oops, I meant the report_changes option in syscheck, check_diff is different.
-Original Message-
From: Tim Eberhard
Sent: 10/09/2010 12:15:51 PM
Subject: [ossec-list] dev roadmap?
All,
I hate to ask such a basic question but after browsing/googling I have been
unable to find any kind
Are you talking about the WUI? If you are, it's a permissions problem. Check to
make sure the user apache runs as is in the correct groups.
-Original Message-
From: menachem tauman
Sent: 10/09/2010 2:10:16 PM
Subject: [ossec-list] install Problem
Dear Sir
I am trying to test your
Not really. You could stop syscheck, clear the db, update, and restart
syscheck. But that seems like a lot of work.
-Original Message-
From: Toby
Sent: 10/09/2010 2:36:42 PM
Subject: [ossec-list] Reducing noise during updates
Is there a way to tell OSSEC that I'm going to run Windows
book and it made no mention of that feature.
Excellent stuff, I greatly appreciate the response. I'll check it out and read up.
Sorry to add white noise to the list.
-Tim Eberhard
On Oct 9, 2010, at 1:55 PM, ddp...@gmail.com ddp...@gmail.com wrote:
Oops, I meant the report_changes option
Check your syscheck configuration in ossec.conf/agent.conf. The error it
provides before the SF may be a clue. Feel free to post your config if you
would like more assistance.
-Original Message-
From: kai-uwe.schu...@t-systems.com
Sent: 09/28/2010 5:45:16 AM
Subject: [ossec-list]
the same baseline? (so no update when a file is modified)
Thank you.
On 2 sep, 15:21, dan (ddp) ddp...@gmail.com wrote:
On Thu, Sep 2, 2010 at 9:01 AM, ItsMikeE goo...@ernstoff.net wrote:
When syscheck is run for the first time it creates a baseline of files
to be monitored.
In the event
install on the Macs and then de-install the compiler once ossec has
been install
Thanks in advance for all the help.
Regards
/MemoHerdez.
On Wed, Aug 25, 2010 at 7:25 AM, dan (ddp) ddp...@gmail.com wrote:
What part of the installation are you having issues with? If the
development tools
when I look at the decoder.xml, I don't see
anything regarding syscheck
On Sep 2, 6:52 pm, dan (ddp) ddp...@gmail.com wrote:
There's a rule for when a log is rotated, so I'm guessing it might
fire if the log file was cleared.
If the logfile is modified and it changes inodes ossec may start over
I don't have the link handy, but you can search for command on ossec.net to
find it. You'd basically be looking for the full_command option.
-Original Message-
From: Jason 'XenoPhage' Frisvold
Sent: 09/04/2010 11:25:24 PM
Subject: Re: [ossec-list] ossec check_diff and netstat
4.7.
I created the binary package as this server doesn't have gcc installed due to
security implications. I thought the 2.6 kernel has support for real time
monitoring.
On Thu, Jul 29, 2010 at 11:06 AM, dan (ddp) ddp...@gmail.com wrote:
According to the manual it will. Are you sure it was compiled
What version of gcc?
-Original Message-
From: George Ochola
Sent: 07/28/2010 3:45:06 AM
Subject: [ossec-list] Error Installing OSSEC Agent on HP-UX
Dear All
I have installed GNU gcc compilers on an HP-UX box but when I run the OSSEC agent
installation I get the error below; does anybody have
The configurations you mentioned belong in the ossec server's ossec.conf.
I believe all entries that match an agent in the agent.conf will be merged.
After the md5s change you have to manually restart the agent's ossec processes.
-Original Message-
From: Mark F
Sent: 07/26/2010 3:51:20
You installed the binaries in the wrong location?
When install.sh was run originally, was /opt/ossec entered as the location
you'd like ossec to be installed in?
The error message is pretty clear. The program expects to live in /var/ossec,
but can't.
-Original Message-
From: Devendra
Check the documentation (the localfile section of the general configuration
options in the manual); there is a limited amount of globbing you can do in the
localfile configs.
-Original Message-
From: Nikolaidis Fotis
Sent: 07/23/2010 12:56:00 PM
Subject: [ossec-list] Ossec directory
Those are PHP errors, not ossec errors. It looks like they're from ossec-wui.
It looks like the functions in the messages are getting the wrong arguments.
You can look at the functions in the php documentation to see what they expect.
-Original Message-
From: Dave
Sent: 07/23/2010
Find a replacement for ereg_replace(), and use it.
-Original Message-
From: Timothy
Sent: 07/21/2010 10:27:07 PM
Subject: [ossec-list] Re: Web UI
Hi with reference to my previous post, I made it home and I am posting
a bunch of the php errors
Deprecated: Function ereg_replace() is
I think people generally use the install from precompiled binaries method for
installing on esx. There's probably more info in the google groups archives.
-Original Message-
From: ewall
Sent: 07/21/2010 4:30:33 PM
Subject: [ossec-list] OSSEC agent on VMware ESX 3.5?
Hello,
They are not hardcoded, and do not have to be the same on every system.
-Original Message-
From: ItsMikeE
Sent: 07/22/2010 6:12:16 AM
Subject: [ossec-list] UID and GID of ossec
I have done one server installation and one agent installation of
ossec.
In both cases the user ossec was
You can configure ossec to help with this. If the DoS is just eating up
bandwidth it might be a bit harder to do than if the DoS is trying to eat up
CPU/RAM.
-Original Message-
From: jjennings
Sent: 07/21/2010 3:37:49 PM
Subject: [ossec-list] ossec usage
I joined the list to try and
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
On Jul 20, 2010, at 12:57 PM, ddp...@gmail.com wrote:
At this point, it may be significantly outdated. I'm guessing parts of it
will be useful, and other parts not so much.
Well that sucks.. Just got the book today and started leafing through
-Original Message-
From: Jason 'XenoPhage' Frisvold
Sent: 07/20/2010 9:52:10 AM
Subject: Re: [ossec-list] ossec.conf on server and on clients
-BEGIN PGP SIGNED
The first time the syscheck process runs it creates a baseline database. On
subsequent runs it should compare the new info to the older db. I do not know if
these checks are done after it has finished its run, or if it checks for
changes as it goes through the fs.
If you're using a realtime
Nope. Right now (and I have no idea if this will ever change) there's no way to
change this behavior.
Sent from my Nokia phone
-Original Message-
From: Thomas K. Rosin
Sent: 06/28/2010 8:20:36 AM
Subject: Re: [ossec-list] Centralized agent configuration: How to overwrite
complete
somewhere to speed things up???:) maybe I don't know. thanks
though
On Jun 21, 2:35 pm, dan (ddp) ddp...@gmail.com wrote:
Are these entries in both the ossec.conf on the agents producing the
errors, and in the agent.conf?
If so, that's where this error is coming from. Put the entries in one
,
That W in your decoder should be a w. Other than that, your
decoder works for all of our environments (Redhat, Solaris, SuSE,
Mac).
Cheers!
Trevor
On Jun 9, 3:35 pm, dan (ddp) ddp...@gmail.com wrote:
Thanks for pointing that out. I've submitted a couple of fixes
(including an addition similar
keep the local logs or
does it stop logging locally and send everything wholesale to the
remote syslog?
On Jun 10, 3:56 pm, dan (ddp) ddp...@gmail.com wrote:
You could set up rsyslog to listen for udp messages on a loopback
address, and use ossec's csyslog to forward messages to it.
Probably
The agent.conf will be pushed out automatically, but it could take some time.
Restarting the ossec server usually speeds that process up.
After the file has been pushed to the agents, you will have to restart them.
agent_control -R is the easiest way.
Sent from my Nokia phone
-Original
The agents forward the logs to the server, the server decodes them. The rule
files don't exist on the agent, and I think all configurations that you
mentioned exist only on the server.
Sent from my Nokia phone
-Original Message-
From: tswmmeejs...@gmail.com
Sent: 04/27/2010 4:21:34 AM
dan (ddp) ddp...@gmail.com
</regex>
<description>Windows update probes</description>
</rule>
</group>
By the way, I'm running the latest version, and it was installed
fresh.
-Brian
On Apr 14, 8:34 pm, dan (ddp) ddp...@gmail.com wrote:
If rule 24 is your custom rule, it looks like it isn't being applied.
Try adding
For some reason the ossec server is refusing the connection. Is a firewall
running on that host, or between the server and agent, that may be blocking the
connection? Is sshd running on the server?
Check the logs for sshd issues. On Linux hosts it'll probably be in
/var/log/messages.
Sent from
Anything in the logs (server and agent)?
Sent from my Nokia phone
-Original Message-
From: Lucio
Sent: 03/23/2010 2:42:32 PM
Subject: [ossec-list] Down agents
Hello,
I'm using OSSEC agents version 2.3. I'm having an issue with
the state of the agents. Many of them appear in
Just write a script to use ufw instead of iptables. Then configure ossec to use
your script,
Sent from my Nokia phone
-Original Message-
From: Ian MacIntosh
Sent: 02/07/2010 6:38:40 PM
Subject: [ossec-list] Ubuntu and Ossec
Is there a way to have OSSEC active-response use ufw instead
I've considered setting up a github project for this, but haven't gone beyond
that.
Sent from my Nokia phone
-Original Message-
From: Nicholas Ritter
Sent: 02/05/2010 10:40:29 PM
Subject: [ossec-list] rule/decoder repository?
This question may have been asked before, but I was curious
Wouldn't you need to allow dport 587 (tcp) out? I may be misreading the
iptables commands though.
Sent from my Nokia phone
-Original Message-
From: Alekto Antarctica
Sent: 01/02/2010 10:51:02 AM
Subject: Re: [ossec-list] Re: Ossec V.2.3 - (g)mail problems
Hi once again!
I have
The name in the alert should tell you which agent it was. It looks like this
agent's name is dhcp? Make sure to give each system a unique identification
name when adding the agents, and each system should be added with its own
unique entry.
Sent from my Nokia phone
-Original Message-
Everything should work just fine. When adding the agent make sure you specify
the dhcp range as the IP address.
Sent from my Nokia phone
-Original Message-
From: Dave S
Sent: 12/12/2009 7:00:13 PM
Subject: [ossec-list] Agents under DHCP
How does OSSEC handle agents running on systems
Of ddp...@gmail.com
Sent: Thursday, December 10, 2009 8:11 PM
To: ossec-list@googlegroups.com
Subject: RE: [ossec-list] Possible agent_control bug
Anything in the logs on the server or misbehaving agents? Is active response
enabled on the agents? Did agent 002 successfully connect to the server?
dan
Sent from my Nokia phone
-Original Message-
From: Kirk Frankovich
Sent: 12/10/2009 5:19:04 PM
Subject: [ossec-list] Possible
.
Craig
On Dec 5, 7:40 am, ddp...@gmail.com ddp...@gmail.com wrote:
Is ossec-remoted running? I think that is the process that listens for
connections (I don't have access to anything at the moment so I can't check).
If not try running it in debug mode.
dan
Sent from my Nokia phone
-Original Message-
From: Mundus
Sent: 12/04/2009 9:15:59 PM
Subject:
You are correct. Ossec-wui does not use the database.
dan
Sent from my Nokia phone
-Original Message-
From: jaturley
Sent: 12/03/2009 2:32:30 PM
Subject: [ossec-list] What is database output used for
I have installed OSSEC with mysql database support enabled. I have
also setup the