Re: [ossec-list] Centralized-config os determination

2010-03-09 Thread oscar schneider
I don't know how it is determined by OSSEC, but you can see what OS is running on an agent by running /var/ossec/bin/agent_control -i [agent id]. It will, among other information, output the agent's OS. On Mon, Mar 8, 2010 at 2:59 PM, Jason s9u...@gmail.com wrote: I have a question about the

Re: [ossec-list] Local Rules Syntax

2010-03-09 Thread Daniel Cid
Hi, Can you post the alert you are trying to ignore? Your hostname syntax is correct and should have worked. Thanks, -- Daniel B. Cid dcid ( at ) ossec.net On Fri, Mar 5, 2010 at 2:47 PM, Jefferson, Shawn shawn.jeffer...@bcferries.com wrote: Thanks, that helps! I guess I still have the

Re: [ossec-list] Trojaned version of file '/bin/du' detected on a freshly installed system

2010-03-09 Thread Ivan Lezhnjov Jr.
On Monday 08 March 2010 13:49:34 Daniel Cid wrote: Hi Ivan, Hello Daniel, What distribution are you using? Can you run the following command: I run Arch Linux # strings /bin/du |grep -E '/dev|w0rm|/prof|file\.h' i...@sega:/home/ilj % strings /bin/du |grep -E '/dev|w0rm|/prof|file\.h'

Re: [ossec-list] Re: ossec-analysisd and ossec-logtest take about 3 minutes to start

2010-03-09 Thread Daniel Cid
Hi Doug, I have no clue as to what might be going on... syscheckd taking long doesn't matter, because it sleeps in the middle to save some CPU. All normal.. For analysisd and logtest to take that long, there must be something in your rules or environment that's causing all that delay. I never had

RE: [ossec-list] Local Rules Syntax

2010-03-09 Thread Branimir Pačar
Maybe you could write your rule like this: <rule id="..."> ... <hostname>snort01</hostname> <hostname>snort02</hostname> ... </rule> I'm not sure if it is going to work, but it doesn't hurt to try. Best regards, Branimir From:

Re: [ossec-list] can't install ossec as a server

2010-03-09 Thread Ozgur Ozdemircili
It seems you didn't install it as a server. I'd remove it and do the installation from the start. Özgür Özdemircili http://www.acikkod.org Code so clean you could eat off it On Mon, Mar 8, 2010 at 12:44 PM, Daniel Cid daniel@gmail.com wrote: Hi Mike, How did you install ossec? For some

Re: [ossec-list] Re: To overwrite or not to overwrite?

2010-03-09 Thread Daniel Cid
Hi Dave, When you use the overwrite option you should do that in local_rules.xml, not in the rule file itself. So whenever you upgrade, your rules will remain intact. As far as when to use which, I go with the overwrite whenever I am doing a small change, like modifying the frequency, level,

Re: [ossec-list] lost connectivity

2010-03-09 Thread Daniel Cid
Hey, What version of OSSEC are you using? If you are getting these alerts, it is because the manager didn't see any event from the agent for a while. If the agent wasn't shut down and starts sending events back again, the manager will not report that the agent has been reconnected... *if you are on

[ossec-list] Tomcat logs

2010-03-09 Thread Ozgur Ozdemircili
Hi, Did anyone have the chance to monitor Apache Tomcat logs with OSSEC? Which log format should we use? Decoder.xml entries? Thanks. Özgür Özdemircili http://www.acikkod.org Code so clean you could eat off it

Re: [ossec-list] Re: immediately scan after new installed patchen

2010-03-09 Thread oscar schneider
I have a few more questions regarding admin triggered updates of files monitored by syscheck. What would be the correct procedure to update the syscheck database without getting alerts? Does syscheck_update create alerts or is it a tool that is designed for updating the syscheck db without

RE: [ossec-list] Local Rules Syntax

2010-03-09 Thread Jefferson, Shawn
Hi, Sure, it's this: <group name="local,snort"> <rule id="100100" level="0" noalert="1"> <if_sid>20100</if_sid> <hostname>snort01|snort02</hostname> <description>Ignoring snort events</description> </rule> </group> -- Thanks, Shawn -Original Message- From: ossec-list@googlegroups.com

[ossec-list] Re: ossec-analysisd and ossec-logtest take about 3 minutes to start

2010-03-09 Thread Doug Burks
Hi Daniel, Thanks for your response. We're running OSSEC 2.3 on CentOS 5.4. Nothing unusual in ossec.conf or local_rules.xml (I sent you a direct email with a copy of my local rules). We have 33 agents total (24 Windows, 9 Linux). All agents are running 2.3 as well. ossec-logtest is

[ossec-list] auto_ignore and alert_new_files option

2010-03-09 Thread Devendra Agrawal
Hi, I want to know the syntax for the auto_ignore and alert_new_files options. I tried the following and restarted the agent services but it doesn't alert as expected. I also have realtime check enabled. <syscheck> <!-- Frequency that syscheck is executed - default to every 22 hours -->

Re: [ossec-list] Search doesn't work

2010-03-09 Thread dan (ddp)
Looks like permissions aren't set properly. These are just guesses, I don't use wui (and that this relates to wui is also a guess). Is there a /tmp directory (either the system's /tmp or a /tmp inside of an apache chroot)? Can the web server process write to it? Maybe you could add a line to print

Re: [ossec-list] auto_ignore and alert_new_files option

2010-03-09 Thread dan (ddp)
The <!-- and --> designate anything in between them as commented out. Remove them and things may work a bit more like you'd expect. On Tue, Mar 9, 2010 at 2:26 PM, Devendra Agrawal devendra.agra...@gmail.com wrote: Hi, I want to know the syntax for auto_ignore and alert_new_files option. I

Re: [ossec-list] auto_ignore and alert_new_files option

2010-03-09 Thread Devendra Agrawal
That was my mistake when posting the issue. I commented it out when it was not working. Do I need to set those parameters on the agent host or the manager host? Do I need to restart both manager and agent? My manager is Red Hat kernel 2.4 but the agent is 2.6. Thanks On Tue, Mar 9, 2010 at 2:53 PM,