Hi all,
Ossec does not seem to work when my VPN connection is active on my
Ubuntu 11.04 local installation.
It makes sense to me since all the traffic is routed to a ppp0
connection with my remote VPN server.
Shall I go for an agent installation? If yes, I really don't know how
to specify the IP.
how to run it manually in cronjob?
On Feb 7, 2:05 am, BP9906 crazi...@gmail.com wrote:
I found that my reports in ossec server 2.5.1 don't run because of a
race condition where log rollover happens before the reports generate,
so there's no file and thus no results. ossec.log file will show
Ok Dan,
I will try to find a way to do it.
Thank you
On Feb 6, 1:50 pm, dan (ddp) ddp...@gmail.com wrote:
On Fri, Feb 3, 2012 at 6:50 AM, alsdks als...@gmail.com wrote:
Hi Dan,
I do not know if that is possible, but turning off the "message repeated"
messages would probably affect other
Hello list,
I have a question about OSSEC log file monitoring. I have configured
OSSEC to monitor a log file which I populate with the output of a
script. I have also created accompanying decoder and alert rules.
Every configuration works as expected, but there is a strange
problem, that OSSEC
Hi Dan,
rule 100109 is the rule to raise the severity for certain files.
For example (I haven't got my configuration available right now but it
looks like this):
<rule id="100109" level="10">
  <if_sid>550</if_sid>
  <match>for: '/etc/hosts|for: '/etc/services</match>
  <description>Important Unix file</description>
</rule>
Hi Dan,
That's really strange. It seems like something may be amiss in your
config. Is the report_changes option set anywhere?
Well, I tried to play with it, but it didn't work, so I changed it back.
I also cleared the database for that agent on OSSEC server.
What do you mean by unstable behavior?
On Tue, Feb 7, 2012 at 3:16 AM, Macus macu...@gmail.com wrote:
how to run it manually in cronjob?
It's similar to this example:
http://devio.us/~ddp/ossec/docs/programs/ossec-reportd.html#example-1-show-successful-logins
On Feb 7, 2:05 am, BP9906 crazi...@gmail.com wrote:
I found that my
On Tue, Feb 7, 2012 at 5:50 AM, alsdks als...@gmail.com wrote:
Hi Dan,
rule 100109 is the rule to raise the severity for certain files.
For example (I haven't got my configuration available right now but it
looks like this):
<rule id="100109" level="10">
  <if_sid>550</if_sid>
Instead of making
On Tue, Feb 7, 2012 at 5:40 AM, alsdks als...@gmail.com wrote:
Hello list,
I have a question about OSSEC log file monitoring . I have configured
OSSEC to monitor a file log which I populate with the output of a
script. I have also created accompanying decoder and alert rules.
How does the
Yes, sorry, this is the way I have it, just could not remember it now.
So this triggers for the 1st time correctly, but when the same file changes a 2nd
and 3rd time, the syscheck rules 551 and 552 trigger.
On Tue, Feb 7, 2012 at 1:24 PM, dan (ddp) ddp...@gmail.com wrote:
On Tue, Feb 7, 2012 at 5:50
It appends the processed diff output of two files to the log I monitor
with OSSEC. So if the diff output is 20 lines, then the script
appends 20 lines at once to the monitored log.
What I did to test and saw that the interval between each entry seems
to matter is do a simple
#echo
Try with this:
\d+-\d+-\d+\w\d+:\d+:\d+\+\d+:\d+ CRIT Not valid template file\:
Best regards
woodspeed
Sorry woodspeed, but your regex did not do the trick. I think you
cannot write \+ because it gives a configuration error.
Hi Daniel,
I am trying to decode this log:
2011-12-28T08:30:59+00:00
On Tue, Feb 7, 2012 at 8:39 AM, Peter M Abraham
peter.abra...@dynamicnet.net wrote:
Hi Dan:
Thank you for your time and input.
The ignore is not working; I get paged on all RDP logins.
Here is the Windows event log.
** Alert 1328621405.259824: mail - windows,authentication_success,
2012
Yes, the srcip is not decoded there. Try to use:
<match>Source Network Address: (tab here)24.229.66.131</match>
Just make sure you add a tab or whatever is in the original format.
As Dan said, it is best to try with ossec-logtest...
Thanks,
--
Daniel B. Cid
On Tue, Feb 7, 2012 at 9:39 AM, Peter
I would like to do that, BUT that just doesn't work. I asked for that feature
in previous mails and the recommendation was to override rules.
Check out:
http://groups.google.com/group/ossec-list/browse_thread/thread/c48f0017cd131ea2/1def88460fe1f637?lnk=gstq=ogmueller#1def88460fe1f637
On
I would like to help you on that one, but I don't have gdb running nor
experience with it…
On 06.02.2012, at 12:52, dan (ddp) wrote:
On Sat, Feb 4, 2012 at 4:01 AM, Oliver Müller ogmuel...@gmail.com wrote:
I definitely get a segfault though and I clear out my local rules. There was
Dear community,
I am working on deploying ossec 2.6 with puppet.
Using the /var/ossec/bin/agent-auth command to declare clients to the server, I
encounter a small issue.
The /var/ossec/bin/agent-auth command returns code 1 if the command is
successful. This causes a warning when Puppet executes the
Hi Hugo,
It should be very easy to modify the source code to exit 0 instead of
1. However, I just
checked and it only seems to return 1 on errors...
The code is at: src/os_auth/main-client.c
Thanks,
--
Daniel B. Cid
http://dcid.me
On Tue, Feb 7, 2012 at 10:47 AM, Hugo Deprez
Hi all,
I am successfully using ossec and puppet together and I can confirm agent-auth
always returns 1. I worked around it using:
command = /var/ossec/bin/agent-auth ... || true
as the command associated to the puppet exec to add a new agent. Not very tidy
but effective :-P
Best regards,
Hello,
yes, it always returns 1; see the command I used to check:
Non-working command:
# /var/ossec/bin/agent-auth -m 192.168.0.1 -p 1515; echo $?
2012/02/07 17:08:23 ossec-authd: INFO: Started (pid: 20536).
2012/02/07 17:08:44 ossec-authd: Unable to connect to 192.168.0.1:1515
1
Working
Ah, I see the issue. Fixed in the repository:
https://bitbucket.org/dcid/ossec-hids/
thanks,
On Tue, Feb 7, 2012 at 12:13 PM, Hugo Deprez hugo.dep...@gmail.com wrote:
Hello,
yes, it always returns 1; see the command I used to check:
Non-working command:
# /var/ossec/bin/agent-auth -m
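The workaround reached in this thread, `agent-auth ... || true`, also hides a real failure such as the "Unable to connect" run Hugo pasted, so Puppet would report the agent as enrolled when it is not. As an added example, not code from OSSEC or from anyone in the thread, here is a wrapper that ignores the untrustworthy exit status and decides success from the output instead. The path, manager address and port are the ones used above; the success line "Valid key created" is an assumption about what agent-auth prints and should be checked against your build.

```python
import subprocess

AGENT_AUTH = "/var/ossec/bin/agent-auth"   # path used in the thread
SUCCESS_MARKER = "Valid key created"       # ASSUMED success line; verify against your build
UNREACHABLE_MARKER = "Unable to connect"   # taken from Hugo's failing run above


def classify(output):
    """Decide the outcome from agent-auth's combined stdout/stderr.

    The exit status is not consulted: OSSEC 2.6 agent-auth returns 1 even on
    success, and `|| true` would also swallow a genuine failure such as the
    "Unable to connect" seen in the thread.
    """
    if UNREACHABLE_MARKER in output:
        return "unreachable"
    if SUCCESS_MARKER in output:
        return "ok"
    return "unknown"


def enroll(manager, port=1515, argv=None):
    """Run agent-auth against `manager` and return (status, output).

    `argv` replaces the real command so the logic can be exercised on a host
    without an OSSEC installation.
    """
    cmd = argv if argv is not None else [AGENT_AUTH, "-m", manager, "-p", str(port)]
    proc = subprocess.run(cmd, stdout=subprocess.PIPE, stderr=subprocess.STDOUT, text=True)
    return classify(proc.stdout), proc.stdout


def main(manager="192.168.0.1"):
    """Entry point for a Puppet exec: exit 0 only when a key was actually created."""
    status, out = enroll(manager)
    print(out, end="")
    return 0 if status == "ok" else 1


if __name__ == "__main__":
    raise SystemExit(main())
```

Pointing the Puppet exec's command at this script instead of `agent-auth ... || true` gives Puppet an exit status that means what it says; once the repository fix Daniel mentions is in your build, the exit code of agent-auth itself can be trusted again and the wrapper is no longer needed.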
Assuming this is a 64 bit version of Windows
Can you create the following file:
C:\WINDOWS\SysWOW64\telnet.exe
It can just be empty. Then restart OSSEC and see if the message
goes away?
Jeff
On Feb 3, 8:04 am, alsdks als...@gmail.com wrote:
Hello list,
Windows Ossec agent ,
Good day:
Thank you Dan and Daniel.
The following did the trick.
<rule id="180001" level="0">
  <if_sid>18</if_sid>
  <match>Source Network Address: 24.229.66.131</match>
  <description>Valid system admin IP - ignore</description>
</rule>
Thank you again.
Good day, Ralphy:
There are several options.
The rule in question is
<rule id="18152" level="10" frequency="$MS_FREQ" timeframe="240">
  <if_matched_group>win_authentication_failed</if_matched_group>
  <description>Multiple Windows Logon Failures.</description>
  <group>authentication_failures,</group>
</rule>
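Two rule patterns appear in the Windows threads above: Peter's level-0 child rule 180001, which silences the parent alert when a trusted source address is in the event, and rule 18152, a composite rule that fires once $MS_FREQ failures of the win_authentication_failed group land inside a 240-second window. The following is an added example, not code from OSSEC or from anyone in these threads, that models both behaviours over constructed sample events so the interaction can be watched: an ignored login does not feed the composite rule, a burst of failures trips it, and slower failures never do. Assumptions not taken from the thread: the trusted address is the one Peter posted, $MS_FREQ is 8, the line format and rule 18100 are placeholders, and the window handling is a simplification of analysisd (it counts across all sources, since 18152 carries no same_source_ip, and clears after firing).

```python
import re
from collections import deque
from datetime import datetime, timedelta

# Assumptions, not from the thread: Peter's admin address as the trusted IP,
# $MS_FREQ = 8, and 18100 as a placeholder id for the failed-logon parent rule.
TRUSTED_IP = "24.229.66.131"
MS_FREQ = 8

# Constructed line format standing in for a decoded Windows security event.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) WinEvtLog: Security: "
    r"(?P<result>AUDIT_SUCCESS|AUDIT_FAILURE)\(\d+\).*?Source Network Address: (?P<srcip>\S+)"
)

# Single-event rules. A rule with if_sid is a child of that parent; when its
# match string is in the line it replaces the parent, and level 0 drops the alert.
RULES = [
    {"id": 18, "level": 3, "group": "win_authentication_success"},
    {"id": 18100, "level": 5, "group": "win_authentication_failed"},
    {"id": 180001, "level": 0, "if_sid": 18,
     "match": "Source Network Address: " + TRUSTED_IP},
]


def decode(line):
    """Constructed decoder: timestamp, source IP and auth group from a line."""
    m = LINE_RE.search(line)
    if not m:
        return None
    group = ("win_authentication_success" if m["result"] == "AUDIT_SUCCESS"
             else "win_authentication_failed")
    return {"time": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
            "srcip": m["srcip"], "group": group, "full_log": line}


def match_single(event):
    """Parent rule for the event's group, overridden by a matching if_sid child.
    The child inherits the parent's group, as an OSSEC child rule does."""
    parent = next((r for r in RULES if "if_sid" not in r
                   and r["group"] == event["group"]), None)
    if parent is None:
        return None
    for child in RULES:
        if child.get("if_sid") == parent["id"] and child["match"] in event["full_log"]:
            return {**parent, **child}
    return parent


class FrequencyRule:
    """Composite rule like 18152: fire when `frequency` events of `group`
    arrive within `timeframe` seconds. Simplified: counts across all sources
    and clears its window after firing."""

    def __init__(self, rule_id, level, group, frequency, timeframe):
        self.rule_id, self.level, self.group = rule_id, level, group
        self.frequency, self.timeframe = frequency, timeframe
        self.window = deque()

    def feed(self, event, matched):
        # Events dropped by a level-0 rule never count toward the composite.
        if matched is None or matched["level"] == 0 or matched["group"] != self.group:
            return None
        self.window.append(event["time"])
        cutoff = event["time"] - timedelta(seconds=self.timeframe)
        while self.window and self.window[0] < cutoff:
            self.window.popleft()
        if len(self.window) >= self.frequency:
            self.window.clear()
            return {"id": self.rule_id, "level": self.level}
        return None


def run(lines, freq_rule):
    """Return (rule id, level, srcip) for every alert either rule type raises."""
    alerts = []
    for line in lines:
        ev = decode(line)
        if ev is None:
            continue
        rule = match_single(ev)
        if rule is not None and rule["level"] > 0:
            alerts.append((rule["id"], rule["level"], ev["srcip"]))
        fired = freq_rule.feed(ev, rule)
        if fired is not None:
            alerts.append((fired["id"], fired["level"], None))
    return alerts


def sample_lines():
    """Constructed events: a trusted RDP login, an untrusted login, a burst of
    MS_FREQ failures inside 240 s, then slow failures that never reach it."""
    def fmt(ts, result, evid, srcip):
        return ("%s WinEvtLog: Security: %s(%d): Microsoft-Windows-Security-Auditing: "
                "Logon event. Source Network Address: %s"
                % (ts.strftime("%Y-%m-%d %H:%M:%S"), result, evid, srcip))
    t0 = datetime(2012, 2, 7, 9, 0, 0)
    lines = [fmt(t0, "AUDIT_SUCCESS", 4624, TRUSTED_IP),
             fmt(t0 + timedelta(seconds=5), "AUDIT_SUCCESS", 4624, "10.0.0.7")]
    lines += [fmt(t0 + timedelta(seconds=10 + 20 * i), "AUDIT_FAILURE", 4625, "203.0.113.5")
              for i in range(MS_FREQ)]
    lines += [fmt(t0 + timedelta(seconds=200 + 60 * i), "AUDIT_FAILURE", 4625, "10.0.0.9")
              for i in range(7)]
    return lines
```

Running `run(sample_lines(), FrequencyRule(18152, 10, "win_authentication_failed", MS_FREQ, 240))` yields no alert at all for the trusted login, one level-3 alert for the other login, a level-5 alert per failure, and exactly one 18152 alert, raised on the eighth failure of the burst; the seven failures spaced 60 seconds apart never hold eight entries inside the 240-second window. Use ossec-logtest against your real rules for the same kind of check, as Daniel recommends above.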