Hi all,
I am doing some tests sending Checkpoint FW logs to ossec via syslog
and the default checkpoint decoder provided by ossec 2.6 doesn't work.
For example, using the log explained in decoder.xml:
2012/04/30 10:26:13 ossec-testrule: INFO: Reading local decoder file.
2012/04/30 10:26:13
On Monday, 30 April 2012 09:52:29 UTC+2, user Mike
Sievers wrote:
Hi List,
I am always getting the following error:
agent_control -r -a
2012/04/30 09:44:19 agent_control(1210): ERROR: Queue '/queue/alerts/ar'
not accessible: 'Queue not found'.
2012/04/30 09:44:34
To start, your log message is missing the syslog header (timestamp and
hostname).
Then taking out the first \s+ in the prematch of the checkpoint
decoder makes this work.
In fact, changing the decoder to this made it work with one of your
examples and one of the examples in the decoder.conf:
I'm disappointed that Apple released a broken compiler by default. :(
On Sat, Apr 28, 2012 at 4:31 AM, Gappa gapp...@gmail.com wrote:
ahahah, I can feel a little bit of disappointment in your answer.
My bad, I'm sorry, I didn't notice that I was using the llvm compiler.
I have changed it with the
Oops ... You are right, dan .. I have missed the timestamp and hostname ...
After doing some adjustments, the decoder works now ...
On 04/30/2012 02:59 PM, dan (ddp) wrote:
To start, your log message is missing the syslog header (timestamp and
hostname).
Then taking out the first \s+ in the prematch of the
Just learning OSSEC here, using the documentation on ossec.net to
troubleshoot some problems. I am receiving excessive HIDS notifications
in a log for a Windows machine (an agent) in my OSSEC environment.
When looking at the security log, it seems that too many events are
being added to the queue,
You can add custom rules to /var/ossec/rules/local_rules.xml. You can
use these rules to either look for something that isn't covered by the
default rules or to ignore something you don't want to see.
On Mon, Apr 30, 2012 at 1:59 PM, A-Dubbs arlendelcasti...@gmail.com wrote:
Just learning OSSEC
I'm looking for the rules file for adjusting what gets logged for
Microsoft Windows systems. Is msauth_rules.xml the correct file?
Modifying the default rules directly isn't encouraged. Your changes
will be overwritten on an upgrade. You should add custom rules to
/var/ossec/rules/local_rules.xml. You can create custom rules to look
for new things the default rules don't cover, or to ignore rules that
are already in place.
Hi all,
I have several problems with the ossec-remoted process and ossec's syslog
remote options. My ossec server is configured to receive syslog messages
via a TCP port.
The problem is the amount of syslog messages that ossec can receive;
it doesn't seem to be many.
Configuration is:
syslog
On Apr 30, 2012 4:11 PM, carlopmart carlopm...@gmail.com wrote:
Hi all,
I have several problems with the ossec-remoted process and ossec's syslog
remote options. My ossec server is configured to receive syslog messages
via a TCP port.
The problem is the amount of syslog messages that ossec can