Re: [ossec-list] Re: Hacker or configuration error ?

2015-11-30 Thread James Le Cuirot
I don't know what's going on here but /proc is not a real directory and does not take up space on the disk. It is a virtual directory, maintained by the operating system, and the numbered directories directly within it will frequently change as they map to processes running on the system. On

Re: [ossec-list] ossec-logtest returns Level 0 but still getting email alerts Level 2

2015-11-30 Thread dan (ddp)
On Mon, Nov 30, 2015 at 9:59 AM, Daniel Bray wrote:
> On Friday, November 27, 2015 at 8:16:39 AM UTC-5, dan (ddpbsd) wrote:
>>
>> And strangely enough, this works just fine for me (ignored when fed
>> through logger).
>>
>> Can you update to the latest OSSEC source from github

[ossec-list] Re: ERROR: Queue '/var/ossec/queue/ossec/queue' not accessible (again)

2015-11-30 Thread Greg Nowicki
Thanks for the reply. Yes, I had thought of the permissions, should have mentioned that in the original post. Here they are:
[root@ossec ossec]# ls -ld queue
dr-xr-x--- 11 root ossec 4096 Nov 3 2011 queue
[root@ossec ossec]# ls -ld queue/ossec
drwxrwx--- 2 ossec ossec 4096 Nov 23 16:11

Re: [ossec-list] Re: OSSEC - Windows Event Log - PowerShell Alerts

2015-11-30 Thread Phillipa Moorea
Hi Dan! Here's a log from my archives.log file 2015 Nov 30 10:07:57 (HOSTNAME) HOSTIP->WinEvtLog 2015 Nov 30 10:07:54 WinEvtLog: Security: AUDIT_SUCCESS(4688): Microsoft-Windows-Security-Auditing: (no user): no domain: HOSTNAME_FQDN: A new process has been created. Subject: Security ID:

Re: [ossec-list] ossec-logtest returns Level 0 but still getting email alerts Level 2

2015-11-30 Thread Daniel Bray
On Friday, November 27, 2015 at 8:16:39 AM UTC-5, dan (ddpbsd) wrote:
>
> And strangely enough, this works just fine for me (ignored when fed
> through logger).
>
> Can you update to the latest OSSEC source from github and try that?
>
Updated to latest github update, and issue remains. Logtest

Re: [ossec-list] Re: OSSEC - Windows Event Log - PowerShell Alerts

2015-11-30 Thread Phillipa Moorea
Also, thanks for the information about the groups

On Monday, November 30, 2015 at 10:15:26 AM UTC-6, Phillipa Moorea wrote:
>
> Hi Dan! Here's a log from my archives.log file
>
> 2015 Nov 30 10:07:57 (HOSTNAME) HOSTIP->WinEvtLog 2015 Nov 30 10:07:54
> WinEvtLog: Security: AUDIT_SUCCESS(4688):

Re: [ossec-list] Re: OSSEC - Windows Event Log - PowerShell Alerts

2015-11-30 Thread Phillipa Moorea
Here's another example of a log file in which I'm actually interested: 2015 Nov 30 13:02:39 (HOSTNAME) HOSTIP->WinEvtLog 2015 Nov 30 13:02:39 WinEvtLog: Windows PowerShell: INFORMATION(500): PowerShell: (no user): no domain: HOSTNAME_FQDN: Command "Get-Host" is Started. Details:

Re: [ossec-list] ossec-logtest returns Level 0 but still getting email alerts Level 2

2015-11-30 Thread Daniel Bray
On Mon, Nov 30, 2015 at 11:26 AM, dan (ddp) wrote:
>
>
> Last idea at the moment:
> Copy archives.log. Open the copy in a text editor. Find an entry you
> want to test against and delete everything else.
> Delete the archives.log header from your chosen entry.
> Run that through

Re: [ossec-list] ossec-logtest returns Level 0 but still getting email alerts Level 2

2015-11-30 Thread Ryan Schulze
On 11/30/2015 12:21 PM, Daniel Bray wrote: On Mon, Nov 30, 2015 at 11:26 AM, dan (ddp) > wrote: Last idea at the moment: Copy archives.log. Open the copy in a text editor. Find an entry you want to test against and delete everything else.

[ossec-list] Re: OSSEC - Windows Event Log - PowerShell Alerts

2015-11-30 Thread Phillipa Moorea
If anybody knows what I am doing wrong, any help would be great. Even just a documentation link or something or a question of clarification? I have posted this issue in the AlienVault forums as well. I've been keeping both forums updated. I think a lot of people will want to monitor any

Re: [ossec-list] Re: Hacker or configuration error ?

2015-11-30 Thread Antoine
OK, are the directories in /proc erased by the system when shutting down the computer? I was watching the content of my SSD filled up on Friday, and it confirmed it's not due to OSSEC's config. I found that data from my /home/antoine directory were copied to

Re: [ossec-list] Re: OSSEC - Windows Event Log - PowerShell Alerts

2015-11-30 Thread dan (ddp)
On Mon, Nov 30, 2015 at 6:39 AM, Phillipa Moorea wrote:
> If anybody knows what I am doing wrong, any help would be great. Even just
> a documentation link or something or a question of clarification? I have
> posted this issue in the AlienVault forums as well. I've