Yes, I have done that. It appears to read all of the rules and I don't get
any errors. I have removed almost all customization of the tool in hopes
that the problem was mine. So this error seems to be coming from a stock
OSSEC install.
Greg
On Monday, November 23, 2015 at 4:35:09 PM UTC-5,
Very weird, no errors on ossec.log either right? Not even with -d -d option?
I would try to compile it again from scratch and see if that is still
happening.
Best
On Tue, Dec 1, 2015 at 12:10 PM, Greg Nowicki wrote:
> Yes, I have done that. It appears to read all of the
Could the problem (of not creating alerts) be caused because PowerShell
events are INFORMATIONAL?
Informational Event Codes generated by PowerShell: 400, 403, 500, 501, 600
On Monday, November 30, 2015 at 1:05:35 PM UTC-6, Phillipa Moorea wrote:
>
> Here's another example of a log file in
I had before restarted only OSSEC, but now I tried restarting the server,
but no fixes yet.
Could the issue be caused by the use of OSSEC on an AlienVault OSSIM server?
On Tuesday, December 1, 2015 at 5:40:19 PM UTC-6, Phillipa Moorea wrote:
>
> Could the problem (of not creating alerts) be
I haven't had time to go through the whole email thread, but I don't think
using OSSEC in AlienVault OSSIM would cause this. The only modification
AlienVault does to OSSEC is the format used for alerts output (at
alerts.log), so it can easily be parsed by the AlienVault plugin.
Regarding your
Thanks Santiago for the information about OSSIM.
I do not have conditions for "if_sid" in the rules. I'm not sure what I
would even put there since this is the first rule for PowerShell events. I
currently have set the alert level on the rule to 2. I tried other values,
but nothing was
Yeah, I finally got the alerts working. This post helped me out
a lot:
https://groups.google.com/forum/#!searchin/ossec-list/alert$20to$20be$20generated/ossec-list/SWJe7nm2cbU/pKc8HSfDXCEJ
It shows exactly a log inside the archive.log, and what you should paste
into the ossec-logtest. I
On Tuesday, December 1, 2015 at 9:38:30 AM UTC-5, Daniel Bray wrote:
>
> On Mon, Nov 30, 2015 at 5:28 PM, Ryan Schulze wrote:
>
>>
>> Is this the only rule in your local_rules.xml that isn't working, or are
>> all rules in your local_rules.xml not working?
>>
>>
> So far, this is the only rule
Hi,
A little late, but have you tried running it manually to check if it is a
configuration issue?
/var/ossec/bin/ossec-analysisd -t
Best
On Mon, Nov 30, 2015 at 9:18 AM, Greg Nowicki wrote:
> Thanks for the reply. Yes, I had thought of the permissions, should have
>
Below is an excerpt of the syslog around the time of the crash.
I'm not clear on how to get a gdb backtrace, that may be a bit over my head
without a guide.
root@pd-vsl-log-01:/var/log# tail syslog.2
Nov 29 22:17:01 pd-vsl-log-01 CRON[26852]: (root) CMD ( cd / && run-parts
--re
Done that, and still not getting any alerts on c:\temp or
On Tuesday, 1 December 2015 14:34:04 UTC, dan (ddpbsd) wrote:
>
> On Tue, Dec 1, 2015 at 9:30 AM, Jorge Pinto > wrote:
> > Hi all,
> >
> > I've searched all the answers here but I can't find anything related to
Weird, done that, but still don't have any alerts on c:\temp.
On Tuesday, 1 December 2015 14:34:04 UTC, dan (ddpbsd) wrote:
>
> On Tue, Dec 1, 2015 at 9:30 AM, Jorge Pinto > wrote:
> > Hi all,
> >
> > I've searched all the answers here but I can't find anything related
On Tue, Dec 1, 2015 at 12:35 PM, Jorge Pinto wrote:
> Weird, done that, but still don't have any alerts on c:\temp.
>
Did you restart the OSSEC processes on the server and bump the level of 554?
> On Tuesday, 1 December 2015 14:34:04 UTC, dan (ddpbsd) wrote:
>>
>> On Tue,
Never tried it, but OSSEC supports the CEF format. You might be able to use it
to send alerts to your ArcSight device.
More info at:
http://ossec-docs.readthedocs.org/en/latest/manual/output/syslog-output.html
Best
On Mon, Nov 23, 2015 at 11:46 PM, wrote:
> Hi,
>
> We are using HP
OSSEC log files are rotated by the ossec-monitord process every day at
midnight. I don't think you would need to use logrotate for this. Did you
check that the ossec-monitord process is running?
If this is a test environment you can do a quick check by changing the system
timestamp.
On Mon, Nov 30, 2015 at
On Tue, 1 Dec 2015, Santiago Bassett wrote:
OSSEC log files are rotated by the ossec-monitord process every day at
midnight. I don't think you would need to use logrotate for this. Did you
check that the ossec-monitord process is running?
Monitord only touches the alerts, archives, and firewall logs. The
Hi,
Can anyone send me the proper link for downloading the 2.8.3 version with
the checksum files to ensure the source files are not corrupted?
I even tried using the YUM packages but I am getting the Forbidden messages.
The below link doesn't have the checksum files.
I would say it is good to use the latest stable (2.8.3). It includes several
fixes, especially for the Windows agent.
Regarding the checksum, I think you need to install the GPG key of the yum
repo. Then you can verify installed packages with the rpm -vK option. See
example below:
[root@vpc-agent-centos ~]#
I have configured logrotate to rotate the log file
/var/ossec/logs/ossec.log on a CentOS 7 system, since this file is not
rotated by OSSEC itself. Rotation worked for a while, but in early October
2015, SELinux started denying the rotation of this particular log file. I
suspect this change was
Hi all,
I've searched all the answers here but I can't find anything related to
windows.
I'm running ossec 2.8.3 with the default ossec.conf, I've edited agent.conf
with:
21600
no
yes
yes
C:\temp
c:\windows
and enabled active response.
However, whenever
On Tue, Dec 1, 2015 at 9:30 AM, Jorge Pinto wrote:
> Hi all,
>
> I've searched all the answers here but I can't find anything related to
> windows.
>
> I'm running ossec 2.8.3 with the default ossec.conf, I've edited agent.conf
> with:
>
>
>
>
> 21600
> no
>
On Mon, Nov 30, 2015 at 5:28 PM, Ryan Schulze wrote:
>
> Is this the only rule in your local_rules.xml that isn't working, or are
> all rules in your local_rules.xml not working?
>
>
So far, this is the only rule that I just can't seem to stop emailing. I
have other rules, and
Hello Dan,
thank you for your quick reply.
Yes, I did restart the OSSEC server and didn't receive any errors.
It's been now 1 hour and I still have seen this message, maybe it is
working?
Will wait a bit more and see
just wondering if the " 531" is correct?
On Tuesday, December 1, 2015
On Tue, Dec 1, 2015 at 10:01 AM, Edward wrote:
> hello Dan,
>
> thank you for your quick reply.
> Yes I did restart the ossec server and didnt receive any errors.
> It's been now 1 hour and I still have seen this message, maybe it is
> working?
> Will wait a bit more and see
we are getting /mnt full space alerts and this is correct, because images
are on that server.
I created a rule in local_rules.xml, but still the error comes back.
Here is the original message:
OSSEC HIDS Notification.
2015 Dec 01 14:28:32
Received From: (10.161.241.202) 10.161.241.202->df
Hello,
I'm running OSSEC (cloned from Git mid-September) with the ELK on an Ubuntu
14.04.3 LTS (GNU/Linux 3.19.0-33-generic x86_64) virtual machine.
November and December first, I found OSSEC crashed, with the following
output from service ossec status:
On Tue, Dec 1, 2015 at 11:27 AM, Dan Burns wrote:
> Hello,
>
> I'm running OSSEC (cloned from Git mid-September) with the ELK on an Ubuntu
> 14.04.3 LTS (GNU/Linux 3.19.0-33-generic x86_64) virtual machine.
>
> November and December first, I found OSSEC crashed, with the
Thank you for the quick response! Unfortunately I am not clear on how to
gather either of those items, but I will do my best and post back what I
find.
On Tuesday, December 1, 2015 at 11:30:29 AM UTC-5, dan (ddpbsd) wrote:
>
> On Tue, Dec 1, 2015 at 11:27 AM, Dan Burns >
On Tue, Dec 1, 2015 at 11:33 AM, Dan Burns wrote:
> Thank you for the quick response! Unfortunately I am not clear on how to
> gather either of those items, but I will do my best and post back what I
> find.
>
I don't have a reference handy, but grepping for "segfault" in