[ossec-list] Re: ERROR: Queue '/var/ossec/queue/ossec/queue' not accessible (again)

2015-12-01 Thread Greg Nowicki
Yes, I have done that. It appears to read all of the rules and I don't get any errors. I have removed almost all customization of the tool in hopes that the problem was mine. So this error seems to be coming from a stock OSSEC install. Greg On Monday, November 23, 2015 at 4:35:09 PM UTC-5,

Re: [ossec-list] Re: ERROR: Queue '/var/ossec/queue/ossec/queue' not accessible (again)

2015-12-01 Thread Santiago Bassett
Very weird, no errors on ossec.log either right? Not even with -d -d option? I would try to compile it again from scratch and see if that is still happening. Best On Tue, Dec 1, 2015 at 12:10 PM, Greg Nowicki wrote: > Yes, I have done that. It appears to read all of the

Re: [ossec-list] Re: OSSEC - Windows Event Log - PowerShell Alerts

2015-12-01 Thread Phillipa Moorea
Could the problem (of not creating alerts) be caused because PowerShell events are INFORMATIONAL? Informational Event Codes generated by PowerShell: 400, 403, 500, 501, 600 On Monday, November 30, 2015 at 1:05:35 PM UTC-6, Phillipa Moorea wrote: > > Here's another example of a log file in

Re: [ossec-list] Re: OSSEC - Windows Event Log - PowerShell Alerts

2015-12-01 Thread Phillipa Moorea
Before, I had restarted only OSSEC, but now I have tried restarting the server, and there is no fix yet. Could the issue be caused by the use of OSSEC on an AlienVault OSSIM server? On Tuesday, December 1, 2015 at 5:40:19 PM UTC-6, Phillipa Moorea wrote: > > Could the problem (of not creating alerts) be

Re: [ossec-list] Re: OSSEC - Windows Event Log - PowerShell Alerts

2015-12-01 Thread Santiago Bassett
I haven't had time to go through the whole email thread, but I don't think using OSSEC in AlienVault OSSIM would cause this. The only modification AlienVault does to OSSEC is the format used for alerts output (at alerts.log), so it can easily be parsed by the AlienVault plugin. Regarding your

Re: [ossec-list] Re: OSSEC - Windows Event Log - PowerShell Alerts

2015-12-01 Thread Phillipa Moorea
Thanks Santiago for the information about OSSIM. I do not have conditions for "if_sid" in the rules. I'm not sure what I would even put there since this is the first rule for PowerShell events. I currently have set the alert level on the rule to 2. I tried other values, but nothing was

Re: [ossec-list] Re: OSSEC - Windows Event Log - PowerShell Alerts

2015-12-01 Thread Phillipa Moorea
Yeah, I finally got the alerts working. This post helped me out a lot: https://groups.google.com/forum/#!searchin/ossec-list/alert$20to$20be$20generated/ossec-list/SWJe7nm2cbU/pKc8HSfDXCEJ It shows exactly a log inside of the archive.log, and what you should paste into the ossec-logtest. I

Re: [ossec-list] ossec-logtest returns Level 0 but still getting email alerts Level 2

2015-12-01 Thread Daniel Bray
On Tuesday, December 1, 2015 at 9:38:30 AM UTC-5, Daniel Bray wrote: > > On Mon, Nov 30, 2015 at 5:28 PM, Ryan Schulze wrote: > >> >> Is this the only rule in your local_rules.xml that isn't working, or are >> all rules in your local_rules.xml not working? >> >> > So far, this is the only rule

Re: [ossec-list] Re: ERROR: Queue '/var/ossec/queue/ossec/queue' not accessible (again)

2015-12-01 Thread Santiago Bassett
Hi, a little late, but have you tried running it manually to check if it is a configuration issue? /var/ossec/bin/ossec-analysisd -t Best On Mon, Nov 30, 2015 at 9:18 AM, Greg Nowicki wrote: > Thanks for the reply. Yes, I had thought of the permissions, should have >
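As an added example (not from the thread), a small POSIX shell triage script for the "Queue not accessible" error. The queue path and the `ossec-analysisd -t` check come from the thread; the install prefix, the exit codes and the helper names are assumptions. The script relies on one fact about OSSEC: the queue is a Unix-domain socket that ossec-analysisd creates at startup and that remoted, logcollector and syscheckd write to, so if analysisd is not running every producer logs this error.

```shell
#!/bin/sh
# Added example: triage "Queue '/var/ossec/queue/ossec/queue' not accessible".
# OSSEC_DIR defaults to /var/ossec (assumption: a stock install); override it for
# a test checkout. Set OSSEC_TRIAGE_NOAUTORUN=1 to only define the functions.
OSSEC_DIR="${OSSEC_DIR:-/var/ossec}"

# check_queue PATH
#   0  socket exists and is group-writable
#   2  nothing at PATH (analysisd not running, or it never started)
#   3  PATH exists but is not a socket (stale file left behind)
#   4  socket exists but is not group-writable (ossec-remoted runs as ossecr,
#      group ossec, so it needs the group write bit)
check_queue() {
  q="$1"
  if [ ! -e "$q" ]; then
    echo "missing: $q"
    return 2
  fi
  if [ ! -S "$q" ]; then
    echo "not a socket: $q"
    return 3
  fi
  # Column 6 of the ls mode string (srwxrwx---) is the group write bit.
  # ls -ld is portable; stat -c is GNU-only.
  case "$(ls -ld "$q")" in
    ?????w*) echo "ok: $q"; return 0 ;;
    *)       echo "not group-writable: $q"; return 4 ;;
  esac
}

# triage: run the checks a list reply would ask for, in order, and return the
# check_queue status so the script can be used from cron or a runbook.
triage() {
  check_queue "$OSSEC_DIR/queue/ossec/queue" && rc=0 || rc=$?
  echo "--- analysisd process:"
  pgrep -l ossec-analysisd || echo "ossec-analysisd is not running"
  echo "--- last analysisd lines in ossec.log:"
  grep 'ossec-analysisd' "$OSSEC_DIR/logs/ossec.log" 2>/dev/null | tail -n 5
  echo "--- config and rule test (silent on success):"
  if [ -x "$OSSEC_DIR/bin/ossec-analysisd" ]; then
    "$OSSEC_DIR/bin/ossec-analysisd" -t || echo "analysisd -t reported errors"
  else
    echo "$OSSEC_DIR/bin/ossec-analysisd not found"
  fi
  return $rc
}

[ -n "${OSSEC_TRIAGE_NOAUTORUN:-}" ] || triage || echo "triage exit status: $?"
```

If the socket is missing and `ossec-analysisd -t` is silent, the next place to look is the analysisd lines in ossec.log right after the last start; a rule or decoder error there is what usually leaves the queue uncreated.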

Re: [ossec-list] OSSEC crashing on first of month

2015-12-01 Thread Dan Burns
Below is an excerpt of the syslog around the time of the crash. I'm not clear on how to get a gdb backtrace, that may be a bit over my head without a guide. root@pd-vsl-log-01:/var/log# tail syslog.2 Nov 29 22:17:01 pd-vsl-log-01 CRON[26852]: (root) CMD ( cd / && run-parts --re

Re: [ossec-list] Agent.conf windows

2015-12-01 Thread Jorge Pinto
Done that, and still not getting any alerts on c:\temp or On Tuesday, 1 December 2015 14:34:04 UTC, dan (ddpbsd) wrote: > > On Tue, Dec 1, 2015 at 9:30 AM, Jorge Pinto > wrote: > > Hi all, > > > > I've searched all the answers here but I can't find anything related to

Re: [ossec-list] Agent.conf windows

2015-12-01 Thread Jorge Pinto
Weird, done that, but still don't have any alerts on c:\temp. On Tuesday, 1 December 2015 14:34:04 UTC, dan (ddpbsd) wrote: > > On Tue, Dec 1, 2015 at 9:30 AM, Jorge Pinto > wrote: > > Hi all, > > > > I've searched all the answers here but I can't find anything related

Re: [ossec-list] Agent.conf windows

2015-12-01 Thread dan (ddp)
On Tue, Dec 1, 2015 at 12:35 PM, Jorge Pinto wrote: > Weird, done that, but still don't have any alerts on c:\temp. > Did you restart the OSSEC processes on the server and bump the level of 554? > On Tuesday, 1 December 2015 14:34:04 UTC, dan (ddpbsd) wrote: >> >> On Tue,

Re: [ossec-list] OSSEC Server Integration with SIEM

2015-12-01 Thread Santiago Bassett
Never tried it, but OSSEC supports the CEF format. You might be able to use it to send alerts to your ArcSight device. More info at: http://ossec-docs.readthedocs.org/en/latest/manual/output/syslog-output.html Best On Mon, Nov 23, 2015 at 11:46 PM, wrote: > Hi, > > We are using HP

Re: [ossec-list] SELinux context for ossec.log to allow log rotation

2015-12-01 Thread Santiago Bassett
OSSEC log files are rotated by the ossec-monitord process every day at midnight. I don't think you would need to use logrotate for this. Did you check that the ossec-monitord process is running? If this is a test environment you can do a quick check by changing the system timestamp. On Mon, Nov 30, 2015 at

Re: [ossec-list] SELinux context for ossec.log to allow log rotation

2015-12-01 Thread Antonio Querubin
On Tue, 1 Dec 2015, Santiago Bassett wrote: OSSEC log files are rotated by ossec-monitord process every day at midnight. I don't think you would need to use logrotate for this. Did you check ossec-monitord process is running? Monitord only touches the alerts, archives, and firewall logs. The

[ossec-list] 2.8.3 Installation

2015-12-01 Thread sandeep ganti
Hi, Can anyone send me the proper link for downloading the 2.8.3 version with the checksum files to ensure the source files are not corrupted. I even tried using the YUM packages but I am getting Forbidden messages. The below link doesn't have the checksum files.

Re: [ossec-list] 2.8.3 Installation

2015-12-01 Thread Santiago Bassett
I would say it is good to use the latest stable (2.8.3). It includes several fixes, especially for the Windows agent. Regarding the checksum, I think you need to install the GPG key of the yum repo. Then you can verify installed packages with the rpm -vK option. See example below: [root@vpc-agent-centos ~]#

[ossec-list] SELinux context for ossec.log to allow log rotation

2015-12-01 Thread Craig Finch
I have configured logrotate to rotate the log file /var/ossec/logs/ossec.log on a CentOS 7 system, since this file is not rotated by OSSEC itself. Rotation worked for a while, but in early October 2015, SELinux started denying the rotation of this particular log file. I suspect this change was

[ossec-list] Agent.conf windows

2015-12-01 Thread Jorge Pinto
Hi all, I've searched all the answers here but I can't find anything related to windows. I'm running ossec 2.8.3 with the default ossec.conf, I've edited agent.conf with: 21600 no yes yes C:\temp c:\windows and enabled active response. However, whenever

Re: [ossec-list] Agent.conf windows

2015-12-01 Thread dan (ddp)
On Tue, Dec 1, 2015 at 9:30 AM, Jorge Pinto wrote: > Hi all, > > I've searched all the answers here but I can't find anything related to > windows. > > I'm running ossec 2.8.3 with the default ossec.conf, I've edited agent.conf > with: > > > > > 21600 > no >

Re: [ossec-list] ossec-logtest returns Level 0 but still getting email alerts Level 2

2015-12-01 Thread Daniel Bray
On Mon, Nov 30, 2015 at 5:28 PM, Ryan Schulze wrote: > > Is this the only rule in your local_rules.xml that isn't working, or are > all rules in your local_rules.xml not working? > > So far, this is the only rule that I just can't seem to stop emailing. I have other rules, and

Re: [ossec-list] ignore certain alerts

2015-12-01 Thread Edward
Hello Dan, thank you for your quick reply. Yes I did restart the ossec server and didn't receive any errors. It's now been 1 hour and I still have seen this message, maybe it is working? Will wait a bit more and see, just wondering if the "531" is correct? On Tuesday, December 1, 2015

Re: [ossec-list] ignore certain alerts

2015-12-01 Thread dan (ddp)
On Tue, Dec 1, 2015 at 10:01 AM, Edward wrote: > hello Dan, > > thank you for your quick reply. > Yes I did restart the ossec server and didnt receive any errors. > It's been now 1 hour and I still have seen this message, maybe it is > working? > Will wait a bit more and see

[ossec-list] ignore certain alerts

2015-12-01 Thread Edward
We are getting /mnt full space alerts and this is correct, because images are on that server. I created a rule in local_rules.xml, but still the error comes back. Here is the original message: OSSEC HIDS Notification. 2015 Dec 01 14:28:32 Received From: (10.161.241.202) 10.161.241.202->df
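An added example, not from this thread or the OSSEC project, covering both the override rule asked about here and the ossec-logtest workflow described in the PowerShell thread above (paste the exact line from archives.log or alerts.log into ossec-logtest). Rule 531 is the stock "Partition usage reached 100% (disk space monitor)" rule; the local rule id 100010, the /mnt pattern, the install prefix and the sample df line are assumptions.

```shell
#!/bin/sh
# Added example: silence rule 531 for one mount point with a level-0 child rule,
# then prove the override with ossec-logtest. Rules are only re-read on restart,
# which is the usual reason a new local rule "does nothing".
OSSEC_DIR="${OSSEC_DIR:-/var/ossec}"
RULES_FILE="${RULES_FILE:-$OSSEC_DIR/rules/local_rules.xml}"

# ignore_rule ID PARENT_ID PATTERN DESCRIPTION
# Prints a child rule that fires only when PARENT_ID already matched and the
# log line contains PATTERN; level 0 means no alert and no e-mail. Local ids
# must be in the 100000-109999 range (assumption: 100010 is unused).
ignore_rule() {
  cat <<EOF
  <rule id="$1" level="0">
    <if_sid>$2</if_sid>
    <match>$3</match>
    <description>$4</description>
  </rule>
EOF
}

# write_local_rules FILE: wraps the override in the <group> element that
# local_rules.xml uses. This overwrites FILE; merge by hand if FILE already
# holds other local rules.
write_local_rules() {
  {
    echo '<group name="local,">'
    ignore_rule 100010 531 "/mnt" "Ignore partition-full alerts for /mnt (image store)."
    echo '</group>'
  } > "$1"
}

# logtest LINE: feed one raw log line through ossec-logtest and show which
# rule wins. After the override the last "Rule id" line should be 100010
# with level 0 instead of 531.
logtest() {
  printf '%s\n' "$1" | "$OSSEC_DIR/bin/ossec-logtest" 2>&1 | grep -E 'Rule id|Level'
}

# Typical session (not run automatically, so the file can be sourced):
#   write_local_rules "$RULES_FILE"
#   "$OSSEC_DIR/bin/ossec-control" restart
#   logtest "ossec: output: 'df -h': /dev/sdb1 500G 500G 0 100% /mnt"   # constructed sample line
```

`<match>` is a substring test, so "/mnt" would also silence "/mnt2"; if that matters, copy the real line from alerts.log and match on the exact tail of it (the mount point is the last field of df output) rather than on the bare directory name.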

[ossec-list] OSSEC crashing on first of month

2015-12-01 Thread Dan Burns
Hello, I'm running OSSEC (cloned from Git mid-September) with the ELK on an Ubuntu 14.04.3 LTS (GNU/Linux 3.19.0-33-generic x86_64) virtual machine. November and December first, I found OSSEC crashed, with the following output from service ossec status:

Re: [ossec-list] OSSEC crashing on first of month

2015-12-01 Thread dan (ddp)
On Tue, Dec 1, 2015 at 11:27 AM, Dan Burns wrote: > Hello, > > I'm running OSSEC (cloned from Git mid-September) with the ELK on an Ubuntu > 14.04.3 LTS (GNU/Linux 3.19.0-33-generic x86_64) virtual machine. > > November and December first, I found OSSEC crashed, with the

Re: [ossec-list] OSSEC crashing on first of month

2015-12-01 Thread Dan Burns
Thank you for the quick response! Unfortunately I am not clear on how to gather either of those items, but I will do my best and post back what I find. On Tuesday, December 1, 2015 at 11:30:29 AM UTC-5, dan (ddpbsd) wrote: > > On Tue, Dec 1, 2015 at 11:27 AM, Dan Burns >

Re: [ossec-list] OSSEC crashing on first of month

2015-12-01 Thread dan (ddp)
On Tue, Dec 1, 2015 at 11:33 AM, Dan Burns wrote: > Thank you for the quick response! Unfortunately I am not clear on how to > gather either of those items, but I will do my best and post back what I > find. > I don't have a reference handy, but greping for "segfault" in