[ossec-list] Re: Unexpected FIM behavior

2016-10-14 Thread Matt
Realtime monitoring seems to be working now that I've adjusted the scan frequency. Earlier the scan frequency was 4 hours, then 10 minutes. It's now 20 minutes and realtime now seems to work. I don't claim it makes sense, it's just what I'm observing. Ok I've discovered that the config doesn't

[ossec-list] Re: Simultaneous Events at 25 EPS, but Missing Alerts

2016-10-14 Thread Victor Fernandez
Hi Jon, OSSEC connects through the UDP protocol, which doesn't guarantee that messages arrive in the same order they were delivered. In order to prevent replay attacks, OSSEC verifies the counter from every message. I think there is a network issue, perhaps congestion, so messages arrive

[ossec-list] Re: Teamviewer logs not consistent

2016-10-14 Thread Jesus Linares
Hi, this could be a good starting point: ^\d+\t+\.+\d\d-\d\d-\d\d\d\d teamviewer ^\d+\t\t ^\d+\t+\s*(\.+)\t+(\.+)\t+(\.+)\t+RemoteControl\t+{(\.+)} extra_data,status,srcuser,id teamviewer ^\d+\t

[ossec-list] Re: Can you explain remoted.recv_counter_flush and remoted.comp_average_printout?

2016-10-14 Thread Victor Fernandez
Hi Jon, these settings belong to arriving message management. When agents deliver messages to the manager, Remoted decrypts, decompresses and checks the counter from every message. OSSEC saves the counters in files at /var/ossec/queue/rids in order to reload them when the manager is

[ossec-list] Re: Unexpected FIM behavior

2016-10-14 Thread Matt
I've changed the scan frequency to 40 minutes, and realtime isn't working. I've edited files 2 times, nothing. Hopefully it at least fires off when the next scan happens. On Friday, October 14, 2016 at 11:06:53 AM UTC-7, Matt wrote: > Hello, > > I just installed OSSEC in the Azure space,

Re: [ossec-list] Agent Duplicate Folders Message

2016-10-14 Thread Kernel Panic
Hi there. I'm still getting one alert e-mail type 2 even though I modified/created some files under /etc. Am I missing something else in the configuration? This is the server configuration. yes m...@company.com localhost oss...@server.com 100 yes 4096

Re: [ossec-list] Agent Duplicate Folders Message

2016-10-14 Thread Kernel Panic
Taking a look in /var/ossec/logs/alerts I can see there are lots of things registered, not related to the files I modified, but related to ssh login failures, sudo stuff and the like, but I never get an e-mail with that report. Thank you very much for your time and support. Regards On Thursday, 13

Re: [ossec-list] Agent Duplicate Folders Message

2016-10-14 Thread dan (ddp)
On Fri, Oct 14, 2016 at 8:55 AM, Kernel Panic wrote: > Taking a look in /var/ossec/logs/alerts I can see there are lots of things > registered, not related to the files I modified, but related to ssh login > failures, sudo stuff and the like, but I never get an e-mail with

[ossec-list] Re: Question:Edit/change agent's IP Address

2016-10-14 Thread Tristan
On Tuesday, 28 September 2010 22:48:23 UTC-5, Mike Smith wrote: > > Hello, > > Can you edit or change an Agent's IP Address if it has changed. > Either Windows or Linux? > > Can you use OSSEC on a DHCP client or only Static IP Addressed Servers? > > Thanks, > > Mike > Hi Mike. I work on Datto

[ossec-list] Unexpected FIM behavior

2016-10-14 Thread Matt
Hello, I just installed OSSEC in the Azure space. HIDS seems OK, but FIM isn't behaving consistently. First, realtime monitoring simply isn't working. FIM only seems to work when the scan runs, which I have set to 10 minutes for testing. Second, I only seem to get a fraction of the changes I've

[ossec-list] Re: Teamviewer logs not consistent

2016-10-14 Thread Jacob Mcgrath
Will try, ty. I think my regex foo was off a bit. On Tuesday, October 11, 2016 at 6:41:56 PM UTC-5, Jacob Mcgrath wrote: > > I am looking at logging on a windows agent Teamviewer logs. The issue is > the irregular output like so. > > 673915615 Support Team20-05-2016 19:37:51

Re: [ossec-list] Agent Duplicate Folders Message

2016-10-14 Thread Kernel Panic
The server I'm using for testing went down; as soon as I get it back I'm gonna review it. Thank you very much for your help, really appreciated. Regards On Friday, October 14, 2016, 10:26:53 (UTC-3), dan (ddpbsd) wrote: > > On Fri, Oct 14, 2016 at 8:55 AM, Kernel Panic