Re: [ossec-list] ossec-remoted high CPU utilization

2017-04-28 Thread dan (ddp)
On Fri, Apr 28, 2017 at 3:07 PM, Nikki S wrote:
> With tcpdump, I do see traffic getting to the server. Since the syscheck is
> only enabled every 22 hours, I was wondering what the other traffic is!
>
> How can I verify if log monitoring has been turned off?
> Check

[ossec-list] Unable to restart OSSEC 2.8.3

2017-04-28 Thread Nikki S
No changes have been made to the configuration file!

# ./ossec-control restart
cat: /var/ossec/var/start-script-lock/pid: No such file or directory
cat: /var/ossec/var/start-script-lock/pid: No such file or directory
cat: /var/ossec/var/start-script-lock/pid: No such file or directory
cat:

Re: [ossec-list] ossec-remoted high CPU utilization

2017-04-28 Thread Nikki S
With tcpdump, I do see traffic getting to the server. Since the syscheck is only enabled every 22 hours, I was wondering what the other traffic is! How can I verify if log monitoring has been turned off? Thank you!

On Thursday, April 27, 2017 at 5:42:34 PM UTC-4, dan (ddpbsd) wrote:
>
> On

[ossec-list] Re: Unable to restart OSSEC 2.8.3

2017-04-28 Thread Nikki S
DUH! I wasn't running the command as SU! Feel really stupid right now :D

On Friday, April 28, 2017 at 3:55:35 PM UTC-4, Nikki S wrote:
>
> No changes have been made to the configuration file!
>
>
> # ./ossec-control restart
> cat: /var/ossec/var/start-script-lock/pid: No such file or directory
>

[ossec-list] Re: Unable to restart OSSEC 2.8.3

2017-04-28 Thread Nikki S
# df -i
Filesystem                Inodes IUsed    IFree IUse% Mounted on
/dev/mapper/centos-root 18358272 89206 18269066    1% /
devtmpfs                  998801   349   998452    1% /dev
tmpfs                    1001403     1  1001402    1% /dev/shm
tmpfs                    1001403   464  1000939

[ossec-list] detecting suspicious tcp forwarding with ossec

2017-04-28 Thread Per-Erik Persson
The new cool thing amongst evil hackers is to use ssh-forwarding with stolen credentials to bounce connections. Has anyone done tracking of tcp forwarding to strange ports or just unreasonably many connections? The only way to track this I can think of is to fire an active response each time a

[ossec-list] Re: Unable to restart OSSEC 2.8.3

2017-04-28 Thread Nikki S
2017/04/28 15:54:58 ossec-analysisd(1103): ERROR: Unable to open file 'queue/fts/fts-queue'.
2017/04/28 15:54:58 ossec-testrule(1260): ERROR: Error initiating FTS list

On Friday, April 28, 2017 at 3:55:35 PM UTC-4, Nikki S wrote:
>
> No changes have been made to the configuration file!
>
>
> #

Re: [ossec-list] Active Response not working at all

2017-04-28 Thread Jesus Linares
Hi, you are right Tony. The syntax for *ossec.conf* is not user-friendly. You must think in the following way: if it is a setting like yes/no, it will be overwritten if the parser finds the same setting below. Example: yes no The final value will be 'no'. However, if the setting is