On Thu, Sep 28, 2017 at 10:31 AM, Oh Ar wrote:
> Something I forgot to put in the original email, this is an RHEL7 VM, Linux
> xx.xx.unm.edu 3.10.0-693.2.2.el7.x86_64 #1 SMP Sat Sep 9 03:55:24
> EDT 2017 x86_64 x86_64 x86_64 GNU/Linux
>
> On Wednesday, September 27,
On Thursday, September 28, 2017 at 8:47:11 AM UTC-6, dan (ddpbsd) wrote:
On Wed, Sep 27, 2017 at 5:25 PM, Leroy Tennison
wrote:
> I should have said that this was a new install, the start of the agent was
> as a result of completing the installation.
>
So they weren't already in the syscheck db? If they were not in the db already, they're
I'm running on CentOS 7.3.1611 and using the atomic repo which has
ossec-hids-2.9.2-2082 and ossec-hids-server-2.9.2-2082.
I have done debugging and I'm seeing some things I think are strange.
If the condition I'm testing for has happened in the last 15 to 20 minutes before the email is sent,
I don't have a *local_rules.xml* file on my *Windows* boxes. Is this a
file I need to create? You stated that these are 'default' rules. Where's
the file that lists them?
--
---
You received this message because you are subscribed to the Google Groups
"ossec-list" group.
To unsubscribe
So I found a file called *msauth_rules.xml* on my *Ossec Server*, which has
many rules in there regarding windows logins. The log level is set to 0 on
the rules I want enabled. What does each log level represent? I've
browsed the Ossec online manual and I'm not seeing a list of log level
http://ossec-docs.readthedocs.io/en/latest/syntax/head_ossec_config.alerts.html
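An added example to go with the question about rule levels (it is not code from this thread or from the OSSEC project): a small Python model of how a rule's level, its <options>, and the <alerts> thresholds in ossec.conf decide whether a match is logged and e-mailed, and how a rule in local_rules.xml with overwrite="yes" raises a shipped rule's level without editing the shipped file. Level 0 is the "ignored, no action" level, which is why a level-0 rule never shows up as an alert whatever log_alert_level is set to. The rule ids 100900/100901 and all file contents are constructed for illustration; 18100 is the generic Windows parent rule in the shipped rules, and 1 and 7 are the stock log_alert_level and email_alert_level defaults.

```python
"""Added example for the ossec-list thread above (not code from the thread or the
OSSEC project): model how a rule's level, its <options>, and the <alerts>
thresholds in ossec.conf decide whether a matching event is logged and e-mailed,
and how a local_rules.xml rule with overwrite="yes" changes a shipped rule's level.
All rule ids, levels and file contents are constructed for illustration."""
import xml.etree.ElementTree as ET

# Constructed ossec.conf fragment using the stock defaults for <alerts>.
OSSEC_CONF = """<ossec_config>
  <alerts>
    <log_alert_level>1</log_alert_level>
    <email_alert_level>7</email_alert_level>
  </alerts>
</ossec_config>"""

# Constructed stand-in for a shipped rules file (rule ids are hypothetical).
SHIPPED_RULES = """<group name="windows,authentication_success,">
  <rule id="100900" level="0">
    <if_sid>18100</if_sid>
    <description>Windows logon success (hypothetical rule).</description>
  </rule>
  <rule id="100901" level="5">
    <if_sid>18100</if_sid>
    <description>Windows logon failure (hypothetical rule).</description>
    <options>alert_by_email</options>
  </rule>
</group>"""

# Constructed local_rules.xml: raise 100900 from 0 to 5 without touching the shipped file.
LOCAL_RULES = """<group name="local,">
  <rule id="100900" level="5" overwrite="yes">
    <if_sid>18100</if_sid>
    <description>Windows logon success, enabled locally.</description>
  </rule>
</group>"""


def load_thresholds(conf_xml):
    """Return (log_alert_level, email_alert_level) from an ossec.conf fragment,
    falling back to the defaults 1 and 7 when a tag is absent."""
    alerts = ET.fromstring(conf_xml).find("alerts")
    if alerts is None:
        return 1, 7
    return (int(alerts.findtext("log_alert_level", "1")),
            int(alerts.findtext("email_alert_level", "7")))


def load_rules(*rule_files):
    """Load rule files in the order ossec.conf lists them (local_rules.xml last).
    A later rule replaces an earlier one with the same id only if it carries
    overwrite="yes"; in this model a duplicate id without it is a config error."""
    rules = {}
    for xml_text in rule_files:
        for rule in ET.fromstring(xml_text).iter("rule"):
            rid = int(rule.get("id"))
            if rid in rules and rule.get("overwrite") != "yes":
                raise ValueError(f'rule id {rid} is already defined; use overwrite="yes"')
            options = {o.text.strip() for o in rule.findall("options") if o.text}
            rules[rid] = {
                "level": int(rule.get("level", "0")),
                "options": options,
                "description": rule.findtext("description", "").strip(),
            }
    return rules


def alert_disposition(rule, log_alert_level, email_alert_level):
    """Return (logged, emailed) for an event that matched `rule`.
    Level 0 means 'ignored, no action'. A rule is alerted (logged) when its level
    reaches log_alert_level and it lacks the no_log option; the alert is e-mailed
    when the level reaches email_alert_level or the rule carries alert_by_email,
    unless it carries no_email_alert."""
    level, options = rule["level"], rule["options"]
    if level == 0:
        return False, False
    if level < log_alert_level or "no_log" in options:
        return False, False
    if "no_email_alert" in options:
        return True, False
    return True, ("alert_by_email" in options or level >= email_alert_level)


def main():
    log_lvl, email_lvl = load_thresholds(OSSEC_CONF)
    print(f"log_alert_level={log_lvl} email_alert_level={email_lvl}")
    for label, files in (("shipped rules only", (SHIPPED_RULES,)),
                         ("with local_rules.xml", (SHIPPED_RULES, LOCAL_RULES))):
        print(f"--- {label}")
        rules = load_rules(*files)
        for rid in sorted(rules):
            logged, emailed = alert_disposition(rules[rid], log_lvl, email_lvl)
            print(f"rule {rid} level {rules[rid]['level']:>2}: "
                  f"logged={logged} emailed={emailed}  {rules[rid]['description']}")


if __name__ == "__main__":
    main()
```

Running it prints the disposition of each rule before and after the local override: the level-0 rule stays silent on its own, becomes a logged (but not e-mailed) alert once local_rules.xml sets it to 5, and the level-5 rule with alert_by_email is e-mailed even though 5 is below the e-mail threshold of 7.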
So if I understand this correctly, based on the default 'alert levels'
defined in the ossec.conf file on the Ossec server, I just need to edit
individual rule levels in the xml rule files located in
Hi dan (ddpbsd),
thanks for noticing it. I added the decoder in local_decoder to avoid damaging
the default decoder. This is my custom decoder right now:
windows
windows
INFORMATION\(1\)
Image:\s* (\S+) \.* CommandLine: \S+\s*
CurrentDirectory:
Hi, I have an OSSEC manager 2.9.2 on Ubuntu and an OSSEC agent on Windows, v2.9.0.
Sysmon is installed and has been configured, and for example I tried to access
PowerShell; agent's log.
So I tried to use ossec-logtest and got this result:
**Phase 1: Completed pre-decoding.
full event: '2017 Sep 28