Re: [ossec-list] OSSEC repeated messages and rootcheck start failure

2017-09-28 Thread dan (ddp)
On Thu, Sep 28, 2017 at 10:31 AM, Oh Ar wrote: > Something I forgot to put in the original email, this is an RHEL7 VM, Linux > xx.xx.unm.edu 3.10.0-693.2.2.el7.x86_64 #1 SMP Sat Sep 9 03:55:24 > EDT 2017 x86_64 x86_64 x86_64 GNU/Linux > > On Wednesday, September 27,

Re: [ossec-list] OSSEC repeated messages and rootcheck start failure

2017-09-28 Thread Oh Ar
On Thursday, September 28, 2017 at 8:47:11 AM UTC-6, dan (ddpbsd) wrote: > > On Thu, Sep 28, 2017 at 10:31 AM, Oh Ar > wrote: > > Something I forgot to put in the original email, this is an RHEL7 VM, > Linux > > xx.xx.unm.edu 3.10.0-693.2.2.el7.x86_64 #1 SMP Sat

Re: [ossec-list] "New file" false positives on version 2.9.1

2017-09-28 Thread dan (ddp)
On Wed, Sep 27, 2017 at 5:25 PM, Leroy Tennison wrote: > I should have said that this was a new install, the start of the agent was > as a result of completing the installation. > So they weren't already in the syscheck db? If they were not in the db already, they're

[ossec-list] Not all alerts included in email

2017-09-28 Thread Ed Killian
I'm running on CentOS 7.3.1611 and using the atomic repo which has ossec-hids-2.9.2-2082 and ossec-hids-server-2.9.2-2082. I have done debugging and I'm seeing some things I think are strange. If the condition I'm testing for has happened in the last 15 to 20 minutes before the email is sent,

Re: [ossec-list] How to alert on successful Windows authentication

2017-09-28 Thread Kris Springer
I don't have a *local_rules.xml* file on my *Windows* boxes. Is this a file I need to create? You stated that these are 'default' rules. Where's the file that lists them?

Re: [ossec-list] How to alert on successful Windows authentication

2017-09-28 Thread Kris Springer
So I found a file called *msauth_rules.xml* on my *Ossec Server*, which has many rules in there regarding Windows logins. The log level is set to 0 on the rules I want enabled. What does each log level represent? I've browsed the Ossec online manual and I'm not seeing a list of log level

[ossec-list] Re: How to alert on successful Windows authentication

2017-09-28 Thread Kris Springer
http://ossec-docs.readthedocs.io/en/latest/syntax/head_ossec_config.alerts.html So if I understand this correctly, based on the default 'alert levels' defined in the ossec.conf file on the Ossec server, I just need to edit individual rule levels in the xml rule files located in
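For anyone following this thread: the rule files and local_rules.xml live on the OSSEC server (manager), not on the Windows agents, and the usual way to get a level-0 (or low-level) default rule into e-mail is to leave msauth_rules.xml alone and escalate it from local_rules.xml. The following is an added example, not something posted in the thread or shipped by OSSEC. The alert thresholds are illustrative values, rule id 18107 is assumed to be the logon-success rule (take the real id from msauth_rules.xml), and 100100 is a locally chosen id in the 100000+ range reserved for local rules.

```xml
<!-- /var/ossec/etc/ossec.conf on the OSSEC server.
     Illustrative thresholds (assumed, not OSSEC defaults): anything at or above
     log_alert_level is written to alerts.log; anything at or above
     email_alert_level is also e-mailed. A level-0 rule never reaches either. -->
<ossec_config>
  <alerts>
    <log_alert_level>1</log_alert_level>
    <email_alert_level>7</email_alert_level>
  </alerts>
  <rules>
    <!-- local_rules.xml must be included after the stock rule files -->
    <include>msauth_rules.xml</include>
    <include>local_rules.xml</include>
  </rules>
</ossec_config>

<!-- /var/ossec/rules/local_rules.xml on the OSSEC server.
     A child rule that fires whenever the stock rule fires, at a level of your
     choosing. The stock file stays untouched, so upgrades do not undo the change.
     Rule id 18107 is an assumption; use the id you found in msauth_rules.xml. -->
<group name="local,windows,">
  <rule id="100100" level="7">
    <if_sid>18107</if_sid>
    <description>Windows logon success (escalated locally for e-mail).</description>
  </rule>

  <!-- Alternative: keep the level low but force an e-mail regardless of
       email_alert_level. -->
  <rule id="100101" level="3">
    <if_sid>18107</if_sid>
    <options>alert_by_email</options>
    <description>Windows logon success (e-mailed regardless of level).</description>
  </rule>
</group>
```

After editing, restart the manager (`/var/ossec/bin/ossec-control restart`) and paste a sample logon event into `/var/ossec/bin/ossec-logtest`; the last line of its output shows which rule id and level the event ends up with, which is the quickest way to confirm that the local rule, not the level-0 stock rule, is the final match. Edit the stock rule in place (same id with `overwrite="yes"` in local_rules.xml) only if you need to change its matching conditions, since that requires restating the whole rule body.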

Re: [ossec-list] sysmon decoder and rules not triggered

2017-09-28 Thread amar haq
Hi dan (ddpbsd), thanks for noticing it. I added the decoder in local_decoder to avoid damaging the default decoder. This is my custom decoder right now: windows windows INFORMATION\(1\) Image:\s* (\S+) \.* CommandLine: \S+\s* CurrentDirectory:
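The snippet above has lost its XML tags in the archive. For reference, here is an added example (mine, not the poster's decoder and not part of OSSEC) of the shape such a child decoder and its rules take. It assumes the event is already decoded by the stock "windows" decoder, that the message body carries the fields "Image:", "CommandLine:" and "CurrentDirectory:" in that order, and that the decoder name, rule ids 100200/100201 and the regex are locally chosen; every one of those assumptions should be checked with ossec-logtest against a real event before relying on it.

```xml
<!-- /var/ossec/etc/local_decoder.xml on the manager (added example, assumptions noted).
     Child of the stock "windows" decoder; prematch keys on the Sysmon event id 1
     text "INFORMATION(1)". The regex is an assumption about the field order and
     captures the image path into extra_data and the command line into data.
     OSSEC regex notes: \S+ is a run of non-spaces, \.+ is one or more of any
     character, and a plain "." is a literal dot. -->
<decoder name="sysmon-process-create">
  <parent>windows</parent>
  <type>windows</type>
  <prematch>INFORMATION\(1\)</prematch>
  <regex offset="after_prematch">Image:\s*(\S+)\.*CommandLine:\s*(\.+)\s*CurrentDirectory:</regex>
  <order>extra_data, data</order>
</decoder>

<!-- /var/ossec/rules/local_rules.xml on the manager.
     18100 is the stock "group of windows rules" parent; 100200/100201 are local ids. -->
<group name="local,sysmon,">
  <rule id="100200" level="3">
    <if_sid>18100</if_sid>
    <decoded_as>sysmon-process-create</decoded_as>
    <description>Sysmon: process created.</description>
  </rule>

  <rule id="100201" level="8">
    <if_sid>100200</if_sid>
    <!-- extra_data holds the captured image path; "$" anchors to its end -->
    <extra_data>powershell.exe$</extra_data>
    <description>Sysmon: PowerShell launched.</description>
  </rule>
</group>
```

When testing with `/var/ossec/bin/ossec-logtest`, phase 2 of its output names the decoder that won and lists the captured fields; if it still shows only the parent "windows" decoder, the prematch or the regex did not match the event text as the agent actually sends it, which is the first thing to compare character by character (the eventlog and eventchannel formats differ).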

[ossec-list] sysmon decoder and rules not triggered

2017-09-28 Thread amar haq
Hi, I have OSSEC manager 2.9.2 on Ubuntu and the OSSEC agent on Windows v2.9.0. Sysmon is installed and has been configured, and for example I tried to access PowerShell, agent's log. So I tried to use ossec-logtest and have this result: **Phase 1: Completed pre-decoding. full event: '2017 Sep 28