So Phil,
I checked out your posting. What did you fix to make it work?
And Eric,
<same_source_ip /> is a legit tag for a composite rule.
See http://www.ossec.net/main/manual/configuration-options/#rules_options
Table 4.1
- Dave
Hi Dave
Sorry for the late reply, as I was out of the office.
I followed the steps, but I am still not receiving the logs, including
those from the CISCO router.
Also, can I search these logs via the web interface, or can I create any
queries?
Kindly help.
Muraleedaran Kanapathy| Linux/Unix System
Dan,
Upon reading the OSSEC book again it appears to confirm my suspicion
that all means all agents.
So, how do you include the server as well?
I tried <location>server,all</location> as someone else's post
suggested but it doesn't work. The active response seems to work only
on the server if I
Running two of the logs through ossec-logtest shows a few differences:
May 7 09:50:46 Server su(pam_unix)[17639]: authentication failure;
logname=username uid=500 euid=0 tty=pts/0 ruser=username rhost=
user=root
**Phase 1: Completed pre-decoding.
full event: 'May 7 09:50:46 Server
Dear Sirs
We are in the process of installing OSSEC for log analysis
purposes for the PCI DSS requirement.
In Windows I have installed the OSSEC agent, but I am unable to see any
Windows event logs such as Application and System, except for the Security
logs (including CISCO logs).
Hi,
OSSEC by default will only generate alerts on events that have potential
security value. Most events from the System and Application event log are
just informational, and OSSEC will not store them.
If you need to have all of them stored, go to your ossec.conf (on the
manager) and set logall.
Hi Muraleedaran,
You cannot browse all windows events from the web interface, you can only view
Windows Events that have been triggered by a rule to generate an alert. Take a
look in this file on the ossec server:
ossec_path/rules/msauth_rules.xml
You could write your own rule to generate alerts
Sounds reasonable, but if accounts are indeed manually created, how is spam
getting into the wiki then?
From: Chris Buechler cbuech...@gmail.com
To: ossec-list@googlegroups.com
Sent: Fri, May 7, 2010 7:39:41 PM
Subject: Re: [ossec-list] Re: Comprehensive manual
Hello,
I have 3 checkpoint firewalls in windows. Is there any way to send the logs to
ossec?
Juan Jorge Cruces Fernández
Accelya
Hi Max
Thanks a lot for the reply
May I know what you used to collect the logs from network devices
(routers and switches)?
And did you use OSSEC only for file integrity checking? If so, what
syslog and syslog viewer did you implement?
Kindly advise.
Muraleedaran
The two different sets of log entry samples came from two different versions
of Linux. The remote servers are spitting out the first log entries
when the remote servers are RHEL v4 based (I have not tested RHEL v5.)
The local ossec management server, that all the agents talk to, is running
The logall option will save the logs in /var/ossec/logs/archives/
(after restarting the server of course). There probably aren't any
default rules for these logs, so you may have to write your own.
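The settings the replies above refer to, as an added example that is not from any post in this thread: ossec.conf fragments that turn on logall on the manager and collect the Application and System event logs on a Windows agent, plus a local composite rule using same_source_ip over the pam_unix authentication failure shown earlier. Assumptions: the local rule id 100100 is chosen here, and 5503 is assumed to be the stock pam "User login failed" rule that the sample log decodes to; confirm the sid with ossec-logtest before relying on it.

```xml
<!-- (1) Manager ossec.conf: keep every received event, alert or not,
     under /var/ossec/logs/archives/ (restart the manager afterwards) -->
<ossec_config>
  <global>
    <logall>yes</logall>
  </global>
</ossec_config>

<!-- (2) Windows agent ossec.conf: make sure the Application and System
     event logs are listed as localfile entries, not only Security -->
<ossec_config>
  <localfile>
    <log_format>eventlog</log_format>
    <location>Application</location>
  </localfile>
  <localfile>
    <log_format>eventlog</log_format>
    <location>System</location>
  </localfile>
</ossec_config>

<!-- (3) Manager rules/local_rules.xml: composite rule that fires when the
     same source trips the pam "authentication failure" rule 5 times in
     120 seconds. Rule id 100100 is an assumed local id (local rules use
     100000-119999); 5503 is assumed to be the pam rule matching
     "su(pam_unix)[...]: authentication failure" - verify with ossec-logtest.
     Caveat: a su failure whose rhost= field is empty carries no srcip,
     so it cannot be correlated by same_source_ip; use <same_user /> for
     that case. -->
<group name="local,pam,">
  <rule id="100100" level="10" frequency="5" timeframe="120">
    <if_matched_sid>5503</if_matched_sid>
    <same_source_ip />
    <description>Multiple PAM authentication failures from the same source.</description>
  </rule>
</group>
```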
You should be able to forward the syslog data to a system that is
listening for syslog messages so
The ossec regex rules are in the wiki or the manual, can't remember which.
I prefer using matches where possible, regex if necessary. Ossec's
pretty fast though, so regex is probably ok.
On Mon, May 10, 2010 at 9:42 AM, Nicholas Ritter ritter6...@gmail.com wrote:
The two different sets of log
It looks like anonymous editing was allowed for a bit. Not positive though.
On Mon, May 10, 2010 at 1:34 PM, Alessandro Di Giuseppe
a_di_giuse...@yahoo.com wrote:
Sounds reasonable, but if accounts are indeed manually created, how is spam
getting into the wiki then?