Hi all,
This is my first contribution. I'm adding the patch to
os_lib_alerts.php.
/ossec-wui-0.3/lib/os_lib_alerts.php(361) : Deprecated - Function
ereg_replace() is deprecated
/ossec-wui-0.3/lib/os_lib_alerts.php(362) : Deprecated - Function
ereg_replace() is deprecate
Hi all,
I have configured this decoder:
<decoder name="custom-decoder">
<prematch>^\w+ \d+ \d+:\d+:\d+ RT_FLOW: </prematch>
</decoder>
<decoder name="custom-decoder-action">
<parent>custom-decoder</parent>
<type>firewall</type>
<prematch offset="after_parent">^RT_FLOW_SESSION_CLOSE: </prematch>
regex
Hi Karl,
The keys are just simple text files inside client.keys. You just need
one of each file for each
agent, which you can mass deploy via AD... That would be the simplest approach.
thanks,
--
Daniel B. Cid
http://dcid.me
On Wed, Mar 14, 2012 at 6:38 PM, karl_h...@ohionational.com wrote:
Hey,
Can you send this patch with -U (unified diff?) If there are other
patches for the UI, I will
add them, since it seems people still like to use it :)
Thanks,
On Thu, Mar 15, 2012 at 5:19 AM, k001 k001.opera...@gmail.com wrote:
Hi all,
This is my first contribution. I'm adding the patch
I have a bitbucket with some of the offered patches so far. I haven't
had time to do much else though (including actually testing the
changes).
https://bitbucket.org/ddpbsd/ossec-wui
On Thu, Mar 15, 2012 at 9:40 AM, Daniel Cid daniel@gmail.com wrote:
Hey,
Can you send this patch with -U
If I open the client.keys files it shows me the ID Name IP address Key, but
the key listed is much different than the key that is exported via the
command line. Are you saying that I should just drop the client.keys file
on each system?
Karl
From: Daniel Cid daniel@gmail.com
To:
The exported key is encoded (base64?), the client.keys entries are
raw. If you look at the keys file on a configured agent it will look
more like the client.keys entries than the exported version.
On Thu, Mar 15, 2012 at 9:55 AM, karl_h...@ohionational.com wrote:
If I open the client.keys files
Thanks, I will give it another try. I was using the scripts provided in
the Windows Automated Installation document and the information is not
being imported into the agent properly. Will review the script and the
test system to see if I can find where the problem may be.
Thanks for your help
Is there a way to configure the ossec
agent to ignore specific windows events? I have an application that
is misbehaving and it's creating ossec alerts for multiple windows events
Rule: 18154 (level 10) - 'Multiple Windows error events.'
Can I configure OSSEC agent to eliminate rule 18154?
You can generally create rules to ignore logs you don't care about. In
the case of 18154, you should look at the collected log messages and
create rules to ignore the individual ones you don't want to see. If
you keep them from firing 18103 alerts, then 18154 won't be triggered.
On Thu, Mar 15,
Hi Michael
I have a rule limiting alerts on 18154 events inside my local_rules.xml file
<rule id="101013" level="7" frequency="4" timeframe="1600">
<if_matched_sid>18154</if_matched_sid>
<match>WinEvtLog: System: ERROR(13): NPS:</match>
<description>turn down the noise on this
Hey Daniel,
Here is the -U patch
Regards
On Mar 15, 2012, at 7:40 AM, Daniel Cid wrote:
Hey,
Can you send this patch with -U (unified diff?) If there are other
patches for the UI, I will
add them, since it seems people still like to use it :)
Thanks,
On Thu, Mar 15, 2012 at