[ossec-list] Russian cyrillic

2015-05-15 Thread Павел Копцев
Hello, just set up a VM with Ossec from the Virtual Appliance template and encountered a problem with monitoring Windows event logs. I set up a security audit for shares under Windows 2008 Server and when Ossec gets the log message I get the following output in Kibana - 2015 Mar 27 12:50:42

[ossec-list] Custom Rules for deeper registry monitoring

2015-05-15 Thread Justin Hazard
Hey Everyone, huge fan of OSSEC, just got my first implementation up and operational. I have a few rules that I want to write, just for testing's sake. What we are looking to do is to write two separate rules that achieve similar results, and more specifically we want to know when any change

Re: [ossec-list] Active Response in windows 2008

2015-05-15 Thread dan (ddp)
On Thu, May 14, 2015 at 10:59 AM, HMath h.i.youss...@gmail.com wrote: First, sorry for my English. I am new to OSSEC. What happened is I was trying some attacks on IIS on a Windows machine and alerts are generated in the OSSEC server. I have supposed that OSSEC will block the attacking IP for 600

Re: [ossec-list] Re: OSSEC + CIS benchmark tests

2015-05-15 Thread dan (ddp)
On Tue, May 12, 2015 at 6:57 PM, autodidactic theoriginalg...@gmail.com wrote: Are there any updates to this feature or documentation about it? I see very raw documentation in the sample CIS benchmark policy audit files, but it leaves me guessing about some of it. I want to write the policy for the

[ossec-list] Re: ossec-agent installation process automatization on windows

2015-05-15 Thread Grant Leonard
It should be enough, sir. Each agent needs its own key, but once the agent has the key and checks in with the server, it will pick up any custom configurations. All the best. On Thursday, May 14, 2015 at 7:02:32 PM UTC-4, Daniil Svetlov wrote: Hi! I'm trying to update the ossec-agent key on Windows

[ossec-list] Re: Agent cannot connect to server, does not appear to be firewall or key related

2015-05-15 Thread Grant Leonard
Have you run a tcpdump or ngrep on the server to ensure packets are arriving on UDP port 1514? When the agent is initially restarted it begins a new dialog with the server and you should be able to see that on the wire. On Thursday, May 14, 2015 at 5:31:28 PM UTC-4, Andy Theuninck wrote: I

[ossec-list] Re: Custom Rules for deeper registry monitoring

2015-05-15 Thread Brent Morris
You'll want to test this yourself. But you can manage what files are monitored and what registry entries are monitored in the host's config file for the Syscheck. Run the Agent Manager on the host and go to view config. Then you can just change the configuration file and save it, restart

Re: [ossec-list] Re: OSSEC + CIS benchmark tests

2015-05-15 Thread dan (ddp)
On May 15, 2015 5:27 PM, The O.G. theoriginalg...@gmail.com wrote: So, does that mean the best way to understand how the system policy audit works is to basically read the source code in rootcheck system? It simply means I cannot answer many questions about it. Reading the source is one way to

Re: [ossec-list] host specific rules

2015-05-15 Thread Santiago Bassett
Hi Sebastian, not sure what could be the problem here. Did you figure it out? Best. On Wed, May 13, 2015 at 7:21 AM, skotthof sebastian.kotth...@rz.uni-mannheim.de wrote: OK, thank you. I checked how to use CDBs now, seems this is really what I need. Really cool! Nevertheless, now I ran

[ossec-list] Re: Custom Rules for deeper registry monitoring

2015-05-15 Thread Justin Hazard
Hi Brent, I appreciate the response, and it seems like the way forward for the Registry Monitoring portion. I will test it out, and let you know how it works. I understand it is going to generate a lot of stuff, but I am just testing it right now, and need to figure out a few things, and it

[ossec-list] Re: Custom Rules for deeper registry monitoring

2015-05-15 Thread Brent Morris
Syscheck only runs on intervals, and will have some limitations in a 64 bit environment. Please see the issue below. https://github.com/ossec/ossec-hids/issues/301 Another way to accomplish your goal would be to turn on auditing on the Windows computer. This is either done through Group

[ossec-list] Re: Agent cannot connect to server, does not appear to be firewall or key related

2015-05-15 Thread Andy Theuninck
Close. Firewall logging on the client side helped. The OSSEC server has two IPs on the same network. It was receiving messages from the agent on one IP but sending the response back on the other IP. The agent's firewall was then dropping the response as unrelated. Specifying a local_ip in the

[ossec-list] Active response not working

2015-05-15 Thread Bùi Viết Hướng
I have ossec server (CentOS) and ossec agent (win7). -On server- ossec.conf: <command><name>eject_usb</name><executable>event.cmd</executable><expect>srcip</expect><timeout_allowed>yes</timeout_allowed></command> <active-response><command>eject_usb</command><location>local</location>

Re: [ossec-list] Re: OSSEC + CIS benchmark tests

2015-05-15 Thread The O.G.
So, does that mean the best way to understand how the system policy audit works is to basically read the source code in rootcheck system? On Fri, May 15, 2015 at 5:04 AM, dan (ddp) ddp...@gmail.com wrote: On Tue, May 12, 2015 at 6:57 PM, autodidactic theoriginalg...@gmail.com wrote: Are