Re: [ossec-list] Another logtest works but not getting alerts...

2015-11-27 Thread Phillipa Moorea
I think this is my same issue, but I am not sure what this means? Is there any way you can expand a little further on how you got your alert to work? I'm having this same issue for trying to get alerts for PowerShell commands. On Thursday, November 26, 2015 at 8:52:28 AM UTC-6,

[ossec-list] Re: OSSEC - Windows Event Log - PowerShell Alerts

2015-11-27 Thread Phillipa Moorea
Well, I updated both the server and client OSSEC HIDS to 2.8.3, but still no luck. The PowerShell logs in archive.log are still multi-line logs, and I am getting the same results. On Wednesday, November 25, 2015 at 8:45:18 AM UTC-6, Phillipa Moorea wrote: > > Ok, I think I know what's going on

Re: [ossec-list] active-responses not running for ipv6 addresses?

2015-11-27 Thread dan (ddp)
On Thu, Nov 26, 2015 at 6:44 PM, Graeme Coates wrote: > Hi, > > Am running OSSEC 2.8.3-3jessie (from the alientvault.com repo) > > I'm trying to test active-response rules for a Wordpress install - > specifically to add source IPs as DROP rules in iptables where they

Re: [ossec-list] ossec-logtest returns Level 0 but still getting email alerts Level 2

2015-11-27 Thread dan (ddp)
On Wed, Nov 25, 2015 at 2:19 PM, Daniel Bray wrote: > On Wednesday, November 25, 2015 at 1:46:15 PM UTC-5, LostInThe Tubez wrote: >> >> On the OSSEC server, open /var/ossec/rules/syslog_rules.xml. Search for >> rule 1002, right there towards the top. Note the options element,

Re: [ossec-list] ossec alert

2015-11-27 Thread dan (ddp)
On Fri, Nov 27, 2015 at 2:43 AM, wrote: > > hi ~ help~~~ Is there another alert way for OSSEC ( exclude e-mail > )??? such as Wechat Etc :) > Thanks~~~!!! > OSSEC can output in syslog, and some similar formats (CEF, Splunk). It can also

Re: [ossec-list] ERROR: Queue '/var/ossec/queue/ossec/queue' not accessible (again)

2015-11-27 Thread dan (ddp)
On Mon, Nov 23, 2015 at 4:29 PM, Greg Nowicki wrote: > Hello, > > Hoping someone can help me. > > New server install on RHEL 6 using source file ossec-hids-2.8.3.tar.gz, it > appears the very important daemon, ossec-analysisd, does not fully start, > thus preventing other

[ossec-list] Re: OSSEC - Windows Event Log - PowerShell Alerts

2015-11-27 Thread Phillipa Moorea
A little further, I changed the logformat from eventlog to eventchannel, and now the archive.log has taken out all of the multiple lines. I still do not have a generated alert yet even though ossec-logtest says it generates an alert and it matches my custom rule. I set the level to level 6.