Hi Jesus,
Yeah, I think I submitted a pull request into OSSEC some time back on
this... If memory serves, the other IDs are because I used the existing MS
ID schema for OSSEC. The odd IDs are just because these live in my
local_rules.xml in production. Sadly, I haven't had the time to
How are you configuring those whitelisted subnets in the config - as a series of individual addresses?
Sent from my iPad
> On May 19, 2016, at 06:42, James Siegel wrote:
>
> I have a set of subnets that are whitelisted.
> The server and agents were installed quite
James,
Please check the active-responses.log on the respective agent/device.
And you might want to consider upgrading to a newer version, because maybe
there was indeed a bug in active response that has been addressed and fixed
in a more recent version. The current stable version is 2.8.3, but if
Have you checked the active responses log on the respective agent/device?
/var/ossec/logs/active-responses.log
or on Windows systems C:\Program Files (x86)\ossec-agent\active-response\active-responses.log
On Thursday, 19 May 2016 18:42:04 UTC+2, James Siegel wrote:
>
> I have a set of
Hi Maxim,
What was the problem with Logstash? How is your configuration?
A typical configuration is Manager + Logstash forwarder and other machine
with ELK. So you should debug if each part is receiving the logs.
Quick debug guide:
Logstash forwarder:
-
Hi Jesus,
It worked much better! Kicking out offenders more and more now :-)
My Google-fu was also better yesterday and I found this blog post:
https://mebsd.com/freebsd-security-hardening/solved-ossec-repeated-offenders-ignored.html
/x
On Thu, May 19, 2016 at 10:11 AM, Xavier Mertens