Re: [ossec-list] remoted Dropping Events

2016-12-09 Thread lemuelcrandall via ossec-list
On Fri, 12/9/16, marquitarickman via ossec-list wrote: Subject: Re: [ossec-list] remoted Dropping Events To: ossec-list@googlegroups.com Date: Friday, December 9, 2016, 9:29 PM

Re: [ossec-list] remoted Dropping Events

2016-12-09 Thread marquitarickman via ossec-list
On Fri, 12/9/16, stephanmabe via ossec-list wrote: Subject: Re: [ossec-list] remoted Dropping Events To: ossec-list@googlegroups.com Date: Friday, December 9, 2016, 9:03 PM

Re: [ossec-list] remoted Dropping Events

2016-12-09 Thread cammiekuykendall via ossec-list
On Fri, 12/9/16, stephanmabe via ossec-list wrote: Subject: Re: [ossec-list] remoted Dropping Events To: ossec-list@googlegroups.com Date: Friday, December 9, 2016, 9:03 PM

Re: [ossec-list] remoted Dropping Events

2016-12-09 Thread stephanmabe via ossec-list
On Fri, 12/9/16, Chris Decker wrote: Subject: Re: [ossec-list] remoted Dropping Events To: "ossec-list" Date: Friday, December 9, 2016, 6:24 PM Dan, Thanks for your help. Is

Re: [ossec-list] Is/will journalctl supported

2016-12-09 Thread dan (ddp)
On Dec 9, 2016 11:56 AM, "Bill Price" wrote: We monitor a large variety of sites using ossec. We were asked to monitor a Centos 7.2 site that is using journalctl. Does Ossec 2.8.1 support log monitoring on a system using journalctl? If not, will 2.9 or any later

[ossec-list] Is/will journalctl supported

2016-12-09 Thread Bill Price
We monitor a large variety of sites using ossec. We were asked to monitor a Centos 7.2 site that is using journalctl. Does Ossec 2.8.1 support log monitoring on a system using journalctl? If not, will 2.9 or any later version at some time support it?

Re: [ossec-list] remoted Dropping Events

2016-12-09 Thread Chris Decker
Dan, Thanks for your help. Is ossec-remoted listed in the DAEMONS variable in the script? > It was *not*, but I added it after noticing it wasn't in there. If I tell ossec-control to stop, remoted stops as expected: [root@logger01 limits.d]# /var/ossec/bin/ossec-control stop Killing

[ossec-list] Re: remoted Dropping Events

2016-12-09 Thread Chris Decker
Dave, Thanks for your suggestions. If I start remoted manually it doesn't complain that the port is already in use. I am also starting it in debug mode and it starts cleanly AND works when I start it manually. I *do* have remoted configured to accept both tcp and udp logs on port 514, but

Re: [ossec-list] Firewall appliance : netasq/stormshield

2016-12-09 Thread dan (ddp)
On Dec 9, 2016 5:51 AM, "Bertrand Danos" wrote: Hello Dan, Thank you very much for your help. I've a problem with the following decoder and sample. It generates a segfault in ossec-logtest : netasq logtype="filter" ^id=(\S+) time=\.+ fw="(\w+)" \.+

Re: [ossec-list] remoted Dropping Events

2016-12-09 Thread dan (ddp)
On Dec 9, 2016 9:17 AM, "Chris Decker" wrote: Victor, On Friday, December 9, 2016 at 6:42:27 AM UTC-5, Victor Fernandez wrote: > > Hi, > > Agents should send a keepalive each 10 minutes (600 seconds) by default, > and this should be enough. But you can go down that time

[ossec-list] Re: remoted Dropping Events

2016-12-09 Thread Dave Stoddard
If remoted is failing, it is likely you have another program running on that port that remoted is trying to bind to. For example, syslog is a common application on UNIX/BSD/Linux systems, and uses port 514. If you also attempt to use port 514 for remoted, you will get a conflict and remoted

Re: [ossec-list] remoted Dropping Events

2016-12-09 Thread Chris Decker
Victor, On Friday, December 9, 2016 at 6:42:27 AM UTC-5, Victor Fernandez wrote: > > Hi, > > Agents should send a keepalive each 10 minutes (600 seconds) by default, > and this should be enough. But you can go down that time at the agent's > ossec.conf: > > > > > 1.2.3.4 > *60*

Re: [ossec-list] Firewall appliance : netasq/stormshield

2016-12-09 Thread Bertrand Danos
ossec-logtest -V reports v2.8 Regards 2016-12-09 12:50 GMT+01:00 Jesus Linares : > Hi, > > what OSSEC version are you running? > > Regards. > > On Friday, December 9, 2016 at 11:51:09 AM UTC+1, 1kn0 wrote: >> >> Hello Dan, >> >> Thank you very much for your help. >> >> I've a

Re: [ossec-list] Firewall appliance : netasq/stormshield

2016-12-09 Thread Jesus Linares
Hi, what OSSEC version are you running? Regards. On Friday, December 9, 2016 at 11:51:09 AM UTC+1, 1kn0 wrote: > > Hello Dan, > > Thank you very much for your help. > > I've a problem with the following decoder and sample. It generates a > segfault in ossec-logtest : > > > > >

Re: [ossec-list] remoted Dropping Events

2016-12-09 Thread Victor Fernandez
Hi, Agents should send a keepalive each 10 minutes (600 seconds) by default, and this should be enough. But you can go down that time at the agent's ossec.conf: 1.2.3.4 *60* If you see any agent disconnected, check its ossec.log file. On the other hand, as Dan says,

Re: [ossec-list] Re: important questions on CDB lists

2016-12-09 Thread Jesus Linares
Hi Omar, if you don't mind, please share your decoders, rules and CDB list and I can test it in my lab. Thanks. On Wednesday, December 7, 2016 at 9:01:18 PM UTC+1, Omar M wrote: > > Hi Dan, > Thanks for the quick response. > > The objective is to create a rule that will trigger if a restricted

Re: [ossec-list] Firewall appliance : netasq/stormshield

2016-12-09 Thread Bertrand Danos
Hello Dan, Thank you very much for your help. I've a problem with the following decoder and sample. It generates a segfault in ossec-logtest : netasq logtype="filter" ^id=(\S+) time=\.+ fw="(\w+)" \.+ srcifname="(\w+)" ipproto=(\S+) proto=(\S+) src=(\S+) srcport=(\d+) \.+ dst=(\S+)

[ossec-list] Re: regex in agent id field

2016-12-09 Thread Jesus Linares
Hi Sean, it seems that agent_config name is checked by the function OS_Match2 which only matches strings with *^*, *$* or *|* special characters. So,