Re: [ossec-list] Re: ERROR: Unable to Bind port '1514'
Hello dan, I killed the instance but nothing happened; I had to start the process manually because the services went down. =S

Regards...

On Friday, August 25, 2017 at 11:01:25 (UTC-5), dan (ddpbsd) wrote:
> On Aug 25, 2017 11:32 AM, "Carlos Islas" wrote:
> > Hi dan,
> >
> > Sorry, I'm a newbie in that kind of commands. How can I kill the instance?
>
> I usually use `pkill ossec-remoted`
> You can also use `ps` to get the pid (or look for the pid in /var/ossec
> somewhere) and kill it that way.
>
> > Regards...
> >
> > On Thursday, August 24, 2017 at 16:19:57 (UTC-5), Carlos Islas wrote:
> > > Hello,
> > >
> > > I am having this issue when I execute the command ./ossec-remoted
> > >
> > > ossec.log:
> > >
> > > 2017/08/24 16:16:22 ossec-remoted: INFO: Started (pid: 19350).
> > > 2017/08/24 16:16:22 ossec-remoted(1206): ERROR: Unable to Bind port '1514'
> > >
> > > Could somebody help me to examine that error?
> > >
> > > Regards...

--
---
You received this message because you are subscribed to the Google Groups "ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to ossec-list+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
[ossec-list] Re: ossec-keepalive
Thanks for the answer, that clarifies my understanding. Sounds like you would like to see the alert details, so here they are ("our-demo" below is an agent, not the server):

OSSEC HIDS Notification.
2017 Aug 27 08:20:39

Received From: (our-demo) 10.nnn.nnn.nnn->ossec-keepalive
Rule: 1002 fired (level 2) -> "Unknown problem somewhere in the system."
Portion of the log(s):

--MARK--: dh7GKhV3D=9_tT9mi+oFulZk!/aTDX2_mDueL^7wo;Y-[Bccq4-;^Pcb]Qcyh5n7QH@JrN5))x9$Y#6p835rYqu-@HdN=LsBknO.bu7%A]Yf)#8dJHvbfPGzEJ#vC/eMmb;1vhJdcQi+!&'o623tZdS.]#6xt@sFuYO.5=a7+Xe0+LwVV'xoLxlGe(lxfDkz]Ywi.!x)BCN5v98*k??VxZ]^LVg/;4@CwP;7tqUdaP8v6KU*;c_31yMU)aatm@d-u,XNm0/0joDj?I.2RvWfWef&4y)US^lNJtMdDiH1p$sop3y6'Ct._#$Se1UWKodCH.Fsg#)9TTGqr4-YPjV*+DEH/;.-UPs,[YoO(Qs_dYeu!J(taITE@=@rx9h(s%w0_Kj6[BU/'hslQT)Q]G_o@0FQ*[CRqgleRutLdv=KCkWAlJ*g^n8UvhegP+fo]rs['L_.7@HRDL(O_lUlywnc*6W^d2.MB3H8Xv5yaVxEaj(D8+OPZkR')rnzayo9+JI1;L'!MQext'@8b+t[n%kOO@wOdK5HCWcubJ/][Qs1KMD'^eB.A''w4p@p0;e,OhqQ/2'GmmbegEL+-#Ar5u]*JoPRhTNV0lfhvNNIZP[5BGc60*FATAl,Pi,W2Jl!d5*ymzotwjGf.I@X

--END OF NOTIFICATION

On Monday, August 28, 2017 at 10:53:55 AM UTC-5, Leroy Tennison wrote:
> Just FYI, not sure if a resolution to
> https://groups.google.com/forum/#!msg/ossec-list/dE3klm84JMU/kGZkRdSl3ZkJ
> has been put in place or not but it is occurring in v2.9.2 - I received an
> email alert (can post the text if it would be helpful).
>
> Related to this, I noticed that the alert level is 2, it appears that the
> only place to set alert levels is in ossec.conf on the server or 'local'
> (it is configured on the server as the default: 7).
>
> I seem to remember seeing somewhere that a local install was one where the
> server managed only itself but can't find that reference now, is that
> correct?
>
> The other option is to configure the system as hybrid, if that would allow
> the notification to be suppressed (and the implications of the change
> weren't too great), I would be glad to configure it that way if someone
> could point me to instructions on how to do so.
>
> Thanks for the help, my learning curve at this point is pretty steep.
Re: [ossec-list] Re: OSSEC regular expression example for agent.conf
On Aug 28, 2017 2:46 PM, "Leroy Tennison" wrote:
> I wondered about that but verify-agent-conf didn't complain so I thought it
> was valid. I guess that means regex is only valid in rules?

Rules and decoders are the only places that come to mind at the moment.

> On Monday, August 28, 2017 at 9:40:53 AM UTC-5, Leroy Tennison wrote:
> > I'm having trouble getting an ignore expression to actually ignore a
> > change and suspect it's due to not understanding how OSSEC regular
> > expressions work. When I searched for examples I found very little so I'm
> > hoping someone can reply with examples or explanations. What I tried was:
> >
> > /var/lib/postgresql/9.5/main/base/\d+/\d+$
> > /var/lib/postgresql/9.5/main/pg_xlog/\d+$
> > /var/lib/postgresql/9.5/main/pg_subtrans/\d\d\w$
> > /var/lib/postgresql/9.5/main/pg_subtrans/\d\d\w\w$
> >
> > I'm still getting alerts such as the following:
> >
> > Integrity checksum changed for: '/var/lib/postgresql/9.5/main/base/16387/1259'
> > Integrity checksum changed for: '/var/lib/postgresql/9.5/main/pg_xlog/00010026'
> > New file '/var/lib/postgresql/9.5/main/pg_subtrans/0019' added to the
> > file system. (I configured new file alerting and am glad to see it's
> > working but just not this directory).
> >
> > Thanks for the help.
[ossec-list] Re: OSSEC regular expression example for agent.conf
I wondered about that but verify-agent-conf didn't complain so I thought it was valid. I guess that means regex is only valid in rules?

On Monday, August 28, 2017 at 9:40:53 AM UTC-5, Leroy Tennison wrote:
> I'm having trouble getting an ignore expression to actually ignore a
> change and suspect it's due to not understanding how OSSEC regular
> expressions work. When I searched for examples I found very little so I'm
> hoping someone can reply with examples or explanations. What I tried was:
>
> /var/lib/postgresql/9.5/main/base/\d+/\d+$
> /var/lib/postgresql/9.5/main/pg_xlog/\d+$
> <ignore type="regex">/var/lib/postgresql/9.5/main/pg_subtrans/\d\d\w$</ignore>
> <ignore type="regex">/var/lib/postgresql/9.5/main/pg_subtrans/\d\d\w\w$</ignore>
>
> I'm still getting alerts such as the following:
>
> Integrity checksum changed for: '/var/lib/postgresql/9.5/main/base/16387/1259'
> Integrity checksum changed for: '/var/lib/postgresql/9.5/main/pg_xlog/00010026'
> New file '/var/lib/postgresql/9.5/main/pg_subtrans/0019' added to the file
> system. (I configured new file alerting and am glad to see it's working
> but just not this directory).
>
> Thanks for the help.
Re: [ossec-list] OSSEC regular expression example for agent.conf
I'm pretty sure ignores are available in agent.conf

Sean

On Mon, Aug 28, 2017 at 10:57 AM, dan (ddp) wrote:
> On Mon, Aug 28, 2017 at 10:40 AM, Leroy Tennison wrote:
> > I'm having trouble getting an ignore expression to actually ignore a change
> > and suspect it's due to not understanding how OSSEC regular expressions
> > work. When I searched for examples I found very little so I'm hoping
> > someone can reply with examples or explanations. What I tried was:
> >
> > /var/lib/postgresql/9.5/main/base/\d+/\d+$
> > /var/lib/postgresql/9.5/main/pg_xlog/\d+$
> > <ignore type="regex">/var/lib/postgresql/9.5/main/pg_subtrans/\d\d\w$</ignore>
> > <ignore type="regex">/var/lib/postgresql/9.5/main/pg_subtrans/\d\d\w\w$</ignore>
>
> According to the documentation
> (https://ossec.github.io/docs/syntax/head_ossec_config.syscheck.html)
> sregex is what's available here. This is a VERY limited regex subset
> as documented here:
> https://ossec.github.io/docs/syntax/regex.html#os-match-sregex-syntax
> Also, I'm not sure ignores can be used in agent.conf. It's possible
> I'm mis-remembering this though.
>
> > I'm still getting alerts such as the following:
> >
> > Integrity checksum changed for: '/var/lib/postgresql/9.5/main/base/16387/1259'
> > Integrity checksum changed for: '/var/lib/postgresql/9.5/main/pg_xlog/00010026'
> > New file '/var/lib/postgresql/9.5/main/pg_subtrans/0019' added to the file
> > system. (I configured new file alerting and am glad to see it's working but
> > just not this directory).
> >
> > Thanks for the help.
Re: [ossec-list] OSSEC regular expression example for agent.conf
On Mon, Aug 28, 2017 at 10:40 AM, Leroy Tennison wrote:
> I'm having trouble getting an ignore expression to actually ignore a change
> and suspect it's due to not understanding how OSSEC regular expressions
> work. When I searched for examples I found very little so I'm hoping
> someone can reply with examples or explanations. What I tried was:
>
> /var/lib/postgresql/9.5/main/base/\d+/\d+$
> /var/lib/postgresql/9.5/main/pg_xlog/\d+$
> <ignore type="regex">/var/lib/postgresql/9.5/main/pg_subtrans/\d\d\w$</ignore>
> <ignore type="regex">/var/lib/postgresql/9.5/main/pg_subtrans/\d\d\w\w$</ignore>

According to the documentation
(https://ossec.github.io/docs/syntax/head_ossec_config.syscheck.html)
sregex is what's available here. This is a VERY limited regex subset
as documented here:
https://ossec.github.io/docs/syntax/regex.html#os-match-sregex-syntax
Also, I'm not sure ignores can be used in agent.conf. It's possible
I'm mis-remembering this though.

> I'm still getting alerts such as the following:
>
> Integrity checksum changed for: '/var/lib/postgresql/9.5/main/base/16387/1259'
> Integrity checksum changed for: '/var/lib/postgresql/9.5/main/pg_xlog/00010026'
> New file '/var/lib/postgresql/9.5/main/pg_subtrans/0019' added to the file
> system. (I configured new file alerting and am glad to see it's working but
> just not this directory).
>
> Thanks for the help.
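As an added illustration (not OSSEC's own code and not from this thread), a small Python model of the OS_Match / sregex rules dan links to, run over Leroy's posted ignore patterns and the paths from his alerts; the prefix-anchored rewrites are my assumption of how the same intent is expressed in sregex, and case folding is not modelled.

```python
import re

def sregex_match(pattern: str, text: str) -> bool:
    """Model of OSSEC OS_Match ("sregex") as documented: '!' at the start
    negates, '|' separates alternatives, '^' anchors an alternative to the
    start of the text and '$' to its end; everything else, including \\d,
    \\w and '+', is a literal character.  Case folding is not modelled."""
    negate = pattern.startswith("!")
    if negate:
        pattern = pattern[1:]
    for alt in pattern.split("|"):
        at_start = alt.startswith("^")
        at_end = alt.endswith("$")
        start = 1 if at_start else 0
        end = -1 if at_end else None
        literal = alt[start:end]
        if at_start and at_end:
            hit = text == literal
        elif at_start:
            hit = text.startswith(literal)
        elif at_end:
            hit = text.endswith(literal)
        else:
            hit = literal in text
        if hit:
            return not negate
    return negate

# Files from the syscheck alerts quoted in the thread.
SYSCHECK_PATHS = [
    "/var/lib/postgresql/9.5/main/base/16387/1259",
    "/var/lib/postgresql/9.5/main/pg_xlog/00010026",
    "/var/lib/postgresql/9.5/main/pg_subtrans/0019",
]
# The ignore patterns as posted.  Under sregex the backslashes, 'd', 'w'
# and '+' are literal characters that never occur in the real paths.
POSTED_IGNORES = [
    r"/var/lib/postgresql/9.5/main/base/\d+/\d+$",
    r"/var/lib/postgresql/9.5/main/pg_xlog/\d+$",
    r"/var/lib/postgresql/9.5/main/pg_subtrans/\d\d\w$",
    r"/var/lib/postgresql/9.5/main/pg_subtrans/\d\d\w\w$",
]
# Prefix-anchored sregex patterns expressing the same intent (assumed
# rewrite; the thread does not supply one).
PREFIX_IGNORES = [
    "^/var/lib/postgresql/9.5/main/base/",
    "^/var/lib/postgresql/9.5/main/pg_xlog/",
    "^/var/lib/postgresql/9.5/main/pg_subtrans/",
]

def sregex_ignored(path: str, ignores) -> bool:
    """True if any sregex pattern in `ignores` matches `path`."""
    return any(sregex_match(p, path) for p in ignores)

def pcre_ignored(path: str, ignores) -> bool:
    """Same patterns evaluated by Python's re module, for contrast."""
    return any(re.search(p, path) for p in ignores)
```

Under Python's re every posted pattern matches its alert path, under the sregex model none does, and the three prefix patterns match all three paths.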
Re: [ossec-list] OSSEC 2.8.3, Server does not trigger email alerts for agent
On Mon, Aug 28, 2017 at 2:25 AM, Tirumala Raja Siriki wrote:
> Email levels are at enough priority, I am getting emails now after stopping
> alerting from RDP. I have multiple RDP where agent is installed and I get a
> lot of false alerts from RDPs, for Authentication failure and Account locked
> out.

If you're seeing false positives, it would be great if you reported them. We could fix them (or they have been fixed in recent versions of OSSEC).

> On Thursday, August 24, 2017 at 6:07:05 PM UTC+5:30, dan (ddpbsd) wrote:
> > On Aug 24, 2017 8:31 AM, "Tirumala Raja Siriki" wrote:
> > > Hi Everyone,
> > >
> > > I am running Ossec 2.8.3 version on Server as well as agents. I am not
> > > getting any email alerts from Ossec Server (Suse Linux) for one of the agents,
> > > which is also running on Suse Linux.
> > > I see alerts are getting logged in /var/ossec/logs/alerts/alerts.log file
> > > but no emails triggered. Other agents are working fine.
> > > I noticed Ossec Server has rsyslog running while Agent has syslog-ng. Are
> > > there any changes that need to be done for logging?
> > >
> > > Any help is appreciated.
> >
> > Are the alerts that this agent triggers high enough level to be sent via
> > email? Are the alerts grouped with other alerts in a single email?
> >
> > > Many Thanks
Re: [ossec-list] Re: Testing OSSEC
On Mon, Aug 28, 2017 at 12:17 AM, Ritu Soni wrote:
> hey,
>
> I have added the rule in local_rules.xml file in the way shown in the
> attached image.
> After adding the rule, I have restarted OSSEC services. But I get
> the following errors:
>
> Starting OSSEC HIDS v2.8.3 (by Trend Micro Inc.)...
> Started ossec-dbd...
> 2017/08/28 09:40:55 ossec-config(1501): ERROR: Invalid SMTP Server: alt1.gmail-smtp-in.l.google.com.
> 2017/08/28 09:40:55 ossec-config(1202): ERROR: Configuration error at '/var/ossec/etc/ossec.conf'. Exiting.
> 2017/08/28 09:40:55 ossec-maild(1202): ERROR: Configuration error at '/var/ossec/etc/ossec.conf'. Exiting.
> ossec-maild did not start correctly.
>
> Did I miss anything? Or should any other command have been used to
> make that rule work? Please guide me to solve this problem.

That error has nothing to do with the rule you added. I think there's an issue with name resolution for maild, but I haven't looked into it yet.
[ossec-list] ossec-keepalive
Just FYI, not sure if a resolution to https://groups.google.com/forum/#!msg/ossec-list/dE3klm84JMU/kGZkRdSl3ZkJ has been put in place or not but it is occurring in v2.9.2 - I received an email alert (can post the text if it would be helpful).

Related to this, I noticed that the alert level is 2, it appears that the only place to set alert levels is in ossec.conf on the server or 'local' (it is configured on the server as the default: 7).

I seem to remember seeing somewhere that a local install was one where the server managed only itself but can't find that reference now, is that correct?

The other option is to configure the system as hybrid, if that would allow the notification to be suppressed (and the implications of the change weren't too great), I would be glad to configure it that way if someone could point me to instructions on how to do so.

Thanks for the help, my learning curve at this point is pretty steep.
[ossec-list] OSSEC regular expression example for agent.conf
I'm having trouble getting an ignore expression to actually ignore a change and suspect it's due to not understanding how OSSEC regular expressions work. When I searched for examples I found very little so I'm hoping someone can reply with examples or explanations. What I tried was:

/var/lib/postgresql/9.5/main/base/\d+/\d+$
/var/lib/postgresql/9.5/main/pg_xlog/\d+$
/var/lib/postgresql/9.5/main/pg_subtrans/\d\d\w$
/var/lib/postgresql/9.5/main/pg_subtrans/\d\d\w\w$

I'm still getting alerts such as the following:

Integrity checksum changed for: '/var/lib/postgresql/9.5/main/base/16387/1259'
Integrity checksum changed for: '/var/lib/postgresql/9.5/main/pg_xlog/00010026'
New file '/var/lib/postgresql/9.5/main/pg_subtrans/0019' added to the file system. (I configured new file alerting and am glad to see it's working but just not this directory).

Thanks for the help.
Re: [ossec-list] OSSEC 2.8.3, Server does not trigger email alerts for agent
Email levels are at enough priority, I am getting emails now after stopping alerting from RDP. I have multiple RDP where agent is installed and I get a lot of false alerts from RDPs, for Authentication failure and Account locked out.

On Thursday, August 24, 2017 at 6:07:05 PM UTC+5:30, dan (ddpbsd) wrote:
> On Aug 24, 2017 8:31 AM, "Tirumala Raja Siriki" wrote:
> > Hi Everyone,
> >
> > I am running Ossec 2.8.3 version on Server as well as agents. I am not
> > getting any email alerts from Ossec Server (Suse Linux) for one of the agents,
> > which is also running on Suse Linux.
> > I see alerts are getting logged in /var/ossec/logs/alerts/alerts.log file
> > but no emails triggered. Other agents are working fine.
> > I noticed Ossec Server has rsyslog running while Agent has syslog-ng. Are
> > there any changes that need to be done for logging?
> >
> > Any help is appreciated.
>
> Are the alerts that this agent triggers high enough level to be sent via
> email? Are the alerts grouped with other alerts in a single email?
>
> > Many Thanks