Hi all,
Maybe it is a stupid question, but is it on OSSEC's roadmap to
develop an OSSEC agent or a minimal local server for Android devices?
Thanks
Hi all,
I have a really strange problem with the ossec-csyslog process on one
server. I have two OSSEC servers that forward all alerts to a central
Splunk server. From serverA all works ok: ossec-csyslog connects to the
Splunk server and sends all alerts to it. But with the other server I
have problems.
On Tue, Feb 28, 2012 at 9:34 AM, C. L. Martinez carlopm...@gmail.com wrote:
Hi all,
I have a really strange problem with the ossec-csyslog process on one
server. I have two OSSEC servers that forward all alerts to a central
Splunk server. From serverA all works ok: ossec-csyslog connects
Hi all,
Am I wrong, or do rules and a decoder not exist to process CheckPoint
Firewall-1 logs?
Thanks.
On Tue, Feb 28, 2012 at 3:27 PM, C. L. Martinez carlopm...@gmail.com wrote:
Hi all,
Am I wrong, or do rules and a decoder not exist to process CheckPoint
Firewall-1 logs?
Thanks.
Oops ... Sorry, my mistake. I see it. But I need to parse CHKP logs
from an export log and not from syslog.
On Wed, Feb 29, 2012 at 11:58 AM, dan (ddp) ddp...@gmail.com wrote:
On Wed, Feb 29, 2012 at 5:05 AM, C. L. Martinez carlopm...@gmail.com wrote:
On Tue, Feb 28, 2012 at 3:27 PM, C. L. Martinez carlopm...@gmail.com wrote:
Hi all,
Am I wrong, or do rules and a decoder not exist to process
I am trying to write this decoder, without luck. My sample log:
Number Date Time Interface Origin Type Action Service
Source Port Source Destination Protocol Rule Rule Name
Current Rule Number User Information Product Source Machine
Name Source User Name
2 26Feb2012 23:58:58 Lan2 CHCKPNT1
On Wed, Feb 29, 2012 at 12:40 PM, C. L. Martinez carlopm...@gmail.com wrote:
I am trying to write this decoder, without luck. My sample log:
Number Date Time Interface Origin Type Action Service
Source Port Source Destination Protocol Rule Rule Name
Current Rule Number User Information
On Wed, Feb 29, 2012 at 4:52 PM, Viktor Gazdag woodsp...@gmail.com wrote:
Hi!
I quickly made this decoder, and after that you can see the ossec-logtest
output! The interface is not there, I know. :/
I hope it is good for you or helps somehow! :) If you have any question,
feel free to ask!
Hi all,
I have a log generated by a win program that includes this:
some info
How can I escape these quotes to extract only some info??
Thanks.
On Thu, Mar 1, 2012 at 12:18 PM, dan (ddp) ddp...@gmail.com wrote:
It must be nice to have people do your work for you.
Sorry, but that is not my intention. I have been trying to resolve this
problem since this morning.
I'm not sure how it can match the decoder without matching everything.
Are you
On Thu, Mar 1, 2012 at 3:02 PM, Viktor Gazdag woodsp...@gmail.com wrote:
Hi!
Here is the new decoder! This log file record is a little bit different,
that's why it didn't work. But with my new decoder, it works well with both
records! ;)
I write you a quick basic ossec decoder tutorial! If
On Thu, Mar 1, 2012 at 3:13 PM, Viktor Gazdag woodsp...@gmail.com wrote:
Hi!
It depends on what the some info is!
\w+\s\w+
some info
If it is, i.e., some info to extract, then it
won't work! Read about OSSEC regex and decoder writing tutorials and ask if
you
Hi all,
I am trying to report all actions made by some CheckPoint firewalls.
After adjusting my decoder, I am trying to write some rules to match all
logged firewall actions like: Drop, Accept, Session Auth, etc...
For example, to report all drops, I have written this rule:
<group name="cpfirewall,">
On Mon, Mar 5, 2012 at 11:49 AM, dan (ddp) ddp...@gmail.com wrote:
I should probably mention that I think the -a flag for ossec-logtest
will give you OSSEC alert log output. Redirect that to a file or
possibly to ossec-reportd, and you should probably get what you're
after.
Thanks Dan. It is
On Mon, Mar 5, 2012 at 1:04 PM, dan (ddp) ddp...@gmail.com wrote:
On Mon, Mar 5, 2012 at 6:09 AM, C. L. Martinez carlopm...@gmail.com wrote:
On Mon, Mar 5, 2012 at 11:49 AM, dan (ddp) ddp...@gmail.com wrote:
I should probably mention that I think the -a flag for ossec-logtest
will give you
On Mon, Mar 5, 2012 at 1:18 PM, C. L. Martinez carlopm...@gmail.com wrote:
On Mon, Mar 5, 2012 at 1:04 PM, dan (ddp) ddp...@gmail.com wrote:
On Mon, Mar 5, 2012 at 6:09 AM, C. L. Martinez carlopm...@gmail.com wrote:
On Mon, Mar 5, 2012 at 11:49 AM, dan (ddp) ddp...@gmail.com wrote:
I should
Hi all,
Is it possible to add more than one option in the decoded_as param under
a rule? For example, I have several rules defined against the dshield
blacklist like this:
<group name="dshield,">
<rule id="120007" level="14">
<decoded_as>first_decoder</decoded_as>
<if_sid>100200</if_sid>
Hi all,
I have configured this decoder:
<decoder name="custom-decoder">
<prematch>^\w+ \d+ \d+:\d+:\d+ RT_FLOW: </prematch>
</decoder>
<decoder name="custom-decoder-action">
<parent>custom-decoder</parent>
<type>firewall</type>
<prematch offset="after_parent">^RT_FLOW_SESSION_CLOSE: </prematch>
regex
Please, any help?
On Thursday, March 15, 2012, C. L. Martinez carlopm...@gmail.com wrote:
Hi all,
I have configured this decoder:
<decoder name="custom-decoder">
<prematch>^\w+ \d+ \d+:\d+:\d+ RT_FLOW: </prematch>
</decoder>
<decoder name="custom-decoder-action">
<parent>custom-decoder</parent>
On Fri, Mar 16, 2012 at 1:43 PM, dan (ddp) ddp...@gmail.com wrote:
On Thu, Mar 15, 2012 at 6:58 AM, C. L. Martinez carlopm...@gmail.com wrote:
Hi all,
I have configured this decoder:
<decoder name="custom-decoder">
<prematch>^\w+ \d+ \d+:\d+:\d+ RT_FLOW: </prematch>
</decoder>
decoder name
Hi all,
Is it possible to generate an alert when two conditions, or one or more
conditions, are matched in a rule and/or a group of rules?
For example, using my previous rule:
<group name="custfw,">
<rule id="100200" level="0">
<decoded_as>custom-decoder</decoded_as>
</rule>
<rule id="100201" level="14">
On Fri, Mar 16, 2012 at 3:24 PM, dan (ddp) ddp...@gmail.com wrote:
On Fri, Mar 16, 2012 at 9:58 AM, C. L. Martinez carlopm...@gmail.com wrote:
On Fri, Mar 16, 2012 at 1:43 PM, dan (ddp) ddp...@gmail.com wrote:
On Thu, Mar 15, 2012 at 6:58 AM, C. L. Martinez carlopm...@gmail.com
wrote:
Hi all
Please, any help?
On Thursday, March 15, 2012, C. L. Martinez carlopm...@gmail.com wrote:
Hi all,
I have configured this decoder:
<decoder name="custom-decoder">
<prematch>^\w+ \d+ \d+:\d+:\d+ RT_FLOW: </prematch>
</decoder>
<decoder name="custom-decoder-action">
<parent>custom-decoder</parent>
On Saturday, March 17, 2012, dan (ddp) ddp...@gmail.com wrote:
Your last message said everything was working as expected. Is this a
glitch in the Matrix or is it still not working?
It is working ... Maybe my android device is doing something wrong.
On Mar 17, 2012 7:40 AM, C. L. Martinez
Hi all,
I have configured an OSSEC server to forward data to a third-party
device via syslog. But instead of forwarding all log data, I would like to
forward only the alert description. Is it possible to do this with
OSSEC?
Thanks.
Hi all,
I have a strange problem. I have defined a custom rule to trigger an
alert when an RBN IP appears as srcip in my log file. For example:
<group name="rbn,">
<rule id="110008" level="14">
<if_sid>100202,100203,100201</if_sid>
<srcip>108.60.159.33</srcip>
<description>Connection from RBN
On Mon, Apr 2, 2012 at 9:56 AM, C. L. Martinez carlopm...@gmail.com wrote:
Hi all,
I have a strange problem. I have defined a custom rule to trigger an
alert when an RBN IP appears as srcip in my log file. For example:
<group name="rbn,">
<rule id="110008" level="14">
-rootcheck(1210): ERROR: Queue
'/data/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
Is this a bug?
On Tue, Apr 3, 2012 at 8:30 AM, C. L. Martinez carlopm...@gmail.com wrote:
It doesn't show anything strange:
[root@srvtest bin]# /data/ossec/bin/ossec-logtest -t
2012/04/03 06:29:28
the issue.
On Apr 2, 2012 6:31 AM, C. L. Martinez carlopm...@gmail.com wrote:
Hi all,
I have a strange problem. I have defined a custom rule to trigger an
alert when an RBN IP appears as srcip in my log file. For example:
<group name="rbn,">
<rule id="110008" level="14">
<if_sid>100202,100203,100201
, have you tried removing the new rule to see if that fixes it?
On Apr 3, 2012 8:44 AM, C. L. Martinez carlopm...@gmail.com wrote:
It seems that some type of limit exists when IP lists are used ... I
have recreated my custom rule file using only one sid in the if_sid
option, and it doesn't work
these RBN IP's ...
On Tue, Apr 3, 2012 at 3:34 PM, dan (ddp) ddp...@gmail.com wrote:
Check the documentation. I thought CIDRs were represented differently.
Are you using address_match_key?
On Apr 3, 2012 9:27 AM, C. L. Martinez carlopm...@gmail.com wrote:
Yes, I have tried, but I don't see where
Hi all,
Is it possible to monitor files and directories using cdb lists when
a user tries to access them? For example: user1 has access to dir
c:\temp\somedir and user2 has access to c:\somdir\somefile.txt. Is it
possible to trigger an alert if user3 tries to access
c:\temp\somedir or
logged? Do you have a log sample for user3
trying to access c:\temp\somedir?
Also, I think the : in c: might mess with the cdb list...
On Wed, Apr 18, 2012 at 8:38 AM, C. L. Martinez carlopm...@gmail.com wrote:
Hi all,
Is it possible to monitor files and directories using cdb lists when
Uhmm, I see... But can I monitor these accesses using the localfile directive
in agent.conf?
On Wed, Apr 18, 2012 at 2:58 PM, dan (ddp) ddp...@gmail.com wrote:
It all depends on the log message.
On Wed, Apr 18, 2012 at 8:54 AM, C. L. Martinez carlopm...@gmail.com wrote:
Still I haven't access log
it that information? (assuming there are no kernel hooks
or anything to grab that info off the wire)
On Wed, Apr 18, 2012 at 9:07 AM, C. L. Martinez carlopm...@gmail.com wrote:
Uhmm, I see... But can I monitor these accesses using the localfile directive
in agent.conf?
On Wed, Apr 18, 2012 at 2:58 PM, dan (ddp) ddp
Do I need to activate audit files in Event Viewer only?
On Wed, Apr 18, 2012 at 4:01 PM, dan (ddp) ddp...@gmail.com wrote:
Ok?
On Wed, Apr 18, 2012 at 9:30 AM, C. L. Martinez carlopm...@gmail.com wrote:
I am using the Windows OSSEC agent on the Windows server side
On Wed, Apr 18, 2012
Hi all,
I have detected a strange problem with my daily reports. In all of
them, only root is shown as the top Username, like this:
Report completed. ==
-Processed alerts: 1695
-Post-filtering alerts: 1695
-First alert: 2012 Apr 19 00:01:32
-Last
My previous example was running the report manually ...
On Thu, Apr 19, 2012 at 3:02 PM, dan (ddp) ddp...@gmail.com wrote:
What happens if you run the report manually?
On Thu, Apr 19, 2012 at 3:59 AM, C. L. Martinez carlopm...@gmail.com wrote:
Hi all,
I have detected a strange problem with my
cat /data/ossec/logs/alerts/alerts.log | /data/ossec/bin/ossec-reportd
On Thu, Apr 19, 2012 at 3:35 PM, dan (ddp) ddp...@gmail.com wrote:
Oh, I thought it was a daily report. What did you run exactly?
On Thu, Apr 19, 2012 at 9:13 AM, C. L. Martinez carlopm...@gmail.com wrote:
My previous
) ddp...@gmail.com wrote:
It works for me. Did you check to make sure the User field was
populated with something other than root in your logs?
On Thu, Apr 19, 2012 at 10:17 AM, C. L. Martinez carlopm...@gmail.com wrote:
cat /data/ossec/logs/alerts/alerts.log | /data/ossec/bin/ossec-reportd
Hi all,
Is it possible to launch an action or script when an alert rule is
triggered? Like what happens with active response, but using rules. For
example, using the netstat sample in the OSSEC manual:
<localfile>
<log_format>full_command</log_format>
<command>netstat -tan |grep LISTEN|grep -v
for this?
On Mon, Apr 23, 2012 at 5:19 AM, C. L. Martinez carlopm...@gmail.com wrote:
Hi all,
Is it possible to launch an action or script when an alert rule is
triggered? Like what happens with active response, but using rules. For
example, using the netstat sample in the OSSEC manual:
<localfile>
On Mon, Apr 23, 2012 at 3:02 PM, dan (ddp) ddp...@gmail.com wrote:
On Mon, Apr 23, 2012 at 8:52 AM, C. L. Martinez carlopm...@gmail.com wrote:
Because, for example, for the sample that I have shown... How can I
use active response to block access to a certain port that has been
started
:08 AM, C. L. Martinez carlopm...@gmail.com wrote:
On Mon, Apr 23, 2012 at 3:02 PM, dan (ddp) ddp...@gmail.com wrote:
On Mon, Apr 23, 2012 at 8:52 AM, C. L. Martinez carlopm...@gmail.com
wrote:
Because, for example, for the sample that I have shown... How can I
use active response to block
Hi all,
Sometimes OSSEC sends several alerts in only one email. Is it
possible to configure OSSEC to send one email per alert? (I am using
a local MTA on the OSSEC server to send these email alerts).
Thanks.
Many thanks dan.
On Wed, Apr 25, 2012 at 3:11 PM, dan (ddp) ddp...@gmail.com wrote:
http://www.ossec.net/doc/syntax/head_internal_options.analysisd.html#intopt-maild.groupping
On Wed, Apr 25, 2012 at 9:08 AM, C. L. Martinez carlopm...@gmail.com wrote:
Hi all,
Sometimes ossec sends several
On Tue, May 1, 2012 at 7:10 AM, carlopmart carlopm...@gmail.com wrote:
On 05/01/2012 02:14 AM, dan (ddp) wrote:
On Apr 30, 2012 4:11 PM, carlopmart carlopm...@gmail.com
mailto:carlopm...@gmail.com wrote:
Hi all,
I have several problems with ossec-remoted process and ossec's
Hi all,
For what reason can an OSSEC server not send an email when an alert
is triggered? After 15 days working ok, my OSSEC server doesn't send
alerts after several minutes or hours when an alert is triggered. I
have configured <do_not_delay /> and
<email_maxperhour>1000</email_maxperhour> in
in debug mode.
ossec-maild? Or another?
On Thu, May 3, 2012 at 8:43 AM, C. L. Martinez carlopm...@gmail.com wrote:
Hi all,
For what reason can an OSSEC server not send an email when an alert
is triggered? After 15 days working ok, my OSSEC server doesn't send
alerts after several minutes
?
No, nothing.
Try running the ossec processes in debug mode.
ossec-maild? Or another?
On Thu, May 3, 2012 at 8:43 AM, C. L. Martinez carlopm...@gmail.com wrote:
Hi all,
For what reason can an OSSEC server not send an email when an alert
is triggered? After 15 days working ok, my OSSEC
Uhmm... strange, this problem is very close to mine... But I have
configured the email_to option in the global and email_alerts sections ...
On Thu, May 3, 2012 at 3:13 PM, Florian Crouzat
gen...@floriancrouzat.net wrote:
On 03/05/2012 15:11, dan (ddp) wrote:
Oh, also run tcpdump to look at port 25
?
What is your configuration exactly?
On Thu, May 3, 2012 at 9:14 AM, C. L. Martinez carlopm...@gmail.com wrote:
I have done it, and no traffic appears when an alert is triggered,
according to alerts.log ...
On Thu, May 3, 2012 at 3:11 PM, dan (ddp) ddp...@gmail.com wrote:
Oh, also run tcpdump
server side ...
Thanks to all.
On Thu, May 3, 2012 at 9:38 AM, C. L. Martinez carlopm...@gmail.com wrote:
According to the last statistics from the SMTP server, the OSSEC server has sent
675 emails ...
Config:
<ossec_config>
<global>
<email_notification>yes</email_notification>
On Mon, Apr 30, 2012 at 1:06 PM, carlopmart carlopm...@gmail.com wrote:
Hi all,
Does somebody have a sample script to generate a weekly report?
Thanks.
Please, any sample to launch a weekly report from cron?
On Fri, May 4, 2012 at 2:35 PM, dan (ddp) ddp...@gmail.com wrote:
On Fri, May 4, 2012 at 3:04 AM, C. L. Martinez carlopm...@gmail.com wrote:
On Mon, Apr 30, 2012 at 1:06 PM, carlopmart carlopm...@gmail.com wrote:
Hi all,
Does somebody have a sample script to generate a weekly report?
Thanks
Hi all,
How can I decode this time format: 2012-06-09T03:43:06.304?
I have tried \d+\p\d+\p\d+\w\d+\p\d+\p\d+\p\d+ and
\d+-\d+-\d+\w\d+:\d+:\d+.\d+ ...
Thanks
On Tue, Jun 12, 2012 at 2:16 PM, dan (ddp) ddp...@gmail.com wrote:
On Tue, Jun 12, 2012 at 5:50 AM, C. L. Martinez carlopm...@gmail.com wrote:
Hi all,
How can I decode this time format: 2012-06-09T03:43:06.304?
I have tried \d+\p\d+\p\d+\w\d+\p\d+\p\d+\p\d+ and
\d+-\d+-\d+\w\d+:\d+:\d
On Tue, Jun 12, 2012 at 2:51 PM, dan (ddp) ddp...@gmail.com wrote:
On Tue, Jun 12, 2012 at 8:34 AM, C. L. Martinez carlopm...@gmail.com wrote:
On Tue, Jun 12, 2012 at 2:16 PM, dan (ddp) ddp...@gmail.com wrote:
On Tue, Jun 12, 2012 at 5:50 AM, C. L. Martinez carlopm...@gmail.com
wrote:
Hi all
Hi all,
Does somebody know some reliable reputation lists to use with OSSEC, like
for example
http://labs.alienvault.com/labs/index.php/projects/open-source-ip-reputation-portal/download-ip-reputation-database??
Thanks.
Hi all,
Can somebody explain to me what advantages exist when a database is
used to store logs? For me, the real advantage is when ossec-report
is launched. I have a lot of logs to manage daily that come from
alerts (around 4 GiB in plain text every day), and it is very
difficult to launch
On Wed, Jun 27, 2012 at 2:48 PM, dan (ddp) ddp...@gmail.com wrote:
On Fri, Jun 15, 2012 at 7:08 AM, C. L. Martinez carlopm...@gmail.com wrote:
Hi all,
Does somebody know some reliable reputation lists to use with OSSEC, like
for example
http://labs.alienvault.com/labs/index.php/projects/open
On Wed, Jun 27, 2012 at 2:29 PM, dan (ddp) ddp...@gmail.com wrote:
On Wed, Jun 27, 2012 at 2:38 AM, C. L. Martinez carlopm...@gmail.com wrote:
Hi all,
Can somebody explain to me what advantages exist when a database is
used to store logs? For me, the real advantage is when ossec-report
Hi all,
Due to a restructuring that I am making in our infrastructure, I need to
modify the time zone of all OSSEC components: manager and agents.
Apart from modifying the localtime file under /var/ossec, should I
perform any other action?
Thanks.
On Sat, Jul 7, 2012 at 5:28 PM, carlopmart carlopm...@gmail.com wrote:
On 07/07/2012 04:31 PM, carlopmart wrote:
After updating my OSSEC server to the latest release in Bitbucket, I see
this error on the manager side:
ossec-logcollector(2301): ERROR: Definition not found for:
What does No contact with the server. mean exactly? Any useful error
messages? Any error messages on the server? Are the processes running?
Windows agents can't contact the OSSEC manager (but Unix agents can)
... All processes are running. The only error that appears is on the agent
side: Can't
On Sun, Aug 26, 2012 at 3:28 PM, Michael Starks
ossec-l...@michaelstarks.com wrote:
On 08/26/2012 03:16 AM, carlopmart wrote:
Hi all,
Recently I have updated two OSSEC servers to the latest version stored in
Bitbucket:
Glad to hear you are testing this. Just for the record, I don't think this
Hi all,
Does active response need to be configured on the server and the agent to work? I
am trying to activate it for agents only, but it doesn't seem to work ...
Do I need to configure it in the server's ossec.conf file, in the
agent.conf file, or on both sides?
Thanks.
On Mon, Aug 27, 2012 at 5:55 PM, dan (ddp) ddp...@gmail.com wrote:
On Mon, Aug 27, 2012 at 1:45 PM, C. L. Martinez carlopm...@gmail.com wrote:
Hi all,
Does active response need to be configured on the server and the agent to work? I
am trying to activate it for agents only, but it doesn't seem to work
On Mon, Aug 27, 2012 at 6:00 PM, dan (ddp) ddp...@gmail.com wrote:
On Mon, Aug 27, 2012 at 1:57 PM, C. L. Martinez carlopm...@gmail.com wrote:
On Mon, Aug 27, 2012 at 5:55 PM, dan (ddp) ddp...@gmail.com wrote:
On Mon, Aug 27, 2012 at 1:45 PM, C. L. Martinez carlopm...@gmail.com
wrote:
Hi all
On Tue, Aug 28, 2012 at 9:14 AM, ant's t-aravi...@juspay.in wrote:
Hi all. I'm very new to OSSEC. I use a server-agent model. I wish to
generate alerts for the following actions (on the agent side):
1) Sample alert for deletion of logs
I added the rules for these in the agent's ossec.conf using
Hi all,
Is it possible to know an approximate date for the 2.7 release?
Thanks.
Thanks Dan.
On Tue, Sep 4, 2012 at 1:10 PM, dan (ddp) ddp...@gmail.com wrote:
On Tue, Sep 4, 2012 at 8:53 AM, C. L. Martinez carlopm...@gmail.com wrote:
Hi all,
Is it possible to know an approximate date for the 2.7 release?
Thanks.
This isn't really an answer, but we're hoping to release
On Fri, Sep 7, 2012 at 1:42 PM, dan (ddp) ddp...@gmail.com wrote:
On Fri, Sep 7, 2012 at 9:12 AM, C. L. Martinez carlopm...@gmail.com wrote:
Hi all,
What is the correct option to define multiple groups in the syslog_output
section?
a)
<syslog_output>
<server>172.17.22.3</server>
On Sat, Sep 8, 2012 at 6:55 PM, carlopmart carlopm...@gmail.com wrote:
On 09/08/2012 02:24 AM, JB wrote:
There may be an option (c), using a regular expression:
<group>aa|bb|cc</group>
Good. The configurations shown previously don't work. I will try this.
Perfect!!! ... it works!!!
Many thanks.
On Monday, September 10, 2012, dan (ddp) ddp...@gmail.com wrote:
On Sat, Sep 8, 2012 at 6:55 PM, carlopmart carlopm...@gmail.com wrote:
Hi all,
Recently, I have set up a custom decoder to decode OpenBSD packet filter
logs. All works ok, except when certain packet filter logs arrive at
ossec
Hi all,
I see a new feature under src/Makefile, GeoIP, to use with 2.7-beta0.
What libraries and binaries do I need to compile OSSEC with this
feature?
Thanks.
On Thu, Sep 13, 2012 at 12:34 PM, dan (ddp) ddp...@gmail.com wrote:
On Thu, Sep 13, 2012 at 7:35 AM, C. L. Martinez carlopm...@gmail.com wrote:
Hi all,
I see a new feature under src/Makefile, GeoIP, to use with 2.7-beta0.
What libraries and binaries do I need to compile OSSEC with this
feature
Hi all,
I think the GeoIP feature is working ok, at least with my config:
OSSEC HIDS Notification.
2012 Sep 13 13:25:52
Received From: (ossecag023) 10.196.0.104-/data/logs/ossec/fw.log
Rule: 110003 fired (level 14) - Connection to RBN IP blacklist
detected !!!. Please, review your logs
Dst
Hi all,
Has somebody tried to configure OSSEC to extract alerts from a
McAfee ePO server that uses a SQL Express database repository for
events? I am trying to extract some info from the ePO database, like
events, viruses detected, etc., and then parse it with OSSEC.
Thanks.
On Wed, Sep 19, 2012 at 2:27 PM, Michael Starks
ossec-l...@michaelstarks.com wrote:
On 19.09.2012 05:22, C. L. Martinez wrote:
Hi all,
Has somebody tried to configure OSSEC to extract alerts from a
McAfee ePO server that uses a SQL Express database repository for
events? I am trying
Hi all,
I have configured a new decoder to decode Fortinet firewall logs. I
have defined some rules to catch srcip and dstip in them, but when an
alert is triggered, inside the alert message I can only see srcip. Is it
possible to see both in this alert message: srcip and dstip?
Thanks.
On Fri, Oct 19, 2012 at 12:36 PM, dan (ddp) ddp...@gmail.com wrote:
On Fri, Oct 19, 2012 at 7:56 AM, C. L. Martinez carlopm...@gmail.com wrote:
Hi all,
I have configured a new decoder to decode Fortinet firewall logs. I
have defined some rules to catch srcip and dstip in them, but when
Hi all,
I have a strange problem with one of my OSSEC servers. After 48 hours
working, some OSSEC processes stop. Active processes at this moment:
24346 ?S 0:07 /data/ossec/bin/ossec-csyslogd
24350 ?S 0:05 /data/ossec/bin/ossec-maild
24354 ?S 0:00
On Tue, Oct 23, 2012 at 5:54 AM, C. L. Martinez carlopm...@gmail.com wrote:
Hi all,
I have a strange problem with one of my OSSEC servers. After 48 hours
working, some OSSEC processes stop. Active processes at this moment:
24346 ?S 0:07 /data/ossec/bin/ossec-csyslogd
24350
On Tue, Oct 23, 2012 at 12:49 PM, dan (ddp) ddp...@gmail.com wrote:
On Tue, Oct 23, 2012 at 1:54 AM, C. L. Martinez carlopm...@gmail.com wrote:
Hi all,
I have a strange problem with one of my OSSEC servers. After 48 hours
working, some OSSEC processes stop. Active processes at this moment
/ossec-logtest and have
not run into issues with hanging since.
Hope this helps.
Scott
On Oct 23, 2012, at 11:31 PM, C. L. Martinez carlopm...@gmail.com wrote:
On Tue, Oct 23, 2012 at 5:00 PM, Scott Klauminzer sklaumin...@gmail.com
wrote:
If I remember right my issue was solved by a fixing
Hi all,
I am using the same active response options on one 2.6 OSSEC server and
on another 2.7 OSSEC server. In version 2.6 all works ok as I expect,
but under 2.7 it doesn't work. On both servers I have configured only
this active response:
<command>
<name>firewall-drop</name>
On Mon, Dec 10, 2012 at 10:31 AM, C. L. Martinez carlopm...@gmail.com wrote:
Hi all,
I am using the same active response options on one 2.6 OSSEC server and
on another 2.7 OSSEC server. In version 2.6 all works ok as I expect,
but under 2.7 it doesn't work. On both servers I have configured
On Mon, Dec 10, 2012 at 10:49 AM, C. L. Martinez carlopm...@gmail.com wrote:
On Mon, Dec 10, 2012 at 10:31 AM, C. L. Martinez carlopm...@gmail.com wrote:
Hi all,
I am using the same active response options on one 2.6 OSSEC server and
on another 2.7 OSSEC server. In version 2.6 all works ok as I
On Mon, Dec 10, 2012 at 9:46 PM, Brenden Walker bren...@unruleable.org wrote:
On Mon, 10 Dec 2012 13:15:50 -0800 (PST) Guilmxm guilhem.march...@gmail.com
wrote:
Hi,
I had the same issue with OSSEC 2.7 even with a server / agent fresh
install, I confirm.
Regards,
Guilhem
Weird, it's
On Tue, Dec 11, 2012 at 6:47 AM, C. L. Martinez carlopm...@gmail.com wrote:
On Mon, Dec 10, 2012 at 9:46 PM, Brenden Walker bren...@unruleable.org
wrote:
On Mon, 10 Dec 2012 13:15:50 -0800 (PST) Guilmxm
guilhem.march...@gmail.com wrote:
Hi,
I had the same issue with Ossec 2.7 even
On Wed, Dec 12, 2012 at 7:38 AM, dan (ddp) ddp...@gmail.com wrote:
On Dec 12, 2012 2:36 AM, C. L. Martinez carlopm...@gmail.com wrote:
On Tue, Dec 11, 2012 at 6:47 AM, C. L. Martinez carlopm...@gmail.com
wrote:
On Mon, Dec 10, 2012 at 9:46 PM, Brenden Walker bren...@unruleable.org
wrote
On Wed, Dec 12, 2012 at 11:01 AM, dan (ddp) ddp...@gmail.com wrote:
On Dec 12, 2012 5:48 AM, C. L. Martinez carlopm...@gmail.com wrote:
On Wed, Dec 12, 2012 at 7:38 AM, dan (ddp) ddp...@gmail.com wrote:
On Dec 12, 2012 2:36 AM, C. L. Martinez carlopm...@gmail.com wrote:
On Tue, Dec 11
On Thu, Dec 13, 2012 at 2:43 PM, dan (ddp) ddp...@gmail.com wrote:
On Wed, Dec 12, 2012 at 6:13 AM, C. L. Martinez carlopm...@gmail.com wrote:
On Wed, Dec 12, 2012 at 11:01 AM, dan (ddp) ddp...@gmail.com wrote:
So I don't have to dig through the whining to find out:
Did you check permissions
On Thu, Dec 20, 2012 at 1:37 PM, dan (ddp) ddp...@gmail.com wrote:
On Thu, Dec 13, 2012 at 10:04 AM, C. L. Martinez carlopm...@gmail.com wrote:
On Thu, Dec 13, 2012 at 2:43 PM, dan (ddp) ddp...@gmail.com wrote:
On Wed, Dec 12, 2012 at 6:13 AM, C. L. Martinez carlopm...@gmail.com
wrote
Hi all,
Is it possible to know or debug why an active response is triggered?
Is it possible to generate a log file with all actions?
Thanks.
Hi all,
One of my OSSEC agents is a FreeBSD 8.3 server (release 2.7, same as
the OSSEC server). This FreeBSD server is a central syslog server and
I use OSSEC to monitor all syslog files received from several Windows
and Unix hosts. On the OSSEC server side, I have set up some alerts to
check that
On Thu, Jan 24, 2013 at 7:19 AM, C. L. Martinez carlopm...@gmail.com wrote:
Hi all,
One of my OSSEC agents is a FreeBSD 8.3 server (release 2.7, same as
the OSSEC server). This FreeBSD server is a central syslog server and
I use OSSEC to monitor all syslog files received from several Windows
On Fri, Jan 25, 2013 at 2:10 PM, dan (ddp) ddp...@gmail.com wrote:
I'm not seeing this with any of my systems. What syslog daemon are you
using? If you turn on logall, do you see the missing messages in
archives.log? I don't know what facilities there are on FreeBSD for
debugging things