Re: [ossec-list] ossec-logtest returns Level 0 but still getting email alerts Level 2

2015-11-13 Thread Daniel Bray
>> > For testing purposes try to deactivate (change to level 0) rule 1002 > and > >> > check if it is still generating these alerts. > >> > > >> > >> Don't do this. There's no reason to change that to 0. Even for > >> test

Re: [ossec-list] ossec-logtest returns Level 0 but still getting email alerts Level 2

2015-11-13 Thread Daniel Bray
ule 1002 is? You sure you restarted the manager > right? > > Best > > On Thu, Nov 12, 2015 at 7:06 AM, Daniel Bray <dbra...@gmail.com > > wrote: > >> I'm running ossec-hids-server-2.8.2-49.el6.art.x86_64 (Atomic repo) >> >> I've updated /var/oss

Re: [ossec-list] ossec-logtest returns Level 0 but still getting email alerts Level 2

2015-11-13 Thread Daniel Bray
On Friday, November 13, 2015 at 10:33:04 AM UTC-5, Daniel Bray wrote: > > I'm waiting to see if it generates an alert. >> > > Nope, issue remains. Very confusing.

Re: [ossec-list] ossec-logtest returns Level 0 but still getting email alerts Level 2

2015-11-13 Thread Daniel Bray
On Friday, November 13, 2015 at 8:51:45 AM UTC-5, dan (ddpbsd) wrote: > > Or are you sure the manager restarted? Most of the time when I've seen > this behavior on the list analysisd did not actually stop, so it > didn't pick up the new rules. Running `/var/ossec/bin/ossec-control > stop`, then

Re: [ossec-list] ossec-logtest returns Level 0 but still getting email alerts Level 2

2015-11-13 Thread Daniel Bray
On Friday, November 13, 2015 at 2:03:45 PM UTC-5, dan (ddpbsd) wrote: > > Try setting the rule to level 2 > > > Doing that results in: **Phase 3: Completed filtering (rules). Rule id: '17' Level: '2' Description: 'Ignore MIP Alerts' **Alert to be generated.

Re: [ossec-list] ossec-logtest returns Level 0 but still getting email alerts Level 2

2015-11-13 Thread Daniel Bray
On Fri, Nov 13, 2015 at 2:16 PM, dan (ddp) wrote: > I was hoping it would help with the production use, but since it was > working for me I guess that doesn't matter. I'm pretty much stumped at > the moment. > I'm running this on CentOS 6 with

Re: [ossec-list] ossec-logtest returns Level 0 but still getting email alerts Level 2

2015-11-13 Thread Daniel Bray
On Friday, November 13, 2015 at 12:17:09 PM UTC-5, dan (ddpbsd) wrote: > > Ok, this information is working for me as well. I have tested it on a > local install and an agent/server install (changing the hostname as > appropriate). > > Is the agent name testserver? Do the hostname of the system

Re: [ossec-list] ossec-logtest returns Level 0 but still getting email alerts Level 2

2015-11-16 Thread Daniel Bray
On Friday, November 13, 2015 at 2:30:24 PM UTC-5, Pedro S. wrote: > > Okay try this: > > Temporarily remove "alert_by_email" from rule 1002 on > syslog_rules.xml. > Now add "alert_by_email" in your custom rule. > Restart OSSEC and generate the alert. > > What I'm trying here is to stop OSSEC from

Re: [ossec-list] ossec-logtest returns Level 0 but still getting email alerts Level 2

2015-11-16 Thread Daniel Bray
On Monday, November 16, 2015 at 7:47:24 AM UTC-5, Daniel Bray wrote: > > OK, I'm a little lost as to what this is trying to prove, but the updated > settings are in place. I'm waiting for an alert to come through. > > With the updated alert_by_email settings, this has stopped th

[ossec-list] ossec-logtest returns Level 0 but still getting email alerts Level 2

2015-11-12 Thread Daniel Bray
I'm running ossec-hids-server-2.8.2-49.el6.art.x86_64 (Atomic repo) I've updated /var/ossec/rules/local_rules.xml with the following rule: 1002 testserver1|testserver2 mip HAEngine\.*INFO|HAEngine\.*WARNING|Failed to send pseudo-TCP segment frame Ignore MIP Alerts

[ossec-list] Ignoring multiple user logon or logoff checks

2015-10-14 Thread Daniel Bray
I am trying to ignore rule 18107 and 18149, but only for certain accounts (including the servers/machines). Server OS: CentOS 6 (latest patches) OSSEC: ossec-hids-server-2.8.2-49.el6.art.x86_64 Here is what I have in my /var/ossec/rules/local_rules.xml file. 18107 Account Name:

Re: [ossec-list] ossec-logtest returns Level 0 but still getting email alerts Level 2

2015-12-01 Thread Daniel Bray
On Tuesday, December 1, 2015 at 9:38:30 AM UTC-5, Daniel Bray wrote: > > On Mon, Nov 30, 2015 at 5:28 PM, Ryan Schulze wrote: > >> >> Is this the only rule in your local_rules.xml that isn't working, or are >> all rules in your local_rules.xml not working? >>

Re: [ossec-list] ossec-logtest returns Level 0 but still getting email alerts Level 2

2015-11-25 Thread Daniel Bray
On Wednesday, November 25, 2015 at 1:46:15 PM UTC-5, LostInThe Tubez wrote: > > On the OSSEC server, open /var/ossec/rules/syslog_rules.xml. Search for > rule 1002, right there towards the top. Note the options element, which > contains alert_by_email. That option tells OSSEC to ignore your >

Re: [ossec-list] ossec-logtest returns Level 0 but still getting email alerts Level 2

2015-11-25 Thread Daniel Bray
the exact alert message when/if you get one. Be very > careful not to replace white space if you are sanitizing the data. It will > allow us to corroborate what you are seeing. > > > From: ossec...@googlegroups.com [mailto: > ossec...@googlegroups.com ] On Behalf Of Daniel Bra

Re: [ossec-list] ossec-logtest returns Level 0 but still getting email alerts Level 2

2015-11-25 Thread Daniel Bray
ant that the alert you're looking to be sent via email > actually be present in the alerts.log file. > > Good luck! Keep us up to date. > > > On Monday, November 23, 2015, 5:03:18 (UTC-8), Daniel Bray wrote: >> >> >> On Monday, November 16, 2015 at 8:28:27 AM UTC

Re: [ossec-list] ossec-logtest returns Level 0 but still getting email alerts Level 2

2015-11-30 Thread Daniel Bray
On Friday, November 27, 2015 at 8:16:39 AM UTC-5, dan (ddpbsd) wrote: > > And strangely enough, this works just fine for me (ignored when fed > through logger). > > Can you update to the latest OSSEC source from github and try that? > Updated to latest github update, and issue remains. Logtest

Re: [ossec-list] ossec-logtest returns Level 0 but still getting email alerts Level 2

2015-11-30 Thread Daniel Bray
On Mon, Nov 30, 2015 at 11:26 AM, dan (ddp) wrote: > > > Last idea at the moment: > Copy archives.log. Open the copy in a text editor. Find an entry you > want to test against and delete everything else. > Delete the archives.log header from your chosen entry. > Run that through

Re: [ossec-list] ossec-logtest returns Level 0 but still getting email alerts Level 2

2015-12-01 Thread Daniel Bray
On Mon, Nov 30, 2015 at 5:28 PM, Ryan Schulze wrote: > > Is this the only rule in your local_rules.xml that isn't working, or are > all rules in your local_rules.xml not working? > > So far, this is the only rule that I just can't seem to stop emailing. I have other rules, and

Re: [ossec-list] ossec-logtest returns Level 0 but still getting email alerts Level 2

2015-11-23 Thread Daniel Bray
On Monday, November 16, 2015 at 8:28:27 AM UTC-5, Daniel Bray wrote: > > With the updated alert_by_email settings, this has stopped the email > alerts. I see it hitting the WebUI as alert level 2, but no emails are > coming in. > Unfortunately, with everything put back

[ossec-list] Syscheck not alerting on realtime scans

2016-08-01 Thread Daniel Bray
Can someone verify that all the proper settings are in place to allow for realtime scans on some directories? We are running CentOS 6 servers (manager and agents/clients), and we use the Atomic install method. Here is the latest available Atomic version installed (also noted inotify is

Re: [ossec-list] Re: Syscheck not alerting on realtime scans

2016-08-02 Thread Daniel Bray
day > > I tested that configuration and Syscheck appears to work properly. > > Hope it helps. > > Best regards. > > > On Monday, August 1, 2016 at 7:32:13 AM UTC-7, Daniel Bray wrote: >> >> Can someone verify that all the proper settings are in place to allow

Re: [ossec-list] Syscheck not alerting on realtime scans

2016-08-02 Thread Daniel Bray
, 2016 at 8:47 AM, dan (ddp) <ddp...@gmail.com> wrote: > On Mon, Aug 1, 2016 at 10:32 AM, Daniel Bray <dbray...@gmail.com> wrote: > > Can someone verify that all the proper settings are in place to allow for > > realtime scans on some directories? We are running

Re: [ossec-list] Syscheck not alerting on realtime scans

2016-08-02 Thread Daniel Bray
(ddp) <ddp...@gmail.com> wrote: > On Tue, Aug 2, 2016 at 8:55 AM, Daniel Bray <dbray...@gmail.com> wrote: > > OK, I think that is the issue. With the settings like this: > > > > 1am > > 82800 > > no > > yes > > no