Re: [ossec-list] Hello everybody, I just want to send my postfix logs (/var/log/mail.log) to my alienvault server. I inserted a record into /opt/ossec/etc/ossec.conf file ; localfile log_formatsys

2013-08-24 Thread Santiago Bassett
Agree with Dan. As well a good way to know if ossec is reading the file is running the following command: lsof +d /var/log/ | grep mail On Friday, August 23, 2013 5:56:14 AM UTC-7, dan (ddpbsd) wrote: On Fri, Aug 23, 2013 at 4:02 AM, Mehmet Ali Büyükkarakaş mbuyuk...@gmail.com

[ossec-list] Re: Option to include a file of local directory definitions on a Windows client

2013-08-27 Thread Santiago Bassett
Hi James, not sure if I understood this correctly. Are you trying to read those files remotely? How are those accessible? (samba?) If that is the case I guess those could probably be read as local. Best On Monday, August 26, 2013 7:46:15 PM UTC-7, James Whittington wrote: I am running a

Re: [ossec-list] ERROR: Queue '/queue/alerts/ar' not accessible

2013-08-27 Thread Santiago Bassett
Please check if ossec-analysis daemon is running. That's typically the cause of this message. Last week I got into a similar issue because my ossec-analysisd process was crashing. Couldn't find why, but reinstalling fixed it. I hope it helps On Tue, Aug 27, 2013 at 6:50 AM, Brian Dilley

Re: [ossec-list] Re: Option to include a file of local directory definitions on a Windows client

2013-08-27 Thread Santiago Bassett
to the remote agents it would seem allowing the use of an external file for local customizations would make a lot of sense. James Whittington From: ossec-list@googlegroups.com [mailto:ossec-list@googlegroups.com] On Behalf Of Santiago Bassett

[ossec-list] OSSEC integration into Alienvault SIEM webinar

2013-09-20 Thread Santiago Bassett
Hello everybody, I am preparing a webinar for next Tuesday (8:00am-9:00am PDT) where I plan to explain how OSSEC has been integrated into AlienVault/OSSIM SIEM. My idea is to show how OSSEC can be configured and managed from AlienVault GUI, as well as a few examples of OSSEC alerts correlation,

Re: [ossec-list] Re: OSSEC integration into Alienvault SIEM webinar

2013-09-27 Thread Santiago Bassett
, 2013 2:06:22 AM UTC+1, Santiago Bassett wrote: Hello everybody, I am preparing a webinar for next Tuesday (8:00am-9:00am PDT) where I plan to explain how OSSEC has been integrated into AlienVault/OSSIM SIEM. My idea is to show how OSSEC can be configured and managed from AlienVault GUI

Re: [ossec-list] OSSEC not sending error.log

2013-11-05 Thread Santiago Bassett
Hi, it seems that the agent may not be sending those logs to the server. Are you sure it is reading the right file? Try lsof +d /var/log/apache2/ | grep error to see if ossec-logcollector is reading that file. If you can see ossec-logcollector reading the file, then try enabling the logall option

Re: [ossec-list] HIDS using OSSEC on Linux Server

2013-11-08 Thread Santiago Bassett
Hi Dung, If this is for a Linux server I guess you would probably need to monitor the bin directories, using syscheck, for new files (/bin /sbin /usr/bin ...), so you can discover if a new service is installed. As well, if you know exactly what new files you are looking for, you may be able to

Re: [ossec-list] HIDS using OSSEC on Linux Server

2013-11-08 Thread Santiago Bassett
package installed. Portion of the log(s): Nov 5 15:05:13 ip-10-xx-xx-xx yum[13394]: Installed: perl-Params-Validate-0.92-3.4.amzn1.x86_64 Thank you, Jared R. Greene (407) 414-4003 On Nov 8, 2013, at 12:02 PM, Santiago Bassett santiago.bass...@gmail.com wrote: Hi Dung

Re: [ossec-list] Fwd: what's the meaning about level 1?

2013-11-10 Thread Santiago Bassett
Here is some documentation: http://www.ossec.net/doc/manual/rules-decoders/rule-levels.html On Sun, Nov 10, 2013 at 6:30 PM, Mr.W 519470...@qq.com wrote: Hi, all. Sorry, I have missed some elements. As you know, Level 0: Ignored, no action taken. Who can share the meaning with me

Re: [ossec-list] ossec agent unable to communicate with ossec server

2014-04-09 Thread Santiago Bassett
Hi Devendra, does your system have multiple IP addresses? Is there any other agent connected to the server? I have experienced issues with systems running multiple IP addresses. If that is the case I would recommend checking with tcpdump which is the one that the agent uses to send data to the

Re: [ossec-list] ossec agent unable to communicate with ossec server

2014-04-10 Thread Santiago Bassett
. There is no communication shown in the output of tcpdump on either IPs. In every case it fails, that server has NIC bonding (teaming) setup. I am wondering if I need to do anything else to configure ossec to accommodate NIC bonding. On Wednesday, 9 April 2014 21:26:15 UTC-4, Santiago Bassett

Re: [ossec-list] ossec agent unable to communicate with ossec server

2014-04-10 Thread Santiago Bassett
and tcpdump does not show any communication between client and server. As soon as I install it on a server that doesn't have network bonding/teaming configured (even with multiple IPs), issue doesn't happen. On Thursday, 10 April 2014 11:29:39 UTC-4, Santiago Bassett wrote: Could you check

Re: [ossec-list] Prep for next release. (2.8.1)

2014-07-09 Thread Santiago Bassett
Sure! For debian packages you will need the debian control files and the Makefiles. As well I created a script that uses pbuilder to build the packages for the different architectures and Debian distributions. Please give me a couple of days to clean up the script (since it contains some

Re: [ossec-list] apt-get install ossec-hids-agent

2014-07-28 Thread Santiago Bassett
Hi Alex, are you using the repository below? http://ossec.alienvault.com/repos/apt/debian/pool/main/o/ If that is the case, OSSEC would automatically install in /var/ossec directory. It doesn't ask for an Install dir (we may include this for future packages maybe). I guess you could probably

Re: [ossec-list] debian agent install via repository issue

2014-08-02 Thread Santiago Bassett
Hi Jelle, ossec-hids-agent package should be the only one you need. Not sure why you are getting these errors. The process to connect an agent to a server requires you to: - Run /var/ossec/bin/manage_agents and import the key from the server. - Edit /var/ossec/etc/ossec.conf and set the

Re: [ossec-list] debian agent install via repository issue

2014-08-02 Thread Santiago Bassett
-syscheckd root@ip-10-0-0-242:/home/admin# cat /etc/debian_version 7.2 On Sat, Aug 2, 2014 at 8:23 AM, Santiago Bassett santiago.bass...@gmail.com wrote: Hi Jelle, ossec-hids-agent package should be the only one you need. Not sure why you are getting these errors. The process to connect

Re: [ossec-list] debian agent install via repository issue

2014-08-03 Thread Santiago Bassett
. Thanks for your help On Saturday, August 2, 2014 5:25:49 PM UTC+2, Santiago Bassett wrote: As well, in case it helps, this is what I got in a new agent installation (which is working as I would expect). root@ip-10-0-0-242:/home/admin# dpkg -l | grep ossec ii ossec-hids-agent

[ossec-list] OSSEC CON 2014 - Malware detection with OSSEC, video and slides available

2014-10-05 Thread Santiago Bassett
In case anyone is interested here you can find my presentation at OSSEC CON: http://santi-bassett.blogspot.com/2014/09/osseccon-2014-malware-detection-with.html I think we will publish all presentations at ossec.net sometime soon as well. Best -- --- You received this message because you

Re: [ossec-list] Capturing Window Event ID's

2014-10-27 Thread Santiago Bassett
Hi Brian, I see you refer to alienvault documentation. Are you using Alienvault USM or OSSIM with OSSEC? If that is the case you should be able to grab the event ID from the raw log modifying the plugin used to parse OSSEC alerts output. As well, as Ivars mentioned it seems there is a typo in

Re: [ossec-list] Microsoft Azure Multi-Factor Decode and Rules.

2014-12-05 Thread Santiago Bassett
Great stuff, thanks for sharing. On Fri, Dec 5, 2014 at 11:51 AM, Brent Morris brent.mor...@gmail.com wrote: Not exactly sure if this is the right place to post this, but it took me some time to get working decodes for Microsoft's Azure Multi-Factor Authentication (PhoneFactor.net). It's

Re: [ossec-list] how to forward agent.conf through a hybrid-server

2014-12-12 Thread Santiago Bassett
Hi Chris, Not sure if this would work, but what about setting up a little cron task to copy the file over SSH to the hybrid server so it can propagate it to the agents? Best On Sat, Nov 15, 2014 at 5:35 AM, dan (ddp) ddp...@gmail.com wrote: On Nov 15, 2014 7:14 AM, Chris An

Re: [ossec-list] Getting integrity checksum changed alerts for .bin/kill and /etc/profile, has the server been hacked?

2015-01-15 Thread Santiago Bassett
virustotal.com might help too. On Thu, Jan 15, 2015 at 7:17 AM, dan (ddp) ddp...@gmail.com wrote: On Wed, Jan 14, 2015 at 10:50 PM, notify.s...@gmail.com wrote: Hi List, I recently tried to install a web based billing application on a CentOS server that serves multiple roles. It's also

Re: [ossec-list] Rule ID: in the 18200's

2015-01-19 Thread Santiago Bassett
Are you sure your windows event is being generated? Check your audit policy. Santiago Bassett @santiagobassett On Jan 19, 2015, at 12:26 PM, Semperfi ke...@myschatz.net wrote: I am new to OSSEC. I have it running and it's collecting data.. However, So far I've noticed that anything

Re: [ossec-list] Rule to block specific user-agent connection

2015-01-19 Thread Santiago Bassett
I think you can do this with modsecurity or .htaccess files but not sure how to do it with ossec. Can you elaborate a little bit more on the use case? Do you have a list of user agents you want to block? Santiago Bassett @santiagobassett On Jan 19, 2015, at 8:25 AM, Leomar Viegas Junior

Re: [ossec-list] Weird issue on ossec-remoted

2015-03-10 Thread Santiago Bassett
Good link from an old email of this mailing list (sent by Michael Starks) http://www.ivankuznetsov.com/2010/02/no-space-left-on-device-running-out-of-inodes.html On Tue, Mar 10, 2015 at 2:36 PM, Santiago Bassett santiago.bass...@gmail.com wrote: Check if you have any available Inode. You can

Re: [ossec-list] Weird issue on ossec-remoted

2015-03-10 Thread Santiago Bassett
Check if you have any available inode. You can do that with df -i On Tue, Mar 10, 2015 at 1:14 AM, Cagri Ersen cagri.er...@gmail.com wrote: Hi all, I have a weird problem with ossec-remoted and logcollector daemons. When I start the ossec services as normally, everything seems to be OK, all

Re: [ossec-list] Weird issue on ossec-remoted

2015-03-10 Thread Santiago Bassett
Any output when running agent_control -r -a Could you share your syscheck config? Best On Tue, Mar 10, 2015 at 6:48 PM, Cagri Ersen cagri.er...@gmail.com wrote: No, it's not related to inodes. There are tons of free inodes on the system. On Tuesday, March 10, 2015 at 3:36:59 PM UTC+2, Santiago

Re: [ossec-list] collect all logs and add OpenVPN logs

2015-04-01 Thread Santiago Bassett
OSSEC supports centralized configuration management: http://ossec-docs.readthedocs.org/en/latest/manual/agent/agent-configuration.html Thousands of Open Source solutions are used daily in production environments, so I assume Open Source is ready for business, but maybe not for people who don't

Re: [ossec-list] no ossec.service file for debian/jessie

2015-02-28 Thread Santiago Bassett
Hi Alex, did you install from sources or using the deb installers? Santiago Bassett @santiagobassett On Feb 28, 2015, at 10:35 PM, Alex Kuklin alex.kuk...@gmail.com wrote: Hi, I just found that ossec does not start (even install) on debian/jessie Looks like [Unit] Description

Re: [ossec-list] no ossec.service file for debian/jessie

2015-02-28 Thread Santiago Bassett
Ok let me check it, I'll be back soon Santiago Bassett @santiagobassett On Mar 1, 2015, at 1:26 AM, Alex Kuklin a...@kuklin.ru wrote: Hi, I use .deb # cat /etc/apt/sources.list.d/oss.list deb http://ossec.alienvault.com/repos/apt/debian jessie main On 01.03.2015 02:22, Santiago

Re: [ossec-list] no ossec.service file for debian/jessie

2015-02-28 Thread Santiago Bassett
Is it the agent or server package? Thanks Santiago Bassett @santiagobassett On Mar 1, 2015, at 1:26 AM, Alex Kuklin a...@kuklin.ru wrote: Hi, I use .deb # cat /etc/apt/sources.list.d/oss.list deb http://ossec.alienvault.com/repos/apt/debian jessie main On 01.03.2015 02:22

Re: [ossec-list] no ossec.service file for debian/jessie

2015-03-01 Thread Santiago Bassett
Hi Alex, I got to install ossec-hids deb package in debian jessie with no problem. It actually doesn't use systemd to install the init script, but instead installs it directly using this file included in the ossec source: https://github.com/santiago-bassett/ossec-hids/blob/master/src/init/ossec

[ossec-list] Re: building .deb packages

2015-04-24 Thread Santiago Bassett
://github.com/santiago-bassett/ossec-debian After doing a few obvious tweaks to try and make them work for ubuntu codenames instead of debian codenames, I tried to run generate_ossec.sh and it complained because the ossec-hids directory is a git repository, not something that contains a source tarball

Re: [ossec-list] Re: building .deb packages

2015-04-24 Thread Santiago Bassett
, rsyslog-pkg-debian has the debian codenames David Lang On Fri, 24 Apr 2015, David Lang wrote: Date: Fri, 24 Apr 2015 16:45:01 -0700 (PDT) From: David Lang da...@lang.hm Reply-To: ossec-list@googlegroups.com To: Santiago Bassett santiago.bass...@gmail.com Cc: ossec-list@googlegroups.com ossec

Re: [ossec-list] Re: Can anyone explain the syntax of the file /opt/ossec/queue/syscheck?

2015-05-06 Thread Santiago Bassett
Hi, this is what I figured out by having a look at the code. Explaining the next line as an example (including some spaces to make it easier to read): !++ 1486 : 33188 : 0 : 1 : a465a2fd02717050ca44d6cc24c5d458 : bd37d291ce34e363af853958a31f24c74bd85d4 !1330029335

Re: [ossec-list] Ossec bandwidth expectations for client on WAN link

2015-05-04 Thread Santiago Bassett
Hi David, some comments inline. On Sun, May 3, 2015 at 8:03 AM, David Ruschinek dav...@recoverycorp.com wrote: Hi I know there some are other posts on this: http://marc.info/?l=ossec-listm=141528107703617w=2 http://marc.info/?l=ossec-listm=139601760905968w=2

Re: [ossec-list] force ossec to use one IP not working

2015-05-04 Thread Santiago Bassett
Yep, I've done this in the past setting up source routing. Best On Mon, May 4, 2015 at 4:43 AM, dan (ddp) ddp...@gmail.com wrote: On Fri, May 1, 2015 at 10:44 AM, dp...@realtruck.com wrote: I just have deployed ossec. I am having troubles with my linux boxes using the wrong interface.

Re: [ossec-list] OSSEC agents frequently alternating between active and disconnected

2015-05-11 Thread Santiago Bassett
, so firewalls aren't the issue. The server is, for some reason, not responding. On Monday, May 11, 2015 at 12:27:34 PM UTC-4, Santiago Bassett wrote: Hi Steve, do you use DHCP or fixed IP addresses in your environment? Do your servers have one or more than one IP? When you added the agents

Re: [ossec-list] archive.log

2015-05-11 Thread Santiago Bassett
ossec-monitord process does the rotation automatically daily. AFAIK, there is no configuration option to change this. You could probably disable it by creating a little patch and commenting out or modifying the function manage_files in monitord.c file. My preferred choice would be to do a little

Re: [ossec-list] Agent vs. Agentless Monitoring

2015-05-11 Thread Santiago Bassett
Hi James, OSSEC runs as a service so no user interaction is needed. The GUI just provides a few features to be able to see agent status, key, configuration and logs. Then for a large deployment I would suggest to use Puppet, Chef, CFEngine or something similar. Most important part is the client

Re: [ossec-list] OSSEC agents frequently alternating between active and disconnected

2015-05-11 Thread Santiago Bassett
Hi Steve, do you use DHCP or fixed IP addresses in your environment? Do your servers have one or more than one IP? When you added the agents, did you use fixed IPs for each one? Is tcpdump output showing the same IP you used when adding those? Best On Mon, May 11, 2015 at 8:54 AM, Steve

Re: [ossec-list] host specific rules

2015-05-12 Thread Santiago Bassett
You could probably use CDB lists in the rules On Tue, May 12, 2015 at 8:34 AM, skotthof sebastian.kotth...@rz.uni-mannheim.de wrote: Hi, okay thanks. I have tested this by changing a rule for ssh login: <rule id="5710" level="5"> <if_sid>5700</if_sid> <match>illegal user|invalid

Re: [ossec-list] host specific rules

2015-05-15 Thread Santiago Bassett
is located under /opt/ossec and yes, I have a hybrid server (server + local-agent + on_remote_agent) if this is important. The ssh tests I run with the remote-agent. I restarted Ossec on both machines several times. Sebastian On Tue, May 12, 2015 at 10:26:21AM -0700, Santiago Bassett wrote

Re: [ossec-list] Re: whitelist and logging

2015-04-15 Thread Santiago Bassett
Do you have alerts showing up in alerts.log file? On Apr 15, 2015, at 3:49 PM, ri...@amcoonline.net wrote: Thanks @Brent. I added the logall option and temporarily removed the whitelist. <ossec_config> <global> <email_notification>yes</email_notification>

Re: [ossec-list] Wheezy/x86 : installation does not creates startup script

2015-04-06 Thread Santiago Bassett
Hi Franck, did you have the opportunity to test the solution I sent? I really would appreciate your feedback. Thanks! Santiago. On Fri, Apr 3, 2015 at 11:29 PM, Santiago Bassett santiago.bass...@gmail.com wrote: Hi Franck, I've been working on it, and it looks like this is an issue

Re: [ossec-list] OSSEC HIDS 2.8.1 Installation issue on HPUX

2015-04-06 Thread Santiago Bassett
Hi Sudhir, do you have gcc compiler installed? If so, what version are you running? It looks to me that you are using cc instead of gcc, and that could be causing the issue. Best, Santiago. On Mon, Apr 6, 2015 at 9:53 PM, sudhir ojha sudhir.k.o...@gmail.com wrote: Hi, I am getting some

Re: [ossec-list] Wheezy/x86 : installation does not creates startup script

2015-04-04 Thread Santiago Bassett
::Options::=--force-confmiss install --reinstall ossec-hids Let me know if that fixes the issue. On my side, I'll see if there is a way to avoid this by modifying the package. Best, Santiago. On Thu, Apr 2, 2015 at 10:34 AM, Santiago Bassett santiago.bass...@gmail.com wrote: Ok, I actually had some

Re: [ossec-list] log rotation problem

2015-04-08 Thread Santiago Bassett
Hi, I would rely on logrotate application to configure the log rotation according to your preferences. Best On Wed, Apr 8, 2015 at 12:48 AM, Holger Glaess holgergla...@gmail.com wrote: Hi, is it possible that ossec compresses the rotated log files once per month? Can I change this to

Re: [ossec-list] (*.exe) file monitoring

2015-04-08 Thread Santiago Bassett
Hi, sysmon can be used to log processes creation. More info at: https://technet.microsoft.com/en-us/sysinternals/dn798348 Also check this great document from Josh: http://defensivedepth.com/2015/03/27/using-sysmon-to-enrich-security-onions-host-level-capabilities/ and the link to decoders and

Re: [ossec-list] Wheezy/x86 : installation does not creates startup script

2015-04-01 Thread Santiago Bassett
Hi Frank, I am the installers maintainer, sorry for the inconvenience. Not sure yet what is causing this problem, but will work on it right away. Hopefully I can have new packages ready in a few hours. I know the file is in the package but somehow doesn't get installed correctly. Please tell me

Re: [ossec-list] Wheezy/x86 : installation does not creates startup script

2015-04-02 Thread Santiago Bassett
Ok, I actually had some work urgencies yesterday and couldn't troubleshoot the issue. Will be back to you soon with an update. Best On Thu, Apr 2, 2015 at 6:14 AM, inexte...@kbicetre.com wrote: Thanks Santiago! I'm working on 32 bits virtual machines, and have installed both ossec-hids and

Re: [ossec-list] Where are file integrity file permissions stored?

2015-06-03 Thread Santiago Bassett
You might want to check this thread: https://groups.google.com/forum/m/#!topic/ossec-list/UuhauWUCxkU On Jun 4, 2015, at 1:11 AM, R Brandt blind.gray.squir...@gmail.com wrote: Thanks. Didn't have time to look at the file until today. So how do you decode the syscheck entries? On

Re: [ossec-list] Re: OSSEC.NET site down?

2015-06-03 Thread Santiago Bassett
It was actually down for everyone for a little while but it's now up and running. I think Vic fixed it. Santiago Bassett @santiagobassett On Jun 4, 2015, at 12:35 AM, Brent Morris brent.mor...@gmail.com wrote: it works for me... http://downforeveryoneorjustme.com/ On Wednesday, June

Re: [ossec-list] Login/Logout events excluding system accounts

2015-06-18 Thread Santiago Bassett
Hi, I would try modifying ossec-single-line plugin (/etc/ossim/agent/plugins/ossec-single-line.cfg) regular expressions not to match alerts when they include the $ sign. You can use regexp.py tool to identify the rule, in the plugin, matching your alerts (you can find it here:

Re: [ossec-list] Active-Response on server for remote alerts?

2015-05-26 Thread Santiago Bassett
, May 22, 2015 at 3:22 AM, Santiago Bassett santiago.bass...@gmail.com wrote: Not sure if this is of any help, but try to run ossec-execd in debug mode and use -t to test the configuration. Maybe that way you can figure out what is causing the issue. On Thu, May 21, 2015 at 8:01 AM, Xavier

Re: [ossec-list] Re: OSSEC is making AWS EC2 instance w/ Centos 7 become unresponsive

2015-07-05 Thread Santiago Bassett
Hi Caleb, I am interested in replicating the issue to see if I can find what is causing the problem. Here are some questions: What AMI did you use to launch the AWS instance? How did you install the agent (from rpm, source code)? What version of ossec-hids are you running? Did you modify the

Re: [ossec-list] running ossec-execd as nonroot working

2015-05-21 Thread Santiago Bassett
Thanks for sharing Sebastian. On Thu, May 21, 2015 at 5:32 AM, skotthof sebastian.kotth...@rz.uni-mannheim.de wrote: Hi, I have ossec-execd running as (new) user ossece. For the Latest Stable Release (2.8.1) On agent: # ps aux | grep ossec ossece 21669 0.0 0.0 12564 504 ?

[ossec-list] Re: Updated deb packages for Debian/Ubuntu

2015-08-11 Thread Santiago Bassett
Forgot to mention, in case there is any doubt, all those changes are already available in RPM packages provided by Atomicorp, so there is no need for an update there. On Tue, Aug 11, 2015 at 4:37 PM, Santiago Bassett santiago.bass...@gmail.com wrote: Just published new improved packages

Re: [ossec-list] my problem with rootcheck / CIS checks

2015-08-12 Thread Santiago Bassett
2015 00:48:49 UTC+2, Santiago Bassett wrote: The file looks good to me. Is the segfault happening only with agent 000 or with all of them? If it is only 000 I would try completely deleting rootcheck file and running the check again. If you still have the segfault try compiling 2.9 version. I

Re: [ossec-list] Monitoring windows or Linux partitions

2015-08-15 Thread Santiago Bassett
Hi, you can use full_command option (fdisk or similar) with check_diff. Here is the documentation: http://ossec-docs.readthedocs.org/en/latest/manual/monitoring/process-monitoring.html Best On Fri, Aug 14, 2015 at 2:38 AM, sebastien.quegui...@gmail.com wrote: Hello, I am trying to monitor

Re: [ossec-list] Filter Windows Event at client

2015-08-18 Thread Santiago Bassett
Durkee On 08/18/2015 01:24 PM, Santiago Bassett wrote: Could you share your ossec.conf settings (from the agent) and also the shared/agent.conf ones. Those are probably located in C:\Program Files/ossec-agent I am guessing, but I think you probably are reading all Security events in some

Re: [ossec-list] Filter Windows Event at client

2015-08-18 Thread Santiago Bassett
Durkee On 08/18/2015 01:10 PM, Ralph Durkee wrote: I've restarted ossec on the server several times. Are you referring to the Windows agent? -- Ralph Durkee On 08/18/2015 11:46 AM, Santiago Bassett wrote: Try restarting it manually and see if that works. On Tue, Aug 18, 2015 at 7:23 AM

Re: [ossec-list] Filter Windows Event at client

2015-08-18 Thread Santiago Bassett
this working? Thanks, -- Ralph Durkee On 08/08/2015 01:32 PM, Santiago Bassett wrote: Hi, try using this configuration: <localfile> <location>Security</location> <log_format>eventchannel</log_format> <query>Event/System[EventID=4624]</query> </localfile> Best regards On Thu, Aug 6, 2015

Re: [ossec-list] CIS checks via OSSEC

2015-07-28 Thread Santiago Bassett
events, great :) best, theresa On Sunday, 26 July 2015 00:54:38 UTC+2, Santiago Bassett wrote: Hi Theresa, have a look at this doc: https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_6_Benchmark_v1.3.0.pdf I was also curious and found the explanation

Re: [ossec-list] Filter Windows Event at client

2015-08-08 Thread Santiago Bassett
Hi, try using this configuration: <localfile> <location>Security</location> <log_format>eventchannel</log_format> <query>Event/System[EventID=4624]</query> </localfile> Best regards On Thu, Aug 6, 2015 at 3:18 AM, Swati swati@gmail.com wrote: Hi, I have installed the new version of OSSEC

[ossec-list] Monitoring system processes with OSSEC

2015-08-11 Thread Santiago Bassett
Hi, just in case anyone is interested, I published a little article about it a few days ago. It basically describes how to run remote commands to list remote processes and write rules to alert when important ones are not running.

Re: [ossec-list] my problem with rootcheck / CIS checks

2015-08-11 Thread Santiago Bassett
Segmentation fault I called strace with the following parameter strace -C bin/rootcheck_control -L -i 000 was this sufficient or do I need something else? thanks, theresa On Monday, 10 August 2015 23:11:59 UTC+2, Santiago Bassett wrote: Hi Theresa, did the process crash already? We need

Re: [ossec-list] Re: OSSEC Agent Connectivity status not changing immeditly on OSSEC master

2015-08-10 Thread Santiago Bassett
Is there any error message in ossec.log? I would suggest to edit /var/ossec/etc/internal_options and set remoted.verify_msg_id=0 (in case there is a problem with the counters, especially since possibly packets are being lost) On Mon, Aug 10, 2015 at 5:38 AM, Harish P hpnair...@gmail.com wrote:

Re: [ossec-list] my problem with rootcheck / CIS checks

2015-08-10 Thread Santiago Bassett
Haven't seen that before. Try running rootcheck_control with strace to debug that segfault Best On Mon, Aug 10, 2015 at 9:54 AM, theresa mic-snare rockprinz...@gmail.com wrote: hi all, as you may have noticed I've been playing around with the rootcheck module, e.g for the CIS checks. what

Re: [ossec-list] my problem with rootcheck / CIS checks

2015-08-10 Thread Santiago Bassett
-- --- --- - - 100.000.00 103 5 total Segmentation fault On Monday, 10 August 2015 20:28:20 UTC+2, Santiago Bassett wrote: Haven't seen that before. Try running rootcheck_control with strace to debug

[ossec-list] Updated deb packages for Debian/Ubuntu

2015-08-11 Thread Santiago Bassett
ossec users home to /var/ossec/ * Added linux-libc-dev build dependency to Debian control file More details at and Debian files at: https://github.com/santiago-bassett/ossec-debian/commit/8b677163d423b43b9b4eba159f731205caf9b231 Packages available at: http://ossec.wazuh.com/repos/apt/ Can

Re: [ossec-list] shared agent.conf

2015-07-24 Thread Santiago Bassett
Hi Chinguun, sure thing, you just need to edit shared/agent.conf in the manager. Best On Sat, Jul 18, 2015 at 3:21 AM, Chinguun Bayar chingiin...@gmail.com wrote: Hello guys, how can I push the same conf to all agents (there are 7 agents)? Thanks

Re: [ossec-list] Re: Get list of files Ossec is monitoring

2015-07-24 Thread Santiago Bassett
Hi Andries, I would suggest to use lsof tool and see if files are being read by ossec-logcollector process. Best On Sun, Jul 19, 2015 at 10:44 AM, Andries Jansen andr...@jansen-cws.nl wrote: Hello, Yes I've configured the log files for both log analysis and syscheck in the ossec.conf and

Re: [ossec-list] httpd logs (possible attacks/intrusions)

2015-07-25 Thread Santiago Bassett
/reputation.generic |\ egrep ^[0-9] | cut -d, -f1 | sed 's/ # /:/' } ip_blacklist On 7/24/2015 7:46 PM, Santiago Bassett wrote: Hi Theresa, my guess is that you are probably victim of web crawlers more than anything else. In any case it would be interesting to search those source IPs info

Re: [ossec-list] Re: 2.8.2 and WUI in ossec channel repositories?

2015-07-25 Thread Santiago Bassett
Hi James, I didn't have time last week to work on this. Will let you know as soon as those are ready. The rpms are maintained by Atomicorp. Best On Thu, Jul 16, 2015 at 3:08 AM, James Le Cuirot ch...@aura-online.co.uk wrote: On Monday, 13 July 2015 00:19:22 UTC+1, Santiago Bassett wrote

Re: [ossec-list] CIS checks via OSSEC

2015-07-25 Thread Santiago Bassett
system passed all the tests... On Tuesday, 14 July 2015 20:11:09 UTC+2, Santiago Bassett wrote: I think this is the latest version of those rules: https://github.com/ossec/ossec-hids/blob/master/src/rootcheck/db/cis_rhel6_linux_rcl.txt On Tue, Jul 14, 2015 at 11:08 AM, theresa mic-snare

Re: [ossec-list] UEKr3 and OSSEC

2015-07-24 Thread Santiago Bassett
Sorry not me, please share if you found issues. On Fri, Jul 24, 2015 at 11:56 AM, Jamey B jbeard...@gmail.com wrote: Does anyone run OSSEC on UEK release 3? Curious to hear of any problems, if any.

Re: [ossec-list] httpd logs (possible attacks/intrusions)

2015-07-24 Thread Santiago Bassett
Hi Theresa, my guess is that you are probably victim of web crawlers more than anything else. In any case it would be interesting to search those source IPs info in IP reputation databases to see if those are well known attackers. Has anyone in this list used an IP reputation database in a CDB

Re: [ossec-list] Display user info during filechange

2015-07-14 Thread Santiago Bassett
I haven't tested it but for unix systems maybe you can create rules to read stat command output On Tue, Jul 14, 2015 at 9:24 AM, theresa mic-snare rockprinz...@gmail.com wrote: Hi, I'm not sure if I understood the request/question completely... but it does sound a bit complicated to me. how

Re: [ossec-list] Re: New Debian and Ubuntu installers

2015-07-16 Thread Santiago Bassett
wrote: On Thursday, 16 July 2015 16:27:03 UTC+1, James Le Cuirot wrote: On Monday, 13 July 2015 00:21:37 UTC+1, Santiago Bassett wrote: FYI. Just released those, version 2.8.2 with several fixes. Thanks again for these. I've been working on the cookbook and found that the RPMs include ossec

Re: [ossec-list] Re: New Debian and Ubuntu installers

2015-07-17 Thread Santiago Bassett
:15:17 UTC+1, Santiago Bassett wrote: Happy to include ossec-batch-manager.pl in the package. Great! Regarding ossec users, they do not have a home directory. What user/s are used by the cookbook to drop the ssh key? I will modify the installer to make /var/ossec their home. I see

Re: [ossec-list] Re: New Debian and Ubuntu installers

2015-07-13 Thread Santiago Bassett
Just published the debian files too, here you can see what has been changed: https://github.com/santiago-bassett/ossec-debian/commit/9bbb5131623a9b50a0abce18024bee07eef90833 On Mon, Jul 13, 2015 at 2:38 AM, Wforum Wforum wfor...@gmail.com wrote: TXS Is there a way to see what has changed

Re: [ossec-list] Re: disable ossec-remoted

2015-07-13 Thread Santiago Bassett
Hi Theresa, client.keys file is automatically created the first time you add a remote agent. Remoted is triggering those errors because it is supposed to talk to remote agents and it looks like there are no external agents configured yet. The other error, "non remote connection configured", is caused

Re: [ossec-list] CIS checks via OSSEC

2015-07-14 Thread Santiago Bassett
I think this is the latest version of those rules: https://github.com/ossec/ossec-hids/blob/master/src/rootcheck/db/cis_rhel6_linux_rcl.txt On Tue, Jul 14, 2015 at 11:08 AM, theresa mic-snare rockprinz...@gmail.com wrote: also, I'd like to update this page to something more up-to-date (RHEL 6

Re: [ossec-list] Hybrid mode automated install

2015-10-27 Thread Santiago Bassett
Hi Daniel, I haven't tested it but maybe you can set USER_INSTALL_TYPE to "hybrid" in the preloaded-vars.conf file. Find it here: https://github.com/ossec/ossec-hids/blob/master/etc/preloaded-vars.conf.example What OSSEC version are you trying to build? Also remember that OSSIM plugin needs to

Re: [ossec-list] Will app get blocked on heavy mysql queries?

2015-11-10 Thread Santiago Bassett
ome this issue? In my older version I saw this >> error too >> ossec-execd: INFO: Active response command not present: >> '/var/ossec/active-response/bin/restart-ossec.cmd'. Not using it on this >> system. >> >> This is my worry on the new machine using 2.8.1 the app might ge

Re: [ossec-list] Package Debian Jessie 2.8.3 + Mysql

2015-11-08 Thread Santiago Bassett
Hi Regis, yes, this version of the deb packages has not been compiled with mysql support. I am actually working on a new one right now, to include systemd support. Will look to include mysql support too. Hopefully I can publish it today. Best On Sun, Nov 8, 2015 at 5:57 AM, Régis Houssin

Re: [ossec-list] Package Debian Jessie 2.8.3 + Mysql

2015-11-08 Thread Santiago Bassett
Compiling packages, should be up in the repo in about an hour. Those will be version 2.8.3-2. Please don't hesitate to let me know if you still find issues. Best On Sun, Nov 8, 2015 at 7:50 AM, Santiago Bassett <santiago.bass...@gmail.com > wrote: > Hi Regis, > > yes, this ver

Re: [ossec-list] Re: OSSEC: Real time file monitoring not starting

2015-11-12 Thread Santiago Bassett
Are you using scan_on_start option? Remember realtime won't work until first syscheck is done. I also recommend using alert_new_files and setting auto_ignore to "no" (this goes on the manager). Useful troubleshooting tip is to enable debug for syscheck on the agent (internal_options.conf file) Best

Re: [ossec-list] ossec-logtest returns Level 0 but still getting email alerts Level 2

2015-11-12 Thread Santiago Bassett
Hi Daniel, not sure if that matters but is your local rule in the same , as rule 1002 is? You sure you restarted the manager, right? Best On Thu, Nov 12, 2015 at 7:06 AM, Daniel Bray wrote: > I'm running ossec-hids-server-2.8.2-49.el6.art.x86_64 (Atomic repo) > > I've

Re: [ossec-list] Package Debian Jessie 2.8.3 + Mysql

2015-11-12 Thread Santiago Bassett
Just uploaded the new packages. The issues should be fixed now. On Mon, Nov 9, 2015 at 5:04 PM, Santiago Bassett <santiago.bass...@gmail.com > wrote: > Thank you Regis for the feedback. Really appreciate it. > > Will work on those issues and generate new packages as soon as I can

Re: [ossec-list] Package Debian Jessie 2.8.3 + Mysql

2015-11-13 Thread Santiago Bassett
Thanks to you for the feedback! On Fri, Nov 13, 2015 at 12:28 AM, Régis Houssin <regis.hous...@gmail.com> wrote: > Hi, > > it's ok !! :-) > thank you very much > > > Le 13/11/2015 03:20, Santiago Bassett a écrit : > > Just uploaded the new packages. The issue

Re: [ossec-list] Windows OSSEC Agent 2.8.3 – cannot install on Windows server 2012 R2

2015-11-13 Thread Santiago Bassett
R2 boxes, and both > installations were successful. > > On Monday, November 9, 2015 at 6:51:41 PM UTC-8, Santiago Bassett wrote: >> >> Looks like the Windows agent file in ossec.net is corrupted. The file is >> only 207K, and Sha256 checksum doesn't match. >> &

Re: [ossec-list] Windows OSSEC Agent 2.8.3 – cannot install on Windows server 2012 R2

2015-11-09 Thread Santiago Bassett
Looks like the Windows agent file in ossec.net is corrupted. The file is only 207K, and Sha256 checksum doesn't match. We have a pre-compiled Windows agent at http://ossec.wazuh.com/windows/ This one is 1.1MB and works fine for us. I'll reach Vic so he can upload a new one to ossec.net Best

Re: [ossec-list] Package Debian Jessie 2.8.3 + Mysql

2015-11-09 Thread Santiago Bassett
ILE=`mktemp /var/ossec/ossec-hosts.XX` > > > > and replace : > > TMP_FILE = "/var/ossec/ossec-hosts.`cat /dev/urandom | tr -dc 'a-zA-Z0-9' > | fold -w 32 | head -1 `" > > by > > TMP_FILE="/var/ossec/ossec-hosts.`cat /dev/urandom | tr -dc 'a-zA-Z

Re: [ossec-list] Will app get blocked on heavy mysql queries?

2015-11-09 Thread Santiago Bassett
Are you running an agent or the manager? I don't think OSSEC would block access to your mysql db. On Mon, Nov 9, 2015 at 8:19 AM, frwa onto wrote: > Hi, > I have centos server. I have managed to install ossec 2.8.1. It mainly > runs a socket programming app. For every

Re: [ossec-list] Ossec logrotate

2015-11-09 Thread Santiago Bassett
Afaik ossec-monitord rotates and compresses the logs (archives.log, alerts.log, ossec.log) every day (exactly at midnight). There are some monitord options at /var/ossec/etc/internal_options.conf No option to delete those logs automatically though. A cron task would be my way to go. On Mon,

Re: [ossec-list] Re: 2.8.2 and WUI in ossec channel repositories?

2015-07-12 Thread Santiago Bassett
Hi James, just released new Debian and Ubuntu packages version 2.8.2 with several fixes. You can find them here: http://ossec.wazuh.com/repos/apt/debian/pool/main/o/ http://ossec.wazuh.com/repos/apt/ubuntu/pool/main/o/ I've tested them several times myself, but if you find any issue or problem

[ossec-list] New Debian and Ubuntu installers

2015-07-12 Thread Santiago Bassett
FYI. Just released those, version 2.8.2 with several fixes. You can find those here: http://ossec.wazuh.com/repos/apt/debian/pool/main/o/ http://ossec.wazuh.com/repos/apt/ubuntu/pool/main/o/ Or install those following the instructions in OSSEC website: http://www.ossec.net/?page_id=19 I've
