Agree with Dan. As well, a good way to know if ossec is reading the file is
running the following command:
lsof +d /var/log/ | grep mail
On Friday, August 23, 2013 5:56:14 AM UTC-7, dan (ddpbsd) wrote:
On Fri, Aug 23, 2013 at 4:02 AM, Mehmet Ali Büyükkarakaş
mbuyuk...@gmail.com
Hi James,
not sure if I understood this correctly. Are you trying to read those files
remotely? How are those accessible? (samba?) If that is the case I guess
those could probably be read as local.
Best
On Monday, August 26, 2013 7:46:15 PM UTC-7, James Whittington wrote:
I am running a
please check if ossec-analysis daemon is running. That's typically the
cause of this message.
Last week I got into a similar issue because my ossec-analysisd process was
crashing. Couldn't find why, but reinstalling fixed it.
I hope it helps
On Tue, Aug 27, 2013 at 6:50 AM, Brian Dilley
to the remote agents it would seem allowing the use of an
external file for local customizations would make a lot of sense.
James Whittington
*From:* ossec-list@googlegroups.com [mailto:ossec-list@googlegroups.com] *On
Behalf Of *Santiago Bassett
Hello everybody,
I am preparing a webinar for next Tuesday (8:00am-9:00am PDT) where I plan
to explain how OSSEC has been integrated into AlienVault/OSSIM SIEM.
My idea is to show how OSSEC can be configured and managed from
AlienVault GUI, as well as a few examples of OSSEC alerts correlation,
, 2013 2:06:22 AM UTC+1, Santiago Bassett wrote:
Hello everybody,
I am preparing a webinar for next Tuesday (8:00am-9:00am PDT) where I
plan to explain how OSSEC has been integrated into AlienVault/OSSIM SIEM.
My idea is to show how OSSEC can be configured and managed from
AlienVault GUI
Hi,
it seems that the agent may not be sending those logs to the server. Are
you sure it is reading the right file? Try lsof +d /var/log/apache2/ | grep error
to see if ossec-logcollector is reading that file.
If you can see ossec-logcollector reading the file, then try enabling the
logall option
Hi Dung,
If this is for a Linux server I guess you would probably need to monitor
the bin directories, using syscheck, for new files (/bin /sbin /usr/bin
...), so you can discover if a new service is installed.
As well, if you know exactly what new files you are looking for, you may be
able to
package installed.
Portion of the log(s):
Nov 5 15:05:13 ip-10-xx-xx-xx yum[13394]: Installed:
perl-Params-Validate-0.92-3.4.amzn1.x86_64
Thank you,
Jared R. Greene
(407) 414-4003
On Nov 8, 2013, at 12:02 PM, Santiago Bassett santiago.bass...@gmail.com
wrote:
Hi Dung
Here there is some documentation:
http://www.ossec.net/doc/manual/rules-decoders/rule-levels.html
On Sun, Nov 10, 2013 at 6:30 PM, Mr.W 519470...@qq.com wrote:
Hi,all
Sorry , I have missed some elements.
As you know, Level 0: Ignored, no action taken.
who can share the meaning with me
Hi Devendra,
does your system have multiple IP addresses? Is there any other agent
connected to the server?
I have experienced issues with systems running multiple IP addresses. If
that is the case I would recommend to check with tcpdump which is the one
that the agent uses to send data to the
. There is no communication shown in
the output of tcpdump on either IPs. In every case it fails, that server
has NIC bonding (teaming) setup. I am wondering if I need to do anything
else to configure ossec to accommodate NIC bonding.
On Wednesday, 9 April 2014 21:26:15 UTC-4, Santiago Bassett
and tcpdump does not show any
communication between client and server. As soon as I install it on a
server that doesn't have network bonding/teaming configured (even with
multiple IPs), issue doesn't happen.
On Thursday, 10 April 2014 11:29:39 UTC-4, Santiago Bassett wrote:
Could you check
Sure! For debian packages you will need the debian control files and the
Makefiles. As well I created a script that uses pbuilder to build the
packages for the different architectures and Debian distributions.
Please give me a couple of days to clean up the script (since it contains
some
Hi Alex,
are you using the repository below?
http://ossec.alienvault.com/repos/apt/debian/pool/main/o/
If that is the case, OSSEC would automatically install in /var/ossec
directory. It doesn't ask for an Install dir (we may include this for
future packages maybe).
I guess you could probably
Hi Jelle,
ossec-hids-agent package should be the only one you need. Not sure why you
are getting these errors.
The process to connect an agent to a server requires you to:
- Run /var/ossec/bin/manage_agents and import the key from the server.
- Edit /var/ossec/etc/ossec.conf and set the
-syscheckd
root@ip-10-0-0-242:/home/admin# cat /etc/debian_version
7.2
On Sat, Aug 2, 2014 at 8:23 AM, Santiago Bassett santiago.bass...@gmail.com
wrote:
Hi Jelle,
ossec-hids-agent package should be the only one you need. Not sure why you
are getting these errors.
The process to connect
.
Thanks for your help
On Saturday, August 2, 2014 5:25:49 PM UTC+2, Santiago Bassett wrote:
As well, in case it helps, this is what I got in a new agent
installation (which is working as I would expect).
root@ip-10-0-0-242:/home/admin# dpkg -l | grep ossec
ii ossec-hids-agent
In case anyone is interested here you can find my presentation at OSSEC CON:
http://santi-bassett.blogspot.com/2014/09/osseccon-2014-malware-detection-with.html
I think we will publish all presentations at ossec.net sometime soon as
well.
Best
--
---
You received this message because you
Hi Brian,
I see you refer to alienvault documentation. Are you using Alienvault USM
or OSSIM with OSSEC? If that is the case you should be able to grab the
event ID from the raw log modifying the plugin used to parse OSSEC alerts
output.
As well, as Ivars mentioned it seems there is a typo in
Great stuff, thanks for sharing.
On Fri, Dec 5, 2014 at 11:51 AM, Brent Morris brent.mor...@gmail.com
wrote:
Not exactly sure if this is the right place to post this, but it took me
some time to get working decodes for Microsoft's Azure Multi-Factor
Authentication (PhoneFactor.net).
It's
Hi Chris,
Not sure if this would work, but what about setting up a little cron task
to copy the file over SSH to the hybrid server so it can propagate it to
the agents?
Best
On Sat, Nov 15, 2014 at 5:35 AM, dan (ddp) ddp...@gmail.com wrote:
On Nov 15, 2014 7:14 AM, Chris An
virustotal.com might help too.
On Thu, Jan 15, 2015 at 7:17 AM, dan (ddp) ddp...@gmail.com wrote:
On Wed, Jan 14, 2015 at 10:50 PM, notify.s...@gmail.com wrote:
Hi List,
I recently tried to install a web based billing application on a CentOS
server that serves multiple roles. its also
Are you sure your windows event is being generated? Check your audit policy.
Santiago Bassett
@santiagobassett
On Jan 19, 2015, at 12:26 PM, Semperfi ke...@myschatz.net wrote:
I am new to OSSEC. I have it running and it's collecting data.. However,
So far I've noticed that anything
I think you can do this with modsecurity or .htaccess files but not sure how to
do it with ossec. Can you elaborate a little bit more on the use case? Do you
have a list of user agents you want to block?
Santiago Bassett
@santiagobassett
On Jan 19, 2015, at 8:25 AM, Leomar Viegas Junior
Good link from an old email of this mailing list (sent by Michael Starks)
http://www.ivankuznetsov.com/2010/02/no-space-left-on-device-running-out-of-inodes.html
On Tue, Mar 10, 2015 at 2:36 PM, Santiago Bassett
santiago.bass...@gmail.com wrote:
Check if you have any available Inode. You can
Check if you have any available Inode. You can do that with df -i
On Tue, Mar 10, 2015 at 1:14 AM, Cagri Ersen cagri.er...@gmail.com wrote:
Hi all,
I have a weird problem with ossec-remoted and logcollector daemons. When I
start the ossec services as normal, everything seems to be OK, all
Any output when running agent_control -r -a
Could you share your syscheck config?
Best
On Tue, Mar 10, 2015 at 6:48 PM, Cagri Ersen cagri.er...@gmail.com wrote:
No, it's not related to inodes. There are tons of free inodes on the system.
On Tuesday, March 10, 2015 at 3:36:59 PM UTC+2, Santiago
OSSEC supports centralized configuration management:
http://ossec-docs.readthedocs.org/en/latest/manual/agent/agent-configuration.html
Thousands of Open Source solutions are used daily in production
environments, so I assume Open Source is ready for business, but maybe not
for people that don't
Hi Alex,
did you install from sources or using the deb installers?
Santiago Bassett
@santiagobassett
On Feb 28, 2015, at 10:35 PM, Alex Kuklin alex.kuk...@gmail.com wrote:
Hi,
i just found that ossec does not start (even install) on debian/jessie
Looks like
[Unit]
Description
Ok let me check it, i'll be back soon
Santiago Bassett
@santiagobassett
On Mar 1, 2015, at 1:26 AM, Alex Kuklin a...@kuklin.ru wrote:
Hi,
i use .deb
# cat /etc/apt/sources.list.d/oss.list
deb http://ossec.alienvault.com/repos/apt/debian jessie main
On 01.03.2015 02:22, Santiago
Is it the agent or server package?
Thanks
Santiago Bassett
@santiagobassett
On Mar 1, 2015, at 1:26 AM, Alex Kuklin a...@kuklin.ru wrote:
Hi,
i use .deb
# cat /etc/apt/sources.list.d/oss.list
deb http://ossec.alienvault.com/repos/apt/debian jessie main
On 01.03.2015 02:22
Hi Alex,
I got to install ossec-hids deb package in debian jessie with no problem.
It actually doesn't use systemd to install the init script, but instead
installs it directly using this file included in the ossec source:
https://github.com/santiago-bassett/ossec-hids/blob/master/src/init/ossec
://github.com/santiago-bassett/ossec-debian
After doing a few obvious tweaks to try and make them work for ubuntu
codenames instead of debian codenames, I tried to run generate_ossec.sh and
it complained because the ossec-hids directory is a git repository, not
something that contains a source tarball
, rsyslog-pkg-debian has the debian codenames
David Lang
On Fri, 24 Apr 2015, David Lang wrote:
Date: Fri, 24 Apr 2015 16:45:01 -0700 (PDT)
From: David Lang da...@lang.hm
Reply-To: ossec-list@googlegroups.com
To: Santiago Bassett santiago.bass...@gmail.com
Cc: ossec-list@googlegroups.com ossec
Hi,
this is what I figured out by having a look at the code. Explaining the
next line as an example (including some spaces to make it easier to read):
!++ 1486 : 33188 : 0 : 1 : a465a2fd02717050ca44d6cc24c5d458 :
bd37d291ce34e363af853958a31f24c74bd85d4 !1330029335
Hi David,
some comments inline.
On Sun, May 3, 2015 at 8:03 AM, David Ruschinek dav...@recoverycorp.com
wrote:
Hi
I know there some are other posts on this:
http://marc.info/?l=ossec-listm=141528107703617w=2
http://marc.info/?l=ossec-listm=139601760905968w=2
Yep, I've done this in the past setting up source routing.
Best
On Mon, May 4, 2015 at 4:43 AM, dan (ddp) ddp...@gmail.com wrote:
On Fri, May 1, 2015 at 10:44 AM, dp...@realtruck.com wrote:
I just have deployed ossec. I am having troubles with my linux boxes
using
the wrong interface.
, so firewalls aren't the issue.
The server is, for some reason, not responding.
On Monday, May 11, 2015 at 12:27:34 PM UTC-4, Santiago Bassett wrote:
Hi Steve,
do you use DHCP or fixed IP addresses in your environment? Do your
servers have one or more than one IP?
When you added the agents
ossec-monitord process does the rotation automatically daily. Afaik, there
is no configuration option to change this.
You could probably disable it by creating a little patch and commenting out
or modifying the function manage_files in monitord.c file.
My preferred choice would be to do a little
Hi James,
OSSEC runs as a service so no user interaction is needed. The GUI just
provides a few features to be able to see agent status, key, configuration
and logs.
Then for a large deployment I would suggest to use Puppet, Chef, CFEngine
or something similar. Most important part is the client
Hi Steve,
do you use DHCP or fixed IP addresses in your environment? Do your servers
have one or more than one IP?
When you added the agents, did you use fixed IPs for each one? Is tcpdump
output showing the same IP you used when adding those?
Best
On Mon, May 11, 2015 at 8:54 AM, Steve
You could probably use CDB lists in the rules
On Tue, May 12, 2015 at 8:34 AM, skotthof
sebastian.kotth...@rz.uni-mannheim.de wrote:
Hi,
okay thanks.
I have tested this by changing a rule for ssh login:
<rule id="5710" level="5">
<if_sid>5700</if_sid>
<match>illegal user|invalid
is located under /opt/ossec and yes, I have a hybrid server
(server + local-agent + on_remote_agent) if this is important.
The ssh tests I run with the remote-agent. I restarted Ossec on both
machines several times.
Sebastian
On Tue, May 12, 2015 at 10:26:21AM -0700, Santiago Bassett wrote
Do you have alerts showing up in alerts.log file?
On Apr 15, 2015, at 3:49 PM, ri...@amcoonline.net wrote:
Thanks @Brent. I added the logall option and temporarily removed the
whitelist.
<ossec_config>
<global>
<email_notification>yes</email_notification>
Hi Franck,
did you have the opportunity to test the solution I sent, I really would
appreciate your feedback. Thanks!
Santiago.
On Fri, Apr 3, 2015 at 11:29 PM, Santiago Bassett
santiago.bass...@gmail.com wrote:
HI Franck,
I've been working on it, and it looks like this is an issue
Hi Sudhir,
do you have gcc compiler installed? if so, what version are you running?
It looks to me that you are using cc instead of gcc, and that could be
causing the issue.
Best,
Santiago.
On Mon, Apr 6, 2015 at 9:53 PM, sudhir ojha sudhir.k.o...@gmail.com wrote:
Hi,
I am getting some
::Options::=--force-confmiss install --reinstall
ossec-hids
Let me know if that fixes the issue. On my side, I'll see if there is a way
to avoid this by modifying the package.
Best,
Santiago.
On Thu, Apr 2, 2015 at 10:34 AM, Santiago Bassett
santiago.bass...@gmail.com wrote:
Ok, I actually had some
Hi,
I would rely on logrotate application to configure the log rotation
according to your preferences.
Best
On Wed, Apr 8, 2015 at 12:48 AM, Holger Glaess holgergla...@gmail.com
wrote:
hi
is it possible that ossec compresses the rotated log files once per month?
can i change this to
Hi,
sysmon can be used to log processes creation. More info at:
https://technet.microsoft.com/en-us/sysinternals/dn798348
Also check this great document from Josh:
http://defensivedepth.com/2015/03/27/using-sysmon
-to-enrich-security-onions-host-level-capabilities/
and the link to decoders and
Hi Frank,
I am the installers maintainer, sorry for the inconvenience. Not sure yet
what is causing this problem, but will work on it right away. Hopefully I
can have new packages ready in a few hours.
I know the file is in the package but somehow doesn't get installed
correctly. Please tell me
Ok, I actually had some work urgencies yesterday and couldn't troubleshoot
the issue. Will be back to you soon with an update.
Best
On Thu, Apr 2, 2015 at 6:14 AM, inexte...@kbicetre.com wrote:
Thanks Santiago!
I'm working on 32-bit virtual machines, and have installed both
ossec-hids and
You might want to check this thread:
https://groups.google.com/forum/m/#!topic/ossec-list/UuhauWUCxkU
On Jun 4, 2015, at 1:11 AM, R Brandt blind.gray.squir...@gmail.com wrote:
Thanks.
Didn't have time to look at the file until today.
So how do you decode the syscheck entries?
On
It was actually down for everyone for a little while but it's now up and
running. I think Vic fixed it.
Santiago Bassett
@santiagobassett
On Jun 4, 2015, at 12:35 AM, Brent Morris brent.mor...@gmail.com wrote:
it works for me...
http://downforeveryoneorjustme.com/
On Wednesday, June
Hi,
I would try modifying ossec-single-line plugin
(/etc/ossim/agent/plugins/ossec-single-line.cfg) regular expressions not to
match alerts when they include the $ sign.
You can use regexp.py tool to identify the rule, in the plugin, matching
your alerts (you can find it here:
, May 22, 2015 at 3:22 AM, Santiago Bassett
santiago.bass...@gmail.com wrote:
Not sure if this is of any help, but try to run ossec-execd in debug mode
and use -t to test the configuration. Maybe that way you can figure out
what is causing the issue.
On Thu, May 21, 2015 at 8:01 AM, Xavier
Hi Caleb,
I am interested in replicating the issue to see if I can find what is
causing the problem. Here are some questions:
What AMI did you use to launch the AWS instance?
How did you install the agent (from rpm, source code)?
What version of ossec-hids are you running?
Did you modify the
Thanks for sharing Sebastian.
On Thu, May 21, 2015 at 5:32 AM, skotthof
sebastian.kotth...@rz.uni-mannheim.de wrote:
Hi,
I have ossec-execd running as (new) user ossece.
For the Latest Stable Release (2.8.1)
On agent:
# ps aux | grep ossec
ossece 21669 0.0 0.0 12564 504 ?
Forgot to mention, in case there is any doubt, all those changes are
already available in RPM packages provided by Atomicorp, so there is no
need for an update there.
On Tue, Aug 11, 2015 at 4:37 PM, Santiago Bassett
santiago.bass...@gmail.com wrote:
Just published new improved packages
2015 00:48:49 UTC+2 Santiago Bassett wrote:
The file looks good to me. Is the segfault happening only with agent 000
or with all of them? If it is only 000 I would try completely deleting
rootcheck file and running the check again. If you still have the segfault
try compiling 2.9 version. I
Hi,
you can use full_command option (fdisk or similar) with check_diff. Here is
the documentation:
http://ossec-docs.readthedocs.org/en/latest/manual/monitoring/process-monitoring.html
Best
On Fri, Aug 14, 2015 at 2:38 AM, sebastien.quegui...@gmail.com wrote:
Hello,
I am trying to monitor
Durkee
On 08/18/2015 01:24 PM, Santiago Bassett wrote:
Could you share your ossec.conf settings (from the agent) and also the
shared/agent.conf ones. Those are probably located in C:\Program
Files/ossec-agent
I am guessing, but I think you probably are reading all Security events in
some
Durkee
On 08/18/2015 01:10 PM, Ralph Durkee wrote:
I've restarted ossec on the server several times. Are you referring to the
Windows agent?
-- Ralph Durkee
On 08/18/2015 11:46 AM, Santiago Bassett wrote:
Try restarting it manually and see if that works.
On Tue, Aug 18, 2015 at 7:23 AM
this working?
Thanks,
-- Ralph Durkee
On 08/08/2015 01:32 PM, Santiago Bassett wrote:
Hi,
try using this configuration:
<localfile>
<location>Security</location>
<log_format>eventchannel</log_format>
<query>Event/System[EventID=4624]</query>
</localfile>
Best regards
On Thu, Aug 6, 2015
events, great :)
best,
theresa
On Sunday, 26 July 2015 00:54:38 UTC+2 Santiago Bassett wrote:
Hi Theresa,
have a look at this doc:
https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_6_Benchmark_v1.3.0.pdf
I was also curious and found the explanation
Hi,
try using this configuration:
<localfile>
<location>Security</location>
<log_format>eventchannel</log_format>
<query>Event/System[EventID=4624]</query>
</localfile>
Best regards
On Thu, Aug 6, 2015 at 3:18 AM, Swati swati@gmail.com wrote:
Hi,
I have installed the new version of OSSEC
Hi,
just in case anyone is interested, I published a little article about it a
few days ago. Basically describes how to run remote commands to list remote
processes and write rules to alert when important ones are not running.
Segmentation fault
I called strace with the following parameter strace -C bin/rootcheck_control
-L -i 000
was this sufficient or do I need something else?
thanks,
theresa
On Monday, 10 August 2015 23:11:59 UTC+2 Santiago Bassett wrote:
Hi Theresa,
did the process crash already? We need
Is there any error message in ossec.log?
I would suggest to edit /var/ossec/etc/internal_options and set
remoted.verify_msg_id=0 (in case there is a problem with the counters,
especially since possibly packets are being lost)
On Mon, Aug 10, 2015 at 5:38 AM, Harish P hpnair...@gmail.com wrote:
Haven't seen that before. Try running rootcheck_control with strace to
debug that segfault
Best
On Mon, Aug 10, 2015 at 9:54 AM, theresa mic-snare rockprinz...@gmail.com
wrote:
hi all,
as you may have noticed I've been playing around with the rootcheck
module, e.g for the CIS checks.
what
-- --- --- - -
100.000.00 103 5 total
Segmentation fault
On Monday, 10 August 2015 20:28:20 UTC+2 Santiago Bassett wrote:
Haven't seen that before. Try running rootcheck_control with strace to
debug
ossec users home to /var/ossec/
* Added linux-libc-dev build dependency to Debian control file
More details at and Debian files at:
https://github.com/santiago-bassett/ossec-debian/commit/8b677163d423b43b9b4eba159f731205caf9b231
Packages available at: http://ossec.wazuh.com/repos/apt/
Can
Hi Chinguun,
sure thing, you just need to edit shared/agent.conf in the manager.
Best
On Sat, Jul 18, 2015 at 3:21 AM, Chinguun Bayar chingiin...@gmail.com
wrote:
Hello guys, how can I push the same conf to all agents (there are 7 agents)?
thanks
Hi Andries,
I would suggest to use lsof tool and see if files are being read by
ossec-logcollector process.
Best
On Sun, Jul 19, 2015 at 10:44 AM, Andries Jansen andr...@jansen-cws.nl
wrote:
Hello,
Yes I've configured the log files for both log analysis and syscheck in
the ossec.conf and
/reputation.generic |\
egrep ^[0-9] | cut -d, -f1 | sed 's/ # /:/'
} ip_blacklist
On 7/24/2015 7:46 PM, Santiago Bassett wrote:
Hi Theresa,
my guess is that you are probably victim of web crawlers more than
anything else. In any case it would be interesting to search those source
IPs info
Hi James,
I didn't have time last week to work on this. Will let you know as soon as
those are ready. The rpms are maintained by Atomicorp.
Best
On Thu, Jul 16, 2015 at 3:08 AM, James Le Cuirot ch...@aura-online.co.uk
wrote:
On Monday, 13 July 2015 00:19:22 UTC+1, Santiago Bassett wrote
system passed all the tests...
On Tuesday, 14 July 2015 20:11:09 UTC+2 Santiago Bassett wrote:
I think this is the latest version of those rules:
https://github.com/ossec/ossec-hids/blob/master/src/rootcheck/db/cis_rhel6_linux_rcl.txt
On Tue, Jul 14, 2015 at 11:08 AM, theresa mic-snare
Sorry not me, please share if you found issues.
On Fri, Jul 24, 2015 at 11:56 AM, Jamey B jbeard...@gmail.com wrote:
Does anyone run OSSEC on UEK release 3? Curious to hear of any problems,
if any.
Hi Theresa,
my guess is that you are probably victim of web crawlers more than anything
else. In any case it would be interesting to search those source IPs info
in IP reputation databases to see if those are well known attackers.
Has anyone in this list use an IP reputation database in a CDB
I haven't tested it but for unix systems maybe you can create rules to read
stat command output
On Tue, Jul 14, 2015 at 9:24 AM, theresa mic-snare rockprinz...@gmail.com
wrote:
Hi,
i'm not sure if I understood the request/question completely...but it does
sound a bit complicated to me.
how
wrote:
On Thursday, 16 July 2015 16:27:03 UTC+1, James Le Cuirot wrote:
On Monday, 13 July 2015 00:21:37 UTC+1, Santiago Bassett wrote:
FYI. Just released those, version 2.8.2 with several fixes.
Thanks again for these. I've been working on the cookbook and found that
the RPMs include ossec
:15:17 UTC+1, Santiago Bassett wrote:
Happy to include ossec-batch-manager.pl in the package.
Great!
Regarding ossec users, they do not have a home directory. What user/s are
used by the cookbook to drop the ssh key? I will modify the installer to
make /var/ossec their home.
I see
Just published the debian files too, here you can see what has been changed:
https://github.com/santiago-bassett/ossec-debian/commit/9bbb5131623a9b50a0abce18024bee07eef90833
On Mon, Jul 13, 2015 at 2:38 AM, Wforum Wforum wfor...@gmail.com wrote:
TXS
Is there a way to see what has changed
Hi Theresa,
client.keys file is automatically created the first time you add a remote
agent. Remoted is triggering those errors because it is supposed to talk to
remote agents and it looks like there are no external agents configured yet.
The other error non remote connection configured is caused
I think this is the latest version of those rules:
https://github.com/ossec/ossec-hids/blob/master/src/rootcheck/db/cis_rhel6_linux_rcl.txt
On Tue, Jul 14, 2015 at 11:08 AM, theresa mic-snare rockprinz...@gmail.com
wrote:
also, I'd like to update this page to something more up-to-date (RHEL 6
Hi Daniel,
I haven't tested it but maybe you can set USER_INSTALL_TYPE to "hybrid" in
the preloaded-vars.conf file. Find it here:
https://github.com/ossec/ossec-hids/blob/master/etc/preloaded-vars.conf.example
What OSSEC version are you trying to build? Also remember that OSSIM plugin
needs to
ome this issue? In my older version I saw this
>> error too
>> ossec-execd: INFO: Active response command not present:
>> '/var/ossec/active-response/bin/restart-ossec.cmd'. Not using it on this
>> system.
>>
>> This is my worry on the new machine using 2.8.1 the app might ge
Hi Regis,
yes, this version of the deb packages has not been compiled with mysql
support.
I am actually working on a new one right now, to include systemd support.
Will look to include mysql support too. Hopefully I can publish it today.
Best
On Sun, Nov 8, 2015 at 5:57 AM, Régis Houssin
Compiling packages, should be up in the repo in about an hour. Those will
be version 2.8.3-2.
Please don't hesitate to let me know if you still find issues.
Best
On Sun, Nov 8, 2015 at 7:50 AM, Santiago Bassett <santiago.bass...@gmail.com> wrote:
> Hi Regis,
>
> yes, this ver
Are you using scan_on_start option? Remember realtime won't work until
first syscheck is done.
I also recommend to use alert_new_files and set auto_ignore to "no" (this
goes on the manager).
Useful troubleshooting tip is to enable debug for syscheck on the agent
(internal_options.conf file)
Best
Hi Daniel,
not sure if that matters but is your local rule in the same , as rule 1002 is? You sure you restarted the manager right?
Best
On Thu, Nov 12, 2015 at 7:06 AM, Daniel Bray wrote:
> I'm running ossec-hids-server-2.8.2-49.el6.art.x86_64 (Atomic repo)
>
> I've
Just uploaded the new packages. The issues should be fixed now.
On Mon, Nov 9, 2015 at 5:04 PM, Santiago Bassett <santiago.bass...@gmail.com> wrote:
> Thank you Regis for the feedback. Really appreciate it.
>
> Will work on those issues and generate new packages as soon as I can
Thanks to you for the feedback!
On Fri, Nov 13, 2015 at 12:28 AM, Régis Houssin <regis.hous...@gmail.com>
wrote:
> Hi,
>
> it's ok !! :-)
> thank you very much
>
>
> On 13/11/2015 03:20, Santiago Bassett wrote:
>
> Just uploaded the new packages. The issue
R2 boxes, and both
> installations were successful.
>
> On Monday, November 9, 2015 at 6:51:41 PM UTC-8, Santiago Bassett wrote:
>>
>> Looks like the Windows agent file in ossec.net is corrupted. The file is
>> only 207K, and Sha256 checksum doesn't match.
>>
Looks like the Windows agent file in ossec.net is corrupted. The file is
only 207K, and Sha256 checksum doesn't match.
We have a pre-compiled Windows agent at http://ossec.wazuh.com/windows/
This one is 1.1MB and works fine for us.
I'll reach Vic so he can upload a new one to ossec.net
Best
ILE=`mktemp /var/ossec/ossec-hosts.XX`
>
>
>
> and replace :
>
> TMP_FILE = "/var/ossec/ossec-hosts.`cat /dev/urandom | tr -dc 'a-zA-Z0-9'
> | fold -w 32 | head -1 `"
>
> by
>
> TMP_FILE="/var/ossec/ossec-hosts.`cat /dev/urandom | tr -dc 'a-zA-Z
Are you running an agent or the manager? I don't think OSSEC would block
access to your mysql db.
On Mon, Nov 9, 2015 at 8:19 AM, frwa onto wrote:
> Hi,
> I have centos server. I have managed to install ossec 2.8.1. It mainly
> runs a socket programming app. For every
Afaik ossec-monitord rotates and compresses the logs (archives.log,
alerts.log, ossec.log) every day (exactly at midnight). There are some
monitord options at /var/ossec/etc/internal_options.conf
No option to delete those logs automatically though. A cron task would be
my way to go.
On Mon,
Hi James,
just released new Debian and Ubuntu packages version 2.8.2 with several
fixes. You can find them here:
http://ossec.wazuh.com/repos/apt/debian/pool/main/o/
http://ossec.wazuh.com/repos/apt/ubuntu/pool/main/o/
I've tested them several times myself, but if you find any issue or problem
FYI. Just released those, version 2.8.2 with several fixes.
You can find those here:
http://ossec.wazuh.com/repos/apt/debian/pool/main/o/
http://ossec.wazuh.com/repos/apt/ubuntu/pool/main/o/
Or install those following the instructions in OSSEC website:
http://www.ossec.net/?page_id=19
I've