ossec.log file as well..
Many Thanks!!
Kind regards,
D.J.
On Tue, May 7, 2013 at 1:40 PM, David Juarez djuar...@usfca.edu wrote:
np
Thanks for your help !!
Here is the ossec.conf file
On Tue, May 7, 2013 at 1:25 PM, dan (ddp) ddp...@gmail.com wrote:
On May 7, 2013 4:20
On Wed, May 8, 2013 at 9:36 AM, dan (ddp) ddp...@gmail.com wrote:
On Tue, May 7, 2013 at 6:22 PM, David Juarez djuar...@usfca.edu wrote:
Hi Dan,
I made a change to the ossec.conf file..
root@luke etc # head -5 ossec.conf
<ossec_config>
<client>
<server-ip>138.202.80.161</server-ip>
name is
used, rather than the parent. I haven't tried it out yet, but coming from
dcid I assume it works!
Try it and report back. It's been a million years since I've tried
that option, but I feel like it never did what I expected it to do.
On Apr 8, 2013, at 11:12 AM, dan (ddp) ddp
On May 15, 2013 7:30 AM, Kyle Vorster kvors...@serve.co.za wrote:
Hey there,
I'm having issues getting an agent connected to the server. I've followed
all the docs in resolving this issue but just can't get it to work. Error I
get:
2013/05/15 12:43:50 ossec-logcollector: INFO: Monitoring
On Tue, May 14, 2013 at 6:30 PM, OSSEC junkie ossec.jun...@gmail.com wrote:
Is there a way to ignore an alert from a particular user? We have an ESX
environment with a service account that is a bit buggy. It's sending
invalid login attempts by the thousands on a daily basis. Is it possible
?
Make sure your rule is inside of the group and /group tags.
On Wed, May 15, 2013 at 6:27 AM, dan (ddp) ddp...@gmail.com wrote:
On Tue, May 14, 2013 at 6:30 PM, OSSEC junkie ossec.jun...@gmail.com
wrote:
Is there a way to ignore an alert from a particular user? We have an
ESX
On Thu, May 16, 2013 at 2:42 PM, Ali man a.ali...@gmail.com wrote:
In my environment , I'm using OSSEC server running on ubuntu to send logs to
Qradar (siem), the server is currently monitoring events / logs from two
agents (1 windows , 1 linux machine).
Unknown to me, the ossec server has
On Wed, May 15, 2013 at 9:27 PM, netzerosp...@gmail.com wrote:
Hi guys,
I'm trying to install ossec with mysql support
But all the server_id field is having value 1
I'm confused how to do query with this
Can anyone help?
Are your alerts being inserted
On Thu, May 16, 2013 at 8:59 PM, frwa onto frwao...@gmail.com wrote:
I have visited this site http://www.ossec.net/?page_id=19 and it says to use
this method to install it:
# wget -q -O - https://www.atomicorp.com/installers/atomic | sh
# yum install ossec-hids ossec-hids-server (or ossec-hids-client
On Thu, May 16, 2013 at 8:34 PM, mntbighker mntbigh...@gmail.com wrote:
My rule in local_rules.xml on server:
<rule id="100074" level="0">
<program_name>pbs_mom</program_name>
<hostname>^compute-0-</hostname>
Does it work if you use the complete hostname?
<description>Node job queue
On Thu, May 16, 2013 at 4:48 PM, Ali man a.ali...@gmail.com wrote:
I'm not sure about the version; it was configured by someone else in my
team. I don't remember checking on ossec-csyslogd? tcpdump shows now 514
traffic generated though? Do I have to restart the service?
Find out if
On Fri, May 17, 2013 at 9:17 AM, frwa onto frwao...@gmail.com wrote:
Hi dan,
I followed this: # wget -q -O - https://www.atomicorp.com/installers/atomic
But I want just the local installation, so I ran only yum install ossec-hids.
Can you verify if this is correct? OR must I
On Fri, May 17, 2013 at 10:10 AM, Ali man a.ali...@gmail.com wrote:
The version I'm using is
Unix/Linux Version 2.7.1 Alpha-1. I have checked on csyslog service and
started it multiple times it doesn't seem to give any error.
Was the ossec-csyslogd process running when OSSEC stopped sending
On Fri, May 17, 2013 at 11:08 AM, Ali man a.ali...@gmail.com wrote:
For e.g Under the ossec.conf at agent side,
<directories check_all="yes">%WINDIR%/win.ini</directories>
For testing purposes I just edit the win.ini file and add content to it, but
the ossec server doesn't trigger any alert.
On Fri, May 17, 2013 at 1:59 PM, Ali man a.ali...@gmail.com wrote:
Thanks for the update. I have checked in the dir and you are right, all the
files are listed there. On my
local_rules
<rule id="554" level="7" overwrite="yes">
<category>ossec</category>
<decoded_as>syscheck_new_entry</decoded_as>
On Sun, May 19, 2013 at 5:22 PM, jjj092353 jjj092...@gmail.com wrote:
recently a server of mine was attacked using a sql injection hack and I
received no warning from ossec.
I have a new server installed now with ossec running again, but is there any
way to verify if the ossec client on this
On Mon, May 20, 2013 at 9:27 PM, Lance Raymond la...@fld3v.com wrote:
ok, well I am looking forward to learning more how OSSEC can help, so I have
skimmed the doc's and have a local install on my home server (installed as
local) and then for work, on my admin server I have it installed as a
On Mon, May 20, 2013 at 9:25 AM, Anatoliy pudelto...@gmail.com wrote:
Hello,
I have a problem with configuration ossec server with windows agent.
I have an ossec server with the standard predefined configuration. And in
(rules/50_msauth_rules.xml) I have the string:
<rule id="18153" level="10">
On Tue, May 21, 2013 at 2:59 AM, Shakeel Ahmed shakeel...@gmail.com wrote:
Hi guys,
I am running OSSEC on Windows XP. How can I add folders in the OSSEC config
file? I have an application and I want to add the application folder in the
OSSEC config for monitoring. Any help will be greatly
On Sun, May 19, 2013 at 2:03 PM, jjj092353 jjj092...@gmail.com wrote:
I have a webserver behind a Netscreen-5GT with an internal ip address -
let's say it's: 192.168.1.57
and it's mapped address to the outside world is 12.34.56.42
I assume that on my ossec server that I would supply the ip
On Tue, May 21, 2013 at 12:32 PM, Adam thenakeda...@gmail.com wrote:
Hello,
I am new to using OSSEC, and am evaluating it for File Integrity Monitoring
purposes. I have installed v2.7.0 after a few tweaks which I found on this
forum, and now I am wondering how I can use it to perform
On Mon, May 20, 2013 at 2:07 AM, Ali man a.ali...@gmail.com wrote:
From the ossec server to Q1radar (siem) it's sending the log as:
<132>May 17 13:32:08 ubuntu ossec: Alert Level: 5; Rule: 31101 - Web server 400 error code.; Location: (webserver) w.x.y.z->/usr/local/apache2/logs/access_log; srcip: a.b.c.d;
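The line above is the "default" layout that ossec-csyslogd forwards to a SIEM: a syslog PRI in angle brackets (132 = facility 16, local0, times 8 plus severity 4, warning), the manager's hostname, then semicolon-separated alert fields followed by the original log. What follows is an added example, not code from the post or from the OSSEC project, that parses that layout so alerts can be filtered or checked before they reach the SIEM. It assumes the field order shown in the message (the optional "srcip:" and "user:" fields are an assumption about lines the page does not show), and the sample lines are constructed for the example with RFC 5737 documentation addresses.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Constructed sample lines in the layout ossec-csyslogd emits (the layout shown
# in the message above). Hosts, paths and addresses are made up for this
# example; the third line is not an OSSEC alert and must be rejected.
SAMPLE_LINES = [
    '<132>May 17 13:32:08 ubuntu ossec: Alert Level: 5; Rule: 31101 - Web server 400 error code.; '
    'Location: (webserver) 192.0.2.10->/usr/local/apache2/logs/access_log; srcip: 198.51.100.7; '
    '198.51.100.7 - - [17/May/2013:13:32:07 +0000] "GET /wp-login.php HTTP/1.1" 404 209',
    '<132>May 17 13:40:01 ubuntu ossec: Alert Level: 7; Rule: 550 - Integrity checksum changed.; '
    "Location: (dbhost) 192.0.2.11->syscheck; Integrity checksum changed for: '/etc/passwd'",
    'May 17 13:41:00 ubuntu sshd[4242]: Accepted publickey for ops from 192.0.2.50 port 51022 ssh2',
]

# One anchored expression for the whole header. The "(agent)" prefix in the
# Location field is optional because alerts raised on the manager itself carry
# only "host->source". srcip/user are optional fields (assumed order).
_ALERT_RE = re.compile(
    r'^<(?P<pri>\d{1,3})>'
    r'(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) ossec: '
    r'Alert Level: (?P<level>\d+); Rule: (?P<rule>\d+) - (?P<desc>.*?); '
    r'Location: (?:\((?P<agent>[^)]*)\) )?(?P<location_host>[^;>]+?)->(?P<source>[^;]+);'
    r'(?: srcip: (?P<srcip>[^;]+);)?'
    r'(?: user: (?P<user>[^;]+);)?'
    r' ?(?P<log>.*)$'
)


@dataclass
class OssecAlert:
    pri: int
    timestamp: str
    manager: str          # hostname of the OSSEC server that sent the syslog line
    level: int            # OSSEC alert level (0-15)
    rule_id: int
    description: str
    agent: Optional[str]  # agent name, None for alerts raised on the manager
    location_host: str    # agent IP (or manager hostname) from the Location field
    source: str           # log file or subsystem, e.g. syscheck
    srcip: Optional[str]
    user: Optional[str]
    log: str              # the original log line the rule matched

    @property
    def facility(self) -> int:
        # syslog PRI = facility * 8 + severity (RFC 5424 section 6.2.1)
        return self.pri >> 3

    @property
    def severity(self) -> int:
        return self.pri & 7


def parse_ossec_syslog(line: str) -> Optional[OssecAlert]:
    """Return the parsed alert, or None if the line is not an OSSEC alert."""
    m = _ALERT_RE.match(line.rstrip('\n'))
    if m is None:
        return None
    return OssecAlert(
        pri=int(m['pri']),
        timestamp=m['ts'],
        manager=m['host'],
        level=int(m['level']),
        rule_id=int(m['rule']),
        description=m['desc'],
        agent=m['agent'],
        location_host=m['location_host'],
        source=m['source'],
        srcip=m['srcip'],
        user=m['user'],
        log=m['log'],
    )


def parse_alerts(lines: Iterable[str], min_level: int = 0) -> List[OssecAlert]:
    """Parse a stream of syslog lines, keeping OSSEC alerts at or above min_level."""
    alerts = []
    for line in lines:
        alert = parse_ossec_syslog(line)
        if alert is not None and alert.level >= min_level:
            alerts.append(alert)
    return alerts


if __name__ == '__main__':
    for a in parse_alerts(SAMPLE_LINES):
        print(f'level={a.level} rule={a.rule_id} agent={a.agent} srcip={a.srcip} src={a.source}')
```

Feeding the SIEM export through parse_alerts with a threshold is a quick way to confirm which alerts ossec-csyslogd is actually emitting; if a rule you expect never appears, check the `<level>` in the `<syslog_output>` block of ossec.conf before suspecting the network path.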
On May 21, 2013 4:02 PM, gatessux gates...@gmail.com wrote:
Hi Guys,
Does anyone know if the ossec agent can be bound to a specific interface?
It seems to always use the highest numbered IP, which in my case is an
external int.
I would like it to be able to use an internal interface because
On Fri, May 31, 2013 at 1:36 AM, Dave Edwards dave.j.edwa...@gmail.com wrote:
Hi,
We were running ossec in server mode in a DMZ and we've switched it to
hybrid mode but now ossec-remoted is not started by ossec-control anymore..
Any clues for us?
We are currently running it up separately
On Tue, May 28, 2013 at 6:32 PM, Jeff Jennings jjj092...@gmail.com wrote:
I have a number of spammers showing up on my forum trying to register all
the time - dozens every day - we block 99% of them but they must have a
scripts that throws a 500 server
I'd like to look for a partial string
On Thu, May 30, 2013 at 6:19 AM, Lukeh infosecl...@gmail.com wrote:
Hi List,
We have OSSEC setup internally using dynamic agent configuration
(http://www.ossec.net/doc/manual/agent/agent-dhcp-nat.html).
So agents are configured as follows:-
ID: 001, Name: Box1, IP: 192.168.0.0/24
ID: 002,
On Fri, May 31, 2013 at 3:36 AM, Lukeh infosecl...@gmail.com wrote:
Hi List,
We are trying to run the OSSEC 2.6 agent on a Solaris 10 box. However, each
time we try and start the agent the following error is shown (taken from
ossec.log):-
ossec-syscheckd(1211): ERROR: Unable to access
On Wed, May 29, 2013 at 9:03 AM, Robert Micallef robertm...@gmail.com wrote:
We have been using OSSEC for some time now and am very satisfied with it. I
was wondering if there was a way to make the server declare an agent
disconnected quicker. I ran some tests and it is about 28 minutes, Can I
On Wed, May 22, 2013 at 8:05 PM, Macus macu...@gmail.com wrote:
I have a cron job script to restart the ossec agent remotely. Somehow the
script triggered the agent_control to restart the remote agent, but the
agent did not restart.
I have checked the cron job log and confirm the
On Mon, May 27, 2013 at 12:16 PM, md...@strongsecurity.com.br wrote:
Hi
I extracted the ossec-wui-0.3 directory in /var/www
I created a user admin and everything was ok, but when I access
localhost/ossec-wui.0.3/index.php, all the pages I access show me the
message
Wui ossec 0.3 unable to access
On Sun, May 19, 2013 at 6:12 AM, frwa onto frwao...@gmail.com wrote:
Thank you dan. Once I installed Ossec is there any command to run to inspect
my current system for any possible intrusion signs?
On Friday, May 17, 2013 9:35:14 AM UTC+8, dan (ddpbsd) wrote:
On Thu, May 16, 2013 at 9:02 PM,
On Wed, May 22, 2013 at 6:25 AM, Adam thenakeda...@gmail.com wrote:
Hi, thanks for the quick response.
The only connection that I have really thought about for this problem is
SMB, although this unfortunately sends plain text login credentials.
I've not really played too much with OSSEC,
On Fri, May 31, 2013 at 10:59 AM, Lukeh infosecl...@gmail.com wrote:
Not too much else to go on unfortunately, here is the more detailed log
output on restart of OSSEC.
Is this from the ossec.log?
2013/05/09 10:17:22 ossec-execd(1350): INFO: Active response disabled.
Exiting.
2013/05/09
On Fri, May 31, 2013 at 10:50 AM, Lukeh infosecl...@gmail.com wrote:
Hi Dan,
Thanks for your reply.
Do you mean modify the ossec log file itself? Technically the dynamic agent
I'm sorry I didn't make that more clear, you would have to modify the
source code and recompile OSSEC.
could be
On Fri, May 31, 2013 at 3:09 PM, mntbighker mntbigh...@gmail.com wrote:
local_rules.xml
snippet:
<rule id="100073" level="0">
<program_name>kernel</program_name>
<hostname>^compute-0-</hostname>
<description>Node job crashes</description>
</rule>
What is your goal? Are you really trying to
On Tue, Jun 4, 2013 at 3:44 PM, mntbighker mntbigh...@gmail.com wrote:
Yes, I pretty much want to ignore ALL traffic from compute-0-* since there
are over 100 of them and they are internal cluster compute nodes. With over
100 nodes using the complete hostname is not a very useful debug
On Tue, Jun 4, 2013 at 4:18 PM, mntbighker mntbigh...@gmail.com wrote:
Yes, we have 3 clusters and I used the truncated host name (not fqdn) as the
name.
Are you proposing I try separate rules for each of the 3 cluster agents? I
still need compute-0- obviously, so what would be added for
On Wed, Jun 5, 2013 at 6:46 AM, Iacob Alexandru isalexan...@gmail.com wrote:
Hi,
I have just started with OSSEC.
I have decided to install it on multiple servers (all Linux instances).
Basically I have a SERVER and, so far, 9 agents.
All was OK with the installation, adding new agents, etc..
On Mon, Jun 3, 2013 at 4:46 AM, Robert Micallef robertm...@gmail.com wrote:
Hi dan,
I found a post where you have to modify the code and rebuild it, which I
have no problem with. The problem is that this is a live system. I was
wondering if I do in fact rebuild and reinstall ossec, will I
On Mon, Jun 3, 2013 at 4:32 AM, John Doe nounour...@gmail.com wrote:
Hi list,
We have OSSEC setup using a server/agent configuration.
We log different files like /var/log/syslog, auth.log, kern.log, messages,
user.log...
All these files are in the configuration file (../ossec/etc/ossec.conf
On Wed, Jun 5, 2013 at 1:33 AM, Shakeel Ahmed shakeel...@gmail.com wrote:
Hi,
Can I install OSSEC on windows XP computers without a UNIX / LINUX server.
No. OSSEC currently requires a server for Windows based systems to be monitored.
I have installed OSSEC on Windows XP computers in a
On Tue, Jun 4, 2013 at 11:17 PM, Oliveira Lima oliveiralim...@gmail.com wrote:
I have a problem.
how to change the port that sends email ossec?
You will have to modify the source. smtp is typically on port 25, so
there's isn't a way to configure a different port.
to /var/ossec/logs/alerts/alerts.log.
On Fri, May 31, 2013 at 11:36 PM, dan (ddp) ddp...@gmail.com wrote:
On Fri, May 31, 2013 at 11:29 AM, frwa onto frwao...@gmail.com wrote:
Dear Dan,
Sorry I am new into Ossec what command should I run once I
It should run by default.
have
On Tue, Jun 4, 2013 at 9:32 AM, Macaulay Dias Souza
md...@strongsecurity.com.br wrote:
I installed the agent on Windows and imported a key; it works. But when I reset
the computer, I always get the warning "unable to start ossec config", but I
did not edit anything, so I have to reinstall the agent to
On Wed, Jun 5, 2013 at 2:29 PM, mntbighker mntbigh...@gmail.com wrote:
Like this?:
<rule id="100073" level="0">
<program_name>kernel</program_name>
<hostname>banyan</hostname>
<description>Node job crashes</description>
</rule>
Which will filter all kernel messages from the head node.
On Wed, Jun 5, 2013 at 10:06 PM, Dave Edwards dave.j.edwa...@gmail.com wrote:
Whoops, sorry. Been busy over the last week. Just getting back to it now.
Nope, ossec-remoted is not in the list of daemons in ossec-control after the
install.
I noticed that and tried adding it manually but it
On Wed, Jun 5, 2013 at 3:36 PM, David Blanton
david.blanton...@gmail.com wrote:
Okay just a quick update:
I'm getting error 1403: ERROR: Incorrectly formated message from 'ipAddress'
Is this a WUI error or an ossec agent error? If it's an ossec agent
error, make sure:
The agent in question
On Thu, Jun 6, 2013 at 10:14 AM, Jeff Neely jefflne...@gmail.com wrote:
We have a Windows system making many sftp connections to a Linux system in a
short period of time. It is 3rd party software that I am being told can't
be changed to use key exchange. The result is this is perceived as an
On Thu, Jun 6, 2013 at 9:04 AM, Andrew Sarver astromod...@gmail.com wrote:
I'm having trouble getting the active response agent on windows to work. I
can manually trigger the win_nullroute command by using ./agent_control -b
2.3.4.5 -f win_nullroute600 -u 010 on the ossec server, and the route
On Thu, Jun 6, 2013 at 1:02 PM, Andrew Sarver astromod...@gmail.com wrote:
Dan,
It seems like only the default active response scripts are being recognized.
In the ossec.log on the agent system, I have these three lines from testing
earlier today:
2013/06/06 12:03:27 ossec-agent: INFO:
On Fri, Jun 7, 2013 at 9:40 AM, Nalin Gupta na...@aadhaarup.com wrote:
Hi,
We have OSSEC setup using a server/agent configuration, which is configured
to log files like /var/log/auth.log, /var/log/nginx/access.log etc. All these
files are in the configuration file (/var/ossec/etc/ossec.conf)
.
On Wed, Jun 5, 2013 at 9:44 PM, dan (ddp) ddp...@gmail.com wrote:
On Sat, Jun 1, 2013 at 12:04 AM, frwa onto frwao...@gmail.com wrote:
Dear Dan,
In case it reports any thing where is best place to look
is
it into its particular log files which have been designated ? Which
On Thu, Jun 6, 2013 at 2:08 PM, Andrew Sarver astromod...@gmail.com wrote:
The active-response.log on the agents only shows the responses I manually
executed, e.g.
06/06/2013 10:48 active-response/bin/route-null.cmd add - 2.3.4.5 (from_the_server) (no_rule_id)
Make sure the rules you are
On Mon, Jun 10, 2013 at 5:16 AM, Ubertino Da Casale
ubertinodacas...@gmail.com wrote:
Good morning,
OSSEC 2.7
Centos 6
Plesk 11
Trying to test active-response:
Rule created and working: 15, group spam, level 13
File /var/ossec/active-response/bin/test.sh duplicates restart-ossec.sh,
On Mon, Jun 10, 2013 at 3:58 AM, Jeroen Beerstra
jeroen.beers...@gmail.com wrote:
The problem is my e-mail gets flooded by certain syslog errors, so I wrote a
custom rule to ignore these errors:
<rule id="11" level="0">
<if_sid>1002</if_sid>
<match>MATCH</match>
<description>Ignore syslog
On Mon, Jun 10, 2013 at 10:29 AM, Mr Jibbles gog...@gmail.com wrote:
Hi,
I am trying to configure OSSEC to log the Windows EventID 10 (type
INFORMATION), which shows which user printed what.
I believe that all the information in the Windows System logs is being sent
to the OSSEC manager but I
On Mon, Jun 10, 2013 at 10:54 AM, Mr Jibbles gog...@gmail.com wrote:
Hi Dan,
Thanks for the quick response.
the following appeared in the archive.log after logging all:
2013 Jun 10 15:49:08 (PRINT) x.x.x.13-WinEvtLog WinEvtLog: System:
INFORMATION(10): Print: g: DOMAIN: PRINT: Document 21,
On Mon, Jun 10, 2013 at 12:18 PM, Adam thenakeda...@gmail.com wrote:
Can anyone please tell me how you disable the three changes and ignore rule
for the file integrity monitoring?
I found this thread from 2006:
On Thu, Jun 13, 2013 at 12:45 PM, Adam thenakeda...@gmail.com wrote:
Hello,
I was trying to reinstall OSSEC with database support (for PostgreSQL) on
Solaris 10.
After making ./src/setdb I ran the install script and got the following
error:
*** Making os_dbd ***
Compiling DB support
On Wed, Jun 12, 2013 at 8:17 PM, Dave Edwards dave.j.edwa...@gmail.com wrote:
Thanks
Mine looks like this after I added remoted.
DAEMONS="ossec-monitord ossec-logcollector ossec-syscheckd ossec-analysisd ossec-maild ossec-execd ossec-remoted ${DB_DAEMON} ${CSYSLOG_DAEMON} ${AGENTLESS_DAEMON}"
On Mon, Jun 17, 2013 at 10:12 AM, David Blanton
blanton.davi...@gmail.com wrote:
Hi all,
I've been running OSSEC in a test environment for a company I work for. I've
been trying to get
the SMS function to work and send e-mail alerts to my cellphone however it
is not working. Any
On Mon, Jun 17, 2013 at 10:58 AM, David Blanton
blanton.davi...@gmail.com wrote:
Yes I am getting mail to root@ossec-server.
Could you please give me directions to tcpdump on port 25? I am not familiar
with that.
As root (or use sudo):
tcpdump port 25
If it doesn't automatically select
On Mon, Jun 17, 2013 at 11:01 AM, David Blanton
blanton.davi...@gmail.com wrote:
Which mailserver logs would you be referring to?
/var/log/maillog on ossec-server most likely. You've identified that
as your mail server, so it should be forwarding the messages to the
att address.
On Mon, Jun 17, 2013 at 11:31 AM, David Blanton
david.blanton...@gmail.com wrote:
When I gedit /var/log/maillog
I am not seeing any mail from ossecm@ossec-server.
Just ossec-server sendmail: X: fromr...@ossec-server.ect. size-XXX
etc.
Do you think this would be because I have Cacti
On Mon, Jun 17, 2013 at 11:27 AM, David Blanton
david.blanton...@gmail.com wrote:
so I am in the directory /var/log/
I can see maillog, maillog.1, maillog.2 etc.
How do I open it?
They should be plain text files, so more.
On Mon, Jun 17, 2013 at 11:43 AM, dan (ddp) ddp...@gmail.com wrote:
On Mon, Jun 17, 2013 at 11:41 AM, David Blanton
david.blanton...@gmail.com wrote:
Sorry - I am relatively new to Linux/RHEL5.
I read the page on tcpdump command and cannot figure out what they mean by
interface. What would I
On Mon, Jun 17, 2013 at 11:37 AM, David Blanton
blanton.davi...@gmail.com wrote:
Jun 17 11:05:52 ossec-server sendmail[28416]: r5HF5qov028416: to=ossecm,
ctladdr=root (0/0), delay=00:00:00, xdelay=00:00:00, mailer=relay,
pri=30037, relay=[127.0.0.1] [127.0.0.1], dsn=2.0.0, stat=Sent
On Mon, Jun 17, 2013 at 11:59 AM, David Blanton
david.blanton...@gmail.com wrote:
Nothing returned.
I do restart the ossec by doing /var/bin/ossec-control restart many times.
Is there a way to change which port ossecm (mail sender) uses? How do I add
my intranet DNS resolver to ossec, i
On Mon, Jun 17, 2013 at 12:26 PM, David Blanton
david.blanton...@gmail.com wrote:
Just a quick update - within mail at the shell script (logged in as root)
I was able to send a text message to my cellphone via ##@txt.att.net
from the ossec-server.
So I believe the issue would not be
On Mon, Jun 17, 2013 at 12:56 PM, David Blanton
david.blanton...@gmail.com wrote:
Could the issue be that I am using an incorrect SMTP Server?
Daniel, should the SMTP Server tag be the same thing as my ossec-server? Or
should I list my internal DNS Server's IP Address?
I'm not Daniel, but I
On Mon, Jun 17, 2013 at 3:43 PM, David Blanton
david.blanton...@gmail.com wrote:
I've narrowed down a problem I've been having - SMTP Error in logs.
After running nslookup on my OSSEC-Server, I've discovered that my SMTP is
not using port 25, but 53.
Are you sure? udp 53 is typically what is
On Mon, Jun 17, 2013 at 1:47 PM, David Blanton
david.blanton...@gmail.com wrote:
maillog is now showing it!
ossec-server sendmail[2652: X: to=##@txt.att.net,
ctladdr=r...@ossec-server.ect.na.companyname.com (0,0), delay=00:00:06,
xdelay=00:00:06, mailer=esmtp, pri=120388,
On Tue, Jun 18, 2013 at 10:51 AM, bil h...@cs.unc.edu wrote:
Is there a place for people to share custom decoders/rules?
tia,
bil
Both here and the dev list are fine.
On Tue, Jun 18, 2013 at 3:45 PM, bil h...@cs.unc.edu wrote:
Ok, but that would make them kind of hard to find. I was thinking more along
the lines of a github space devoted to sharing rules and decoder. The nature
of the beast makes them hard to find by searching los internets.
bil
I believe
will test as best I can before implementing this on the live
system. Thanks a lot for your answers.
Robert
On Thursday, June 6, 2013 12:53:05 AM UTC+2, Michael Starks wrote:
On 05.06.2013 11:43, Michael Starks wrote:
On 05.06.2013 08:48, dan (ddp) wrote:
After modifying the code, run
On Tue, Jun 18, 2013 at 4:24 AM, jonaslis...@gmail.com wrote:
There are a number of articles (and even a section in the official ossec
documentation) on how to make ossec detect USB Storage connected to a
Windows system, but I've been unable to find a way to make it detect
connection of USB
On Wed, Jun 19, 2013 at 7:24 AM, Taher tahe...@gmail.com wrote:
If I am correct, the additional directories have to be added in
<directories>
<syscheck>
<!-- Frequency that syscheck is executed - default to every 22 hours -->
<frequency>79200</frequency>
<!-- Directories to check
On Mon, Jun 17, 2013 at 1:36 PM, Adam thenakeda...@gmail.com wrote:
Hi,
I tried to remove the -xstrconst and -mt. The MySQL libraries still wouldn't
compile as certain variables weren't defined.
I then removed mysql from PATH and recompiled with just postgres, and apart
from the mysql
On Wed, Jun 19, 2013 at 4:46 AM, ZaNN alosadagra...@gmail.com wrote:
Hi .*,
I am also interested in the same_url feature any news?
Nope.
2013/06/19 10:44:43 ossec-analysisd: Invalid option 'same_url' for rule
'15'.
2013/06/19 10:44:43 ossec-testrule(1220): ERROR: Error loading the
On Mon, Jun 17, 2013 at 4:57 PM, David Blanton
david.blanton...@gmail.com wrote:
It's working now... Finally.
So for anyone who ever stumbles upon this mess of a thread and has a similar
issue:
-Check to see if you even have SMTP sendmail services and it uses port 25
-For the smtp_server
On Wed, Jun 19, 2013 at 1:10 PM, George gioannou...@gmail.com wrote:
Noob alert!!
I need to make a match with the underlined string within the following log
entry (this is an MSSQL Audit event which captures a SELECT command upon a
specific table within a given database):
2013 Jun 18
On Jun 19, 2013 5:10 PM, David Blanton blanton.davi...@gmail.com wrote:
If I have a <directories check_all="yes">/usr/local/bin,/sbin</directories>
and <ignore>/opt/lampp</ignore> within my ossec.conf file (for example),
does that mean that my agents will
not abide by these rules? Are they only local
On Wed, Jun 19, 2013 at 5:25 PM, David Blanton
blanton.davi...@gmail.com wrote:
Dan,
So could I get an example of a template for agent.conf? For example,
currently I have about 50 agents deployed on Solaris and RHEL5 servers.
In my ossec.conf file I have:
directories
On Wed, Jun 19, 2013 at 7:32 PM, AndiC an...@andic.co.nz wrote:
OK, so more experimentation and play than real production – yet
But, it would really help if I can get OSSEC running under Windows 2008 R2
Virtualisation is not an option – since this is already a VM
Has anyone tried
On Thu, Jun 20, 2013 at 7:42 AM, Taher tahe...@gmail.com wrote:
I found this documentation :
http://www.ossec.net/doc/manual/agent/agent-configuration.html
It says: First Create the file /var/ossec/etc/shared/agent.conf. so that
answers my previous question and give rise to another one :) :
On Thu, Jun 20, 2013 at 7:33 AM, jonaslis...@gmail.com wrote:
On Wednesday, June 19, 2013 3:25:46 PM UTC+2, dan (ddpbsd) wrote:
On Tue, Jun 18, 2013 at 4:24 AM, jonas...@gmail.com wrote:
I tried creating this in local_rules.xml:
<rule id="100341" level="8">
<decoded_as>iptables</decoded_as>
On Thu, Jun 20, 2013 at 9:51 AM, David Blanton
blanton.davi...@gmail.com wrote:
Okay I'll give this a shot. Thanks Dan. I appreciate all the help.
So it seems the only reason someone would ever do this in agent.conf is if
they have different OS's to monitor and don't want to put false
On Thu, Jun 20, 2013 at 10:36 AM, David Blanton
blanton.davi...@gmail.com wrote:
Here is what my agent.conf file looks like:
<agent_conf>
<localfile>
<log_format>syslog</log_format>
<location>/var/log/messages</location>
</localfile>
<localfile>
<log_format>syslog</log_format>
On Thu, Jun 20, 2013 at 10:53 AM, David Blanton
blanton.davi...@gmail.com wrote:
The rootcheck files? Yes, they are. # pwd shows that all of them exist in
the /shared
I feel like I've seen those errors before, but I can't remember if
there was a solution. I was not able to recreate the errors
On Fri, Jun 21, 2013 at 4:15 AM, vanhien771354 vanhien771...@gmail.com wrote:
I'm using audit to detect USB in the file win_audit_rcl.txt:
[USB Storage Inserted] [any] []
r:HKLM\SYSTEM\CurrentControlSet\Services\USBSTOR\Enum -> Count -> !0;
I enabled the option logall. In the file
On Fri, Jun 21, 2013 at 2:58 AM, Taher tahe...@gmail.com wrote:
Hello David and dan,
I think I am facing the same issue as David.
So David, does this configuration in agent.conf on the OSSEC server, work? :
<agent_conf>
<syscheck>
<directories>
On Thu, Jun 20, 2013 at 11:41 AM, David Blanton
blanton.davi...@gmail.com wrote:
Could you remind me the command to check permissions/owner/group?
`ls -l`
Also I just noticed ossec.conf file; agent side. I noticed that the
agent.conf file's updates are not being applied here - is this
On Fri, Jun 21, 2013 at 2:01 AM, C. L. Martinez carlopm...@gmail.com wrote:
Hi all,
I have an ossec agent with two networks interfaces:
- eth0: a.a.a.a
- eth1: b.b.b.b
I need to route messages between agent and server via eth1 interface
and IP b.b.b.b, but hostname for this agent is
On Fri, Jun 21, 2013 at 2:40 AM, Taher tahe...@gmail.com wrote:
Right. So how do we manage 'checking directories with syscheck' centrally?
Add those configurations to the agent.conf.
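A `<directories>` or `<ignore>` entry in the server's own ossec.conf applies only to the server itself; the way to push syscheck (and localfile) settings to agents centrally, as asked in the two threads above, is the shared agent.conf that Dan points to. The file below is an added example and not a file from either post or from the OSSEC project: it is a complete /var/ossec/etc/shared/agent.conf that targets agents by operating system with the `os` attribute of `<agent_config>`. The directory lists and the Windows section are assumptions chosen for illustration; the `%WINDIR%/win.ini` entry reuses the path from a message earlier on this page.

```xml
<!-- /var/ossec/etc/shared/agent.conf on the OSSEC server (example file, assumed paths) -->

<!-- Applies to every agent whose uname reports Linux -->
<agent_config os="Linux">
  <syscheck>
    <frequency>79200</frequency>
    <directories check_all="yes">/etc,/usr/bin,/usr/sbin,/bin,/sbin</directories>
    <ignore>/etc/mtab</ignore>
    <ignore>/etc/hosts.deny</ignore>
  </syscheck>

  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/messages</location>
  </localfile>
</agent_config>

<!-- Applies to every Windows agent -->
<agent_config os="Windows">
  <syscheck>
    <frequency>79200</frequency>
    <directories check_all="yes">%WINDIR%/win.ini</directories>
    <directories check_all="yes">%WINDIR%/System32/drivers/etc</directories>
  </syscheck>
</agent_config>

<!-- Overrides for one named agent; the name is the one given to manage_agents (assumed here) -->
<agent_config name="webserver">
  <syscheck>
    <directories check_all="yes" realtime="yes">/usr/local/apache2/conf</directories>
  </syscheck>
</agent_config>
```

Two checks worth making after editing it: the file must be readable by the ossec user on the server (the agents receive it through ossec-remoted as part of the merged shared files), and agents only pick up the new contents after they are restarted, so a change that appears to have no effect is usually either a permission problem visible in the server's ossec.log or an agent that has not yet restarted.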
On Wednesday, 19 June 2013 15:18:29 UTC+5:30, Taher wrote:
Hello All,
I am newbie to OSSEC and we have
On Fri, Jun 21, 2013 at 9:02 AM, vanhien771354 vanhien771...@gmail.com wrote:
Because it matches rule 512. Try rewriting your rule to if_sid 512
instead of using your decoder and stuff.
I tried to put rule 512 in the local rules
Rule 512 exists already. You know that before it was triggered
On Fri, Jun 21, 2013 at 9:34 AM, vanhien771354 vanhien771...@gmail.com wrote:
Create a rule that uses:
<if_sid>512</if_sid>
<match>USB Storage Inserted</match>
And try again.
Thanks for your reply. I tried creating a rule:
<rule id="100010" level="7">
<if_sid>512</if_sid>
<match>USB Storage</match>
On Fri, Jun 21, 2013 at 9:35 AM, alireza sadeh seighalan
seighal...@gmail.com wrote:
Hi everyone,
I want to add agents to ossec-wui. How can I do that? I added a Windows
agent and ran agentless together, but none of them were added to
ossec-wui. Thanks in advance.
I don't think you do. They should
On Fri, Jun 21, 2013 at 11:35 AM, alireza sadeh seighalan
seighal...@gmail.com wrote:
Hi everyone,
I am a newbie in ossec. I enabled agentless according to these steps but I
think there is a problem with it, because it doesn't get added to ossec-wui.
It's been a long time since I've tried the wui, but
On Fri, Jun 21, 2013 at 1:06 PM, David Blanton
blanton.davi...@gmail.com wrote:
Here it is from the ossec.log:
2013/06/21 11:01:24 ossec-analysisd: INFO: Connected to '/queue/alerts/ar' (active-response queue)
2013/06/21 11:01:24 ossec-analysisd: INFO: Connected to '/queue/alerts/execq'
On Fri, Jun 21, 2013 at 12:23 PM, Michael Barrett
michael_barr...@mgic.com wrote:
Do I need to be concerned with these errors? I don't seem to see it on
other machines
RH Linux ossec ver 2.6
2013/06/21 10:43:46 ossec-agentd: ERROR: Unable to unmerge file
'/etc/shared/win_audit_rcl.txt'.