On Tue, Nov 6, 2012 at 11:39 AM, Chris H chris.hemb...@gmail.com wrote:
On Tuesday, November 6, 2012 2:25:43 PM UTC, dan (ddpbsd) wrote:
On Tue, Nov 6, 2012 at 6:13 AM, Chris H chris@gmail.com wrote:
Hi,
I'm passing log files from Domain Controllers via the OSSEC agent, and
trying
On Wed, Nov 7, 2012 at 10:58 AM, w3ndtr w3n...@gmail.com wrote:
I have OSSEC 2.5 server up and running currently without any issues with
agent monitoring and will be upgrading to the newer version next year. Is
there a way to scan a NAS device with the agent or agentless monitoring?
The
On Thu, Nov 8, 2012 at 8:59 AM, Scott wa6...@gmail.com wrote:
Hello, I have just upgraded from 2.5.1 to 2.6 and I no longer get remote
syslog messages in the logs (all was working before the upgrade). I wanted
to get on the latest stable version and keep it up-to-date.
Funny time to be
On Thu, Nov 8, 2012 at 9:43 AM, Scott Nelson wa6...@gmail.com wrote:
On Nov 8, 2012, at 8:18 AM, dan (ddp) wrote:
Funny time to be upgrading...
Why? I like to keep my software up-to-date!
2.7 has entered release candidate stage.
<remote>
<connection>syslog</connection>
allowed
On Thu, Nov 8, 2012 at 3:39 PM, CTech chromatec...@gmail.com wrote:
I have ossec agents running on several machines, but only one of them
(agent 001) is set in the server's ossec.config to allow active response.
The active-response section in my server's ossec.config is pasted at the
bottom of
On Nov 8, 2012 3:50 PM, CTech chromatec...@gmail.com wrote:
Thanks for such a quick response. Do you know of any way to prevent this?
No
On Fri, Nov 9, 2012 at 12:41 AM, peng lin linpeng0...@gmail.com wrote:
In my ossec.conf, I write
<alert_new_files>yes</alert_new_files>
<directories check_all="yes" realtime="yes" report_changes="yes">/103</directories>
Is realtime available for your mystery platform? Are you sure it was
compiled in? Do
On Fri, Nov 9, 2012 at 9:07 AM, rezgui mohamed rezgui...@gmail.com wrote:
Dear support,
on my Debian machine I have a specific log file /var/log/speciflog.log, so my
question is: if I install an ossec-agent on my machine and I modify the config
file /var/ossec/etc/ossec.conf to add the log file
On Fri, Nov 9, 2012 at 9:29 AM, rezgui mohamed rezgui...@gmail.com wrote:
I have a question: if I add a new logfile
in /var/ossec/etsc/ossec.conf
<localfile>
<log_format>?</log_format>
<location>/var/log/myspecificlog.log</location>
</localfile>
my question is: which log format can I
On Fri, Nov 9, 2012 at 1:04 PM, mcrane0 mathew.cr...@gmail.com wrote:
Subject says it all. I'd like to know if it's possible to have Syscheck or
the File Integrity monitoring tools record what user made the change as part
of its alerting capabilities.
Thanks!
That's still not an option.
On Fri, Nov 9, 2012 at 1:45 PM, mcrane0 mathew.cr...@gmail.com wrote:
Can you elaborate on this? It is a UNIX environment, would this tell us
what user made changes to a file in conjunction with file integrity alerts?
No, I cannot. Consult your UNIX admin. You might also want to find out
On Fri, Nov 9, 2012 at 1:41 PM, rezgui mohamed rezgui...@gmail.com wrote:
Dear support,
how can I forward logs containing a name_application expression from
archives.log to /var/log/myapplication.log
Best regards
rsyslog? syslog-ng? This isn't really an OSSEC question.
On Mon, Nov 12, 2012 at 10:51 AM, Kat uncommon...@gmail.com wrote:
I see this topic come up a lot and I have dealt with the question from
auditors too. Unless you have full auditing enabled, the simple answer is
no.
Think about this -- a file is writable by the owner and a group - the group
On Tue, Nov 13, 2012 at 10:01 AM, brandall brand...@paywire.com wrote:
Hello,
I have started receiving a heavy volume of these messages lately.
klnagent is part of Kaspersky. Oddly enough, there is nothing in the
error logs for Kaspersky related to these instances. Thoughts?
Received
On Tue, Nov 13, 2012 at 2:33 PM, Jose Sento Se jhsec...@gmail.com wrote:
Hi, I was trying to install Ossec 2.7rc1 and I got the following message:
5- Instalando o sistema
- Executando o Makefile
./install.sh: line 88: make: command not found
How can i solve this problem?
Thanks!
On Wed, Nov 14, 2012 at 9:49 AM, Michiel van Es vanesmich...@gmail.com wrote:
Hello,
I am trying to set up a local_decoder.xml entry to decode our Clavister log
entries.
The clavister logfiles show only outgoing dropped traffic, for example:
Nov 14 12:19:53 10.170.80.3 [2012-11-14 12:20:08]
On Mon, Nov 19, 2012 at 4:39 AM, Michiel van Es vanesmich...@gmail.com wrote:
Hello
2012/11/15 Jb Cheng jjoob...@gmail.com
The OSSEC allowed fields are listed at the beginning of the file
etc/decoder.xml. In your case, 'dstport' is correct.
For the extra fields in the raw log which you
present when
OSSEC starts. If a new file gets created, it won't be picked up
automatically,
2012/11/20 Michiel van Es vanesmich...@gmail.com
2012/11/19 dan (ddp) ddp...@gmail.com
snip
The decoder is clavister, not clavister-alert.
Before changing the decoder name:
**Phase 1: Completed
On Tue, Nov 20, 2012 at 8:46 AM, Scott Nelson wa6...@gmail.com wrote:
On Nov 19, 2012, at 4:58 PM, Michael Starks wrote:
On 16.11.2012 11:44, Scott wrote:
However, I am not receiving all of the remote log entries. In fact, I
only see a very small amount of the entries.
Are you sure you're
On Tue, Nov 20, 2012 at 9:51 AM, stones2125 m...@mrshenk.com wrote:
I am new to OSSEC and have been trying to figure out how to do the
following...if possible.
- When a file changes on a Windows server, how do I see the username of the
person who changed it?
You can't.
- How do I see the
On Tue, Nov 20, 2012 at 10:07 AM, bujanga buja...@gmail.com wrote:
I am running a legacy FreeBSD 7.4 system and had some minor issues
installing OSSEC as an agent.
1. It says I must be user root to install.
I su to the user toor and save my root for console work only. Since I
am remote, this
On Tue, Nov 20, 2012 at 9:59 AM, stones2125 m...@mrshenk.com wrote:
So how is OSSEC PCI compliant, since the requirement is to identify the user
who made a change?
I didn't think products/projects were PCI compliant, I thought your
processes and systems would have to be PCI compliant.
You can
why it works on other, non-linux, platforms. Also not sure
why strnlen is used explicitly if string.h isn't included
explicitly...
-
On Tue, Nov 20, 2012 at 9:18 AM, dan (ddp) ddp...@gmail.com wrote:
On Tue, Nov 20, 2012 at 10:07
On Tue, Nov 20, 2012 at 1:30 PM, Eero Volotinen eero.voloti...@iki.fi wrote:
2012/11/20 bujanga buja...@gmail.com:
Yes, 1 is a local admin issue.
Here is more on 2 from a different server running FreeBSD
7.3-RELEASE-p1. I am willing to do more here if you want, just let me
know.
On Wed, Nov 21, 2012 at 2:44 PM, Scott wa6...@gmail.com wrote:
Hello,
I would like to have my logs from a distant subnet forwarded to a central
ossec server. Some of these logs are UDP 514 syslog format from
appliances.
So, I was thinking that I change my current ossec server that is on
On Wed, Nov 21, 2012 at 3:03 PM, Scott Nelson wa6...@gmail.com wrote:
On Nov 21, 2012, at 1:50 PM, dan (ddp) wrote:
On Wed, Nov 21, 2012 at 2:44 PM, Scott wa6...@gmail.com wrote:
Hello,
I would like to have my logs from a distant subnet forwarded to a central
ossec server. Some
No, I think Ubuntu uses a broken shell. Try running it with bash instead of
dash.
On Nov 22, 2012 2:15 PM, morgan cox morganco...@gmail.com wrote:
Just tried to install ossec 2.7.
Server install seems fine. However, the 2.7 agent setup on Ubuntu 10.04
doesn't install correctly.
I have tested
On Wed, Nov 21, 2012 at 3:47 PM, Scott Nelson wa6...@gmail.com wrote:
On Nov 21, 2012, at 2:23 PM, dan (ddp) wrote:
Hmm. Okay, please have patience with me, so if I then forget about hybrid
mode, then how do I forward logs safely and securely over the internet to
my central ossec server
On Tue, Nov 20, 2012 at 5:38 PM, Scott wa6...@gmail.com wrote:
I should mention this is OSSEC 2.7
On Tuesday, November 20, 2012 4:35:31 PM UTC-6, Scott wrote:
Hi everyone,
Sorry to be on the list so much, but I've hit another block in my
understanding of ossec.
What am I doing wrong
On Thu, Nov 22, 2012 at 11:30 AM, Nick Davies n...@badhedgehog.co.uk wrote:
AND...
I've downloaded and installed 2.7 but am getting the same results. Looking
at read_win_el.c (line 57 this time) it looks to still be using OpenEventLog
rather than EvtOpenLo.
Is my diagnosis of the problem
On Tue, Nov 20, 2012 at 9:28 PM, peng lin linpeng0...@gmail.com wrote:
Hi, I upgraded to ossec 2.7 final. In both 2.7 final and 2.7 beta2, I used mysql
to store messages; everything seems ok, mysql has data, but
sometimes I saw this error:
2012/11/21 10:03:38 ossec-dbd(5203): ERROR: Error
On Tue, Nov 20, 2012 at 11:04 AM, Scott Nelson wa6...@gmail.com wrote:
On Nov 20, 2012, at 9:27 AM, dan (ddpbsd) wrote:
Ok, this has totally confused me. Maybe you should provide your
configurations. I don't know whether you're using syslog or the OSSEC secure
method of transport.
Sorry
On Tue, Nov 20, 2012 at 11:08 AM, Francisco Jelves
francisco.jel...@gmail.com wrote:
After running OSSEC server upgrade 2.6 to 2.7 final release, the
/var/ossec/logs/alerts/alerts.log is zero bytes.
The following command displays all disconnected agents: if Never connected.
. /
On Fri, Nov 23, 2012 at 11:47 AM, Johnny js69...@gmail.com wrote:
Is there any documentation/guidance on how the -f flag can be used to
generate bulk keys? I've attempted to format the input file as a csv with
id, name, and ip without luck.
I've been unable to find the original submission for
On Fri, Nov 23, 2012 at 12:03 PM, dan (ddp) ddp...@gmail.com wrote:
On Fri, Nov 23, 2012 at 11:47 AM, Johnny js69...@gmail.com wrote:
Is there any documentation/guidance on how the -f flag can be used to
generate bulk keys? I've attempted to format the input file as a csv with
id, name, and ip
On Fri, Nov 23, 2012 at 1:58 PM, JPZ jp.zurbr...@gmail.com wrote:
I apologize beforehand if I double posted; I sent an email to ossec-list 48
hours ago but didn't see any activity or it being posted here on the google
group, so I deduced something went wrong.
I am attempting to use the
On Fri, Nov 23, 2012 at 2:37 PM, Sue susan.hes...@gmail.com wrote:
Hi,
I have been working on configuring OSSEC to monitor some Ubuntu virtual
boxes hosting web servers. The manager server is a smallish vbox originally
created to host Nagios and MRTG.
Today as I was trying to edit the
On Nov 24, 2012 5:07 AM, Régis Houssin regis.hous...@gmail.com wrote:
Hi,
same problem with debian squeeze
your fix is ok :-)
Debian uses a busted shell as well.
Le vendredi 23 novembre 2012 04:54:19 UTC+1, Michael Starks a écrit :
On 11/22/2012 12:49 PM, morgan cox wrote:
just tried
On Sun, Nov 25, 2012 at 7:29 PM, Kristy Truong asiannbarb...@gmail.com wrote:
how do you use this?
Add the decoders to /var/ossec/etc/local_decoder.xml, rules to
/var/ossec/rules/local_rules.xml, and restart the OSSEC processes.
On Wednesday, November 14, 2012 8:49:10 AM UTC-6, Michiel van
On Mon, Nov 26, 2012 at 5:39 AM, rezgui mohamed rezgui...@gmail.com wrote:
Dear support,
if I run /var/ossec/bin/agent_control -R 22,
does this line run the agent on the distant machine or locally?
Best regards
You run that command on the OSSEC server.
On Mon, Nov 26, 2012 at 9:14 AM, rezgui mohamed rezgui...@gmail.com wrote:
I know, this command is to restart the agent on the remote machine?
Best regards
agent_control
OSSEC HIDS agent_control: Control remote agents.
-R id Restarts agent.
On Mon, Nov 26, 2012 at 9:21 AM, rezgui mohamed rezgui...@gmail.com wrote:
so in the background the ossec server connects through ssh to the remote machine
and then starts the agent
No. Why would it use SSH? The server and the agent already
communicate. The OSSEC server will trigger a restart of the
On Mon, Nov 26, 2012 at 12:48 PM, Sue susan.hes...@gmail.com wrote:
Thanks for your consideration. Without the report_changes option can I still
get an alert if there is a diff in a file? Using a rule perhaps? If so, how
do I go about seeing what the change was?
You will still get alerts that
Put the file in the ossec dir somewhere, and reference it by that chroot
point. For instance, put it in /var/ossec and run
/var/ossec/bin/manage_agents -f /FILE
The documentation has been updated to reflect this, but hasn't been pushed
live yet.
On Nov 26, 2012 11:15 PM, peng lin
On Tue, Nov 27, 2012 at 2:42 AM, Shaun saravana...@gmail.com wrote:
Hi All ,
I'm trying my hand at writing ossec rules
I created a custom rule to capture failed login attempts on a Linux machine in
/var/ossec/rules/local_rules.xml
<group name="syslog,sshd,">
<rule id="100123" level="10" frequency="3"
On Tue, Nov 27, 2012 at 6:57 AM, rezgui mohamed rezgui...@gmail.com wrote:
Dear support,
do you have a tutorial to automate the install of the agent on all my
machines through puppet?
Best regards
We do not have a tutorial, but I can't imagine it would be too hard.
Use a binary package. Use
On Tue, Nov 27, 2012 at 7:02 AM, Michiel van Es vanesmich...@gmail.com wrote:
Hi,
We want to check for hardening and one of our Windows hardening rules is to
rename the Administrator account and create a decoy Administrator account,
not part of any group and disabled.
One of the things we
On Tue, Nov 27, 2012 at 4:41 AM, rezgui mohamed rezgui...@gmail.com wrote:
Dear support,
if I paste the key on the ossec agent, in which file does the agent write this
key?
Where can I find the key after pasting?
Best regards
You get the key from the manage_agents program on the server, and
paste it
On Tue, Nov 27, 2012 at 11:14 AM, Scott wa6...@gmail.com wrote:
On Friday, November 23, 2012 7:20:44 AM UTC-6, dan (ddpbsd) wrote:
etc/local_decoder.xml:
<decoder name="zabbix">
<prematch>^Zabbix Server[\d+]: </prematch>
</decoder>
<decoder name="zabbix-check-failed">
<parent>zabbix</parent>
On Tue, Nov 27, 2012 at 7:29 PM, funwithossec h...@donobi.net wrote:
All,
Apologies if this has been covered, but I sure couldn't find it :-)
In my lab I have a central ossec 2.6 server on Ubuntu and one client on
Centos, set them up with active response and followed procedure here:
On Wed, Nov 28, 2012 at 6:11 AM, Yesodha yeso...@easylinkindia.com wrote:
Hi,
Can anyone respond to this ticket? I am still facing this issue.
Regards,
Yesodha Prabhu
This isn't a ticket, and the response was to tune syscheck.
On Wednesday, October 10, 2012 2:23:23 PM UTC+5:30, Yesodha
On Wed, Nov 28, 2012 at 9:00 AM, Mike Disley
mike.a.dis...@tpsgc-pwgsc.gc.ca wrote:
Greetings,
Under Supported Systems, Operating systems, on the OSSEC site there is a
reference to VMWare ESX 3.0,3.5 (including CIS checks).
Is there a list online of those CIS checks for VMWare that OSSEC
-list@googlegroups.com [mailto:ossec-list@googlegroups.com] On
Behalf Of dan (ddp)
Sent: Wednesday, November 28, 2012 9:14 AM
To: ossec-list@googlegroups.com
Subject: Re: [ossec-list] VMWare ESX - CIS Checks
On Wed, Nov 28, 2012 at 9:00 AM, Mike Disley
mike.a.dis...@tpsgc-pwgsc.gc.ca wrote
On Wed, Nov 28, 2012 at 10:01 AM, mcrane0 mathew.cr...@gmail.com wrote:
ossec.conf on server, relevant portion:
<directories report_changes="yes" check_all="yes">/etc,/var/ossec/etc</directories>
<directories check_all="yes">/usr/bin,/usr/sbin</directories>
<directories
On Fri, Nov 30, 2012 at 3:00 AM, rezgui mohamed rezgui...@gmail.com wrote:
but this is only to generate the key on the server; I need to copy this key to
the agent remotely
Best regards
Why not use ossec-authd?
grep "$IP_ADDRESS" /var/ossec/etc/client.keys > /tmp/"$IP_ADDRESS"
scp /tmp/"$IP_ADDRESS"
On Fri, Nov 30, 2012 at 2:00 PM, Mike Hubbard
mikehubb...@highermindset.com wrote:
Hello - Is there a way to have syscheck NOT perform pre-scan upon startup if
it had already created its database in a previous run? Ideally, I think I
would like it to do a comparison to the existing database -
On Mon, Dec 3, 2012 at 2:13 PM, Daniel Requena requ...@gmail.com wrote:
Hi,
I'm trying to customize the behavior of the rule 35051
(squid_rules.xml) in order to not have it fired if someone tries to access
facebook website.
This rule keeps annoying me, because Facebook like button
On Mon, Dec 3, 2012 at 9:37 PM, peng lin linpeng0...@gmail.com wrote:
How to install with hybrid mode?
Is it used like this, to deploy in layers?
server
|
|
--- hybridhybrid
On Tue, Dec 4, 2012 at 1:08 AM, peng lin linpeng0...@gmail.com wrote:
Can't restart the Windows agent from the server?
I think restarting all Linux clients from the server is ok, but I can't restart
it on Windows. (I can't see any restart information in Windows /ossec/logs.)
What happened?
Is active
On Mon, Dec 3, 2012 at 2:00 PM, Mike Hubbard
mikehubb...@highermindset.com wrote:
Yes, I experimented with that and found that you could either initialize the
database right off the bat, or wait the frequency duration before
initializing it, but not a "don't initialize it".
So, modify the
On Tue, Dec 4, 2012 at 10:46 AM, Jeroen D virtu...@gmail.com wrote:
I was working all day with regular expressions to get a new child decoder of
bro-ids working. Nothing seemed to work so I tried one of the tried and
tested decoders to check if the children are processed at all.
It turns out,
On Tue, Dec 4, 2012 at 9:31 PM, peng lin linpeng0...@gmail.com wrote:
On Tuesday, December 4, 2012 9:48:07 PM UTC+8, dan (ddpbsd) wrote:
On Mon, Dec 3, 2012 at 9:37 PM, peng lin linpe...@gmail.com wrote:
How to install with hybrid mode?
Is it used like this, to deploy in layers?
On Wed, Dec 5, 2012 at 2:41 AM, peng lin linpeng0...@gmail.com wrote:
12/12/05 14:49:04 ossec-syscheckd: INFO: Monitoring directory: '/sbin'.
2012/12/05 14:49:06 ossec-logcollector(1950): INFO: Analyzing file:
'/var/log/messages'.
2012/12/05 14:49:06 ossec-logcollector(1950): INFO: Analyzing
On Wed, Dec 5, 2012 at 12:28 AM, peng lin linpeng0...@gmail.com wrote:
hybrid can create a key for the agent.
How does the server create a key for the hybrid?
And how will the hybrid import the key?
This all works the same way it does for servers and agents.
For the hybrid-server installation (/var/ossec), use
On Tue, Dec 4, 2012 at 9:35 PM, peng lin linpeng0...@gmail.com wrote:
Oh? In Linux, I needn't enable active response.
In Windows I must enable it, so that the server can restart the Windows
agent?
AR should be enabled on all agents for the remote restart feature to work.
On Tuesday, December 4,
On Dec 5, 2012 8:07 AM, jack.23783 jack.23...@gmail.com wrote:
Come on...What should I do?
Provide the errors so we can troubleshoot for you.
On Wed, Dec 5, 2012 at 8:52 PM, dan (ddp) ddp...@gmail.com wrote:
On Dec 5, 2012 7:50 AM, jack.23783 jack.23...@gmail.com wrote:
Hi all,
I'm
On Wed, Dec 5, 2012 at 5:27 AM, peng lin linpeng0...@gmail.com wrote:
1. Can't restart the Windows agent from the server
AR should be enabled on all agents for the remote restart feature to work
What is AR? Is that a file in /var/ossec/etc/shard/ar? How is it used,
and how is it enabled? I have not noted
On Dec 5, 2012 6:27 PM, Scott wa6...@gmail.com wrote:
Am I doing something wrong? Most of my ossec alerts have the server's
hostname instead of the sending system's hostname.
If I call my server ossec and other servers host1, host2, etc, send
syslog UDP messages to abc, then I may get these
On Wed, Dec 5, 2012 at 9:39 PM, peng lin linpeng0...@gmail.com wrote:
I see ossec has a report function.
If I want to use this function, should I configure it in every agent's conf
file, or only in the server's (or hybrid's) conf file?
E.g. I hope to see an alert report and a file change report.
How should
On Mon, Dec 3, 2012 at 11:18 AM, t_shawn tsh...@gmail.com wrote:
Hi, I'd like to learn to take advantage of the reporting from OSSEC. I have
tried one, but only get an e-mail with a subject, nothing in the body.
<reports>
<rule>18152</rule>
<user type="relation">srcip</user>
<title>Daily report: Failed
(|) should work, regex doesn't help.
<rule id="100102" level="0">
<if_sid>35005</if_sid>
<match>facebook.com|facebook.com:443|static.facebook.com|...etc...</match>
<description>ignore facebook</description>
</rule>
Regards.
2012/12/4 dan (ddp) ddp...@gmail.com
On Tue, Dec 4, 2012 at 7:30 AM
On Thu, Dec 6, 2012 at 9:56 AM, Scott wa6...@gmail.com wrote:
The messages at 23:04 and 23:05 were NOT from my ossec server, even though
the log uses the name of my ossec server in the archive.
Of these three messages, the first was from host1, the second from host2 and
the third from host3.
On Thu, Dec 6, 2012 at 9:48 PM, peng lin linpeng0...@gmail.com wrote:
https://groups.google.com/forum/?fromgroups#!topic/ossec-list/yQpi0f7tPMY
conf file in that link
I have made it work by running ./ossec-remote. Now it works well, but I only
wonder why it does not auto-run this directive. When I
On Fri, Dec 7, 2012 at 12:22 PM, Brenden Walker bren...@unruleable.org wrote:
I'm trying to monitor a few websites for changes, I followed some examples
online other than needing to change http:\\ to http/\\ in the match (that's
how it appears in archives.log):
Added to ossec.conf
On Fri, Dec 7, 2012 at 12:47 PM, Brenden Walker bren...@unruleable.org wrote:
On Fri, 7 Dec 2012 12:31:24 -0500 dan (ddp) ddp...@gmail.com wrote:
On Fri, Dec 7, 2012 at 12:22 PM, Brenden Walker
bren...@unruleable.org wrote:
I'm trying to monitor a few websites for changes, I followed some
On Dec 9, 2012 7:34 AM, Guilmxm guilhem.march...@gmail.com wrote:
Hi,
My SSH server has been under attack for a few days; ossec detects it but
does not initiate an active response that blocks the remote host.
However, any other types of attack result in ossec active responses,
On Sun, Dec 9, 2012 at 11:10 AM, Guilmxm guilhem.march...@gmail.com wrote:
Ok, the error in log :
2012/12/09 12:47:44 ossec-execd(1311): ERROR: Invalid command name
'firewall-drop14400' provided.
It came from the fact that I wanted to increase the default 600 seconds banish
time to 14400 (4 hours),
On Tue, Dec 11, 2012 at 1:12 AM, Phil Daws ux...@splatnix.net wrote:
Hello:
I am attempting to write a local decoder for Asterisk and cannot get the syntax
correct. The log line appears as:
[Dec 10 19:47:47] NOTICE[23927][C-0013] chan_sip.c: Call from ''
(NNN.NNN.NNN.NNN:9202) to
On Mon, Dec 10, 2012 at 12:53 PM, Scott wa6...@gmail.com wrote:
I'm having trouble making a rule to eliminate this false positive, rule 1002
is kicking in:
sendmail[24167]: qBAHj1gY023631: to=fatal-err...@example.com,
delay=00:00:06, xdelay=00:00:05, mailer=esmtp, pri=120705,
On Mon, Dec 10, 2012 at 10:12 AM, orfan a.ula...@gmail.com wrote:
I have ossec-hids-server-2.6_2.
<rule id="509" level="0">
<category>ossec</category>
<decoded_as>rootcheck</decoded_as>
<description>Rootcheck event.</description>
<group>rootcheck,</group>
</rule>
Decoded as rootcheck, but i
On Tue, Dec 11, 2012 at 6:20 AM, Roman K mf.f...@gmail.com wrote:
Hi all. After upgrading ossec to the 2.7 release I am trying to check auditd logs.
server side ossec.conf changes:
<localfile>
<log_format>auditd</log_format>
<location>/var/log/audit/audit.log</location>
</localfile>
# service
On Tue, Dec 11, 2012 at 5:03 PM, Scott Nelson wa6...@gmail.com wrote:
On Dec 11, 2012, at 3:55 PM, dan (ddp) wrote:
On Mon, Dec 10, 2012 at 12:53 PM, Scott wa6...@gmail.com wrote:
I'm having trouble making a rule to eliminate this false positive, rule 1002
is kicking in:
sendmail[24167
On Dec 12, 2012 2:36 AM, C. L. Martinez carlopm...@gmail.com wrote:
On Tue, Dec 11, 2012 at 6:47 AM, C. L. Martinez carlopm...@gmail.com
wrote:
On Mon, Dec 10, 2012 at 9:46 PM, Brenden Walker bren...@unruleable.org
wrote:
On Mon, 10 Dec 2012 13:15:50 -0800 (PST) Guilmxm
On Dec 12, 2012 2:58 AM, Vaclav Adamec vaclav.ada...@suchy-zleb.cz
wrote:
Hello,
is there any chance to configure OSSEC to make every log append-only?
E.g. automatically set up chattr -a for active logs and chattr -i for archives?
Because then, if I remove CAP_LINUX_IMMUTABLE rights for root
On Dec 12, 2012 5:49 AM, Sendil sendil.e...@gmail.com wrote:
Has anybody tried using the multi-line command in ossec? If yes,
please let me know the syntax used. I have followed the Wiki but could not
get the result; instead the ossec-hids failed to start. I am using ossec
version 2.6. My
On Dec 12, 2012 5:48 AM, C. L. Martinez carlopm...@gmail.com wrote:
On Wed, Dec 12, 2012 at 7:38 AM, dan (ddp) ddp...@gmail.com wrote:
On Dec 12, 2012 2:36 AM, C. L. Martinez carlopm...@gmail.com wrote:
On Tue, Dec 11, 2012 at 6:47 AM, C. L. Martinez carlopm...@gmail.com
wrote
have to be exactly 50
lines.
In case you have any other reference links, please guide me.
Thank you.
On Wed, Dec 12, 2012 at 4:27 PM, dan (ddp) ddp...@gmail.com wrote:
On Dec 12, 2012 5:49 AM, Sendil sendil.e...@gmail.com wrote:
Has Anybody has tried using the multi line command
On Wed, Dec 12, 2012 at 6:13 AM, C. L. Martinez carlopm...@gmail.com wrote:
On Wed, Dec 12, 2012 at 11:01 AM, dan (ddp) ddp...@gmail.com wrote:
So I don't have to dig through the whining to find out:
Did you check permissions? Perhaps of ar.conf?
Yes. In ossec server:
[root] ls -al
total
On Wed, Dec 12, 2012 at 10:07 AM, orfan a.ula...@gmail.com wrote:
Ossec doesn't send messages about system audit events. But I can see the
events when I run 'rootcheck_control -i XXX'. And there are no records about
those events in the alert.log file. It worked before; I received the email about
system
On Wed, Dec 12, 2012 at 1:56 PM, Leonardo Pezente lmpeze...@gmail.com wrote:
I'm a noob in ossec, but I think it was a good idea to have it on my NIDS
machine.
It is already running, and now I want it to send an e-mail about possible
problems that it and my NIDS (Snort) detect, but I don't have any idea
On Thu, Dec 13, 2012 at 2:39 PM, Seb James seb...@gmail.com wrote:
Hi all,
I am currently attempting to set up a custom decoder with an install of OSSEC
on a Debian system.
My log is
2012-12-07T18:09:20+00:00 DEBUG (7) : File Ref MAGO1335
with a decoder of
<decoder name="magento-alert">
On Dec 17, 2012 4:37 PM, Carrie Poole carrie.po...@andesaservices.com
wrote:
I’m getting segmentation faults across all of my agents when restarting.
Nothing is showing connected anymore.
/var/ossec/bin/ossec-control: line 138: 24910 Segmentation fault
${DIR}/bin/${i}
What's line 138 in
-agentd may have
crashed. But real troubleshooting can't really happen until the basics
are taken care of, namely finding out which daemon is crashing.
~ Carrie
From: ossec-list@googlegroups.com [mailto:ossec-list@googlegroups.com] On
Behalf Of dan (ddp)
Sent: Monday, December 17, 2012 4:41 PM
On Mon, Dec 17, 2012 at 3:49 PM, Dhinakaran G
dhinakara...@capillarytech.com wrote:
Hi all,
In web_rules.xml, a rule is triggering alerts that are stored in the log, but
they are not reaching our email notification. Any idea?
Here is the file:
<group name="web,accesslog,">
<rule
-list@googlegroups.com]
On Behalf Of dan (ddp)
Sent: Monday, December 17, 2012 10:06 PM
To: ossec-list@googlegroups.com
Subject: Re: [ossec-list] segmentation fault
On Mon, Dec 17, 2012 at 7:17 PM, Carrie Poole
carrie.po...@andesaservices.com wrote:
Line 138 in ossec.conf is the active response
Message-
From: ossec-list@googlegroups.com [mailto:ossec-list@googlegroups.com]
On Behalf Of dan (ddp)
Sent: Monday, December 17, 2012 10:42 PM
To: ossec-list@googlegroups.com
Subject: Re: [ossec-list] segmentation fault
On Mon, Dec 17, 2012 at 10:31 PM, Carrie Poole
carrie.po
On Dec 18, 2012 1:30 PM, Dhinakaran G dhinakara...@capillarytech.com
wrote:
After I finished all the stuff, I am getting this error.
root@capillary:/home/capillary/ossec-hids-2.7#
/var/ossec/bin/ossec-control start
Starting OSSEC HIDS v2.7 (by Trend Micro Inc.)...
2012/12/18 23:54:05
On Dec 18, 2012 3:09 PM, Dhinakaran G dhinakara...@capillarytech.com
wrote:
How to recompile ?
How did you compile it the first time?
cd src
make setdb
cd ..
./install.sh
There might be a change you have to make to a Makefile because ubuntu is
odd. It's in the list archives.
On Wednesday,
] On
Behalf Of dan (ddp)
Sent: Tuesday, December 18, 2012 1:35 PM
To: ossec-list@googlegroups.com
Subject: RE: [ossec-list] segmentation fault
On Dec 18, 2012 1:13 PM, Carrie Poole carrie.po...@andesaservices.com
wrote:
Turned out to be permissions on queue folder that caused
On Dec 18, 2012 3:09 PM, verrick trubl...@gmail.com wrote:
Does anyone have any idea about how to strip out IP addresses from
outgoing alerts, without going to a full blown email security system? There
doesn't seem to be any native options. We're on the verge of outsourcing
our email service and