Hi list,
I've got a thorny problem that I'm hoping will turn out to be a simple
one. Our OSSEC Manager refuses to see the one agent currently
connected to it. It's been connected in the past, and the manager
remembers this - the agent shows as disconnected in agent_control
rather than never
Are you sure that isn't how one-way agents always show up? I have no
idea; I don't like that option. Was the manager updated recently
(maybe the one-way comms setting has to be set on the manager and
someone forgot to set it)?
You can try:
Turn off the firewall on the manager.
Run the manager's
What's your mail configuration in the manager's ossec.conf?
I wish ossec was compiled with -ggdb by default. It might make the gdb
information a bit easier to follow.
On Thu, Mar 22, 2012 at 1:47 PM, MDACC-Luckie luckief...@gmail.com wrote:
I increased the number of agents my installation was
There was no information with the segfault? Did you try running
ossec-dbd under gdb? What database are you using? Any errors in
ossec.log? Any errors in the DB's log?
On Fri, Mar 23, 2012 at 12:37 PM, Nico Bugash nicobug...@gmail.com wrote:
I have successfully installed the ossec server on
If an attacker has gotten privileged access to the system there should
be a log somewhere detailing this. Hopefully there's a rule for that
log message...
What do you mean by use a directory or file not monitored to carry
out the attack? You mean monitored by syscheckd? As soon as they
change
Our config is pretty standard with respect to the ossec.conf. The
only non-standard thing we have is that we are using port 9025 for
SMTP on the mail server we are using rather than 25. We have that
changed in the sendmail.c file that is used when everything is
compiled:
OSSEC.CONF
global
Plus the files/filesystem would have to be decrypted to use. A
privileged user would probably have access to that decrypted data.
On Thu, Mar 22, 2012 at 5:58 PM, Castle, Shane scas...@bouldercounty.org wrote:
If this happened then it's game over. Encrypting the files/filesystem will do
no
One-way agents normally show as Connected like regular agents,
actually. All the one-way flag does afaik is skip the section in the
agent startup where it waits for a response from the manager before
continuing to start; otherwise, they behave exactly like normal
agents.
Also, no, the manager
tcpdump will pick up packets even if they're blocked by the firewall.
Are the messages coming from the correct IP? Did the manager's IP change at all?
You could also try deleting the agent from the manager, creating a new
one, and installing that key on the agent.
On Tue, Mar 27, 2012 at 4:50 PM,
Not long by max length standards, 15 characters or so. Are there
any other of those types of things I could check, data corruption
somewhere that I might need to look for that isn't obvious to me? I
don't think it is with ossec-maild but something with the extra 60 or
so agent keys I
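The troubleshooting advice above (run tcpdump on the manager, check whether the packets come from the IP the agent is registered with, re-key the agent if not) can be turned into a quick cross-check of a `tcpdump -n udp port 1514` capture against the manager's client.keys. This is an added example, not code from the OSSEC list or the OSSEC project; it assumes the default agent port 1514/udp, the `tcpdump -n` one-line output format, and the `id name ip key` layout of client.keys. Both input files below are constructed sample data, and the key values are fake.

```sh
#!/bin/sh
# Added example: which registered OSSEC agents are actually sending
# UDP to the manager, and which senders match no registered agent
# (an agent whose IP changed, or a key that was never installed).

# Constructed sample client.keys (id name ip key); keys are fake.
SAMPLE_KEYS=$(mktemp)
cat >"$SAMPLE_KEYS" <<'EOF'
001 webserver 192.168.1.10 0123456789abcdef0123456789abcdef
002 dbserver 192.168.1.20 fedcba9876543210fedcba9876543210
EOF

# Constructed sample of `tcpdump -n udp port 1514` run on the manager
# (10.0.0.5). Line 2 is the manager's reply, not an agent packet.
SAMPLE_PCAP=$(mktemp)
cat >"$SAMPLE_PCAP" <<'EOF'
14:02:11.101010 IP 192.168.1.10.41238 > 10.0.0.5.1514: UDP, length 112
14:02:11.202020 IP 10.0.0.5.1514 > 192.168.1.10.41238: UDP, length 64
14:02:12.303030 IP 192.168.1.77.51002 > 10.0.0.5.1514: UDP, length 112
EOF

# Print each distinct source IP that sent UDP to the given port.
# Usage: udp_senders CAPTURE_FILE PORT
udp_senders() {
    awk -v port="$2" '
        $2 == "IP" && $6 == "UDP," {
            dst = $5; sub(/:$/, "", dst)          # "10.0.0.5.1514:" -> "10.0.0.5.1514"
            n = split(dst, d, ".")
            if (d[n] != port) next                # only traffic to the manager port
            src = $3; sub(/\.[0-9]+$/, "", src)   # drop the source port
            if (!(src in seen)) { seen[src] = 1; print src }
        }' "$1"
}

# For every agent in client.keys print "id name ip sending|silent",
# then one "unknown - ip sending" line per sender with no registered key.
# Usage: check_agent_sources KEYS_FILE CAPTURE_FILE PORT
check_agent_sources() {
    senders=$(udp_senders "$2" "$3")
    while read -r id name ip _; do
        case "$id" in ''|'#'*) continue ;; esac
        if printf '%s\n' "$senders" | grep -qxF "$ip"; then
            status=sending
        else
            status=silent
        fi
        printf '%s %s %s %s\n' "$id" "$name" "$ip" "$status"
    done <"$1"
    for s in $senders; do
        if ! awk -v ip="$s" '$3 == ip { found = 1 } END { exit !found }' "$1"; then
            printf 'unknown - %s sending\n' "$s"
        fi
    done
}

check_agent_sources "$SAMPLE_KEYS" "$SAMPLE_PCAP" 1514
```

On the sample data this reports webserver as sending, dbserver as silent, and 192.168.1.77 as an unregistered sender, which is the "wrong IP" case the reply describes: the packets reach the manager (tcpdump sees them whether or not the firewall drops them) but no key matches the source, so the agent will never show as connected until it is re-keyed or its registered IP is fixed. On a real manager replace the two sample files with /var/ossec/etc/client.keys and a saved tcpdump capture.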