[ossec-list] Re: Windows agent doesn't synchronize agent.conf

2017-07-03 Thread Jesus Linares
Hi, > ossec-agent(1226): ERROR: Error reading XML file 'shared/agent.conf': XMLERR: File 'shared/agent.conf' not found. (line 147). What is in line 147? More information about the agent.conf and the process to synchronize it:

[ossec-list] OSSEC rule match time and timeframe

2017-07-03 Thread Fredrik Hilmersson
Hello, Let's say I have a script which runs once every half an hour, with a latency difference of about 10-20 seconds. Would it be possible to match the following: 1. Time 2. Hostname 3. Username The reason I prefer more than a single match, i.e. only time, is to not by mistake miss an actual

[ossec-list] Rule fired but active-response didn't work

2017-07-03 Thread Tunguyen
My rule fired, I received alert emails too. But active-response doesn't work. Here is my active-response config in ossec.conf: <active-response> <command>firewall-drop</command> <location>all</location> <rules_id>100101</rules_id> <timeout>600</timeout> </active-response> Here is my email alert: Received From: ubuntu-server->/var/log/nginx/access.log Rule: 100101 fired (level 9) ->

[ossec-list] Re: Rule fired but active-response didn't work

2017-07-03 Thread Fredrik Hilmersson
Hey, I had a similar issue with the active response not working as intended. The way I solved it was to add the following to the ossec.conf: <client> <server-hostname>ossec-server</server-hostname> </client> <active-response> <repeated_offenders>30,60,120,240,480</repeated_offenders> <disabled>no</disabled> </active-response> Kind regards, Fredrik On Monday 3 July 2017 at 12:05:36 UTC+2, Tunguyen wrote: > > My rule

[ossec-list] Re: Rule fired but active-response didn't work

2017-07-03 Thread Fredrik Hilmersson
ossec.conf on the AGENT side, forgot to mention! On Monday 3 July 2017 at 12:14:30 UTC+2, Fredrik Hilmersson wrote: > > Hey, I had a similar issue with the active response not working as > intended. The way I solved it was to add the following to the ossec.conf > ossec-server >

[ossec-list] Re: I'm unclear why my rule is not matching...

2017-07-03 Thread Fredrik Hilmersson
What happens if you change using 192.168.1.255? On Monday 3 July 2017 at 14:29:48 UTC+2, Ian Brown wrote: > > I've got this event log in Windows: > > 2017 Jul 02 22:38:47 WinEvtLog: Security: AUDIT_FAILURE(5152): > Microsoft-Windows-Security-Auditing: (no user): no domain: leaf-1: The >

[ossec-list] Re: I'm unclear why my rule is not matching...

2017-07-03 Thread Ian Brown
No effect. I tried dstip too, but I don't think either of those tags contains data, due to the decoder used? <decoder name="windows"> <type>windows</type> <prematch>^\d\d\d\d \w\w\w \d\d \d\d:\d\d:\d\d WinEvtLog: |^WinEvtLog: </prematch> <regex>^\.+: (\w+)\((\d+)\): (\.+): (\.+): \.+: (\S+): </regex> <order>status, id, extra_data, user, system_name</order> <fts>name,

[ossec-list] Re: I'm unclear why my rule is not matching...

2017-07-03 Thread Ian Brown
I believe I've figured it out -- I think the decoder isn't matching the full log string and is thus stripping the IP address information. Also, after looking at the regex in the decoder, I've discovered that it doesn't even match against the first three example strings provided. Here's an

Re: [ossec-list] Re: Windows agent doesn't synchronize agent.conf

2017-07-03 Thread Victor Fernandez
Hi, it is strange that the log indicates line 147 when it was not able to read it. Maybe the agent.conf file is not arriving at the agent, or it is being discarded due to a checksum error. First, please remove the file *merged.mg* from the *shared* folder on both the agent and the manager.

[ossec-list] What is the best method to augment an existing decoder?

2017-07-03 Thread Ian Brown
There is a decoder that isn't quite handling some log entries the way I need. I want to augment an existing decoder, but apparently I'm not doing this correctly. Here's an example log entry: 2017 Jul 03 11:17:37 WinEvtLog: Security: AUDIT_FAILURE(5152): Microsoft-Windows-Security-Auditing:
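The two "I'm unclear why my rule is not matching" and "What is the best method to augment an existing decoder" threads above turn on the same point: the stock windows decoder stops at the host name, so nothing after "leaf-1: " reaches a field and a rule keyed on srcip or dstip has nothing to match. The following is an added example, not code from the thread or from the OSSEC project: a small Python emulation of the decoder's prematch/regex, then a hypothetical child decoder (pattern, name and its srcip/srcport/dstip/dstport order are my assumptions) applied with offset="after_regex" to the text the parent left over. The os_regex-to-Python translation is an approximation of OSSEC's engine, and the body of the sample 5152 message is constructed; only the parent decoder patterns and the head of the log line come from the thread.

```python
import re
from typing import Dict, List, Optional, Tuple

# Approximate translation of the os_regex atoms OSSEC decoders use.
# Not OSSEC's engine: e.g. OSSEC's \w also admits '-', '@' and '_'.
_ATOMS = {
    "d": "[0-9]",
    "D": "[^0-9]",
    "w": "[A-Za-z0-9_@-]",
    "W": "[^A-Za-z0-9_@-]",
    "s": " ",
    "S": "[^ ]",
    ".": ".",
}


def ossec_to_python(pattern: str) -> str:
    """Convert an OSSEC <prematch>/<regex> pattern into a Python re pattern.

    A quantified '\\.' is emitted non-greedy so that, as in OSSEC, '\\.+: '
    stops at the first ': ' after which the rest of the pattern still matches;
    the other atoms stay greedy.  \\( and \\) become literal parentheses.
    """
    out, i = [], 0
    while i < len(pattern):
        c = pattern[i]
        if c == "\\" and i + 1 < len(pattern):
            key = pattern[i + 1]
            atom, lazy, i = _ATOMS.get(key, re.escape(key)), key == ".", i + 2
        elif c in "()^$|":          # capture groups, anchors, alternation
            atom, lazy, i = c, False, i + 1
        else:
            atom, lazy, i = re.escape(c), False, i + 1
        if i < len(pattern) and pattern[i] in "+*":
            atom += pattern[i] + ("?" if lazy else "")
            i += 1
        out.append(atom)
    return "".join(out)


def run_decoder(log: str, regex: str, order: List[str],
                prematch: Optional[str] = None, start: int = 0
                ) -> Optional[Tuple[Dict[str, str], int]]:
    """Apply one decoder from offset `start`; return (fields, end offset) or None."""
    text = log[start:]
    if prematch is not None and not re.search(ossec_to_python(prematch), text):
        return None
    m = re.search(ossec_to_python(regex), text)
    if m is None:
        return None
    return dict(zip(order, m.groups())), start + m.end()


# Stock OSSEC "windows" decoder (etc/decoder.xml), as quoted in the thread.
WINDOWS_PREMATCH = r"^\d\d\d\d \w\w\w \d\d \d\d:\d\d:\d\d WinEvtLog: |^WinEvtLog: "
WINDOWS_REGEX = r"^\.+: (\w+)\((\d+)\): (\.+): (\.+): \.+: (\S+): "
WINDOWS_ORDER = ["status", "id", "extra_data", "user", "system_name"]

# Hypothetical child decoder (assumed, not from the thread) that would augment
# the parent for event 5152 without editing decoder.xml:
#   <decoder name="windows-wfp-block">
#     <parent>windows</parent>
#     <regex offset="after_regex">Source Address:\s+(\S+)\s+Source Port:\s+(\d+)\s+Destination Address:\s+(\S+)\s+Destination Port:\s+(\d+)</regex>
#     <order>srcip, srcport, dstip, dstport</order>
#   </decoder>
WFP_REGEX = (r"Source Address:\s+(\S+)\s+Source Port:\s+(\d+)\s+"
             r"Destination Address:\s+(\S+)\s+Destination Port:\s+(\d+)")
WFP_ORDER = ["srcip", "srcport", "dstip", "dstport"]

# Constructed sample: the head is the line quoted in the thread, the body is
# laid out like a Windows Filtering Platform 5152 message flattened to one line.
SAMPLE_5152 = (
    "2017 Jul 03 11:17:37 WinEvtLog: Security: AUDIT_FAILURE(5152): "
    "Microsoft-Windows-Security-Auditing: (no user): no domain: leaf-1: "
    "The Windows Filtering Platform has blocked a packet. "
    "Application Information: Process ID: 4 Application Name: System "
    "Network Information: Direction: Inbound Source Address: 192.168.1.50 "
    "Source Port: 137 Destination Address: 192.168.1.255 Destination Port: 137 "
    "Protocol: 17"
)


def decode_windows(log: str) -> Dict[str, str]:
    """Fields the stock parent decoder alone produces (no srcip/dstip)."""
    parsed = run_decoder(log, WINDOWS_REGEX, WINDOWS_ORDER, WINDOWS_PREMATCH)
    return parsed[0] if parsed else {}


def decode_5152(log: str) -> Dict[str, str]:
    """Parent first, then the child on the text after the parent's regex match."""
    parsed = run_decoder(log, WINDOWS_REGEX, WINDOWS_ORDER, WINDOWS_PREMATCH)
    if parsed is None:
        return {}
    fields, end = parsed
    child = run_decoder(log, WFP_REGEX, WFP_ORDER, start=end)
    if child is not None:
        fields.update(child[0])
    return fields


if __name__ == "__main__":
    print("parent only:", decode_windows(SAMPLE_5152))
    print("with child :", decode_5152(SAMPLE_5152))
```

Running it prints the parent-only dictionary (status, id, extra_data, user, system_name) and then the same dictionary extended with srcip/srcport/dstip/dstport once the child decoder has consumed the remainder. That remainder is exactly what the parent's final "(\S+): " discards, which is why a rule with a srcip or dstip condition cannot fire on the unmodified decoder; the child-decoder route keeps the stock decoder intact and is verifiable with ossec-logtest before the rule is touched.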