Re: [ossec-list] OSSEC 2.8.3, Server does not trigger email alerts for agent

2017-08-28 Thread Tirumala Raja Siriki
Email levels are at enough priority; I am getting emails now after stopping alerting from RDP. I have multiple RDPs where the agent is installed, and I get a lot of false alerts from RDPs for Authentication failure and Account locked out. On Thursday, August 24, 2017 at 6:07:05 PM UTC+5:30, dan

[ossec-list] OSSEC regular expression example for agent.conf

2017-08-28 Thread Leroy Tennison
I'm having trouble getting an ignore expression to actually ignore a change and suspect it's due to not understanding how OSSEC regular expressions work. When I searched for examples I found very little so I'm hoping someone can reply with examples or explanations. What I tried was:

[ossec-list] ossec-keepalive

2017-08-28 Thread Leroy Tennison
Just FYI, not sure if a resolution to https://groups.google.com/forum/#!msg/ossec-list/dE3klm84JMU/kGZkRdSl3ZkJ has been put in place or not, but it is occurring in v2.9.2 - I received an email alert (I can post the text if it would be helpful). Related to this, I noticed that the alert level is

Re: [ossec-list] Re: Testing OSSEC

2017-08-28 Thread dan (ddp)
On Mon, Aug 28, 2017 at 12:17 AM, Ritu Soni wrote: >>> hey, > > I have added the rule in the local_rules.xml file in the way as in the > attached image. > After adding the rule, I have restarted OSSEC services. But I get > the following errors: >

Re: [ossec-list] OSSEC regular expression example for agent.conf

2017-08-28 Thread Sean Roe
I'm pretty sure ignores are available in agent.conf. Sean On Mon, Aug 28, 2017 at 10:57 AM, dan (ddp) wrote: > On Mon, Aug 28, 2017 at 10:40 AM, Leroy Tennison > wrote: > > I'm having trouble getting an ignore expression to actually ignore a > change

Re: [ossec-list] OSSEC regular expression example for agent.conf

2017-08-28 Thread dan (ddp)
On Mon, Aug 28, 2017 at 10:40 AM, Leroy Tennison wrote: > I'm having trouble getting an ignore expression to actually ignore a change > and suspect it's due to not understanding how OSSEC regular expressions > work. When I searched for examples I found very little so

Re: [ossec-list] OSSEC 2.8.3, Server does not trigger email alerts for agent

2017-08-28 Thread dan (ddp)
On Mon, Aug 28, 2017 at 2:25 AM, Tirumala Raja Siriki wrote: > Email levels are at enough priority, I am getting emails now after stopping > alerting from RDP. I have multiple RDP where agent is installed and I get > lot of false alerts from RDPs, for Authentication

[ossec-list] Re: OSSEC regular expression example for agent.conf

2017-08-28 Thread Leroy Tennison
I wondered about that but verify-agent-conf didn't complain so I thought it was valid. I guess that means regex is only valid in rules? On Monday, August 28, 2017 at 9:40:53 AM UTC-5, Leroy Tennison wrote: > > I'm having trouble getting an ignore expression to actually ignore a > change and

[ossec-list] Re: ossec-keepalive

2017-08-28 Thread Leroy Tennison
Thanks for the answer; that clarifies my understanding. Sounds like you would like to see the alert details, so here they are ("our-demo" below is an agent, not the server): OSSEC HIDS Notification. 2017 Aug 27 08:20:39 Received From: (our-demo) 10.nnn.nnn.nnn->ossec-keepalive Rule: 1002 fired

Re: [ossec-list] Re: OSSEC regular expression example for agent.conf

2017-08-28 Thread dan (ddp)
On Aug 28, 2017 2:46 PM, "Leroy Tennison" wrote: I wondered about that but verify-agent-conf didn't complain so I thought it was valid. I guess that means regex is only valid in rules? Rules and decoders are the only places that come to mind at the moment. On
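
As an added illustration of doing the ignore in rules rather than in agent.conf, as dan's reply points to (this is an example written for this page, not code from the thread or from the OSSEC project): a local_rules.xml rule that silences the stock syscheck "Integrity checksum changed" alerts (rule IDs 550, 551 and 552) for files that match a pattern written in OSSEC's own regex dialect. The rule ID 100100, the /var/log path and the .log suffix are assumptions chosen for the example.

```xml
<!-- Added example, not from the thread or the OSSEC project.
     Drops "Integrity checksum changed" alerts for *.log files under /var/log.
     Rule id 100100 and the /var/log path are assumptions. -->
<group name="local,syscheck,">
  <rule id="100100" level="0">
    <!-- 550, 551, 552 are the stock syscheck "Integrity checksum changed" rules -->
    <if_sid>550, 551, 552</if_sid>
    <!-- OSSEC <regex> dialect, not PCRE:
         \.  matches ANY character (it is not an escaped dot)
         \.+ therefore means "one or more of anything"
         .   a bare dot is a literal dot
         ^ $ anchor start and end; ' is literal -->
    <regex>Integrity checksum changed for: '/var/log/\.+.log'$</regex>
    <description>Ignore integrity changes to log files under /var/log.</description>
  </rule>
</group>
```

Level 0 suppresses the alert without removing the file from syscheck's scan. Note that `<match>` is a plain substring match (only `^`, `$` and `|` are special there); only `<regex>` in rules and decoders takes the full dialect. Before restarting, paste the text of one of the original syscheck alert lines into /var/ossec/bin/ossec-logtest and confirm it reports rule 100100 at level 0.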

Re: [ossec-list] Re: ERROR: Unable to Bind port '1514'

2017-08-28 Thread Carlos Islas
Hello dan, I killed the instance but nothing happened; I had to start the process manually because the services went down. =S Regards... On Friday, August 25, 2017 at 11:01:25 (UTC-5), dan (ddpbsd) wrote: > > > > On Aug 25, 2017 11:32 AM, "Carlos Islas" > wrote: