Josh, some of these are really amazing. Thank you so much for sharing and
posting that.
All the best
Grant
On Wednesday, March 25, 2015 at 12:43:29 PM UTC-4, DefensiveDepth wrote:
I have been doing some work in the area as well, but with Sysmon logs.
Feel free to look over what I have
It should be enough sir
Each agent needs their own key, but once the agent has the key and checks
in with the server, it will pick up any custom configurations
All the best
On Thursday, May 14, 2015 at 7:02:32 PM UTC-4, Daniil Svetlov wrote:
Hi!
I'm trying to update ossec-agent key on windows
Have you run a tcpdump or ngrep on the server to ensure packets are
arriving on UDP port 1514?
When the agent is initially restarted it begins a new dialog with the
server and you should be able to see that on the wire
On Thursday, May 14, 2015 at 5:31:28 PM UTC-4, Andy Theuninck wrote:
I
You can look up the codes here
http://technet.microsoft.com/en-us/library/dd941635(v=ws.10).aspx
https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4625
...you have a 2008 server or newer,
it is certainly what happens when deleting old agents.
This is normal expected behavior
Check your ossec.log to look for errors with remote agents reporting in.
On Wednesday, July 1, 2015 at 8:35:14 PM UTC-4, Michael Starks wrote:
On 07/01/2015 04:50 PM, Jon Price wrote:
I've had ~1000
I wasn't aware that agent-auth works in Windows, I know some people have
written things to make it work
Here is some code you can try
https://github.com/sedarasecurity/ossec-agent-auth/blob/master/build.sh
I am sure there others out there as well, typically we use a mass deploy
script
Try Alienvault or OSSIM, they both make good use of OSSEC and add
additional tools you will need for detecting the spread of malware
On Friday, August 7, 2015 at 6:40:54 AM UTC-4, Jason Long wrote:
Hello Experts.
How can I launch a SIEM for my local network and find the spread point of
are wide open, give it a try!
https://www.alienvault.com/products/ossim
Grant Leonard
Castra Consulting, LLC http://castraconsulting.com/#/
919-949-4002
On Sun, Aug 9, 2015 at 10:46 AM, 'Jason Long' via ossec-list
ossec-list@googlegroups.com wrote:
Thank you.
Grant , Can you give me more
I haven't seen this directory fill up unless it cannot talk to the server
and even in that case it did not take much disk space
What kind of size are you seeing?
On Wednesday, August 19, 2015 at 10:51:26 AM UTC-4, Jamey B wrote:
>
> I'm making a CRON job to remove anything in the queue folder,
It is possible, our company has successfully pulled it off for another
larger corporation
On Wednesday, September 16, 2015 at 8:00:46 AM UTC-4, Chris Spangler wrote:
>
> Does anyone know if ossec will allow for an unattended install under
> Windows Server 2012. It seems like I saw some issues
Do you have a firewall at all? Are any server ports exposed to the world?
Is it always /proc that is full? Where is all the space and how big is your
hard drive? Could it be, given you are running a mail server, simply
spam/email that has filled up your hard drive?
This doesn't seem related
We addressed this using an OSSIM plugin to read a different part of the
alert log
Hope that helps sir
Grant Leonard
Castra Consulting, LLC <http://castraconsulting.com/#/>
919-949-4002
On Fri, Nov 20, 2015 at 12:28 PM, Joshua Roback <jrob...@gmail.com> wrote:
> I have a dec
How can we get the ossec agent to read a localfile that overwrites itself?
The CIS CAT benchmarks write a .txt file which we are reading with
"syslog" as the local file
However when the benchmark tests run, ossec does not appear to re-read the
log, it's as if it never gets read again.
As it
We will take a stab at it this week and see what we can uncover
All the best
Grant
On Friday, February 24, 2017 at 12:32:02 PM UTC-5, dan (ddpbsd) wrote:
>
> Any Windows users want to take a look at this?
>
> On Thu, Feb 23, 2017 at 11:42 PM, Jahchan, Georges J.
>
hecking the file inode.
>
> So if the file is replaced (it is first removed and then re-created, or
> your benchmark writes on another log file that then is moved onto the
> monitored file) OSSEC should detect it and read it again entirely.
>
> I hope that it help.
>
I am in EST and I absolutely agree with you. I think we should spend no
more than 30 minutes looking at your discovery, looking at logs in
archives.log then, as you noted, requesting an enhancement to ensure those
log values are sent over by the agent.
All the best
Grant Leonard
Castra
with another "open source windows event agent to syslog" utility, the same
issue was present.
Grant
On Wednesday, March 8, 2017 at 2:49:59 PM UTC-5, Grant Leonard wrote:
>
> I am in EST and I absolutely agree with you. I think we should spend no
> more than 30 minutes lookin
Two specific questions
Are the amount of logs cached/tracked configurable? (Specifically for linux
agents) when the agent cannot reach the ossec-server
(yes I read the discussion from 2010, looking for updated thoughts here)
How, specifically, does the agent handle being down/restarted?
For
I turned them OFF this way.
I am assuming you can declare just these options with no logging location
and you will have the reverse of my config
yes
no
no
yes
no
no
HKEY_LOCAL_MACHINE
HKEY_USERS
HKEY_CURRENT_CONFIG
Out of curiosity, can you post the raw message here? I would like to know
what kind of log has "`" in it.
All the best
On Monday, September 25, 2017 at 4:23:30 AM UTC-4, Robert Necela wrote:
>
> Hello, I have a message with character "`". But I can't write a rule with such
> character. \. -> For
for the existing list
Thanks!
On Thursday, November 9, 2017 at 8:52:08 AM UTC-5, dan (ddpbsd) wrote:
>
> On Tue, Nov 7, 2017 at 9:58 AM, Grant Leonard
> <gr...@castraconsulting.com > wrote:
> >
> > Good morning
> >
> > After the /var/ossec/bin/ossec-report
Good morning
After the /var/ossec/bin/ossec-reportd runs, the tallies are left aligned
and when emailed the spacing is not kept from stdout to email
Thus stdout looks like this
Top entries for 'Group':
pci_dss_10.6.1
You need to make sure the numbers you picked for your new rules exist in a
DS group and you have the correct translation statements in your .cfg.local
file for the plugin.
Also, to ensure you get a hit with the rule, your level has to be > 0 to be
written to alerts.log
You are closing in sir!
Does anyone know where I can find this version, if it even exists?
All the best
Grant
Thank you sir, this is the source code, I was hoping for binaries as I am
not really awesome at making them for Mac from scratch, I don't use that OS
Thoughts?
All the best
Grant
On Thursday, January 17, 2019 at 1:58:49 PM UTC-5, dan (ddpbsd) wrote:
>
> On Thu, Jan 17, 2019 at 1:48 PM
You are going to need to grab logs from the desktop as well, as those have
the "unlock" and "lock" instances, many times users remain logged in and
you get tons of background authentication noise.
You can also marry that with Kerberos ticket requests, but that is a whole
next level of noise.