Re: [ossec-list] CentOS 7

2015-09-17 Thread Jose Luis Ruiz
Hi Dillon You can use the Wazuh repositories. To add Wazuh yum repository, create a file named /etc/yum.repos.d/wazuh.repo: cd /etc/yum.repos.d vi wazuh.repo For RHEL / CentOS: [wazuh] name = WAZUH OSSEC Repository - www.wazuh.com baseurl = http://ossec.wazuh.com/el/$releasever/$basearch

Re: [ossec-list] OSSEC Windows Client registration failed

2015-09-23 Thread Jose Luis Ruiz
Please review your firewall, usually Windows blocks the traffic. And try to restart the service manually as well. Regards Sent from my iPhone > On 23 Sept 2015, at 18:53, theresa mic-snare > wrote: > > Hi guys, > > > yesterday I wanted to install the

Re: [ossec-list] OSSEC agents on different subnet unable to connect OSSEC server

2016-06-17 Thread Jose Luis Ruiz
Hi Tahir, Your Agents configuration are with static IP, Network or set to ANY? Regards --- Jose Luis Ruiz Wazuh Inc. j...@wazuh.com On June 17, 2016 at 11:27:22 AM, Tahir Hafiz (tahir.ha...@gmail.com) wrote: ERROR: Invalid ID for the source ip -- --- You received

Re: [ossec-list] Debugging a rule that fires when tested with ossec-logtest but never fires in production

2016-06-17 Thread Jose Luis Ruiz
Hi Kevin A silly question Regards --- Jose Luis Ruiz Wazuh Inc. j...@wazuh.com On June 2, 2016 at 22:45:01, Kevin Branch ( ke...@branchnetconsulting.com) wrote: I am running an OSSEC 2.8.3 server and a Windows computer with OSSEC 2.8.3 agent. The rule simply

Re: [ossec-list] ERROR: Incorrectly formated message

2016-02-02 Thread Jose Luis Ruiz
Hi Robert, the same agent id? Try this, in ossecpath/etc/internal-options.conf modify remoted.verify_msg_id=1 to 0 in both places, agent and manager regards > On 02 Feb 2016, at 16:56, Robert wrote: > > Hi, > > This problem drives me crazy. > I already followed the

Re: [ossec-list] Uninstall ossec agent via command line

2016-03-01 Thread Jose Luis Ruiz
Hi Sebastiano, Yes, you can uninstall in silent mode, only need to execute "c:\path-to-ossec-agent\uninstall.exe /S" Regards --- Jose Luis Ruiz Wazuh Inc. j...@wazuh.com > On 29 Feb 2016, at 19:10, Sebastiano Mortellaro <bola...@gmail.com> wrote: > &

Re: [ossec-list] Windows agent - unable to start agent (check config)

2016-03-29 Thread Jose Luis Ruiz
Hi Krzysztof are you compiling your own Windows agent from sources? or you are downloading from any web? Jose Luis Ruiz Wazuh Inc. j...@wazuh.com > On Mar 29, 2016, at 4:03 PM, Krzysztof Zaklikiewicz <zakli...@gmail.com> > wrote: > >

Re: [ossec-list] Windows agent - unable to start agent (check config)

2016-03-29 Thread Jose Luis Ruiz
Try to add an admin user to this new Administrator group and reinstall Ossec --- Jose Luis Ruiz Wazuh Inc. j...@wazuh.com > On Mar 29, 2016, at 4:21 PM, Krzysztof Zaklikiewicz <zakli...@gmail.com> > wrote: > > Hi > > I downloaded from http:/

Re: [ossec-list] Auto populating agent lists

2016-04-24 Thread Jose Luis Ruiz
Hi gershon Try ossec-authd http://ossec-docs.readthedocs.org/en/latest/programs/ossec-authd.html#ossec-authd If you like ossec-authd with more options look here http://documentation.wazuh.com/en/latest/manual_authd.html Regards --- Jose Luis Ruiz Wazuh Inc. j...@wazuh.com

Re: [ossec-list] RE: Prerrequisites Instalation OSSEC

2016-04-25 Thread Jose Luis Ruiz
Hi Adiel http://ossec-docs.readthedocs.org/en/latest/manual/supported-systems.html http://ossec-docs.readthedocs.org/en/latest/manual/installation/installation-requirements.html José Luis Ruiz > On 25 Apr 2016, at 19:03, Adiel Navarro wrote: > > >

Re: [ossec-list] RPM building leads to a tmp script that makes no sense.

2016-05-16 Thread Jose Luis Ruiz
he folder. --- Jose Luis Ruiz Wazuh Inc. j...@wazuh.com > On May 16, 2016, at 10:04 AM, James Dough <slippingdo...@gmail.com> wrote: > > I'm trying to build the OSSEC RPM with the most recent version, using my own > custom preloaded vars. > > I'm using the default sp

Re: [ossec-list] RPM building leads to a tmp script that makes no sense.

2016-05-16 Thread Jose Luis Ruiz
Hi James, A couple things You should NEVER create your packages as the root user. Building RPM's as root is dangerous, because the binary files are installed on the system before being packaged, thus you must always build as normal user so you won't accidentally pollute your system. All

Re: [ossec-list] Irregular Agent Activity in OSSEC agents

2016-07-20 Thread Jose Luis Ruiz
--- Jose Luis Ruiz Wazuh Inc. j...@wazuh.com On July 20, 2016 at 11:54:41 AM, eyal gershon (gershon...@gmail.com) wrote: Hey Everyone, I am noticing some irregular activity in some of my OSSEC agents - *A little bit about the system - * My Deployment is on 2000~ servers managed from dedicated ossec

Re: [ossec-list] Monitoring root activities - problem with custom decoder and rules.

2016-07-07 Thread Jose Luis Ruiz
Level: '0' Description: 'Auditd: system call to the kernel' So you need to create a child rule to match with dstuser: '0' in your local_rules.xml 80720 0 Root command Regards --- Jose Luis Ruiz Wazuh Inc. j...@wazuh.com On July 7, 2016 at 3:

Re: [ossec-list] Monitoring root activities - problem with custom decoder and rules.

2016-07-07 Thread Jose Luis Ruiz
Hi Dominik You can install Wazuh Ruleset: http://documentation.wazuh.com/en/latest/ossec_ruleset.htm Auditd rules and decoders are included. Regards --- Jose Luis Ruiz Wazuh Inc. j...@wazuh.com On July 7, 2016 at 4:16:29 PM, Dominik (reusser...@gmail.com) wrote: Hi Jose

Re: [ossec-list] Monitoring root activities - problem with custom decoder and rules.

2016-07-07 Thread Jose Luis Ruiz
You are right. Here is the correct link, I forgot the "l" at the end. http://documentation.wazuh.com/en/latest/ossec_ruleset.html Regards --- Jose Luis Ruiz Wazuh Inc. j...@wazuh.com On July 7, 2016 at 5:09:07 PM, Dominik (reusser...@gmail.com) wrote: Thanks Jose. I installed

Re: [ossec-list] How to automate configuration of OSSEC Agent on Windows?

2017-01-30 Thread Jose Luis Ruiz
it helps. Regards --- Jose Luis Ruiz Wazuh Inc. j...@wazuh.com On January 27, 2017 at 1:11:04 AM, Igor Gatis (i...@esfera5.com.br) wrote: I need to make OSSEC install fully automatic. Installation can be easily done with /S flag to make it silent ( https://chocolatey.org/packages

Re: [ossec-list] Re: reindexing logs

2016-09-29 Thread Jose Luis Ruiz
echo "### 4. Deleting intemediate index: $src_index" delete_index $src_index fi else echo "### Index $src_index doest not exist. Skipping." fi # Update date. d=$(date -I -d "$d + 1 day"

Re: [ossec-list] Re: How to change the OSSEC installation directory in windows

2016-09-29 Thread Jose Luis Ruiz
. Regards --- Jose Luis Ruiz Wazuh Inc. j...@wazuh.com On September 29, 2016 at 12:55:19 PM, Dustin Church (church...@gmail.com) wrote: Victor, I currently have 78 servers that will be recreated nightly using a single image. I understand that I can install OSSEC to a secondary

Re: [ossec-list] cannot connect to ossec server on docker

2016-08-26 Thread Jose Luis Ruiz
Hi Ka-Hing When do you run the command nc -u 10.0.129.94 1514, this command is from the agent container or the main server? Regards --- Jose Luis Ruiz Wazuh Inc. j...@wazuh.com On August 26, 2016 at 7:14:50 PM, Ka-Hing Cheung (kah...@gmail.com) wrote: nc -u 10.0.129.94

Re: [ossec-list] cannot connect to ossec server on docker

2016-08-26 Thread Jose Luis Ruiz
Hi Ka-Hing Thanks for sharing! Regards --- Jose Luis Ruiz Wazuh Inc. j...@wazuh.com On August 26, 2016 at 9:44:23 PM, Ka-Hing Cheung (kah...@gmail.com) wrote: > Figured out the problem. It's a docker bug: > https://github.com/docker/docker/issues/7540 > > On Fr

Re: [ossec-list] cannot connect to ossec server on docker

2016-08-26 Thread Jose Luis Ruiz
Did you try to add a new key to the agent already? Regards --- Jose Luis Ruiz Wazuh Inc. j...@wazuh.com On August 26, 2016 at 9:19:52 PM, Ka-Hing Cheung (kah...@gmail.com) wrote: > From the agent container > > On Friday, August 26, 2016 at 6:16:23 PM UTC-7, j

Re: [ossec-list] cannot connect to ossec server on docker

2016-08-26 Thread Jose Luis Ruiz
Hi Ka-hing First of all we need to know which command you use to run the container in order to know which ports are you mapping. Regards --- Jose Luis Ruiz Wazuh Inc. j...@wazuh.com On August 26, 2016 at 5:11:03 PM, Ka-Hing Cheung (kah...@gmail.com) wrote: > I have os

Re: [ossec-list] Re: reindexing logs

2016-09-28 Thread Jose Luis Ruiz
and template. After that, probably you will need to reindex all your index to apply the new template. Regards --- Jose Luis Ruiz Wazuh Inc. j...@wazuh.com On September 28, 2016 at 3:26:38 PM, roberto.mendo...@phoebustecnologia.com.br ( roberto.mendo

Re: [ossec-list] Re: reindexing logs

2016-09-30 Thread Jose Luis Ruiz
Hi Roberto, nice news :) Please feel free to send pull request to Wazuh and Ossec with your improvements and new rules, the Ossec community will appreciate. Regards --- Jose Luis Ruiz Wazuh Inc. j...@wazuh.com On September 30, 2016 at 9:00:32 AM, roberto.mendo

Re: [ossec-list] Wazuh install and mysql

2016-12-12 Thread Jose Luis Ruiz
Hi Sean, What rpm are you using? wazuh-manager-1.1.1-3 or ossec-hids-2.8.3-3? Regards --- Jose Luis Ruiz Wazuh Inc. j...@wazuh.com On December 12, 2016 at 5:25:41 PM, Sean Roe (sean...@gmail.com) wrote: Hi all, I have installed the ossec server using the Wazuh rpms

Re: [ossec-list] time based exceptions

2017-03-29 Thread Jose Luis Ruiz
egards --- Jose Luis Ruiz Wazuh Inc. j...@wazuh.com On March 29, 2017 at 6:17:37 PM, mscr...@ieee.org (mscr...@ieee.org) wrote: Hi Ossec-list, I am wondering if anyone else has run into this issue, I have a cron that runs at the same time every day and it always triggers the promiscuous mod

Re: [ossec-list] OSSEC alerts on syslog

2017-03-14 Thread Jose Luis Ruiz
Hi, can you verify if the port is open? [root@wazuh-manager /]# netstat -tuna | grep 514 udp 0 0 0.0.0.0:514 0.0.0.0:* The Symantec ip is allowed in ossec.conf right? Regards --- Jose Luis Ruiz Wazuh Inc. j...@wazuh.com On March 14, 2017 at 12:44

Re: [ossec-list] latest stable/recommended version

2017-04-21 Thread Jose Luis Ruiz
Hello, The last stable version is 2.9.0, the downloads page is not updated. Regards --- Jose Luis Ruiz Wazuh Inc. j...@wazuh.com On April 21, 2017 at 4:41:09 PM, Lukáš Jirkovský (l.jirkov...@gmail.com) wrote: Hello, just a quick question – what is the current stable

Re: [ossec-list] OSSEC alerts on syslog

2017-03-14 Thread Jose Luis Ruiz
not receiving alerts, enable logall in ossec.conf yes and take a look in the file “/var/ossec/logs/archives/archives.log”, if the logs are in this file, but not in your alerts, probably the decoders or rules have something wrong. Regards --- Jose Luis Ruiz Wazuh Inc. j...@wazuh.com

Re: [ossec-list] Agents Disconnected

2017-08-02 Thread Jose Luis Ruiz
Hi Carlos, Take a look from the log file /var/ossec/logs/ossec.log, this is the main log file for managers and agents. You can do something like *cat /var/ossec/logs/ossec.log | grep ERROR*, to verify if you have errors in some point. Regards --- Jose Luis Ruiz Wazuh Inc. j

Re: [ossec-list] Agents Disconnected

2017-08-04 Thread Jose Luis Ruiz
egards --- Jose Luis Ruiz Wazuh Inc. j...@wazuh.com On August 3, 2017 at 7:48:10 PM, Carlos Islas (sparks.10008...@gmail.com) wrote: 017/08/03 08:27:40 ossec-remoted(1403): ERROR: Incorrectly formated

Re: [ossec-list] Agents Disconnected

2017-08-04 Thread Jose Luis Ruiz
Hi Carlos, The manager has his own agent, probably the alerts are from the manager itself. Regards --- Jose Luis Ruiz Wazuh Inc. j...@wazuh.com On August 3, 2017 at 7:57:59 PM, Carlos Islas (sparks.10008...@gmail.com) wrote: In addition the host send alerts to my email

Re: [ossec-list] Disconnect issue

2017-06-06 Thread Jose Luis Ruiz
Hi Prakash Try set to 0 (now you should have 1) the option *remoted.verify_msg_id* in /var/ossec/etc/internal_options.conf in the manager and agent and restart both. *remoted.verify_msg_id=0* I hope it helps. Regards --- Jose Luis Ruiz Wazuh Inc. j...@wazuh.com On June 6

Re: [ossec-list] Re: How to know when syscheck agent finishes a scan?

2017-06-07 Thread Jose Luis Ruiz
--- Jose Luis Ruiz Wazuh Inc. j...@wazuh.com On June 7, 2017 at 10:15:19 AM, John Kondur (kongfra...@gmail.com) wrote: Thanks I did find it that did help, I had two more questions not sure if I should start another thread: I had frequency set on the agents to: 7200 I looked