[ossec-list] Re: New File Alert works "sometimes". Can't seem to get Realtime working.

2016-06-04 Thread Victor Fernandez
Hi Ferdia. In order to be alerted about new files, you should add the option to Syscheck on the server side. Here is an example: 7200 *yes*

Re: [ossec-list] OSSEC Send Log Size

2016-06-09 Thread Victor Fernandez
Hi Abdulvehhab. It makes sense, it falls into an infinite recursion, but it's a bit difficult to store some messages and send them to the server since the protocol consists of one datagram per message. Even if the agent stores some messages and sends all of them at a time, the firewall would

Re: [ossec-list] OSSEC Send Log Size

2016-06-09 Thread Victor Fernandez
Hi. In normal operation, OSSEC connects once, on startup, and closes the socket on exiting. But, because of the behavior of UDP, there isn't an actual "connection"; instead, every datagram is independent of the rest. Maybe this is the reason why the firewall considers every delivery as a

[ossec-list] Re: fim/hids on laptops

2016-06-07 Thread Victor Fernandez
Hi Derek. Unfortunately, OSSEC is not designed to work offline. Messages are actually queued while the agent tries to connect to the server, but this memory is very small and will be filled quickly. If you stop or restart the agent, the queued data will be lost. Regards.

[ossec-list] Re: monitor hostname changes

2016-06-06 Thread Victor Fernandez
Hi Francesco. A good way to achieve this is to monitor the command "hostname", adding the following lines to ossec.conf: command hostname 3600 Then, create a rule like this one, as child of rule 530 (about OSSEC command monitoring), with the option , in order to be alerted only when

[ossec-list] Re: ossec local logfile ignored

2016-06-10 Thread Victor Fernandez
Hi Jacob. When does that message appear? I mean, does it happen on OSSEC start, or after a while? Can you see a message like the following, when OSSEC starts? ossec-logcollector(1950): INFO: Analyzing file: > '/home/mis/admin-tools/logs/ping-domain.log` ossec-logcollector(1950): ERROR: Could

[ossec-list] Re: How to give priority to custom rules

2016-05-30 Thread Victor Fernandez
" will match the rule 17, no matter whether the message is long or short. Kind regards. Victor Fernandez.

[ossec-list] Re: General questions I can't find an answer to

2016-06-19 Thread Victor Fernandez
Hi. A1: In fact you should enable on your ossec.conf file, but it only enables the agent to receive commands from the server. However, the syscheck/rootcheck restarting is not immediate, but it will be done after a cycle of syscheck. A2: That line seems to be correct, and that verbatim do

[ossec-list] Re: agent.conf settings not syncing to agents

2016-06-19 Thread Victor Fernandez
Hi. Every setting at agent.conf needs to be inside a section, otherwise the configuration reader may fail. So, please relocate the tags and that are outside and restart the agent. If the problem persists, enable debugging logs by editing the file internal_options.conf and changing the

[ossec-list] Re: Get actual Agent IP

2016-02-17 Thread Victor Fernandez
IP is used in OSSEC for assigning permissions to agents. It would be possible to add information about the IP address in the agent's queue and show it with *agent_control*, or include the IP in the alert generated when an agent connects to the manager. Another solution that won't imply to

[ossec-list] Re: Agent id

2016-02-19 Thread Victor Fernandez
Hi, Please tell us your version of OSSEC, how many agents you want to register and your limit of agents, so we can reproduce your problem. Best.

[ossec-list] Re: Windows Agent Compilation

2016-04-08 Thread Victor Fernandez
of this is that ossec-lua and ossec-luac are not compiled by make.bat. If you need the installer, maybe you could try to add the proper lines to compile these files. I hope it will help you. Best regards. Victor Fernandez. On Wednesday, April 6, 2016 at 9:08:55 PM UTC+2, Kumar Mg wrote: > &

[ossec-list] Re: Can't find resolution for these error messages

2016-03-19 Thread Victor Fernandez
Hi Ben. The first error is normal, or at least, predictable to happen: since an agent-less isn't an agent, it can't receive active-responses. Active responses are generated by the rule analyzer (analysisd), that doesn't distinguish between agents and agent-less, so the remote daemon, that

[ossec-list] Re: Windows agent - unable to start agent (check config)

2016-03-29 Thread Victor Fernandez
Hi. Have you added the original administrator and your own account to the "Administrators" group? I followed your steps, added my user account to "Administrators", closed and reopened my session, and it did work. Regards.

[ossec-list] Re: Windows agent - unable to start agent (check config)

2016-04-01 Thread Victor Fernandez
31 20:31:58 ossec-win32ui: INFO: Running the following command > (C:\Windows\system32\cmd.exe /c echo y|cacls "client.keys" /T /G > Administrators:f) > > What's wrong?? > > On Tuesday, 29 March 2016 at 22:51:25 UTC+2, user Victor Fernandez > wrote: >> >

[ossec-list] Re: new file does not create any alert

2016-04-01 Thread Victor Fernandez
Hi. I did the same as you: changed the rule's level from 0 to 10 and added yes on "ossec.conf", both at server, and I had no error. You should check the Syscheck database (tail of file at /var/ossec/queue/syscheck) and verify that new files are on it. Depending on whether the file appears in

[ossec-list] Re: new file does not create any alert

2016-04-01 Thread Victor Fernandez
P.S.: This is a duplicated topic. There is a more detailed explanation to your problem at the other topic: https://groups.google.com/forum/#!topic/ossec-list/eSbdMTPLG7A Regards. On Friday, April 1, 2016 at 3:17:24 PM UTC+2, Victor Fernandez wrote: > > Hi. > > I did the same as

Re: [ossec-list] Disk usage monitor not working in RHEL5

2016-04-22 Thread Victor Fernandez
I think the problem is the option "-h", because it introduces arbitrary line feeds in order to be more readable by people, but it makes it more difficult to decode. This happened in RHEL5 but it can happen at any system with a long filesystem path. "-P" is an interesting option to preserve

[ossec-list] Re: ossec service in windows 10

2016-04-19 Thread Victor Fernandez
Hi Diego. How do you start the service, with the UI or from Services? Does OSSEC print something into the file "ossec.log"? Best regards. Victor Fernandez. On Tuesday, April 19, 2016 at 12:15:49 PM UTC+2, Diego Arranz wrote: > > Hi all, > > I'm testing wazuh serv

Re: [ossec-list] Windows Agent Compilation

2016-04-19 Thread Victor Fernandez
.c os_net/*.c os_xml/*.c zlib-1.2.8/*.c config/*.c shared/*.c os_execd/*.c os_crypto/blowfish/*.c os_crypto/md5/*.c os_crypto/sha1/*.c os_crypto/md5_sha1/*.c os_crypto/shared/*.c rootcheck/*.c *.c -I. -Iheaders/ -lwsock32 -lshlwapi Best regards. Victor Fernandez.

[ossec-list] Re: ossec service in windows 10

2016-04-20 Thread Victor Fernandez
inheritable permission entries from this object". (In Spanish: "Reemplazar todas las entradas de permisos secundarios por entradas de permisos heredables de este objeto".) 6. Click "Accept" and confirm the dialog box that will appear. 7. Try to start the agen

[ossec-list] Re: ossec service in windows 10

2016-04-20 Thread Victor Fernandez
I had the Error 5 when the file "ossec-agent.exe" has no permissions for "SYSTEM". Unfortunately, when we change the IP in the UI, the file "ossec.conf" is re-created without SYSTEM permissions, so the service starts and exits suddenly, but it prints the access error in the "ossec.log". So,

Re: [ossec-list] Solaris Compilation - Visibility

2016-07-21 Thread Victor Fernandez
"/logs/.report-%d.log", (int)getpid());* main-server.c:49: Remove the const qualifier: /*old*/ *int** ssl_error(const SSL* ssl, int ret)* /*new*/ *int** ssl_error(SSL* ssl, int ret)* Because of the compiler version, it's possible that new similar problems appear. Hope it helps. Kind regard

[ossec-list] Re: ERROR: Unable to send file 'merged.mg' to agent.

2016-07-28 Thread Victor Fernandez
Hi Graeme. According to the log, I think the problem occurs when the manager tries to send the merged.mg to an agent that has not sent the keep-alive in the last 20 minutes. This may happen if a lot of agents get connected, or send the keep-alive at the same time. So, if many agents send a

[ossec-list] Re: can we re-use agentID's

2016-07-28 Thread Victor Fernandez
Hi Chanti. By default, OSSEC doesn't allow adding an agent with a removed agent's ID. When OSSEC adds a new agent, the information about it is written at /var/ossec/etc/client.keys. When you remove an agent, the corresponding line isn't removed but "tainted" with a "!" symbol. If you want to

[ossec-list] Re: ERROR: Unable to send file 'merged.mg' to agent.

2016-07-29 Thread Victor Fernandez
ds me to suspect it's repeating this > error in the logfiles multiple times for a connection attempt across only > one or two agents. > > Again, many thanks for the detailed response. > > Graeme > > On Thursday, July 28, 2016 at 5:33:29 PM UTC-7, Victor Fernandez wrote: >&g

[ossec-list] Re: Syscheck - scan only selected extensions

2016-08-10 Thread Victor Fernandez
Hi, you can select file extensions easily using wildcards, for example: C:\Windows\*.exe,C:\Windows\*.dll This method works only with files that already exist. If you want to scan files that are created after OSSEC starts, you may use and create a regular expression that matches any path

[ossec-list] Re: ERROR: Agent '(empty)' not found.

2016-07-07 Thread Victor Fernandez
sisd sends an active response to remoted. Hope it helps. Best regards. Victor Fernandez. On Thursday, July 7, 2016 at 8:03:46 AM UTC-7, BP9906 wrote: > > I'm facing an odd issue where we have some server partially configured > (dont ask) and so as a result the ossec server logs this ever

[ossec-list] Re: Agents not connecting, traffic visible in tcpdump

2016-08-08 Thread Victor Fernandez
Hi Cal. As you can see when an agent connects successfully, the server answers it with a UDP message from server:1520 (in your case) to the agent. Usually the server prints an error into the log when it receives a bad message (unauthorized key, counter error, incorrectly formatted message...)

[ossec-list] Re: Last time agent connected to server

2016-08-02 Thread Victor Fernandez
Hi Derek. You can do that by watching the modification time (with ls or stat) of the agent's information file at /var/ossec/queue/agent-info. For example, if the agent name is "myagent" and the IP is "1.2.3.4", the file will be "/var/ossec/queue/agent-info/myagent-1.2.3.4". When an agent

[ossec-list] Re: Syscheck not alerting on realtime scans

2016-08-01 Thread Victor Fernandez
Hi Daniel. I had never used before, but I think it works for weekly scans since OSSEC prints this log (even when setting frequency=84800): 2016/08/01 14:27:33 ossec-syscheckd: INFO: Syscheck scan frequency: 604800 seconds This amount of time is one week, so I think that works only for

[ossec-list] Re: inode changes for syscheck

2016-07-02 Thread Victor Fernandez
opy.txt test.txt In this case, the inode has changed, but since neither the size nor the content of the file have changed, OSSEC doesn't detect it. Could you give us a use case in which it would be interesting to detect inode changes? Kind regards. Victor Fernandez. On Wednesday, June 29, 20

Re: [ossec-list] Re: Update Wazuh with standard Ossec files

2017-01-23 Thread Victor Fernandez
Hi Alejandro, The issue seems to be a counter problem since any other error would print an additional error message. Try to remove the file: "/var/ossec/queue/rids/" from the agent, for N being the agent ID. For example: rm /var/ossec/queue/rids/$(cut -d' ' -f1 /var/ossec/etc/client.keys)

Re: [ossec-list] .txt file for log overwrites daily - ossec only reads once

2017-02-24 Thread Victor Fernandez
Hi Grant, how is that file overwritten? I mean, is it truncated and re-written or is it replaced by another? OSSEC follows local files and never reads them again from the beginning, there is no mechanism to detect that a previous file segment has been changed. But OSSEC does detect that a file

Re: [ossec-list] Inconsistencies with syscheck realtime + report_changes

2017-02-09 Thread Victor Fernandez
Hi Chris, It's really curious that Syscheck creates the diff file but doesn't send it. There should be no difference between configuring it in real-time or not. I see that the diff file matches the actual change by the size difference. However, did you see any error at the

Re: [ossec-list] Supressing notification {Scanned}

2017-02-15 Thread Victor Fernandez
Hi, I think that your configuration is correct. What's exactly the problem that you have? I mean, is the rule 1002 still appearing even with that message, or does the rule 3752 appear at the alert log? Best regards. On Tue, Feb 14, 2017 at 4:11 PM, wrote: > Hi! I'm

Re: [ossec-list] Maximum Number of Agents Allowed

2017-01-23 Thread Victor Fernandez
Hi Patrick, unfortunately there is no way to do this, since the maximum agents parameter is used to create some static arrays into the code. This makes it necessary to re-compile and install the binaries. Best regards. On Fri, Jan 20, 2017 at 1:51 PM, wrote: > Is

Re: [ossec-list] Re: Windows Eventlogs

2016-09-16 Thread Victor Fernandez
Hi Kumar, The moving error is not usual, the return code 5 refers to an access denial. So try to stop the agent, delete the file "C:\Program Files (x86)\ossec-agent\bookmarks\Security" and re-start the agent. Regarding the 2nd problem, it seems to be a connection problem between the agent and

Re: [ossec-list] OpenBSD 6 - Real Monitoring

2016-09-30 Thread Victor Fernandez
Hello, I've never done this on OpenBSD, but try to force the inotify support with Make: cd src make TARGET=agent USE_INOTIFY=yes Hope it helps. Regards. On Friday, September 30, 2016 at 12:38:30 AM UTC+2, dan (ddpbsd) wrote: > > On Sep 29, 2016 4:10 PM, "R0me0 ***" >

Re: [ossec-list] Windows Eventlogs

2016-09-30 Thread Victor Fernandez
for Windows eventlogs at agent level? > > Thanks > Kumar > > On Friday, 16 September 2016, Victor Fernandez <vic...@wazuh.com > > wrote: > >> Hi Kumar, >> >> The moving error is not usual, the return code 5 refers to an access >> denegation. So

[ossec-list] Re: OSSEC - sudo

2016-09-30 Thread Victor Fernandez
Hi Kumar, The ossec group is intended to access shared files and write only onto logs and queues, but not on settings and rules files. Nevertheless, if you need to write those files, it's more secure to create a new user and add it to the ossec group and give it the needed permissions that run

Re: [ossec-list] Re: How to change the OSSEC installation directory in windows

2016-09-30 Thread Victor Fernandez
dary partition, but > how do I handle the keys for each server that is created from the image, > and ensure proper communication after the image is built without having to > manually enter the server IP and key for the server at boot time? > > On Friday, September 23, 2016 at 4:2

[ossec-list] Re: Question on agent authentication and use of counters

2016-09-19 Thread Victor Fernandez
"/var/ossec/queue/rids/sender_counter" from the manager to a new instance the next time you migrate a server. On the other hand, you can also delete the agents' counter folder. Kind regards. Victor Fernandez. On Thursday, September 15, 2016 at 9:08:46 PM UTC+2, Abhi wrote: > > Hi,

Re: [ossec-list] Re: How to change the OSSEC installation directory in windows

2016-09-23 Thread Victor Fernandez
ctor. On Thursday, September 22, 2016 at 12:00:29 PM UTC+2, Eero Volotinen wrote: > > How about modifying the installation package? > > Eero > > 2016-09-22 12:56 GMT+03:00 Victor Fernandez <vic...@wazuh.com > >: > >> Hi, >> >> when you run the OSSE

[ossec-list] Re: Can I build the OSSEC server without the three GeoIP packages?

2016-09-23 Thread Victor Fernandez
Hi Shawn, you can compile OSSEC from sources without enabling GeoIP by following these steps: - Download OSSEC source code: git clone https://github.com/ossec/ossec-hids.git - Install the GCC compiler and the Make tool if you don't have them: - sudo apt-get install gcc make [Debian/Ubuntu]

[ossec-list] Re: How to change the OSSEC installation directory in windows

2016-09-22 Thread Victor Fernandez
Hi, when you run the OSSEC installer for Windows, you can choose the location where OSSEC will be installed. This shouldn't be a problem. Since OSSEC registers a background service on Windows, you should first install OSSEC into another partition and then create the C:\ drive image. Hope it

Re: [ossec-list] OSSEC Agent to server communication issue

2016-11-07 Thread Victor Fernandez
Hi Vipin, Prior to connecting to the manager, agents must be registered on it. For example, let the manager's IP be 1.1.1.1 and the agent's IP be 2.2.2.2. First, use /var/ossec/bin/manage_agents to add an agent. Choose an arbitrary name for it, then you'll be asked for the agent's IP.

[ossec-list] Re: ossec-syscheckd realtime scanning does not detect file integrity changes when rootcheck is enabled

2016-10-19 Thread Victor Fernandez
Hi Liam, unfortunately Syscheck and Rootcheck features are run in the same process and can't work together (at the same time). In short, the process works looping over three steps: 1. Complete Syscheck scan. 2. Rootcheck test. 3. Real-time Syscheck monitoring. So, every file changed

[ossec-list] Re: Simultaneous Events at 25 EPS, but Missing Alerts

2016-10-14 Thread Victor Fernandez
Hi Jon, OSSEC connects through the UDP protocol, which doesn't guarantee that messages arrive in the same order they were delivered. In order to prevent replay attacks, OSSEC verifies the counter from every message. I think there is a network issue, perhaps congestion, so messages arrive

[ossec-list] Re: Can you explain remoted.recv_counter_flush and remoted.comp_average_printout?

2016-10-14 Thread Victor Fernandez
Hi Jon, these settings belong to arriving messages management. When agents deliver messages to the manager, Remoted decrypts, decompresses and checks the counter from every message. OSSEC saves the counters on files at /var/ossec/queue/rids in order to reload them when the manager is

Re: [ossec-list] ossec-authd TLS1.2 only

2016-11-04 Thread Victor Fernandez
Hi, OSSEC v2.8.3 uses the method SSLv23, that is version-flexible and negotiates the highest protocol mutually supported by the manager and the agent, preferably TLS v1.2. The new OSSEC v2.9 will use the method TLSv12, which forces the TLS v1.2 protocol to be established and rejects the connection

[ossec-list] Re: Question:Edit/change agent's IP Address

2016-10-17 Thread Victor Fernandez
Hi, Do you refer to changing the agent's IP on registering at manage_agents? In that case you may use the word *"any"* when the program asks for the IP address: $ sudo /var/ossec/bin/manage_agents > > * OSSEC HIDS v2.9.0 Agent manager. * > * The

[ossec-list] Re: Unexpected FIM behavior

2016-10-17 Thread Victor Fernandez
Hi Matt, As we can see, Syscheck isn't very accurate with time for three main reasons: 1. In order not to impact the system performance, Syscheck sleeps two seconds for every 15 checked files. You can change this by changing the settings "syscheck.sleep" and "syscheck.sleep_after" at

Re: [ossec-list] remoted Dropping Events

2016-12-10 Thread Victor Fernandez
comment jogged my memory about why remoted is running 3 separate > processes - 1514/udp, 514/udp and 514/tcp. > > > > On Friday, December 9, 2016 at 10:33:50 AM UTC-5, dan (ddpbsd) wrote: >> >> >> >> On Dec 9, 2016 9:17 AM, "Chris Decker" <ch.

Re: [ossec-list] remoted Dropping Events

2016-12-09 Thread Victor Fernandez
Hi, Agents should send a keepalive every 10 minutes (600 seconds) by default, and this should be enough. But you can lower that time at the agent's ossec.conf: 1.2.3.4 *60* If you see any agent disconnected, check its ossec.log file. On the other hand, as Dan says,

Re: [ossec-list] remoted Dropping Events

2016-12-14 Thread Victor Fernandez
2/13 09:05:49 ossec-agentd(1215): ERROR: No client configured. > > Exiting. > > > > > > The documentation also doesn't make it appear that is an > option > > there: > > > > http://ossec.github.io/docs/syntax/head_ossec_config.client.html

Re: [ossec-list] remoted Dropping Events

2016-12-12 Thread Victor Fernandez
GET=server > > > > Obviously I could change this value back to 'server', but will this fix > the issue? > > > > Thanks, > Chris > > > On Saturday, December 10, 2016 at 6:04:45 AM UTC-5, Victor Fernandez wrote: >> >> Hi Chris, >> >> as you

Re: [ossec-list] Still having problems with OSSEC 2.8 on FreeBSD 10.3

2016-12-05 Thread Victor Fernandez
Hello, The "ossec/queue" file is actually a socket that *ossec-agentd* creates to allow *Syscheck *and *Logcollector *to send data. Then *ossec-agentd* delivers that data to the manager. When you launched "/usr/local/ossec-hids/bin/ossec-control start", the application logged that *ossec-execd*

Re: [ossec-list] Re: Compile issue : undefined reference ?

2016-12-20 Thread Victor Fernandez
Hi, I did compile OSSEC v2.8.3 on a clean CentOS 7 following these steps: 1. Install MySQL Community repository: curl -Lo mysql.rpm http://dev.mysql.com/get/mysql57-community-release-el7-9.noarch.rpm yum -y install mysql.rpm rm mysql.rpm 2. Download OSSEC v2.8.3 sources: yum -y install

Re: [ossec-list] Custom decoder & rule not working

2017-03-23 Thread Victor Fernandez
Hi Martin, the problem is that this log also matches rule 2501 (from Syslog) that has level 5. Since your rule 100201 has level 1, OSSEC discards it in favor of rule 2501. So, increasing the level to 6, it should work: app.ERROR Multiple login attempts bepark.eu/fr/connexion 100201

[ossec-list] Re: install ossec - bind to port 1514 fail | getaddrinfo: name or service not know

2017-03-21 Thread Victor Fernandez
Hi Eduardo, It seems that the error from "getaddrinfo" does not show which process logs it, but both remoted and authd processes are logging errors. Could you share your configuration and the command that you use to run ossec-authd? It could be very useful for us to help you. Best regards.

Re: [ossec-list] install ossec - bind to port 1514 fail | getaddrinfo: name or service not know

2017-03-29 Thread Victor Fernandez
day, 23 March 2017 15:37:50 UTC-3, Victor Fernandez > wrote: >> >> Hi Eduardo, >> >> I agree with Dan, I tested OSSEC v2.9 on a clean CentOS 7 with your >> configuration and it worked. But when I disabled IPv6 I got the >> same errors you have. >&

Re: [ossec-list] Re: %AppData% alert on new file creation proper setup

2017-03-29 Thread Victor Fernandez
Hi, I tested that configuration at Windows agent's ossec.conf: 300 C:\Users/Administrator/AppData/Local/Temp And I added this new rule on manager's local_rules.xml: 554 <regex>C:\\Users/\S+/AppData/Local/Temp File added to the system at Temp directory. syscheck,pci_dss_11.5, This

Re: [ossec-list] install ossec - bind to port 1514 fail | getaddrinfo: name or service not know

2017-03-23 Thread Victor Fernandez
Hi Eduardo, I agree with Dan, I tested OSSEC v2.9 on a clean CentOS 7 with your configuration and it worked. But when I disabled IPv6 I got the same errors you have. Please try to enable IPv6 on the running system with: sysctl -w net.ipv6.conf.all.disable_ipv6=0 sysctl -w

[ossec-list] Re: Modify rules

2017-03-20 Thread Victor Fernandez
Hi, You have some options to achieve this: One of them is to increase the rule level. Changing the value at the original rule would work but I'd recommend you to create a new rule (at file *local_rules.xml*), adding attribute 'overwrite="yes"' and changing the rule level: 5700

Re: [ossec-list] Redundancy manager (backup)

2017-04-04 Thread Victor Fernandez
Sorry I forgot to mention Chef, you can definitely use it to deploy your agents. If you are interested in it, take a look at: https://github.com/sous-chefs/ossec. Best regards. On Tue, Apr 4, 2017 at 2:55 PM, Martin wrote: > Is it possible to deploy them (agents) easily

Re: [ossec-list] Redundancy manager (backup)

2017-04-10 Thread Victor Fernandez
Hi Martin, please give us a clue: do you see any issue at the logs? For example, when the agent switches to another server you should see logs such as: ossec-agentd: INFO: Closing connection to server (10.0.0.1:1514). ossec-agentd: INFO: Trying to connect to server (10.0.0.2:1514). If the agent

Re: [ossec-list] Redundancy manager (backup)

2017-04-11 Thread Victor Fernandez
Hi Martin, I'm glad to know that everything is OK. Your firewall configuration for the manager is good, filtering by source IP is fine. However the configuration for the agent should filter by source port, because we do not know which port the agent communicates from. I mean, the agent does

Re: [ossec-list] Redundancy manager (backup)

2017-04-04 Thread Victor Fernandez
Hi Martin, there are actually some options to deploy agents, you can use Puppet or Ansible to make a large deployment. A very simple unattended installation could be installing the agent with preloaded variables. You can find file etc/preloaded-vars.conf at the source code, fill it (uncomment and

Re: [ossec-list] Redundancy manager (backup)

2017-04-03 Thread Victor Fernandez
Hi Martin, when agents connect to the manager, the latter sends an ACK message to confirm that the connection is established. From that moment on, agents send data with no arrival confirmation. This means that, if the server went down, agents would keep sending data, which will be lost. There is a

Re: [ossec-list] OSSEC fails to start after install from RPM on RHEL7

2017-04-07 Thread Victor Fernandez
Hi Felix, I followed your steps and got the same result. Maybe the OSSEC log could help us: root@centos ~]# tail /var/ossec/logs/ossec.log 2017/04/07 00:59:35 ossec-testrule: INFO: Reading local decoder file. 2017/04/07 00:59:35 ossec-testrule: INFO: Started (pid: 2303). 2017/04/07 00:59:50

Re: [ossec-list] Re: OSSEC Agent not works

2017-04-17 Thread Victor Fernandez
Hi, have you more than one network interface on your manager? I find your tcpdump log a bit unusual: 00:58:11.619862 IP 10.2.2.3.43453 > *10.2.2.12*.fujitsu-dtcns: UDP, length 73 00:58:11.620415 IP *10.2.2.13*.fujitsu-dtcns > 10.2.2.3.43453: UDP, length 73 It seems that the manager is

[ossec-list] Re: Syscheck on windows agent taking too long

2017-03-09 Thread Victor Fernandez
Hi Thiago, Maybe this is not exactly an issue, if you have configured a large amount of files –or Windows Registry entries– to be monitored. The thing is that Syscheck is actually sleeping most of the time, and does so in order not to congest the network. You can do some tuning on Syscheck

[ossec-list] Re: Implementing ossec-local at scale in Docker containers

2017-03-08 Thread Victor Fernandez
Hi Sushan, I think that embedding a local OSSEC into every container is not the best approach, IMHO. In fact, Docker's "best practices" guideline recommends having one process per container, which could mean one service per container. Since agents can auto-register via ossec-authd, you

[ossec-list] Re: queue/ossec/queue' not accessible after fresh install

2017-03-08 Thread Victor Fernandez
Hi Barry, File /var/ossec/etc/local_decoder.xml must exist and contain at least one decoder, although it is a dummy one, for example: local_decoder_example Try to create that file and fill it with the content above and restart ossec with: /var/ossec/bin/ossec-control restart. Hope it

Re: [ossec-list] Re: Syscheck on windows agent taking too long

2017-03-10 Thread Victor Fernandez
Glad to solve your problem! Best regards. On 10 Mar 2017 10:31 a.m., "Thiago Campos" wrote: > > Victor, it works! Thanks again. > > 2017/03/10 11:55:42 ossec-agent: INFO: Starting syscheck scan (forwarding > database). > 2017/03/10 11:55:42 ossec-agent: INFO:

[ossec-list] Re: Syscheck real-time monitoring

2017-03-10 Thread Victor Fernandez
Hi Thiago, the previous messages "Event count after '2':" make me think that your system is receiving a large amount of Syscheck events in real-time. I think that the error "real time call back called, but 0 bytes" happens only in Windows agents when the internal Windows directory monitor

[ossec-list] Re: Had to rebuild the server, now how to get agent to reconnect

2017-03-06 Thread Victor Fernandez
Hi Barry, the AR queue is managed by process *ossec-remoted*. Please confirm that it's up with: /var/ossec/bin/ossec-control status And take a look at the ossec.log file: grep ossec-remoted /var/ossec/logs/ossec.log | tail -n 20 The *ossec-remoted* process dies if file

Re: [ossec-list] Re: Windows agent doesn't synchronize agent.conf

2017-08-03 Thread Victor Fernandez
; don't think changing the default buffer size is a good idea > > > > Yes, just add tcp support to agentd and remoted. > Wazuh may already have this, I'm not positive. > > > On Monday, 10 July 2017 12:34:48 UTC+1, Victor Fernandez wrote: > >> > >> Hi

[ossec-list] Re: makefile compile g++: error: server.o: No such file or directory

2017-07-07 Thread Victor Fernandez
Hi, try: $(CC) server.cpp config.h $(CFLAGS) -c -o $@ $< -I./$(INCLUDE_PATH) instead of: $(CC) server.cpp config.h $(CFLAGS) -c $@ -I./$(INCLUDE_PATH) Option -c tells the compiler that it shouldn't compile, but you have to use "-o" in order to specify the output. $@=server.o. Then use $<

Re: [ossec-list] Re: Windows agent doesn't synchronize agent.conf

2017-07-10 Thread Victor Fernandez
it can bring me some problem in the > future. > > On Monday, 3 July 2017 11:39:52 UTC-3, Victor Fernandez > wrote: >> >> Hi, >> >> it is strange that the log indicates line 147 when it was not able to >> read it. Maybe the agent.conf file is no

Re: [ossec-list] syslog_output question

2017-07-11 Thread Victor Fernandez
Hi Robert, OSSEC should take these settings independently: - Configuration A will send alerts with level 8 or higher. - Configuration B will send alerts with level 4 or higher (including alerts sent by the former setting) belonging to these groups. So you'll receive duplicate alerts.

Re: [ossec-list] ossec-agent buffer and/or cache configurations

2017-07-19 Thread Victor Fernandez
Hello Grant, OSSEC tracks logs from the file end when it starts. I mean, when OSSEC starts it opens every monitored file and jumps to the current file end. From that moment on it will report all new data arriving in the log. If OSSEC detects that a log was rotated, it re-opens the file and

Re: [ossec-list] Re: Windows agent doesn't synchronize agent.conf

2017-07-03 Thread Victor Fernandez
Hi, it is strange that the log indicates line 147 when it was not able to read it. Maybe the agent.conf file is not arriving at the agent or it is being discarded due to a checksum error. First, please remove file *merged.mg* from folder *shared* in the agent and the manager.

[ossec-list] Re: Rule on server only for specific agents

2017-06-02 Thread Victor Fernandez
Hi Tom, there is a rule option, , that should work for you. Alerts start this way: ** Alert 1488922301.778562: mail - ossec,syscheck,pci_dss_11.5, 2017 Mar 07 13:31:41 (myagent) 192.168.66.1->syscheck The text in red is the agent hostname, it has form "(name) IP". Another instance may be

Re: [ossec-list] Re: ignore / ignore regex behavior

2017-10-09 Thread Victor Fernandez
Hi Sean, if you want to filter by agent name, taking into account that the key is at the beginning of the name, you could simply use this pattern: <*agent_config* *name*="^m1"> <*agent_config* *name*="^g1"> <*agent_config* *name*="^t5"> The *name* option filters by agent name. If you

Re: [ossec-list] Help needed creating local rule to ignore an ossec core alert

2018-01-13 Thread Victor Fernandez
Hi, The name of the agent isn't extracted into a field for that rule. This is an example of an alert of disconnected agent: ** Alert 1515842367.7996: mail - ossec,pci_dss_10.6.1,pci_dss_10.2.6,gpg13_10.1, 2018 Jan 13 12:19:27 fedora->ossec-monitord Rule: 504 (level 3) -> 'Ossec agent

Re: [ossec-list] Expected behaviour of syscheck

2018-03-14 Thread Victor Fernandez
Hi, The configuration parser allows multiple definitions of . OSSEC reads the *ossec.conf* file first, and then *agent.conf* (only in agents). The option is aggregable so all directories specified will be monitored. On the other hand, value-based options (like ) are overwritten. So the option

Re: [ossec-list] ossec-logcollector(1103): ERROR [(9)-(Bad file descriptor)]. Can't get my OSSEC agent to monitor my Windows logs.

2018-04-25 Thread Victor Fernandez
Hi Patrik and Dan, I wonder if this issue may be related to the file path. *C:\ProgramData\GlobalSCAPE\**EFT Server Enterprise/Logs* seems to be a directory. Could you confirm that? The *localfile* configuration for logs supports paths or patterns to files only. If you want to follow all the