So, how do I install OSSEC on 100s of computers without doing the key generation for each one?
-----Original Message-----
From: [email protected] [mailto:[email protected]] On Behalf Of dan (ddp)
Sent: Friday, April 16, 2010 5:34 PM
To: [email protected]
Subject: Re: [ossec-list] Excessive number of events

I'm guessing the systems are unixmstr.sungard, funt, and marley. The times to look at are 6:00 to 7:00, 7:00 to 8:00, 8:00 to 9:00 on the various systems. And it looks like it might be worth investigating, since you're getting 200-300 more alerts for those systems than you usually get.

On Fri, Apr 16, 2010 at 1:53 PM, Michael Barrett <[email protected]> wrote:
> Thanks for the guidance, I looked into the log on newman (which is the OSSEC server)
>
> All the excessive alerts indicate "mail - stats"
>
> Does this help narrow down the issue? Possibly some tweak I can make?
>
> ** Alert 1271421891.358061: mail - stats,
> 2010 Apr 16 07:44:51 (unixmstr.sungard) 172.24.203.138->rootcheck
> Rule: 11 (level 8) -> 'Excessive number of events (above normal).'
> Src IP: (none)
> User: (none)
> The average number of logs between 7:00 and 8:00 is 415. We reached 666.
>
> ** Alert 1271426220.619212: mail - stats,
> 2010 Apr 16 08:57:00 (funt) 172.24.189.13->syscheck
> Rule: 11 (level 8) -> 'Excessive number of events (above normal).'
> Src IP: (none)
> User: (none)
> The average number of logs between 8:00 and 9:00 is 479. We reached 730.
>
> ** Alert 1271417553.254691: mail - stats,
> 2010 Apr 16 06:32:33 (marley) 144.122.203.18->rootcheck
> Rule: 11 (level 8) -> 'Excessive number of events (above normal).'
> Src IP: (none)
> User: (none)
> The average number of logs between 6:00 and 7:00 is 573. We reached 824.
>
> ____________________________________________
> Michael Barrett | Information Security Analyst - Lead | Mortgage Guaranty Insurance Corporation
> 270 E. Kilbourn Ave. | Milwaukee, WI 53202 USA | 1.414.347.6271 | 1.888.601.4440 | [email protected]
>
> Accomplishing the impossible means only that your boss will add it to your regular duties. (Doug Larson)
>
> This message is intended for use only by the person(s) addressed above and may contain privileged and confidential information. Disclosure or use of this message by any other person is strictly prohibited. If this message is received in error, please notify the sender immediately and delete this message.
>
> From: "dan (ddp)" <[email protected]>
> To: [email protected]
> Date: 04/16/2010 11:49 AM
> Subject: Re: [ossec-list] Excessive number of events
> Sent by: [email protected]
>
> Is newman your ossec server? If so, check the logfile it mentions.
> Basically, one or more hosts has logged (during a specific time frame, possibly mentioned in the alert) more events than usual. These could be multiple occurrences of the same event trigger, or entirely different types of events.
> Depending on your storage methods you could investigate in a number of ways. Something like logwatch might be useful to help reduce the amount of raw data you have to sift through. If you log to a database (ossec-dbd), there is probably some simple-ish sql to help find an answer.
> I don't think there is a one-size-fits-all answer to this question, except for the very broad: look at the logs.
>
> On 4/16/10, Michael Barrett <[email protected]> wrote:
>> Any advice on how to find out what is going on? What can cause this alert, where would I look for more information?
>>
>> From: "dan (ddp)" <[email protected]>
>> To: [email protected]
>> Date: 04/16/2010 08:24 AM
>> Subject: Re: [ossec-list] Excessive number of events
>> Sent by: [email protected]
>>
>> It tells you that you are getting an abnormal amount of alerts for that time of the day.
>> Something is happening to cause those alerts, find out what.
>>
>> On Thu, Apr 15, 2010 at 5:05 PM, Michael Barrett <[email protected]> wrote:
>>> Message: <30>Apr 15 15:37:50 newman ossec:/var/ossec/logs/alerts/alerts.log
>>> Rule: 11 (level 8) -> 'Excessive number of events (above normal).'
>>>
>>> I get several of these every day. I asked a question about suppressing them and was told that I shouldn't do it.
>>>
>>> What does this alert tell me? How would I follow up on this event?
>>>
>>> --
>>> To unsubscribe, reply using "remove me" as the subject.
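Dan's advice boils down to "look at the logs" for the agents and hour windows named in the rule 11 alerts. The helper below is an added example, not code from the thread or from OSSEC: it parses the alerts.log format quoted above (the sample is constructed from the three alerts in the thread), keeps only rule 11 stats alerts, and orders agents and hour windows by how far they exceeded their hourly baseline, which is where triage should start.

```python
import re

# Constructed alerts.log excerpt: the three rule 11 alerts quoted in the thread above.
SAMPLE_ALERTS = """\
** Alert 1271421891.358061: mail - stats,
2010 Apr 16 07:44:51 (unixmstr.sungard) 172.24.203.138->rootcheck
Rule: 11 (level 8) -> 'Excessive number of events (above normal).'
Src IP: (none)
User: (none)
The average number of logs between 7:00 and 8:00 is 415. We reached 666.

** Alert 1271426220.619212: mail - stats,
2010 Apr 16 08:57:00 (funt) 172.24.189.13->syscheck
Rule: 11 (level 8) -> 'Excessive number of events (above normal).'
Src IP: (none)
User: (none)
The average number of logs between 8:00 and 9:00 is 479. We reached 730.

** Alert 1271417553.254691: mail - stats,
2010 Apr 16 06:32:33 (marley) 144.122.203.18->rootcheck
Rule: 11 (level 8) -> 'Excessive number of events (above normal).'
Src IP: (none)
User: (none)
The average number of logs between 6:00 and 7:00 is 573. We reached 824.
"""

# Header line "YYYY Mon DD HH:MM:SS (agent) ip->source"; the agent name is what we want.
AGENT_RE = re.compile(r"^\d{4} \w{3} +\d{1,2} \d\d:\d\d:\d\d \(([^)]+)\)", re.M)
RULE_RE = re.compile(r"^Rule: (\d+) ", re.M)
STATS_RE = re.compile(r"between (\d+:\d+) and (\d+:\d+) is (\d+)\. We reached (\d+)\.")

def parse_rule11(text):
    """One record per rule 11 alert: agent, hour window, hourly baseline and actual count."""
    records = []
    for block in text.split("** Alert")[1:]:  # every alert begins with '** Alert'
        rule, agent, stats = RULE_RE.search(block), AGENT_RE.search(block), STATS_RE.search(block)
        if not (rule and agent and stats) or rule.group(1) != "11":
            continue  # other rules, or a block that does not carry the stats sentence
        avg, reached = int(stats.group(3)), int(stats.group(4))
        records.append({"agent": agent.group(1), "window": f"{stats.group(1)}-{stats.group(2)}",
                        "average": avg, "reached": reached,
                        "excess": reached - avg,  # extra events over the baseline
                        "ratio": round(reached / avg, 2) if avg else float("inf")})  # relative
    return records

def triage_order(records):
    """(agent, window) pairs, the largest relative deviation from baseline first."""
    ranked = sorted(records, key=lambda r: r["ratio"], reverse=True)
    return [(r["agent"], r["window"]) for r in ranked]
```

Run it over the real /var/ossec/logs/alerts/alerts.log on the server and the output tells you which agent and which hour to pull raw logs for first.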
