2012/12/20 <[email protected]>
> Today's Topic Summary
>
> Group: http://groups.google.com/group/ossec-list/topics
>
> - install.sh fails on Agents when Dash is the default shell [2 Updates]
> - Account Activity Notification [1 Update]
> - ossec email alerting on <ignore> folders [1 Update]
> - Cisco ASA syslog rule not working [1 Update]
> - syscheck errors - Unable to create directory and Unable to rename file [18 Updates]
> - Win Null-Route flagging IP 0.0.0.0 [1 Update]
> - Regarding Network traffic [1 Update]
> - segmentation fault [1 Update]
> - Setting up log in mysql databases ? getting some error [1 Update]
>
> install.sh fails on Agents when Dash is the default shell <http://groups.google.com/group/ossec-list/t/59063332d8774d69>
>
> [email protected] Dec 19 05:03PM -0800
>
> Hi,
>
> I'm installing ossec 2.7 on some hosts. I've previously used 2.6 with no trouble.
>
> The server install went fine. But on my agents, I get this output when trying to install:
> ...more <http://groups.google.com/group/ossec-list/msg/fb982b864be88ca3>
>
> "dan (ddp)" <[email protected]> Dec 19 08:05PM -0500
>
> > Hi,
>
> > I'm installing ossec 2.7 on some hosts. I've previously used 2.6 with no trouble.
>
> > The server install went fine. But on my agents, I get this output when trying to install:
> ...more <http://groups.google.com/group/ossec-list/msg/c9640513133ea576>
>
> Account Activity Notification <http://groups.google.com/group/ossec-list/t/e05d54870c0c291e>
>
> Lsilverman <[email protected]> Dec 19 02:30PM -0800
>
> You'd have to write a decoder that could parse the important information out of the log message, in this case the username. You would then write a rule based on your decoder that would go off at a
> ...more <http://groups.google.com/group/ossec-list/msg/16b5363c1ff72633>
>
> ossec email alerting on <ignore> folders <http://groups.google.com/group/ossec-list/t/e75db066fbe10dbb>
>
> Lsilverman <[email protected]> Dec 19 02:15PM -0800
>
> I am monitoring my inetpub folder on a webserver and ignoring log files/folders within inetpub. For some reason ossec sends me email alerts for files/folders that I am ignoring. Can someone look
> ...more <http://groups.google.com/group/ossec-list/msg/7934c43b83465bb6>
>
> Cisco ASA syslog rule not working <http://groups.google.com/group/ossec-list/t/8b5cfcb25f86dd40>
>
> funwithossec <[email protected]> Dec 19 01:06PM -0800
>
> On Tuesday, December 18, 2012 4:58:06 PM UTC-8, funwithossec wrote:
>
> > Any idea how to make Ossec identify this syslog message as what it is?
>
> > -Thanks
>
> All,
>
> Thanks for any looks on
> ...more <http://groups.google.com/group/ossec-list/msg/f8d21541d7f59380>
>
> syscheck errors - Unable to create directory and Unable to rename file <http://groups.google.com/group/ossec-list/t/80a2dae86d934277>
>
> Lsilverman <[email protected]> Dec 19 06:53AM -0800
>
> Let me start off with I love ossec, It's an amazing product if you take the time to learn it and tune it. My manager is a CentOS box and my agent in question is a Win 2003 R2 SP2 box.
> ...more <http://groups.google.com/group/ossec-list/msg/341bd46a6d371cd9>
>
> "dan (ddp)" <[email protected]> Dec 19 10:22AM -0500
>
> On Wed, Dec 19, 2012 at 9:53 AM, Lsilverman
>
> > Does anyone see an issue with my config? Ossec knows that those are new files, why do I not get an alert? Why is my windows ossec install looking
> ...more <http://groups.google.com/group/ossec-list/msg/1aed92e581f3fd8a>
>
> Lsilverman <[email protected]> Dec 19 07:24AM -0800
>
> I did not set it on the server. Where/how would I do that?
>
> Thanks for your quick response!!!!
>
> On Wednesday, December 19, 2012 10:22:00 AM UTC-5, dan (ddpbsd) wrote:
> ...more <http://groups.google.com/group/ossec-list/msg/bcb2f5859b87567a>
>
> "dan (ddp)" <[email protected]> Dec 19 10:26AM -0500
>
> On Wed, Dec 19, 2012 at 10:24 AM, Lsilverman
> > I did not set it on the server. Where/how would I do that?
>
> > Thanks for your quick response!!!!
>
> In the server's /var/ossec/etc/ossec.conf, in the
> ...more <http://groups.google.com/group/ossec-list/msg/52558bb2ca9100bc>
>
> Lsilverman <[email protected]> Dec 19 07:45AM -0800
>
> I am adding this now, I will test and let you know my results.
>
> I thought that the ossec.conf on the manager related to the agent running on the manager doing checks of itself? Similar to the
> ...more <http://groups.google.com/group/ossec-list/msg/8093c0c9a8ed3b00>
>
> "dan (ddp)" <[email protected]> Dec 19 10:46AM -0500
>
> On Wed, Dec 19, 2012 at 10:45 AM, Lsilverman
> > the manager doing checks of itself? Similar to the ossec.conf file on any agent.
>
> > Thanks
>
> It does, but it also governs the alerts it sends out.
> ...more <http://groups.google.com/group/ossec-list/msg/a672946efaa5160b>
>
> Lou Silverman <[email protected]> Dec 19 11:14AM -0500
>
> It appears you are correct, report_changes is not available on Windows OS as I am no longer getting those errors.
>
> I am now alerting on new files! Now to write the rules for modified
> ...more <http://groups.google.com/group/ossec-list/msg/7b21c405e329c3a7>
>
> "dan (ddp)" <[email protected]> Dec 19 11:19AM -0500
>
> ---------- Forwarded message ----------
> From: dan (ddp) <[email protected]>
> Date: Wed, Dec 19, 2012 at 11:17 AM
> Subject: Re: [ossec-list] syscheck errors - Unable to create directory
> ...more <http://groups.google.com/group/ossec-list/msg/5c7fc378a6982ce1>
>
> "dan (ddp)" <[email protected]> Dec 19 11:26AM -0500
>
> On Wed, Dec 19, 2012 at 11:19 AM, Lou Silverman
> > Changing it back to 72000 allowed me to start the agent. Any ideas?
>
> > Thanks
>
> > Lou
>
> Nope. Can you provide the exact error?
>
> ...more <http://groups.google.com/group/ossec-list/msg/b901f2822b5e79a4>
>
> Lou Silverman <[email protected]> Dec 19 11:27AM -0500
>
> Here is a funky error... I changed my syscheck frequency from 72000s to 7200s and I could not start my agent - I got an error to check my config. Changing it back to 72000 allowed me to start the
> ...more <http://groups.google.com/group/ossec-list/msg/ed83a10c1918c184>
>
> "dan (ddp)" <[email protected]> Dec 19 11:28AM -0500
>
> > > Thanks
>
> > > Lou
>
> > Nope. Can you provide the exact error?
>
> I just checked one of my agents and it's set to 7200:
>
> <syscheck>
>   <frequency>7200</frequency>
>
>   ...
> </syscheck>
> ...more <http://groups.google.com/group/ossec-list/msg/cd91b356d427871>
>
> Lou Silverman <[email protected]> Dec 19 11:32AM -0500
>
> Here is a snippet of my config:
>
> <!-- Syscheck - Integrity Checking config. -->
> <syscheck>
>
> <!-- Default frequency, every 20 hours. It doesn't need to be higher - on most
> ...more <http://groups.google.com/group/ossec-list/msg/e7c782140fa2d935>
>
> "dan (ddp)" <[email protected]> Dec 19 11:34AM -0500
>
> On Wed, Dec 19, 2012 at 11:32 AM, Lou Silverman
> > 2.6 or 2.7?
>
> > Thanks
>
> > Lou
>
> I'm using 2.7. I haven't used 2.6 in ages. Did you get that error message from the ossec.log?
>
> ...more <http://groups.google.com/group/ossec-list/msg/98043b1ac65f671a>
>
> Lou Silverman <[email protected]> Dec 19 12:12PM -0500
>
> I got the error when trying to start my agent. It popped up preventing me from starting the server. When I installed 2.6, 2.7 was still a beta.
> Can I use a version 2.7 agent with a 2.6 server?
> ...more <http://groups.google.com/group/ossec-list/msg/24d037ea5f33bb60>
>
> "dan (ddp)" <[email protected]> Dec 19 12:22PM -0500
>
> On Wed, Dec 19, 2012 at 12:12 PM, Lou Silverman
> > use a version 2.7 agent with a 2.6 server?
>
> > Thanks
>
> > Lou
>
> No, they should be kept in sync if possible, and the agent should
> ...more <http://groups.google.com/group/ossec-list/msg/10aa6b9ddeafb970>
>
> Lou Silverman <[email protected]> Dec 19 12:35PM -0500
>
> Correction to my previous post, it prevented me from starting the agent.
>
> When I change 07200 to 7200, the server IP disappears from the box. when I add it and hit SAVE, i get a popup with this
> ...more <http://groups.google.com/group/ossec-list/msg/510279a1360717bc>
>
> "dan (ddp)" <[email protected]> Dec 19 12:41PM -0500
>
> On Wed, Dec 19, 2012 at 12:35 PM, Lou Silverman
>
> > Changing it back to 07200 allows me to save the server IP and start the agent.
>
> > Thanks
>
> I have no clue. That's odd. notepad shouldn't be
> ...more <http://groups.google.com/group/ossec-list/msg/a38c604befb7cbbb>
>
> Lou Silverman <[email protected]> Dec 19 01:25PM -0500
>
> I will install 2.7 to see if that fixes the issue and will report back.
> I will have to update my server so give me some time.
>
> Another quick Q - I have added the real_time="yes" option to my agent
> ...more <http://groups.google.com/group/ossec-list/msg/9b9219da4ebeab47>
>
> Win Null-Route flagging IP 0.0.0.0 <http://groups.google.com/group/ossec-list/t/2d71f0f0bcbe930e>
>
> Truongy <[email protected]> Dec 19 09:30AM -0800
>
> Has anyone experienced an issue where IP 0.0.0.0 was added to the routing table? Anyone know a solution to this as white-listing 0.0.0.0 in ossec.conf does not work?
>
> Network Destination
> ...more <http://groups.google.com/group/ossec-list/msg/323538fd2bb240f8>
>
> Regarding Network traffic <http://groups.google.com/group/ossec-list/t/3a2751542eff4170>
>
> Dhinakaran G <[email protected]> Dec 19 06:20AM -0800
>
> Hi All ,
>
> I am new user of Ossec , I want know what are the data will pass from client to server
>
> In server we are planing to opening only
>
> 1. sshd rules
>
> 2. pam rules
> ...more <http://groups.google.com/group/ossec-list/msg/910d1aa97769ce67>
>
> segmentation fault <http://groups.google.com/group/ossec-list/t/f05383cc7ae1e3bc>
>
> "dan (ddp)" <[email protected]> Dec 19 09:24AM -0500
>
> On Tue, Dec 18, 2012 at 4:28 PM, Carrie Poole
> > Ossec.conf:
>
> This is the server's ossec.conf. I'm only interested in the ossec.conf of a system with a segfaulting syscheckd.
>
> With the
> ...more <http://groups.google.com/group/ossec-list/msg/216ca0db3b3e0958>
>
> Setting up log in mysql databases ? getting some error <http://groups.google.com/group/ossec-list/t/b61d2abc3f09a01c>
>
> Dhinakaran G <[email protected]> Dec 19 01:53AM -0800
>
> Thank you very much i found that information in
>
> https://groups.google.com/forum/?fromgroups=#!searchin/ossec-list/Error$20Making$20os_dbd/ossec-list/qqWzQTEP7kc/phfU1tXHbisJ
> On Tuesday, December
> ...more <http://groups.google.com/group/ossec-list/msg/8347f24643ede91a>
>
> You received this message because you are subscribed to the Google Group ossec-list.
> You can post via email <[email protected]>.
> To unsubscribe from this group, send <[email protected]> an empty message.
> For more options, visit <http://groups.google.com/group/ossec-list/topics> this group.
