On Thu, Mar 14, 2013 at 9:49 AM, S Pratap Singh <[email protected]> wrote:
> Yes, decoder pure-transfer I had defined in the "local_decoder.xml" file but it
> was not detecting it. To fix the issue I have changed the log settings for my
> ftp server to log all the events in the syslog file and enabled rule id 1304
> to match upload and download. It worked for me.
>
> I am not sure why it was not detecting the decoder "pure-transfer" defined
> in the file "local_decoder.xml".
>
What are the permissions on /var/ossec/etc/local_decoder.xml?
Permissions on /var/ossec/etc/decoder.xml?
Is this a server, agent, or local installation?

>
> On Thu, Mar 14, 2013 at 6:51 PM, S Pratap Singh <[email protected]> wrote:
>>
>> Thanks for the help Dan.. I have fixed the issue and everything works
>> perfectly .. :)
>>
>> On Thu, Mar 14, 2013 at 2:11 PM, S Pratap Singh <[email protected]>
>> wrote:
>>>
>>> Hi Dan,
>>>
>>> Things are working fine now, but I have another problem: now I am getting
>>> most of the alerts for FTP activity, excluding the file upload and download
>>> alerts. The rule which you have given works fine, but when I restart OSSEC
>>> I am getting the following error:
>>>
>>> 2013/03/14 12:38:18 ossec-analysisd: Invalid decoder name:
>>> 'pure-transfer'.
>>> 2013/03/14 12:38:18 ossec-analysisd(1220): ERROR: Error loading the
>>> rules: 'local_rules.xml'.
>>> 2013/03/14 12:38:21 ossec-remoted(1210): ERROR: Queue
>>> '/queue/ossec/queue' not accessible: 'Connection refused'.
>>> 2013/03/14 12:38:21 ossec-remoted(1211): ERROR: Unable to access queue:
>>> '/queue/ossec/queue'. Giving up..
>>>
>>> So there are two problems I am facing currently:
>>> 1. Not getting alerts for upload and download, since these are logged
>>> into another file and not into the syslog file.
>>> 2. Facing the issue with restarting the OSSEC server.
>>>
>>> Thanks for your input and help so far.
>>>
>>> On Thu, Mar 14, 2013 at 2:58 AM, dan (ddp) <[email protected]> wrote:
>>>>
>>>> On Wed, Mar 13, 2013 at 7:43 AM, S Pratap Singh <[email protected]>
>>>> wrote:
>>>> > All fixed but I am not getting alerts to my mailbox for FTP activity
>>>> > as other alerts.
>>>> >
>>>>
>>>> Are you getting other alerts in your email?
>>>> Do you have access to the maillogs? If so, check to see if the mail is
>>>> being rejected or something.
>>>> If not, use tcpdump or something similar to watch mail traffic to see
>>>> if OSSEC even attempts to send the message.
>>>>
>>>> > --
>>>> >
>>>> > ---
>>>> > You received this message because you are subscribed to the Google
>>>> > Groups "ossec-list" group.
>>>> > To unsubscribe from this group and stop receiving emails from it, send
>>>> > an email to [email protected].
>>>> > For more options, visit https://groups.google.com/groups/opt_out.
>>>
>>> --
>>> Regards,
>>> Pratap Singh
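As an added example (not code from this thread or from the OSSEC project), a small Python checker for the two things dan asks about above: whether every decoder a rules file names in <decoded_as> is actually defined in the decoder files that get loaded, which is what the "Invalid decoder name" error followed by "Error loading the rules" means, and whether a decoder file's mode lets the unprivileged OSSEC process read it. The decoder bodies, the rule ids 100100/100101 and the typo "pure-ftpdd" are constructed for illustration; only the decoder name pure-transfer comes from the thread.

```python
import re
import stat

# Constructed sample files: "pure-transfer" is the name from the thread,
# everything else (decoder bodies, rule ids, the "pure-ftpdd" typo) is assumed.
DECODER_XML = """
<decoder name="pure-ftpd">
  <program_name>^pure-ftpd</program_name>
</decoder>
"""
LOCAL_DECODER_XML = """
<decoder name="pure-transfer">
  <program_name>^pure-ftpd</program_name>
</decoder>
"""
LOCAL_RULES_XML = """
<group name="local,">
  <rule id="100100" level="5">
    <decoded_as>pure-transfer</decoded_as>
    <description>FTP transfer (constructed)</description>
  </rule>
  <rule id="100101" level="3">
    <decoded_as>pure-ftpdd</decoded_as>
    <description>Typo in decoder name: breaks rule loading</description>
  </rule>
</group>
"""

# OSSEC decoder and rule files are XML fragments without a single root
# element, so simple regexes are more forgiving than a strict XML parser.
DECODER_NAME = re.compile(r'<decoder\s+name="([^"]+)"')
DECODED_AS = re.compile(r"<decoded_as>\s*([^<\s]+)\s*</decoded_as>")


def decoder_names(*decoder_files):
    """Decoder names defined across every decoder file that gets loaded."""
    return {n for text in decoder_files for n in DECODER_NAME.findall(text)}


def missing_decoders(rules_text, *decoder_files):
    """Names a rules file references that no loaded decoder file defines.
    Each one makes ossec-analysisd log 'Invalid decoder name' and refuse
    to load that rules file, as in the error pasted in the thread."""
    return sorted(set(DECODED_AS.findall(rules_text)) - decoder_names(*decoder_files))


def group_readable(mode):
    """True if st_mode grants group read. Files under /var/ossec/etc are
    commonly root:ossec 0640; a 0600 file created as root stays unreadable
    to the ossec user that analysisd runs as, so its decoders never load."""
    return bool(mode & stat.S_IRGRP)
```

Run missing_decoders with only decoder.xml loaded and pure-transfer shows up as missing; add local_decoder.xml and only the typo remains.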
