ll /var/ossec/etc/local_decoder.xml
-r--r----- 1 root ossec 262 Mar 14 18:39 /var/ossec/etc/local_decoder.xml

ll /var/ossec/etc/decoder.xml
-r--r----- 1 root ossec 88975 Jul 12 2011 /var/ossec/etc/decoder.xml

It's a server installation.

On Thu, Mar 14, 2013 at 7:25 PM, dan (ddp) <[email protected]> wrote:
> On Thu, Mar 14, 2013 at 9:49 AM, S Pratap Singh <[email protected]> wrote:
> > Yes, decoder pure-transfer I had defined in the "local_decoder.xml" file, but it
> > was not detecting it. To fix the issue I have changed the log settings for my
> > FTP server to log all the events in the syslog file and enabled rule id 1304
> > to match upload and download. It worked for me.
> >
> > I am not sure why it was not detecting the decoder "pure-transfer" defined
> > in the file "local_decoder.xml".
> >
>
> What are the permissions on /var/ossec/etc/local_decoder.xml?
> Permissions on /var/ossec/etc/decoder.xml? Is this a server, agent, or
> local installation?
>
> > On Thu, Mar 14, 2013 at 6:51 PM, S Pratap Singh <[email protected]> wrote:
> >>
> >> Thanks for the help Dan. I have fixed the issue and everything works
> >> perfectly. :)
> >>
> >> On Thu, Mar 14, 2013 at 2:11 PM, S Pratap Singh <[email protected]> wrote:
> >>>
> >>> Hi Dan,
> >>>
> >>> Things are working fine now. But I have another problem: now I am getting
> >>> most of the alerts for FTP activity, excluding the file upload and download
> >>> alerts. The rule which you have given works fine, but when I restart OSSEC
> >>> I am getting the following error:
> >>>
> >>> 2013/03/14 12:38:18 ossec-analysisd: Invalid decoder name: 'pure-transfer'.
> >>> 2013/03/14 12:38:18 ossec-analysisd(1220): ERROR: Error loading the rules: 'local_rules.xml'.
> >>> 2013/03/14 12:38:21 ossec-remoted(1210): ERROR: Queue '/queue/ossec/queue' not accessible: 'Connection refused'.
> >>> 2013/03/14 12:38:21 ossec-remoted(1211): ERROR: Unable to access queue: '/queue/ossec/queue'. Giving up..
> >>>
> >>> So there are two problems I am facing currently:
> >>> 1. Not getting alerts for upload and download, since this is getting logged
> >>>    into another file and not into the syslog file.
> >>> 2. Facing the issue with the restart of the OSSEC server.
> >>>
> >>> Thanks for your input and help so far.
> >>>
> >>> On Thu, Mar 14, 2013 at 2:58 AM, dan (ddp) <[email protected]> wrote:
> >>>>
> >>>> On Wed, Mar 13, 2013 at 7:43 AM, S Pratap Singh <[email protected]> wrote:
> >>>> > All fixed, but I am not getting alerts to my mailbox for FTP activity
> >>>> > as for other alerts.
> >>>> >
> >>>>
> >>>> Are you getting other alerts in your email?
> >>>> Do you have access to the mail logs? If so, check to see if the mail is
> >>>> being rejected or something.
> >>>> If not, use tcpdump or something similar to watch mail traffic to see
> >>>> if OSSEC even attempts to send the message.
> >>>>
> >>>> > --
> >>>> >
> >>>> > ---
> >>>> > You received this message because you are subscribed to the Google
> >>>> > Groups "ossec-list" group.
> >>>> > To unsubscribe from this group and stop receiving emails from it, send
> >>>> > an email to [email protected].
> >>>> > For more options, visit https://groups.google.com/groups/opt_out.
> >>>>
> >>> --
> >>> Regards,
> >>> Pratap Singh
> >>
> >> --
> >> Regards,
> >> Pratap Singh
> >
> > --
> > Regards,
> > Pratap Singh

--
Regards,
Pratap Singh
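The two things the thread circles around are whether ossec-analysisd can read local_decoder.xml at all, and whether every decoder name a rule references by <decoded_as> was actually loaded, since "Invalid decoder name: 'pure-transfer'" is what analysisd reports when it cannot resolve such a reference and it then refuses to load local_rules.xml. The script below is an added diagnostic, not OSSEC code and not anything posted in this thread. It approximates analysisd's lookup with regular expressions (OSSEC decoder files are not strict XML, so a strict XML parser would choke on them), and evaluates the read permission the way the kernel does so the ll output above can be checked without running as root. The sample decoder and rules texts, the rule ids 100100/100101, the decoder name "pure-transfer-typo" and the ossec uid/gid of 1001 are all constructed for the demonstration.

```python
"""Cross-check OSSEC rule <decoded_as> references against decoder files,
and check that the ossec user can read each decoder file.

Added example, not OSSEC's own code. The lookup is a regex approximation of
what ossec-analysisd does at startup; the sample inputs are constructed.
"""
import os
import re
import stat

DECODER_NAME_RE = re.compile(r'<decoder\s+name="([^"]+)"')
DECODED_AS_RE = re.compile(r"<decoded_as>\s*([^<\s]+)\s*</decoded_as>")

# Constructed sample local_decoder.xml defining the decoder named in the thread.
# The program_name body is a minimal stand-in, not pure-ftpd's real log format.
SAMPLE_LOCAL_DECODER = """
<decoder name="pure-transfer">
  <program_name>pure-ftpd</program_name>
</decoder>
"""

# Constructed sample local_rules.xml. The second rule references a decoder
# name no file defines, which is exactly what produces "Invalid decoder name".
SAMPLE_LOCAL_RULES = """
<group name="local,ftp,">
  <rule id="100100" level="3">
    <decoded_as>pure-transfer</decoded_as>
    <description>Constructed: pure-ftpd transfer event.</description>
  </rule>
  <rule id="100101" level="3">
    <decoded_as>pure-transfer-typo</decoded_as>
    <description>Constructed: references a decoder that does not exist.</description>
  </rule>
</group>
"""


def decoder_names(decoder_text):
    """Names declared by <decoder name="..."> in one decoder file's text."""
    return set(DECODER_NAME_RE.findall(decoder_text))


def decoded_as_refs(rules_text):
    """Decoder names referenced by <decoded_as> in one rules file's text."""
    return set(DECODED_AS_RE.findall(rules_text))


def unresolved_decoders(rules_texts, decoder_texts):
    """Sorted decoder names that rules reference but no decoder file defines.

    A non-empty result predicts the 'Invalid decoder name' error at startup.
    """
    defined = set()
    for text in decoder_texts:
        defined |= decoder_names(text)
    referenced = set()
    for text in rules_texts:
        referenced |= decoded_as_refs(text)
    return sorted(referenced - defined)


def readable_by(mode, uid, gid, reader_uid, reader_gid):
    """True if a process running as reader_uid/reader_gid may read the file.

    Mirrors the POSIX owner/group/other check: a file that is -r--r-----
    root:ossec is readable by the ossec user only through the group bit.
    """
    if reader_uid == 0:
        return True
    if uid == reader_uid:
        return bool(mode & stat.S_IRUSR)
    if gid == reader_gid:
        return bool(mode & stat.S_IRGRP)
    return bool(mode & stat.S_IROTH)


def audit_decoder_files(paths, reader_uid, reader_gid):
    """Map each decoder path to a problem string, or None when it looks fine."""
    result = {}
    for path in paths:
        try:
            st = os.stat(path)
        except OSError as exc:
            result[path] = "cannot stat: %s" % exc
            continue
        mode = stat.S_IMODE(st.st_mode)
        if not readable_by(mode, st.st_uid, st.st_gid, reader_uid, reader_gid):
            result[path] = "not readable by uid %d gid %d (mode %o)" % (
                reader_uid, reader_gid, mode)
        else:
            result[path] = None
    return result


if __name__ == "__main__":
    # Constructed run: the typo'd reference is reported, pure-transfer resolves.
    print("unresolved:", unresolved_decoders([SAMPLE_LOCAL_RULES], [SAMPLE_LOCAL_DECODER]))
    # Mode 0440 root:ossec read as the ossec user (uid/gid 1001 is constructed).
    print("ossec can read decoder.xml:", readable_by(0o440, 0, 1001, 1001, 1001))
```

On a real server, feed the contents of /var/ossec/etc/decoder.xml, /var/ossec/etc/local_decoder.xml and the rules files to unresolved_decoders, and the decoder paths plus the ossec user's uid/gid (pwd.getpwnam("ossec")) to audit_decoder_files; an empty unresolved list and no permission problems mean the startup error has to come from somewhere else, such as a decoder file that is present but not loaded by that OSSEC version.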
