On Thu, Mar 14, 2013 at 9:59 AM, S Pratap Singh <[email protected]> wrote:
> ll /var/ossec/etc/local_decoder.xml
> -r--r----- 1 root ossec 262 Mar 14 18:39 /var/ossec/etc/local_decoder.xml
>
> ll /var/ossec/etc/decoder.xml
> -r--r----- 1 root ossec 88975 Jul 12 2011 /var/ossec/etc/decoder.xml
>
> It's a server installation.
>
Please provide the entire local_decoder.xml file. What OS/distro/version are you using?

> On Thu, Mar 14, 2013 at 7:25 PM, dan (ddp) <[email protected]> wrote:
>>
>> On Thu, Mar 14, 2013 at 9:49 AM, S Pratap Singh <[email protected]> wrote:
>> > Yes, the decoder pure-transfer I had defined in the "local_decoder.xml" file,
>> > but it was not detecting it. To fix the issue I have changed the log settings
>> > for my ftp server to log all the events in the syslog file and enabled
>> > rule id 1304 to match upload and download. It worked for me.
>> >
>> > I am not sure why it was not detecting the decoder "pure-transfer" defined
>> > in the file "local_decoder.xml".
>> >
>>
>> What are the permissions on /var/ossec/etc/local_decoder.xml?
>> Permissions on /var/ossec/etc/decoder.xml? Is this a server, agent, or
>> local installation?
>>
>> >
>> > On Thu, Mar 14, 2013 at 6:51 PM, S Pratap Singh <[email protected]> wrote:
>> >>
>> >> Thanks for the help Dan.. I have fixed the issue and everything works
>> >> perfectly .. :)
>> >>
>> >> On Thu, Mar 14, 2013 at 2:11 PM, S Pratap Singh <[email protected]> wrote:
>> >>>
>> >>> Hi Dan,
>> >>>
>> >>> Things are working fine now. But I have another problem: now I am
>> >>> getting most of the alerts for FTP activity, excluding the file upload
>> >>> and download alert. The rule which you have given works fine, but when I
>> >>> restart OSSEC I am getting the following error:
>> >>>
>> >>> 2013/03/14 12:38:18 ossec-analysisd: Invalid decoder name: 'pure-transfer'.
>> >>> 2013/03/14 12:38:18 ossec-analysisd(1220): ERROR: Error loading the rules: 'local_rules.xml'.
>> >>> 2013/03/14 12:38:21 ossec-remoted(1210): ERROR: Queue '/queue/ossec/queue' not accessible: 'Connection refused'.
>> >>> 2013/03/14 12:38:21 ossec-remoted(1211): ERROR: Unable to access queue: '/queue/ossec/queue'. Giving up..
>> >>>
>> >>> So there are two problems I am facing currently:
>> >>> 1. Not getting alerts for upload and download, since this is getting
>> >>>    logged into another file and not into the syslog file.
>> >>> 2. Facing the issue with the restart of the OSSEC server.
>> >>>
>> >>> Thanks for your input and help so far.
>> >>>
>> >>> On Thu, Mar 14, 2013 at 2:58 AM, dan (ddp) <[email protected]> wrote:
>> >>>>
>> >>>> On Wed, Mar 13, 2013 at 7:43 AM, S Pratap Singh <[email protected]> wrote:
>> >>>> > All fixed, but I am not getting alerts to my mail box for FTP
>> >>>> > activity as for other alerts.
>> >>>> >
>> >>>>
>> >>>> Are you getting other alerts in your email?
>> >>>> Do you have access to the maillogs? If so, check to see if the mail is
>> >>>> being rejected or something.
>> >>>> If not, use tcpdump or something similar to watch mail traffic to see
>> >>>> if OSSEC even attempts to send the message.
>> >>>>
>> >>>> > --
>> >>>> >
>> >>>> > ---
>> >>>> > You received this message because you are subscribed to the Google
>> >>>> > Groups "ossec-list" group.
>> >>>> > To unsubscribe from this group and stop receiving emails from it, send
>> >>>> > an email to [email protected].
>> >>>> > For more options, visit https://groups.google.com/groups/opt_out.
>> >>>> >
>> >>>>
>> >>>
>> >>> --
>> >>> Regards,
>> >>> Pratap Singh
>> >>
>> >> --
>> >> Regards,
>> >> Pratap Singh
>> >
>> > --
>> > Regards,
>> > Pratap Singh
>> >
>>
>
> --
> Regards,
> Pratap Singh
>
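The thread turns on two questions Dan raises: is the decoder named in local_rules.xml actually defined in a decoder file that ossec-analysisd loads, and do the permissions on local_decoder.xml match those on decoder.xml? The script below is an added example, not code from the thread or from the OSSEC project, that performs both checks before a restart so that the "Invalid decoder name" failure is caught ahead of time. It is a regex scan rather than OSSEC's own parser (OSSEC decoder files are not a single well-formed XML document, so ElementTree cannot load them directly), the decoder and rule snippets are constructed samples, and the rule id 100100 and the decoder bodies are placeholders for illustration. It also goes slightly beyond the thread by checking `<parent>` references in decoders the same way it checks `<decoded_as>` in rules, since an undefined parent is the same class of mistake.

```python
"""Pre-restart sanity check for OSSEC decoder and rule files (added example).

Collects every <decoder name="..."> definition from the decoder files and every
<decoded_as> (rules) and <parent> (decoders) reference, then reports references
that no loaded decoder file defines. A second check compares mode, owner and
group of a candidate file against a reference file, mirroring the "what are the
permissions on local_decoder.xml vs decoder.xml" question from the thread.
"""
import os
import re
import stat
import tempfile

DECODER_DEF = re.compile(r'<decoder\s+name\s*=\s*"([^"]+)"')
DECODED_AS = re.compile(r'<decoded_as>\s*([^<\s]+)\s*</decoded_as>')
PARENT_REF = re.compile(r'<parent>\s*([^<\s]+)\s*</parent>')

# Constructed samples; not the real decoder.xml or anyone's local files.
DECODER_XML = """<!-- constructed excerpt standing in for decoder.xml -->
<decoder name="pure-ftpd">
  <program_name>^pure-ftpd</program_name>
</decoder>
"""

LOCAL_DECODER_XML = """<!-- constructed local_decoder.xml: child decoder, body is a placeholder -->
<decoder name="pure-transfer">
  <parent>pure-ftpd</parent>
</decoder>
"""

LOCAL_RULES_XML = """<!-- constructed local_rules.xml; rule id is a placeholder -->
<group name="local,">
  <rule id="100100" level="5">
    <decoded_as>pure-transfer</decoded_as>
    <description>FTP file transfer (placeholder)</description>
  </rule>
</group>
"""


def strip_comments(text):
    """Drop XML comments so commented-out decoders are not counted as defined."""
    return re.sub(r'<!--.*?-->', '', text, flags=re.S)


def defined_decoders(decoder_texts):
    names = set()
    for text in decoder_texts:
        names.update(DECODER_DEF.findall(strip_comments(text)))
    return names


def referenced_decoders(rule_texts, decoder_texts):
    refs = set()
    for text in rule_texts:
        refs.update(DECODED_AS.findall(strip_comments(text)))
    for text in decoder_texts:
        refs.update(PARENT_REF.findall(strip_comments(text)))
    return refs


def missing_decoders(rule_texts, decoder_texts):
    """Names that rules or child decoders reference but no decoder file defines."""
    defined = defined_decoders(decoder_texts)
    return sorted(referenced_decoders(rule_texts, decoder_texts) - defined)


def permission_mismatch(reference_path, candidate_path):
    """List mode/uid/gid differences between a reference file and a candidate."""
    ref, cand = os.stat(reference_path), os.stat(candidate_path)
    problems = []
    if stat.S_IMODE(ref.st_mode) != stat.S_IMODE(cand.st_mode):
        problems.append("mode %o vs %o" % (stat.S_IMODE(ref.st_mode), stat.S_IMODE(cand.st_mode)))
    if ref.st_uid != cand.st_uid:
        problems.append("uid %d vs %d" % (ref.st_uid, cand.st_uid))
    if ref.st_gid != cand.st_gid:
        problems.append("gid %d vs %d" % (ref.st_gid, cand.st_gid))
    return problems


def demo_permission_check():
    """Constructed demo: one copy with matching mode, one with a looser mode."""
    with tempfile.TemporaryDirectory() as tmp:
        ref = os.path.join(tmp, "decoder.xml")
        same = os.path.join(tmp, "local_decoder.xml")
        loose = os.path.join(tmp, "local_decoder_loose.xml")
        for path in (ref, same, loose):
            with open(path, "w") as fh:
                fh.write(DECODER_XML)
        os.chmod(ref, 0o440)
        os.chmod(same, 0o440)
        os.chmod(loose, 0o644)
        return permission_mismatch(ref, same), permission_mismatch(ref, loose)


if __name__ == "__main__":
    # Both decoder files loaded: nothing missing.
    print("missing with local_decoder.xml:", missing_decoders([LOCAL_RULES_XML], [DECODER_XML, LOCAL_DECODER_XML]))
    # local_decoder.xml not loaded (or unreadable): the thread's failure mode.
    print("missing without local_decoder.xml:", missing_decoders([LOCAL_RULES_XML], [DECODER_XML]))
    print("permission diffs (same, loose):", demo_permission_check())
```

Run against real files by reading /var/ossec/etc/decoder.xml, local_decoder.xml and local_rules.xml into the lists instead of the constructed strings. The second scenario reproduces what the thread's log shows: once analysisd refuses the rules because a referenced decoder is unknown, the later ossec-remoted queue errors are consistent with analysisd simply not being up, so the decoder name is the thing to fix first.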
