On Thu, Jun 5, 2014 at 9:35 AM, Paul Searle <[email protected]> wrote:
> Dan, could you point me to any upgrade / migration notes or articles...
> Thanks,
> Paul
>

There's nothing official that I'm aware of.

> On Jun 5, 2014 7:11 AM, "dan (ddp)" <[email protected]> wrote:
>>
>> On Wed, Jun 4, 2014 at 5:21 PM, pmsearle90 <[email protected]> wrote:
>> > Oh and I am using version 2.6 on the client and the server.
>> >
>>
>> That makes things significantly harder to troubleshoot. I haven't used
>> that version in a long time, and have no test infrastructure.
>>
>> > On Wednesday, June 4, 2014 3:26:42 PM UTC-5, pmsearle90 wrote:
>> >>
>> >> I have worked with OSSEC in the past and taken over in the last three
>> >> months our OSSEC infrastructure, so have mercy...
>> >>
>> >> I am following up after reading this thread and trying to implement USB
>> >> thumb drive insertion monitoring:
>> >>
>> >> https://groups.google.com/d/topic/ossec-list/eL2DTKSXnhI/discussion
>> >>
>> >> and trying to follow the 2.7.1 documentation from Daniel Cid on the USB
>> >> storage detection example for using the <check_diff /> feature:
>> >>
>> >> http://ossec-docs.readthedocs.org/en/latest/manual/monitoring/process-monitoring.html#detecting-usb-storage-usage
>> >>
>> >> I do not get the server to add the directory to the "/diff/"
>> >> subdirectory:
>> >>
>> >> Next create a local rule for that command:
>> >>
>> >> <rule id="140125" level="7">
>> >>   <if_sid>530</if_sid>
>> >>   <match>ossec: output: 'reg QUERY</match>
>> >>   <check_diff />
>> >>   <description>New USB device connected</description>
>> >> </rule>
>> >>
>> >> Now after a few minutes you will see a directory at
>> >> /var/ossec/queue/diff/[agent_name]/[rule_id] with the current snapshot
>> >> of this command
>> >>
>> >> I get the following excerpt on my client side log (from service restart)
>> >> and then nothing on my alert log on the server:
>> >>
>> >> 2014/06/04 13:10:11 ossec-agent: Exiting...
>> >> 2014/06/04 13:10:11 ossec-agent: Remote commands are not accepted from the manager. Ignoring it on the agent.conf
>> >> 2014/06/04 13:10:11 ossec-agent(1202): ERROR: Configuration error at 'shared/agent.conf'. Exiting.
>> >> 2014/06/04 13:10:11 ossec-execd(1350): INFO: Active response disabled. Exiting.
>> >> 2014/06/04 13:10:11 ossec-agent(1410): INFO: Reading authentication keys file.
>> >> 2014/06/04 13:10:11 ossec-agent: INFO: Assigning counter for agent AZS1901RG03: '99746:8391'.
>> >> 2014/06/04 13:10:11 ossec-agent: INFO: Assigning sender counter: 7:4371
>> >> 2014/06/04 13:10:11 ossec-agent: INFO: Trying to connect to server (10.1.16.26:1514).
>> >> 2014/06/04 13:10:11 ossec-agent: INFO: Using IPv4 for: 10.1.16.26 .
>> >> 2014/06/04 13:10:11 ossec-agent: Starting syscheckd thread.
>> >> 2014/06/04 13:10:11 ossec-rootcheck: INFO: Started (pid: 4924).
>> >>
>> >> Thanks for any help in advance,
>> >> Paul
>> >
>> > --
>> >
>> > ---
>> > You received this message because you are subscribed to the Google Groups "ossec-list" group.
>> > To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
>> > For more options, visit https://groups.google.com/d/optout.
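The check_diff behaviour the quoted documentation describes (a per-agent, per-rule snapshot under queue/diff, with an alert only when a later run of the command produces different output), as an added Python illustration that is not OSSEC's own code: the snapshot file name `last-entry`, the constructed `reg QUERY` outputs and the silent first run are assumptions.

```python
import difflib
import tempfile
from pathlib import Path

# Constructed sample outputs of the Windows command the rule matches
# (`reg QUERY` of the USBSTOR key); not captured from a real host.
REG_OUTPUT_1 = ("ossec: output: 'reg QUERY HKLM\\SYSTEM\\CurrentControlSet\\Enum\\USBSTOR':\n"
                "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Enum\\USBSTOR\\Disk&Ven_Kingston&Prod_DataTraveler\n")
REG_OUTPUT_2 = (REG_OUTPUT_1 +
                "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Enum\\USBSTOR\\Disk&Ven_SanDisk&Prod_Cruzer\n")


def check_diff(queue_dir, agent, rule_id, output):
    """Compare `output` with the stored snapshot for (agent, rule_id).

    Returns None when there is nothing to alert on: the first run only
    seeds the snapshot (assumed behaviour) and an unchanged output is
    ignored. Otherwise the snapshot is replaced and a unified diff of
    what changed is returned, which is the payload a check_diff alert carries.
    """
    snap_dir = Path(queue_dir) / "diff" / agent / str(rule_id)
    snap_dir.mkdir(parents=True, exist_ok=True)
    snapshot = snap_dir / "last-entry"  # file name is an assumption
    if not snapshot.exists():
        snapshot.write_text(output)
        return None
    previous = snapshot.read_text()
    if previous == output:
        return None
    diff = "\n".join(difflib.unified_diff(
        previous.splitlines(), output.splitlines(),
        fromfile="previous", tofile="current", lineterm=""))
    snapshot.write_text(output)
    return diff


def demo():
    """Run four cycles against a throwaway queue dir and return the results."""
    queue = tempfile.mkdtemp(prefix="ossec-queue-")
    agent, rule_id = "AZS1901RG03", 140125  # agent name and rule id from the thread
    return [
        check_diff(queue, agent, rule_id, REG_OUTPUT_1),  # first run: seeds snapshot, no alert
        check_diff(queue, agent, rule_id, REG_OUTPUT_1),  # unchanged: no alert
        check_diff(queue, agent, rule_id, REG_OUTPUT_2),  # new USBSTOR entry: alert with diff
        check_diff(queue, agent, rule_id, REG_OUTPUT_2),  # changed state is now the baseline
    ]


if __name__ == "__main__":
    for result in demo():
        print("no alert" if result is None else result)
```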
