On Mon, Nov 17, 2014 at 4:12 AM, Teddy Js <[email protected]> wrote:
> Dear All,
>
> After I installed OSSEC in hybrid mode (running server and agent on the same
> server), the agent failed to read the ossec.log file.
>
> 2014/11/17 15:49:33 ossec-logcollector(1950): INFO: Analyzing file: '/usr/local/ossec/logs/alerts/alerts.log'.
> 2014/11/17 15:49:33 ossec-logcollector: INFO: Started (pid: 7208).
> 2014/11/17 15:51:44 ossec-logcollector(1904): INFO: File not available, ignoring it: '/usr/local/ossec/logs/alerts/alerts.log'.
>
> The log says the file is not available, but that file is there and growing.
>
It's a known issue (#442 I think). Any help debugging would be greatly
appreciated!
> # tail /usr/local/ossec/logs/alerts/alerts.log
> Rule: 18107 (level 3) -> 'Windows Logon Success.'
> User: WIN2K8$
> 2014 Nov 17 16:07:28 WinEvtLog: Security: AUDIT_SUCCESS(4624):
> Microsoft-Windows-Security-Auditing: WIN2K8$: EXAMPLE: WIN2K8.example.com:
> An account was successfully logged on. Subject: Security ID: S-1-0-0
> Account Name: - Account Domain: - Logon ID: 0x0 Logon Type: 3 New
> Logon: Security ID: S-1-5-18 Account Name: WIN2K8$ Account Domain:
> EXAMPLE Logon ID: 0x1ebe53 Logon GUID:
> {BC74F4B1-9F30-0E51-1BC6-C90D83300BE5} Process Information: Process ID:
> 0x0 Process Name: - Network Information: Workstation Name: Source
> Network Address: 192.168.146.5 Source Port: 51835 Detailed Authentication
> Information: Logon Process: Kerberos Authentication Package: Kerberos
> Transited Services: - Package Name (NTLM only): - Key Length: 0 This
> event is generated when a logon session is created. It is generated on the
> computer that was accessed.
>
> ** Alert 1416215251.187795: - windows,
> 2014 Nov 17 16:07:31 (WIN2K8) 192.168.146.5->WinEvtLog
> Rule: 18149 (level 3) -> 'Windows User Logoff.'
> User: WIN2K8$
> 2014 Nov 17 16:07:28 WinEvtLog: Security: AUDIT_SUCCESS(4634):
> Microsoft-Windows-Security-Auditing: WIN2K8$: EXAMPLE: WIN2K8.example.com:
> An account was logged off. Subject: Security ID: S-1-5-18 Account Name:
> WIN2K8$ Account Domain: EXAMPLE Logon ID: 0x1ebe53 Logon Type: 3
> This event is generated when a logon session is destroyed. It may be
> positively correlated with a logon event using the Logon ID value. Logon IDs
> are only unique between reboots on the same computer." 4646,1
>
> Can the OSSEC agent be started in debug mode to see what the problem with
> logcollector is?
>
> thanks.
>
> Best Regards,
>
>
> -Teddy-
>
>
> On Friday, November 14, 2014 4:47:33 PM UTC+7, dan (ddpbsd) wrote:
>>
>>
>> On Nov 14, 2014 4:43 AM, "Chris H" <[email protected]> wrote:
>> >
>> > This is exactly what I'm trying to get working with my issue where the
>> > hybrid agent stops parsing the alerts log file :(
>> >
>>
>> It's not a hybrid issue really, a regular agent installation has the same
>> problem.
>>
>> >
>> > On Wednesday, November 12, 2014 2:09:36 PM UTC, dan (ddpbsd) wrote:
>> >>
>> >> On Wed, Nov 12, 2014 at 5:47 AM, Teddy Jayasaputra
>> >> <[email protected]> wrote:
>> >> > Dear all,
>> >> >
>> >> > Have any of you worked with an OSSEC server talking to OSSEC in OSSIM?
>> >> >
>> >> > I send OSSEC alerts via syslog to rsyslog on OSSIM, but it is not working
>> >> > because OSSIM uses a custom log format with an AV tag in front of each log
>> >> > line, so the alerts from the OSSEC server are not recognized by OSSIM.
>> >> >
>> >> > I heard about OSSEC in hybrid mode.
>> >> > Can someone describe it, or point me to the manual for setting it up? Can
>> >> > hybrid mode solve deploying OSSEC to OSSEC in OSSIM?
>> >> >
>> >>
>> >> Hybrid mode allows an OSSEC manager to report alerts to another OSSEC
>> >> manager.
>> >>
>> >> > Thanks.
>> >> >
>> >> > Best Regards,
>> >> >
>> >> > -Teddy-
>> >> >
>> >> > --
>> >> >
>> >> > ---
>> >> > You received this message because you are subscribed to the Google
>> >> > Groups
>> >> > "ossec-list" group.
>> >> > To unsubscribe from this group and stop receiving emails from it,
>> >> > send an
>> >> > email to [email protected].
>> >> > For more options, visit https://groups.google.com/d/optout.
>> >
>
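Teddy's question about debugging the logcollector, worked as an added example that is not part of the thread or of OSSEC's own code: a small POSIX shell diagnostic that pulls every path ossec-logcollector reported as "File not available" out of an ossec.log excerpt and then checks each one for the conditions the collector needs (present, a regular file, readable by the user running the check). The sample log lines are constructed from the messages quoted above with the mailer's line wrapping undone; the OSSEC_HOME default, the function names, and the assumption that message id 1904 is the one to match are mine, not the project's.

```shell
#!/bin/sh
# Diagnostic for "ossec-logcollector(1904): INFO: File not available, ignoring it".
# Added example, not OSSEC code. Assumes the default install prefix unless
# OSSEC_HOME is set in the environment.
OSSEC_HOME="${OSSEC_HOME:-/usr/local/ossec}"

# unavailable_files LOGFILE
# Print, deduplicated and one per line, every path that logcollector logged
# as unavailable. Matches the exact message shape quoted in the thread; the
# quoted path is captured between the single quotes.
unavailable_files() {
    sed -n "s/.*ossec-logcollector(1904): INFO: File not available, ignoring it: '\([^']*\)'.*/\1/p" "$1" \
        | sort -u
}

# check_file PATH
# Report the first reason logcollector could fail to follow PATH. Returns 0
# (and prints the size) when the file exists, is regular, and is readable by
# the current user; returns 1 otherwise. Run it as the same user the
# logcollector runs as, otherwise the readability result is meaningless.
check_file() {
    f="$1"
    if [ ! -e "$f" ]; then
        echo "missing: $f"
        return 1
    fi
    if [ ! -f "$f" ]; then
        echo "not a regular file: $f"
        return 1
    fi
    if [ ! -r "$f" ]; then
        echo "not readable by $(id -un): $f"
        return 1
    fi
    echo "ok: $f ($(wc -c < "$f" | tr -d ' ') bytes)"
    return 0
}

# Constructed sample ossec.log excerpt, modelled on the lines quoted in the
# thread (wrapped lines rejoined). Replace with "$OSSEC_HOME/logs/ossec.log"
# on a real host.
SAMPLE_LOG="$(mktemp)"
cat > "$SAMPLE_LOG" <<'EOF'
2014/11/17 15:49:33 ossec-logcollector(1950): INFO: Analyzing file: '/usr/local/ossec/logs/alerts/alerts.log'.
2014/11/17 15:49:33 ossec-logcollector: INFO: Started (pid: 7208).
2014/11/17 15:51:44 ossec-logcollector(1904): INFO: File not available, ignoring it: '/usr/local/ossec/logs/alerts/alerts.log'.
EOF

# For each path the collector gave up on, say why it would fail right now.
unavailable_files "$SAMPLE_LOG" | while read -r path; do
    check_file "$path" || true
done
rm -f "$SAMPLE_LOG"
```

On a box without OSSEC this prints `missing: /usr/local/ossec/logs/alerts/alerts.log`; on the affected manager it tells you whether the file is absent, replaced by something odd, or unreadable at the moment you run it. If all three checks pass while the collector still logs 1904, note the inode (`ls -li`) over a day change: on a manager alerts.log is rotated daily, and a collector that opened the old file can be left behind. For more detail from the daemon itself, OSSEC 2.x reads `logcollector.debug` from `etc/internal_options.conf` (set it to 2 and restart); that setting is from my own use of the project, not something the thread states.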