*ON https://github.com/ossec/ossec-hids/releases*
*Server / Agent 2.8*
*Change log*
*Disable /var/ossec/queue/diff/*state.$epoch files, they were not used.
pull: by reyjrar*
*HOW to enadle /var/ossec/queue/diff/*state.$epoch files in ossec 2.8*
среда, 11 февраля 2015 г., 16:44:05 UTC+3 пользователь dan (ddpbsd) написал:
>
> On Wed, Feb 11, 2015 at 8:19 AM, alex petrov <allrea...@gmail.com
> <javascript:>> wrote:
> > used to be so
> >
>
> What used to what?
>
> Are you sure the values OSSEC is receiving are changing?
>
> Check the permissions on the queue/diff directories.
>
> > test:/var/ossec/queue/diff/test/533# ls -l
> > total 756
> > -rwxr-x--- 1 ossec ossec 2703 Feb 11 12:22 last-entry
> > -rwxr-x--- 1 ossec ossec 2882 Sep 26 14:46 state.1411728392
> > -rwxr-x--- 1 ossec ossec 1211 Sep 29 08:04 state.1411963489
> > -rwxr-x--- 1 ossec ossec 1559 Sep 29 08:05 state.1411963522
> > -rwxr-x--- 1 ossec ossec 1915 Sep 29 08:05 state.1411963539
> > -rwxr-x--- 1 ossec ossec 2093 Sep 29 08:06 state.1411963594
> > -rwxr-x--- 1 ossec ossec 2182 Sep 29 08:07 state.1411963663
> > -rwxr-x--- 1 ossec ossec 2526 Sep 29 08:08 state.1411963693
> > -rwxr-x--- 1 ossec ossec 2704 Sep 29 15:11 state.1411989085
> > -rwxr-x--- 1 ossec ossec 1211 Sep 30 08:08 state.1412050121
> > -rwxr-x--- 1 ossec ossec 2093 Sep 30 08:08 state.1412050130
> > -rwxr-x--- 1 ossec ossec 2182 Sep 30 08:10 state.1412050259
> > -rwxr-x--- 1 ossec ossec 2360 Sep 30 08:11 state.1412050279
> > -rwxr-x--- 1 ossec ossec 2704 Sep 30 08:12 state.1412050322
> > -rwxr-x--- 1 ossec ossec 2093 Sep 30 08:16 state.1412050582
> > -rwxr-x--- 1 ossec ossec 2271 Sep 30 08:18 state.1412050680
> > -rwxr-x--- 1 ossec ossec 2360 Sep 30 08:18 state.1412050707
> > -rwxr-x--- 1 ossec ossec 2704 Sep 30 08:18 state.1412050724
> > -rwxr-x--- 1 ossec ossec 1826 Sep 30 08:30 state.1412051419
> > -rwxr-x--- 1 ossec ossec 2093 Sep 30 08:31 state.1412051484
> > -rwxr-x--- 1 ossec ossec 2271 Sep 30 08:32 state.1412051570
> > -rwxr-x--- 1 ossec ossec 2360 Sep 30 08:33 state.1412051598
> > -rwxr-x--- 1 ossec ossec 2704 Sep 30 08:33 state.1412051632
> > -rwxr-x--- 1 ossec ossec 2882 Sep 30 15:18 state.1412075929
> >
> > now only 'Feb 11 12:22 last-entry'
> >
> > WHY?
> >
> > вторник, 10 февраля 2015 г., 16:57:28 UTC+3 пользователь dan (ddpbsd)
> > написал:
> >>
> >> On Tue, Feb 10, 2015 at 8:43 AM, alex petrov <allrea...@gmail.com>
> wrote:
> >> > help me please
> >> >
> >>
> >> Make sure there are changes between runs? Maybe increase the frequency
> >> (10 is very small)?
> >>
> >> I don't really have any ideas of what to look at, and I don't have any
> >> systems to test this on.
> >>
> >> > понедельник, 9 февраля 2015 г., 16:53:37 UTC+3 пользователь dan
> (ddpbsd)
> >> > написал:
> >> >>
> >> >> On Mon, Feb 9, 2015 at 8:13 AM, alex petrov <allrea...@gmail.com>
> >> >> wrote:
> >> >> > <rule id="700086" level="7">
> >> >> > <if_sid>530</if_sid>
> >> >> > <match>ossec: output: 'for /f "tokens=3*"</match>
> >> >> > <check_diff />
> >> >> > <description>new soft install</description>
> >> >> > </rule>
> >> >> >
> >> >> >
> >> >> > <localfile>
> >> >> > <log_format>full_command</log_format>
> >> >> > <frequency>10</frequency>
> >> >> > <command>for /f "tokens=3*" %a in ('reg query
> >> >> > "HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall" /s ^|
> find
> >> >> > /i
> >> >> > "DisplayName"') do @echo %a%b</command>
> >> >> > </localfile>
> >> >> >
> >> >> >
> >> >> > but is only a single file in the directory
> /var/ossec/queue/diff/tes
> >> >> > /700086/ only one file 'last-entry' , not what it Compare the. How
> to
> >> >> > get
> >> >> > files like "state.1412050724" for example.
> >> >> >
> >> >>
> >> >> Looks like I was confused, I was thinking syscheck. Sorry about
> that.
> >> >>
> >> >> Does the last-entry file contain the current output from the
> command?
> >> >>
> >> >>
> >> >> > понедельник, 9 февраля 2015 г., 16:08:11 UTC+3 пользователь dan
> >> >> > (ddpbsd)
> >> >> > написал:
> >> >> >>
> >> >> >> On Mon, Feb 9, 2015 at 6:07 AM, alex petrov <allrea...@gmail.com>
>
> >> >> >> wrote:
> >> >> >> > Help please. Why when I use the chesk_diff I have created in
> the
> >> >> >> > directory
> >> >> >> > /var/ossec/queue/diff/tes /700086/ only one file 'last-entry'
> >> >> >> > instead
> >> >> >> > of
> >> >> >> > multiple files with changes.
> >> >> >> >
> >> >> >>
> >> >> >> Are all of these files text files?
> >> >> >> Has a syscheck scan been run since they were changed?
> >> >> >>
> >> >> >> > --
> >> >> >> >
> >> >> >> > ---
> >> >> >> > You received this message because you are subscribed to the
> Google
> >> >> >> > Groups
> >> >> >> > "ossec-list" group.
> >> >> >> > To unsubscribe from this group and stop receiving emails from
> it,
> >> >> >> > send
> >> >> >> > an
> >> >> >> > email to ossec-list+...@googlegroups.com.
> >> >> >> > For more options, visit https://groups.google.com/d/optout.
> >> >> >
> >> >> > --
> >> >> >
> >> >> > ---
> >> >> > You received this message because you are subscribed to the Google
> >> >> > Groups
> >> >> > "ossec-list" group.
> >> >> > To unsubscribe from this group and stop receiving emails from it,
> >> >> > send
> >> >> > an
> >> >> > email to ossec-list+...@googlegroups.com.
> >> >> > For more options, visit https://groups.google.com/d/optout.
> >> >
> >> > --
> >> >
> >> > ---
> >> > You received this message because you are subscribed to the Google
> >> > Groups
> >> > "ossec-list" group.
> >> > To unsubscribe from this group and stop receiving emails from it,
> send
> >> > an
> >> > email to ossec-list+...@googlegroups.com.
> >> > For more options, visit https://groups.google.com/d/optout.
> >
> > --
> >
> > ---
> > You received this message because you are subscribed to the Google
> Groups
> > "ossec-list" group.
> > To unsubscribe from this group and stop receiving emails from it, send
> an
> > email to ossec-list+...@googlegroups.com <javascript:>.
> > For more options, visit https://groups.google.com/d/optout.
>
--
---
You received this message because you are subscribed to the Google Groups
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to ossec-list+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
