On Wed, Aug 19, 2015 at 8:48 AM, <[email protected]> wrote:

ossec-list topic digest (Google Groups)

Topics in this digest:
- Filter Windows Event at client - 7 updates
- OVA Download - 4 updates
- archives.log and logstash - 1 update
- ossec send not every alert - 1 update

Filter Windows Event at client
http://groups.google.com/group/ossec-list/t/c5857ffb13999c9f?utm_source=digest&utm_medium=email

Ralph Durkee <[email protected]>: Aug 18 10:23AM -0400

I'm trying to filter Windows events based on strings such as the login type and workstation name, but as a starting point I tried the configuration below to filter on EventID 4624. The /var/ossec/etc/shared/agent.conf file contains:

    <agent_config>
      <!-- Generic Agent configurations. -->

      <localfile>
        <location>Security</location>
        <log_format>eventchannel</log_format>
        <query>Event/System[EventID=4624]</query>
      </localfile>

    </agent_config>

However, I continue receiving all security events, including Security EventID 4624 and others. I restarted the Windows system agent via agent_control -R and also restarted the OSSEC manager. I don't have any errors in ossec.log with regard to the shared/agent.conf file.

Any suggestions on getting this working?

Thanks,

-- Ralph Durkee

On 08/08/2015 01:32 PM, Santiago Bassett wrote:

Santiago Bassett <[email protected]>: Aug 18 08:46AM -0700

Try restarting it manually and see if that works.
Ralph Durkee <[email protected]>: Aug 18 01:10PM -0400

I've restarted OSSEC on the server several times. Are you referring to the Windows agent?

-- Ralph Durkee

On 08/18/2015 11:46 AM, Santiago Bassett wrote:

Ralph Durkee <[email protected]>: Aug 18 01:17PM -0400

Tried stopping and starting the agent service on the Windows system. Still getting other security events from that system, such as 4672 and 4634, in addition to the 4624. Any other suggestions?

-- Ralph Durkee

On 08/18/2015 01:10 PM, Ralph Durkee wrote:

Santiago Bassett <[email protected]>: Aug 18 10:24AM -0700

Could you share your ossec.conf settings (from the agent) and also the shared/agent.conf ones? Those are probably located in C:\Program Files\ossec-agent.

I am guessing, but I think you probably are reading all Security events in some other place of the configuration (look for the different locations).

Regards

Ralph Durkee <[email protected]>: Aug 18 03:13PM -0400

The shared agent.conf is as previously shared, copied below for reference:

    <agent_config>
      <!-- Generic Agent configurations. -->

      <localfile>
        <location>Security</location>
        <log_format>eventchannel</log_format>
        <query>Event/System[EventID=4624]</query>
      </localfile>

    </agent_config>

The Windows OSSEC ossec.conf, after the comments, starts with the following (middle portion removed; it has no localfile entries):

    <ossec_config>

      <!-- One entry for each file/Event log to monitor. -->
      <localfile>
        <location>Application</location>
        <log_format>eventlog</log_format>
      </localfile>

      <localfile>
        <location>Security</location>
        <log_format>eventlog</log_format>
      </localfile>

      <localfile>
        <location>System</location>
        <log_format>eventlog</log_format>
      </localfile>

      <!-- Rootcheck - Policy monitor config -->
      . . . SNIP . . .

    </ossec_config>

    <!-- END of Default Configuration.
    -->

    <ossec_config>
      <client>
        <server-hostname>xxx-ossec-srv1</server-hostname>
      </client>
    </ossec_config>

-- Ralph Durkee

On 08/18/2015 01:24 PM, Santiago Bassett wrote:

Santiago Bassett <[email protected]>: Aug 18 12:20PM -0700

I guess you want to remove these sections from the ossec.conf file in the agent. Those are used to get all Application, Security and System events.

    <localfile>
      <location>Application</location>
      <log_format>eventlog</log_format>
    </localfile>

    <localfile>
      <location>Security</location>
      <log_format>eventlog</log_format>
    </localfile>

    <localfile>
      <location>System</location>
      <log_format>eventlog</log_format>
    </localfile>

OVA Download
http://groups.google.com/group/ossec-list/t/81b7e74959357beb?utm_source=digest&utm_medium=email

[email protected]: Aug 18 11:44AM -0700

Hi everyone, I'm new to cyber security and I was wondering how do I download the OVA file? I have Server 2012 R2 running and installed VirtualBox on the server.

"dan (ddp)" <[email protected]>: Aug 18 02:53PM -0400

> Hi everyone, I'm new to cyber security and I was wondering how do I download the OVA file?
> I have Server 2012 R2 running and installed VirtualBox on the server.

I haven't tried it myself, but you should be able to download with a browser, and then use the Import Appliance option (under File in the VirtualBox GUI) to import it. If that doesn't work, extracting the ova file to get to an ovf file might work.
[email protected]: Aug 18 12:03PM -0700

Thank you for your reply. When I click on the OVA download it takes me to another page. I'm using Internet Explorer.
http://www.ossec.net/files/ossec-vm-2.8.2.ova

On Tuesday, August 18, 2015 at 11:53:16 AM UTC-7, dan (ddpbsd) wrote:

"dan (ddp)" <[email protected]>: Aug 18 03:08PM -0400

> Thank you for your reply. When I click on the OVA download it takes me to
> another page. I'm using Internet Explorer.
> http://www.ossec.net/files/ossec-vm-2.8.2.ova

When I click that link it starts a download (in Chrome). Try right-clicking and choosing the Save As option.

archives.log and logstash
http://groups.google.com/group/ossec-list/t/a2cfa83dcab8db87?utm_source=digest&utm_medium=email

Dan Burns <[email protected]>: Aug 18 11:08AM -0700

Hi Daniil,

I'm interested in using your pattern to read the archives.log file with Logstash. Am I correct that I can use this on the file input for the archives.log file to properly parse messages?

On Monday, June 29, 2015 at 5:16:34 PM UTC-4, Daniil Svetlov wrote:

ossec send not every alert
http://groups.google.com/group/ossec-list/t/a8d8e22245ae5ba9?utm_source=digest&utm_medium=email

"dan (ddp)" <[email protected]>: Aug 18 08:34AM -0400

>   <description>File added to the system.</description>
>   <group>syscheck,</group>
> </rule>

After making this change, did you restart the OSSEC processes? Did syscheck complete a scan after creating the file you wanted it to detect?

You received this digest because you're subscribed to updates for this group. You can change your settings on the group membership page <https://groups.google.com/forum/?utm_source=digest&utm_medium=email#!forum/ossec-list/join>. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
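The "Filter Windows Event at client" thread above comes down to one fact about the OSSEC agent: the shared agent.conf pushed from the manager is merged with the agent's local ossec.conf, and every <localfile> block in either file is active. A filtered eventchannel entry for Security in agent.conf does not replace the unfiltered eventlog entry for Security in ossec.conf; both run, and the unfiltered one keeps forwarding 4672, 4634 and everything else. The script below is an added example, not code from the thread or from the OSSEC project. It parses both files, builds the effective set of monitors and flags any channel where a <query>-filtered monitor is undermined by an unfiltered one for the same channel. It also flags a <query> on a non-eventchannel block, since OSSEC documents <query> for the eventchannel format only. The two sample configurations are constructed from Ralph's pastes (the manager hostname and the SNIP'd rootcheck section are not reproduced); the "fixed" variant is the same ossec.conf with the Security block removed, as Santiago suggested.

```python
"""Check which <localfile> monitors an OSSEC Windows agent actually runs.

Assumption (documented OSSEC behaviour): the agent evaluates every <localfile>
block from both the local ossec.conf and the shared agent.conf. Nothing in
agent.conf overrides a block in ossec.conf, so a filtered monitor and an
unfiltered monitor for the same channel simply run side by side.
"""
import re
import xml.etree.ElementTree as ET
from typing import NamedTuple


class LocalFile(NamedTuple):
    source: str      # file the block came from: "agent.conf" or "ossec.conf"
    location: str    # channel / log name exactly as written
    log_format: str  # "eventlog" or "eventchannel"
    query: str       # XPath filter, or "" when the block has no <query>


def parse_localfiles(xml_text: str, source: str) -> list[LocalFile]:
    """Extract every <localfile> block from one OSSEC config file.

    ossec.conf is usually several top-level <ossec_config> blocks in one file
    (Ralph's paste has two), which is not a single well-formed XML document,
    so the text is wrapped in a dummy root. Any leading <?xml ...?>
    declaration has to be dropped first or the wrapped document is invalid.
    """
    body = re.sub(r"^\s*<\?xml[^>]*\?>", "", xml_text, count=1)
    root = ET.fromstring(f"<root>{body}</root>")
    found = []
    for lf in root.iter("localfile"):
        found.append(LocalFile(
            source,
            (lf.findtext("location") or "").strip(),
            (lf.findtext("log_format") or "").strip(),
            (lf.findtext("query") or "").strip(),
        ))
    return found


def effective_monitors(agent_conf: str, ossec_conf: str) -> list[LocalFile]:
    """The union of both files: this is what the agent really monitors."""
    return (parse_localfiles(ossec_conf, "ossec.conf")
            + parse_localfiles(agent_conf, "agent.conf"))


def find_undermined_filters(monitors: list[LocalFile]) -> dict[str, list[LocalFile]]:
    """Channels that have both a <query>-filtered and an unfiltered monitor.

    The unfiltered monitor still ships every event, so the filter has no
    visible effect. Channel names are grouped case-insensitively because
    Windows log names are not case-sensitive.
    """
    by_channel: dict[str, list[LocalFile]] = {}
    for m in monitors:
        by_channel.setdefault(m.location.lower(), []).append(m)
    problems = {}
    for channel, group in by_channel.items():
        unfiltered = [m for m in group if not m.query]
        if unfiltered and any(m.query for m in group):
            problems[channel] = unfiltered
    return problems


def queries_on_wrong_format(monitors: list[LocalFile]) -> list[LocalFile]:
    """OSSEC documents <query> for log_format eventchannel only; flag others."""
    return [m for m in monitors if m.query and m.log_format != "eventchannel"]


def report(agent_conf: str, ossec_conf: str) -> list[str]:
    """Human-readable findings; empty list means the filter will take effect."""
    monitors = effective_monitors(agent_conf, ossec_conf)
    lines = []
    for channel, dupes in find_undermined_filters(monitors).items():
        for m in dupes:
            lines.append(f"{channel}: filter defeated by unfiltered "
                         f"{m.log_format} block in {m.source}")
    for m in queries_on_wrong_format(monitors):
        lines.append(f"{m.location}: <query> has no effect with "
                     f"log_format {m.log_format} in {m.source}")
    return lines


# Constructed samples modelled on the files pasted in the thread.
AGENT_CONF = """<agent_config>
  <!-- Generic Agent configurations. -->
  <localfile>
    <location>Security</location>
    <log_format>eventchannel</log_format>
    <query>Event/System[EventID=4624]</query>
  </localfile>
</agent_config>"""

OSSEC_CONF = """<ossec_config>
  <!-- One entry for each file/Event log to monitor. -->
  <localfile>
    <location>Application</location>
    <log_format>eventlog</log_format>
  </localfile>
  <localfile>
    <location>Security</location>
    <log_format>eventlog</log_format>
  </localfile>
  <localfile>
    <location>System</location>
    <log_format>eventlog</log_format>
  </localfile>
</ossec_config>
<!-- END of Default Configuration. -->
<ossec_config>
  <client>
    <server-hostname>xxx-ossec-srv1</server-hostname>
  </client>
</ossec_config>"""

# Santiago's fix: drop the unfiltered Security block from the agent's ossec.conf.
OSSEC_CONF_FIXED = re.sub(
    r"\s*<localfile>\s*<location>Security</location>.*?</localfile>",
    "", OSSEC_CONF, flags=re.S)

if __name__ == "__main__":
    for line in report(AGENT_CONF, OSSEC_CONF):
        print("before:", line)
    print("after fix:", report(AGENT_CONF, OSSEC_CONF_FIXED) or "no findings")
```

Run against the pasted configuration it reports the Security channel as filtered in agent.conf but still read unfiltered by the eventlog block in ossec.conf; with that block removed it reports nothing, leaving the 4624-only eventchannel monitor as the sole reader of Security. To use it on a real agent, read C:\Program Files\ossec-agent\ossec.conf and the shared agent.conf into the two strings instead of the constructed samples.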
