To unsubscribe, go to https://groups.google.com/forum/#!forum/ossec-list and click the little person with a gear coming out of his shoulder icon at the top right. Then select "Leave this group"
On Wed, Aug 19, 2015 at 7:19 AM, Dmitry Nebo <[email protected]> wrote:
> [email protected].
>
> On Wed, Aug 19, 2015 at 8:48 AM, <[email protected]> wrote:
>
>> [email protected]
>> Google Groups - Topic digest - View all topics
>> <https://groups.google.com/forum/?utm_source=digest&utm_medium=email#!forum/ossec-list/topics>
>>
>> - Filter Windows Event at client - 7 Updates
>> - OVA Download - 4 Updates
>> - archives.log and logstash - 1 Update
>> - ossec send not every alert - 1 Update
>>
>> Filter Windows Event at client
>> <http://groups.google.com/group/ossec-list/t/c5857ffb13999c9f?utm_source=digest&utm_medium=email>
>>
>> Ralph Durkee <[email protected]>: Aug 18 10:23AM -0400
>>
>> I'm trying to filter Windows events based on strings such as the login type and workstation name, but as a starting point I tried the configuration below to filter on EventID 4624. The /var/ossec/etc/shared/agent.conf file contains:
>>
>> <agent_config>
>> <!-- Generic Agent configurations. -->
>>
>> <localfile>
>> <location>Security</location>
>> <log_format>eventchannel</log_format>
>> <query>Event/System[EventID=4624]</query>
>> </localfile>
>>
>> </agent_config>
>>
>> However I continue receiving all security events including Security EventID 4624 and others.
>> I restarted the windows system agent via agent_control -R and also restarted the OSSEC manager.
>> I don't have any errors in ossec.log with regard to the shared/agent.conf file.
>>
>> Any suggestions on getting this working?
>>
>> Thanks,
>>
>> -- Ralph Durkee
>>
>> On 08/08/2015 01:32 PM, Santiago Bassett wrote:
>>
>> Santiago Bassett <[email protected]>: Aug 18 08:46AM -0700
>>
>> Try restarting it manually and see if that works.
>>
>> Ralph Durkee <[email protected]>: Aug 18 01:10PM -0400
>>
>> I've restarted ossec on the server several times. Are you referring to the Windows agent?
>>
>> -- Ralph Durkee
>>
>> On 08/18/2015 11:46 AM, Santiago Bassett wrote:
>>
>> Ralph Durkee <[email protected]>: Aug 18 01:17PM -0400
>>
>> Tried stopping and starting the agent service on the windows system. Still getting other security events from that system such as 4672 and 4634 in addition to the 4624. Any other suggestions?
>>
>> -- Ralph Durkee
>>
>> On 08/18/2015 01:10 PM, Ralph Durkee wrote:
>>
>> Santiago Bassett <[email protected]>: Aug 18 10:24AM -0700
>>
>> Could you share your ossec.conf settings (from the agent) and also the shared/agent.conf ones. Those are probably located in C:\Program Files/ossec-agent
>>
>> I am guessing, but I think you probably are reading all Security events in some other place of the configuration (look for the different locations).
>>
>> Regards
>>
>> Ralph Durkee <[email protected]>: Aug 18 03:13PM -0400
>>
>> The shared agent is as previously shared, copied below for reference:
>>
>> <agent_config>
>> <!-- Generic Agent configurations. -->
>>
>> <localfile>
>> <location>Security</location>
>> <log_format>eventchannel</log_format>
>> <query>Event/System[EventID=4624]</query>
>> </localfile>
>>
>> </agent_config>
>>
>> The Windows OSSEC config after the comments starts with the following (middle portion removed, and has no localfile entries.)
>>
>> <ossec_config>
>>
>> <!-- One entry for each file/Event log to monitor. -->
>> <localfile>
>> <location>Application</location>
>> <log_format>eventlog</log_format>
>> </localfile>
>>
>> <localfile>
>> <location>Security</location>
>> <log_format>eventlog</log_format>
>> </localfile>
>>
>> <localfile>
>> <location>System</location>
>> <log_format>eventlog</log_format>
>> </localfile>
>>
>> <!-- Rootcheck - Policy monitor config -->
>> . . . SNIP . . .
>>
>> </ossec_config>
>>
>> <!-- END of Default Configuration. -->
>>
>> <ossec_config>
>> <client>
>> <server-hostname>xxx-ossec-srv1</server-hostname>
>> </client>
>> </ossec_config>
>>
>> -- Ralph Durkee
>>
>> On 08/18/2015 01:24 PM, Santiago Bassett wrote:
>>
>> Santiago Bassett <[email protected]>: Aug 18 12:20PM -0700
>>
>> I guess you want to remove these sections from the ossec.conf file in the agent. Those are used to get all application, security and system events.
>>
>> <localfile>
>> <location>Application</location>
>> <log_format>eventlog</log_format>
>> </localfile>
>>
>> <localfile>
>> <location>Security</location>
>> <log_format>eventlog</log_format>
>> </localfile>
>>
>> <localfile>
>> <location>System</location>
>> <log_format>eventlog</log_format>
>> </localfile>
>>
>> OVA Download
>> <http://groups.google.com/group/ossec-list/t/81b7e74959357beb?utm_source=digest&utm_medium=email>
>>
>> [email protected]: Aug 18 11:44AM -0700
>>
>> Hi everyone, I'm new to cyber security and I was wondering how do I download the OVA file?
>> I have server 2012 r2 running and installed virtual box on the server
>>
>> "dan (ddp)" <[email protected]>: Aug 18 02:53PM -0400
>>
>> > Hi everyone, I'm new to cyber security and I was wondering how do I download the OVA file?
>> > I have server 2012 r2 running and installed virtual box on the server
>>
>> I haven't tried it myself, but you should be able to download with a browser, and then use the Import Appliance option (under File in the Virtualbox gui) to import it. If that doesn't work, extracting the ova file to get to an ovf file might work.
>>
>> [email protected]: Aug 18 12:03PM -0700
>>
>> Thank you for your reply. When I click on the ova download it takes me to another page. I'm using Internet Explorer.
>> http://www.ossec.net/files/ossec-vm-2.8.2.ova
>>
>> On Tuesday, August 18, 2015 at 11:53:16 AM UTC-7, dan (ddpbsd) wrote:
>>
>> "dan (ddp)" <[email protected]>: Aug 18 03:08PM -0400
>>
>> > Thank you for your reply. When I click on the ova download it takes me to another page. I'm using Internet Explorer.
>> > http://www.ossec.net/files/ossec-vm-2.8.2.ova
>>
>> When I click that link it starts a download (in chrome). Try right clicking and choose the save as option
>>
>> archives.log and logstash
>> <http://groups.google.com/group/ossec-list/t/a2cfa83dcab8db87?utm_source=digest&utm_medium=email>
>>
>> Dan Burns <[email protected]>: Aug 18 11:08AM -0700
>>
>> Hi Daniil,
>>
>> I'm interested in using your pattern to read the archives.log file with Logstash. Am I correct that I can use this on the file input for the archives.log file to properly parse messages?
>>
>> On Monday, June 29, 2015 at 5:16:34 PM UTC-4, Daniil Svetlov wrote:
>>
>> ossec send not every alert
>> <http://groups.google.com/group/ossec-list/t/a8d8e22245ae5ba9?utm_source=digest&utm_medium=email>
>>
>> "dan (ddp)" <[email protected]>: Aug 18 08:34AM -0400
>>
>> > <description>File added to the system.</description>
>> > <group>syscheck,</group>
>> > </rule>
>>
>> After making this change, did you restart the OSSEC processes?
>> Did syscheck complete a scan after creating the file you wanted it to detect?
>>
>> You received this digest because you're subscribed to updates for this group. You can change your settings on the group membership page <https://groups.google.com/forum/?utm_source=digest&utm_medium=email#!forum/ossec-list/join>.
>> To unsubscribe from this group and stop receiving emails from it send an email to [email protected].
>
> --
> ---
> You received this message because you are subscribed to the Google Groups "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
> For more options, visit https://groups.google.com/d/optout.
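As an added illustration of Santiago's point in the "Filter Windows Event at client" thread (example configuration written here, not taken from the thread or from the OSSEC project): the agent's local ossec.conf keeps its own eventlog entry for Security, and that entry forwards every Security event no matter what query the shared agent.conf applies. Below, the Security eventlog block is dropped from the agent's ossec.conf so the eventchannel query in the shared agent.conf is the only Security collector; the `os="Windows"` attribute is OSSEC's agent.conf scoping, and the LogonType clause is an assumed extension toward the login-type filtering Ralph asked about, to be checked against an Event Viewer custom XML filter before relying on it.

```xml
<!-- Agent side, C:\Program Files\ossec-agent\ossec.conf (after the change):
     the default blocks and the <client> block are merged into one
     <ossec_config>. Application and System are still read locally; the
     Security eventlog entry is gone, so nothing on the agent forwards
     Security events outside the shared agent.conf filter. -->
<ossec_config>
  <client>
    <server-hostname>xxx-ossec-srv1</server-hostname>
  </client>

  <localfile>
    <location>Application</location>
    <log_format>eventlog</log_format>
  </localfile>

  <localfile>
    <location>System</location>
    <log_format>eventlog</log_format>
  </localfile>
</ossec_config>

<!-- Manager side, /var/ossec/etc/shared/agent.conf: the only Security
     collector. os="Windows" limits this block to Windows agents, which
     avoids pushing an eventchannel entry to Linux agents. -->
<agent_config os="Windows">
  <localfile>
    <location>Security</location>
    <log_format>eventchannel</log_format>
    <!-- Successful logons only (4624). The LogonType clause is an assumed
         Windows XPath extension selecting remote-interactive (RDP) logons;
         confirm it in Event Viewer's custom XML filter before deploying. -->
    <query>Event/System[EventID=4624] and Event/EventData[Data[@Name='LogonType']='10']</query>
  </localfile>
</agent_config>
```

After editing, restart the Windows agent service and watch the agent's ossec.log for a line showing the eventchannel subscription on Security; if 4672 or 4634 still arrive at the manager, another localfile entry for Security remains somewhere in the agent's configuration.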
