Hi Pedro,
My ossec.conf and internal_options.conf is attached.
I set remoted.verify_msg_id=0 to ignore Duplicated error
13 Mayıs 2016 Cuma 19:57:57 UTC+3 tarihinde Pedro S yazdı:
>
> Just to be sure, the variable I was talking about is:
>
> # Verify msg id (set to 0 to disable it)
>> remoted.verify_msg_id=1
>
>
> At /var/ossec/etc/internal_options.conf
>
>
> Best regards,
>
> Pedro S.
>
>
> On Friday, May 13, 2016 at 3:53:20 PM UTC+2, Pedro S wrote:
>>
>> Hi,
>>
>> I don't think *verify_msg *will be related with those errors.
>>
>> It seems like those files (EventChannel bookmarks) not longer exist in
>> tmp folder or OSSEC does not have enough permissions, try to reinstall the
>> agent.
>> If you prefer, paste here your EventChannel queries so I can test them in
>> my labs.
>>
>> Best regards,
>>
>> Pedro S.
>>
>>
>>
>> On Fri, May 13, 2016 at 1:37 PM, Abdulvehhab Agin <[email protected]
>> <javascript:>> wrote:
>>
>>> When i change verify_msg_id=0; *i have lots of error in ossec log*
>>>
>>>
>>>
>>>
>>> 2016/05/13 14:33:17 ossec-agent: ERROR: Could not move
>>> (tmp/Security-a06404) to (bookmarks/Security) which returned (5)
>>> 2016/05/13 14:33:17 ossec-agent: ERROR: Could not rename_ex() temporary
>>> bookmark (tmp/Security-a06404) to (bookmarks/Security) for (Security)
>>> 2016/05/13 14:33:17 ossec-agent: ERROR: Could not move
>>> (tmp/Security-a06404) to (bookmarks/Security) which returned (5)
>>> 2016/05/13 14:33:17 ossec-agent: ERROR: Could not rename_ex() temporary
>>> bookmark (tmp/Security-a06404) to (bookmarks/Security) for (Security)
>>> 2016/05/13 14:33:17 ossec-agent: ERROR: Could not move
>>> (tmp/Security-a06404) to (bookmarks/Security) which returned (5)
>>> 2016/05/13 14:33:17 ossec-agent: ERROR: Could not rename_ex() temporary
>>> bookmark (tmp/Security-a06404) to (bookmarks/Security) for (Security)
>>>
>>>
>>>
>>> 12 Mayıs 2016 Perşembe 10:37:15 UTC+3 tarihinde Pedro S yazdı:
>>>>
>>>> Hi,
>>>>
>>>> If multiple agents are using the same key, you need to set them up with
>>>> their own unique key.
>>>> If you re-installed an agent and didn't backup the rids files,
>>>> you should create a new key for the agent and use that.
>>>> If you prefer to avoid any counters error, try to deactivate counters,
>>>> open file etc/internal_options.conf (Manager & Agent) and set
>>>> verify_msg_id=0.
>>>>
>>>>
>>>> Regards,
>>>>
>>>>
>>>> Pedro S.
>>>>
>>>> On Wednesday, May 11, 2016 at 10:33:00 PM UTC+2, Abdulvehhab Agin wrote:
>>>>>
>>>>> Hi,
>>>>>
>>>>>
>>>>>
>>>>> Sometimes ossec server says *"ERROR: Duplicated counter for"* errors.
>>>>> Especially we have mass log, and log sending protocol is UDP, so rids
>>>>> counter' agent and server sometimes inconsistent;
>>>>>
>>>>>
>>>>> When i see this error, I see the agent is inactive. After this; agent
>>>>> wont send any logs.
>>>>>
>>>>>
>>>>> How can i solve this problem?
>>>>>
>>>>>
>>>>> OSSEC version 2.8.3
>>>>>
>>>>> --
>>>
>>> ---
>>> You received this message because you are subscribed to the Google
>>> Groups "ossec-list" group.
>>> To unsubscribe from this group and stop receiving emails from it, send
>>> an email to [email protected] <javascript:>.
>>> For more options, visit https://groups.google.com/d/optout.
>>>
>>
>>
--
---
You received this message because you are subscribed to the Google Groups
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to [email protected].
For more options, visit https://groups.google.com/d/optout.
<!-- OSSEC Win32 Agent Configuration.
- This file is compost of 3 main sections:
- - Client config - Settings to connect to the OSSEC server.
- - Localfile - Files/Event logs to monitor.
- - syscheck - System file/Registry entries to monitor.
-->
<!-- READ ME FIRST. If you are configuring OSSEC for the first time,
- try to use the "Manage_Agent" tool. Go to control panel->OSSEC Agent
- to execute it.
-
- First, add a server-ip entry with the real IP of your server.
- Second, and optionally, change the settings of the files you want
- to monitor. Look at our Manual and FAQ for more information.
- Third, start the Agent and enjoy.
-
- Example of server-ip:
- <client> <server-ip>1.2.3.4</server-ip> </client>
-->
<ossec_config>
<!-- One entry for each file/Event log to monitor. -->
<localfile>
<location>Application</location>
<log_format>eventlog</log_format>
</localfile>
<localfile>
<location>Security</location>
<log_format>eventchannel</log_format>
<query>Event/System[EventID!="4656" and EventID!="4658" and EventID!="4673"
and EventID!="4674" and EventID!="5152" and EventID!="5157" and EventID!="4656"
and EventID!="5156" and EventID!="5158"]</query>
</localfile>
<localfile>
<location>System</location>
<log_format>eventlog</log_format>
</localfile>
<!-- Rootcheck - Policy monitor config -->
<rootcheck>
<windows_audit>./shared/win_audit_rcl.txt</windows_audit>
<windows_apps>./shared/win_applications_rcl.txt</windows_apps>
<windows_malware>./shared/win_malware_rcl.txt</windows_malware>
</rootcheck>
<!-- Syscheck - Integrity Checking config. -->
<syscheck>
<!-- Default frequency, every 20 hours. It doesn't need to be higher
- on most systems and one a day should be enough.
-->
<frequency>72000</frequency>
<!-- By default it is disabled. In the Install you must choose
- to enable it.
-->
<disabled>no</disabled>
<!-- Default files to be monitored - system32 only. -->
<directories check_all="yes">%WINDIR%/win.ini</directories>
<directories check_all="yes">%WINDIR%/system.ini</directories>
<directories check_all="yes">C:\autoexec.bat</directories>
<directories check_all="yes">C:\config.sys</directories>
<directories check_all="yes">C:\boot.ini</directories>
<directories check_all="yes">%WINDIR%/System32/CONFIG.NT</directories>
<directories check_all="yes">%WINDIR%/System32/AUTOEXEC.NT</directories>
<directories check_all="yes">%WINDIR%/System32/at.exe</directories>
<directories check_all="yes">%WINDIR%/System32/attrib.exe</directories>
<directories check_all="yes">%WINDIR%/System32/cacls.exe</directories>
<directories check_all="yes">%WINDIR%/System32/debug.exe</directories>
<directories check_all="yes">%WINDIR%/System32/drwatson.exe</directories>
<directories check_all="yes">%WINDIR%/System32/drwtsn32.exe</directories>
<directories check_all="yes">%WINDIR%/System32/edlin.exe</directories>
<directories check_all="yes">%WINDIR%/System32/eventcreate.exe</directories>
<directories
check_all="yes">%WINDIR%/System32/eventtriggers.exe</directories>
<directories check_all="yes">%WINDIR%/System32/ftp.exe</directories>
<directories check_all="yes">%WINDIR%/System32/net.exe</directories>
<directories check_all="yes">%WINDIR%/System32/net1.exe</directories>
<directories check_all="yes">%WINDIR%/System32/netsh.exe</directories>
<directories check_all="yes">%WINDIR%/System32/rcp.exe</directories>
<directories check_all="yes">%WINDIR%/System32/reg.exe</directories>
<directories check_all="yes">%WINDIR%/regedit.exe</directories>
<directories check_all="yes">%WINDIR%/System32/regedt32.exe</directories>
<directories check_all="yes">%WINDIR%/System32/regsvr32.exe</directories>
<directories check_all="yes">%WINDIR%/System32/rexec.exe</directories>
<directories check_all="yes">%WINDIR%/System32/rsh.exe</directories>
<directories check_all="yes">%WINDIR%/System32/runas.exe</directories>
<directories check_all="yes">%WINDIR%/System32/sc.exe</directories>
<directories check_all="yes">%WINDIR%/System32/subst.exe</directories>
<directories check_all="yes">%WINDIR%/System32/telnet.exe</directories>
<directories check_all="yes">%WINDIR%/System32/tftp.exe</directories>
<directories check_all="yes">%WINDIR%/System32/tlntsvr.exe</directories>
<directories check_all="yes">%WINDIR%/System32/drivers/etc</directories>
<directories check_all="yes" realtime="yes">C:\Documents and Settings/All
Users/Start Menu/Programs/Startup</directories>
<directories check_all="yes" realtime="yes">C:\Users/Public/All
Users/Microsoft/Windows/Start Menu/Startup</directories>
<ignore type="sregex">.log$|.htm$|.jpg$|.png$|.chm$|.pnf$|.evtx$</ignore>
<!-- Windows registry entries to monitor. -->
<windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\batfile</windows_registry>
<windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\cmdfile</windows_registry>
<windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\comfile</windows_registry>
<windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\exefile</windows_registry>
<windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\piffile</windows_registry>
<windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\AllFilesystemObjects</windows_registry>
<windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\Directory</windows_registry>
<windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\Folder</windows_registry>
<windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\Protocols</windows_registry>
<windows_registry>HKEY_LOCAL_MACHINE\Software\Policies</windows_registry>
<windows_registry>HKEY_LOCAL_MACHINE\Security</windows_registry>
<windows_registry>HKEY_LOCAL_MACHINE\Software\Microsoft\Internet
Explorer</windows_registry>
<windows_registry>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services</windows_registry>
<windows_registry>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session
Manager\KnownDLLs</windows_registry>
<windows_registry>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurePipeServers\winreg</windows_registry>
<windows_registry>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run</windows_registry>
<windows_registry>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce</windows_registry>
<windows_registry>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnceEx</windows_registry>
<windows_registry>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\URL</windows_registry>
<windows_registry>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies</windows_registry>
<windows_registry>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows
NT\CurrentVersion\Windows</windows_registry>
<windows_registry>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows
NT\CurrentVersion\Winlogon</windows_registry>
<windows_registry>HKEY_LOCAL_MACHINE\Software\Microsoft\Active
Setup\Installed Components</windows_registry>
<!-- Windows registry entries to ignore. -->
<registry_ignore>HKEY_LOCAL_MACHINE\Security\Policy\Secrets</registry_ignore>
<registry_ignore>HKEY_LOCAL_MACHINE\Security\SAM\Domains\Account\Users</registry_ignore>
<registry_ignore type="sregex">\Enum$</registry_ignore>
</syscheck>
<active-response>
<disabled>no</disabled>
</active-response>
</ossec_config>
<!-- END of Default Configuration. -->
<ossec_config>
<client>
<server-ip>192.168.1.13</server-ip>
</client>
</ossec_config>
# internal_options.conf, Daniel B. Cid (dcid @ ossec.net).
#
# DO NOT TOUCH THIS FILE. The default configuration
# is at ossec.conf. More information at:
# http://www.ossec.net/en/manual.html
#
# This file should be handled with care. It contain
# run time modifications that can affect the use
# of ossec. Only change it if you know what you
# are doing. Again, look first at ossec.conf
# for most of the things you want to change.
# Analysisd default rule timeframe.
analysisd.default_timeframe=360
# Analysisd stats maximum diff.
analysisd.stats_maxdiff=25000
# Analysisd stats minimum diff.
analysisd.stats_mindiff=250
# Analysisd stats percentage (how much to differ from average)
analysisd.stats_percent_diff=30
# Analysisd FTS list size.
analysisd.fts_list_size=32
# Analysisd FTS minimum string size.
analysisd.fts_min_size_for_str=14
# Analysisd Enable the firewall log (at logs/firewall/firewall.log)
# 1 to enable, 0 to disable.
analysisd.log_fw=1
# Logcollector file loop timeout (check every 2 seconds for file changes)
logcollector.loop_timeout=2
# Logcollector number of attempts to open a log file.
logcollector.open_attempts=8
# Logcollector - If it should accept remote commands from the manager
logcollector.remote_commands=1
# Remoted counter io flush.
remoted.recv_counter_flush=128
# Remoted compression averages printout.
remoted.comp_average_printout=19999
# Verify msg id (set to 0 to disable it)
remoted.verify_msg_id=0
# Maild strict checking (0=disabled, 1=enabled)
maild.strict_checking=1
# Maild grouping (0=disabled, 1=enabled)
# Groups alerts within the same e-mail.
maild.groupping=1
# Maild full subject (0=disabled, 1=enabled)
maild.full_subject=0
# Maild display GeoIP data (0=disabled, 1=enabled)
maild.geoip=1
# Monitord day_wait. Ammount of seconds to wait before compressing/signing
# the files.
monitord.day_wait=10
# Monitord compress. (0=do not compress, 1=compress)
monitord.compress=1
# Monitord sign. (0=do not sign, 1=sign)
monitord.sign=1
# Monitord monitor_agents. (0=do not monitor, 1=monitor)
monitord.monitor_agents=1
# Syscheck checking/usage speed. To avoid large cpu/memory
# usage, you can specify how much to sleep after generating
# the checksum of X files. The default is to sleep 2 seconds
# after reading 15 files.
syscheck.sleep=2
syscheck.sleep_after=15
# Database - maximum number of reconnect attempts
dbd.reconnect_attempts=10
# Debug options.
# Debug 0 -> no debug
# Debug 1 -> first level of debug
# Debug 2 -> full debugging
# Windows debug (used by the windows agent)
windows.debug=0
# Syscheck (local, server and unix agent)
syscheck.debug=0
# Remoted (server debug)
remoted.debug=0
# Analysisd (server or local)
analysisd.debug=0
# Log collector (server, local or unix agent)
logcollector.debug=0
# Unix agentd
agent.debug=0
# EOF
