Hi Jesus,

Apologies for the late reply. I was away from OSSEC for a while.

The configuration for the event log IDs was implemented; however, I started
getting some new messages in the ossec logs on the agent box. Do you
think these are normal?


2016/09/06 07:04:43 ossec-agent(1951): INFO: Analyzing event log:
'Application'.
2016/09/06 07:04:43 ossec-agent(1951): INFO: Analyzing event log:
'Security'.
2016/09/06 07:04:43 ossec-agent(1951): INFO: Analyzing event log:
'Security'.
2016/09/06 07:04:43 ossec-agent(1951): INFO: Analyzing event log: 'System'.
2016/09/06 07:04:43 ossec-agent: INFO: Started (pid: 3572).
2016/09/06 07:04:45 ossec-agent: INFO: Lock free. Continuing...
2016/09/06 07:04:59 ossec-agent: ERROR: Could not move
(tmp/Security-a11968) to (bookmarks/Security) which returned (5)
2016/09/06 07:04:59 ossec-agent: ERROR: Could not rename_ex() temporary
bookmark (tmp/Security-a11968) to (bookmarks/Security) for (Security)
2016/09/06 07:05:01 ossec-agent: ERROR: Could not move
(tmp/Security-a20532) to (bookmarks/Security) which returned (5)
2016/09/06 07:05:01 ossec-agent: ERROR: Could not rename_ex() temporary
bookmark (tmp/Security-a20532) to (bookmarks/Security) for (Security)
2016/09/06 07:05:21 ossec-agent: ERROR: Could not move
(tmp/Security-a14540) to (bookmarks/Security) which returned (5)
2016/09/06 07:05:21 ossec-agent: ERROR: Could not rename_ex() temporary
bookmark (tmp/Security-a14540) to (bookmarks/Security) for (Security)
2016/09/06 07:05:35 ossec-agent: INFO: Starting syscheck scan (forwarding
database).
2016/09/06 07:05:35 ossec-agent: INFO: Starting syscheck database
(pre-scan).
2016/09/06 07:05:37 ossec-agent: INFO: Initializing real time file
monitoring (not started).
2016/09/06 07:05:37 ossec-agent: INFO: Real time file monitoring started.
2016/09/06 07:05:37 ossec-agent: INFO: Finished creating syscheck database
(pre-scan completed).
2016/09/06 07:05:47 ossec-agent: INFO: Ending syscheck scan (forwarding
database).
2016/09/06 07:05:59 ossec-agent: ERROR: Could not move
(tmp/Security-a20532) to (bookmarks/Security) which returned (5)
2016/09/06 07:05:59 ossec-agent: ERROR: Could not rename_ex() temporary
bookmark (tmp/Security-a20532) to (bookmarks/Security) for (Security)
2016/09/06 07:05:59 ossec-agent: ERROR: Could not move
(tmp/Security-a14540) to (bookmarks/Security) which returned (5)
2016/09/06 07:05:59 ossec-agent: ERROR: Could not rename_ex() temporary
bookmark (tmp/Security-a14540) to (bookmarks/Security) for (Security)
2016/09/06 07:06:07 ossec-agent: ERROR: Could not move
(tmp/Security-a14540) to (bookmarks/Security) which returned (5)
2016/09/06 07:06:07 ossec-agent: ERROR: Could not rename_ex() temporary
bookmark (tmp/Security-a14540) to (bookmarks/Security) for (Security)
2016/09/06 07:06:37 ossec-agent: ERROR: Could not move
(tmp/Security-a20532) to (bookmarks/Security) which returned (5)
2016/09/06 07:06:37 ossec-agent: ERROR: Could not rename_ex() temporary
bookmark (tmp/Security-a20532) to (bookmarks/Security) for (Security)
2016/09/06 07:06:55 ossec-agent: ERROR: Could not move
(tmp/Security-a20532) to (bookmarks/Security) which returned (5)
2016/09/06 07:06:55 ossec-agent: ERROR: Could not rename_ex() temporary
bookmark (tmp/Security-a20532) to (bookmarks/Security) for (Security)
2016/09/06 07:07:15 ossec-agent: ERROR: Could not move
(tmp/Security-a20532) to (bookmarks/Security) which returned (5)
2016/09/06 07:07:15 ossec-agent: ERROR: Could not rename_ex() temporary
bookmark (tmp/Security-a20532) to (bookmarks/Security) for (Security)
2016/09/06 07:07:27 ossec-agent: ERROR: Could not move
(tmp/Security-a20532) to (bookmarks/Security) which returned (5)


This is another set of logs I see in the ossec.log file: "Error waiting
mutex (timeout)".

2016/09/06 11:51:46 ossec-agent: INFO: Trying to connect to server
(XX.XX.XX.XX:XXXX).
2016/09/06 11:51:46 ossec-agent: INFO: Using IPv4 for: XX.XX.XX.XX .
2016/09/06 11:52:48 ossec-agent: Error waiting mutex (timeout).
2016/09/06 11:55:03 ossec-agent: Error waiting mutex (timeout).
2016/09/06 11:56:35 ossec-agent: Error waiting mutex (timeout).
2016/09/06 11:57:03 ossec-agent(1114): ERROR: Unable to select().

Regards
Kumar

On 22 August 2016 at 14:20, Jesus Linares <je...@wazuh.com> wrote:

> Hi Kumar,
>
> I think you can use other operators in the query (=, !=, <, >), so it
> could be useful for you to define an interval:
> <query>Event/System[EventID>xxxx and EventID<yyyy]</query>
>
> Anyway, I don't think that a query with "35 EventID" affects the
> performance, but I have never tried it.
>
> Also, you must define the *<localfile> setting* in the ossec.conf of each
> agent or use */var/ossec/shared/agent.conf* in case you want to configure
> your agents from the manager. This way, only the events that you need will
> be sent to the Manager.
>
> Regards.
>
>
> On Friday, August 19, 2016 at 11:40:42 PM UTC+2, Kumar G wrote:
>>
>> Hi Team,
>>
>>
>> Need your help on this.
>>
>> We have a couple of Windows Active Directory machines on which we need to
>> enable the event logs for Application/System/Security. There are more than
>> a million events expected from these event logs. I was looking at
>> old posts and could see the approach of using the eventchannel log format and
>> querying the EventID.
>>
>>
>> <localfile>
>>   <location>Security</location>
>>   <log_format>eventchannel</log_format>
>>   <query>Event/System[EventID=5140 or EventID=5144]</query>
>> </localfile>
>>
>> We have about 35 event IDs which need to be monitored per log. Is it
>> advisable to query all 35 event IDs using the eventchannel query method? Will
>> this method impact the system performance? Is there any alternative to
>> limit the events at the agent level? By doing this we can stop the unnecessary
>> events being processed by OSSEC.
>>
>>
>> Thanks
>> Kumar
>>

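Jesus's reply above suggests either an interval (EventID>xxxx and EventID<yyyy) or the or-list from the original question; with 35 IDs per channel it is worth confirming which IDs a query actually selects before the <localfile> block is pushed out to agents. The Python below is an added example, not code from this thread or from OSSEC itself: build_eventid_query() produces the or-list form and query_matches() evaluates the EventID predicate of such a query (=, !=, <, >, and, or, parentheses) against a candidate ID; the function names are my own.

```python
import re

# Operators the thread mentions for EventID (=, !=, <, >) plus XPath's <= and >=.
OPS = {"=": int.__eq__, "!=": int.__ne__, "<": int.__lt__, ">": int.__gt__,
       "<=": int.__le__, ">=": int.__ge__}
TOKEN = re.compile(r"\s*(?:EventID\s*(!=|<=|>=|=|<|>)\s*(\d+)|(\(|\)|and|or))")

def build_eventid_query(event_ids):
    """Build an eventchannel <query> that selects exactly the given EventIDs."""
    ids = sorted({int(i) for i in event_ids})
    return "Event/System[" + " or ".join(f"EventID={i}" for i in ids) + "]"
def _tokens(predicate):
    # Yields ("op", n) comparisons and the structural tokens ( ) and or.
    pos = 0
    while pos < len(predicate):
        m = TOKEN.match(predicate, pos)
        if not m:
            raise ValueError(f"unsupported syntax at: {predicate[pos:]!r}")
        pos = m.end()
        yield m.group(3) or (m.group(1), int(m.group(2)))
def query_matches(query, event_id):
    """True if the query's predicate selects event_id; 'and' binds tighter than 'or'."""
    m = re.fullmatch(r"Event/System\[(.*)\]", query.strip(), re.S)
    if not m:
        raise ValueError("expected a query of the form Event/System[...]")
    toks, i = list(_tokens(m.group(1).strip())) + [None], 0  # None marks the end
    def atom():
        nonlocal i
        t, i = toks[i], i + 1
        if t == "(":
            v, i = or_expr(), i + 1  # or_expr() runs first, then the ')' is consumed
            if toks[i - 1] != ")":
                raise ValueError("missing ')'")
            return v
        if isinstance(t, tuple):
            return OPS[t[0]](event_id, t[1])
        raise ValueError(f"unexpected token {t!r}")
    def chain(sub, word, combine):  # left-associative 'and' / 'or' chain
        nonlocal i
        v = sub()
        while toks[i] == word:
            i += 1
            v = combine(v, sub())
        return v
    and_expr = lambda: chain(atom, "and", lambda a, b: a and b)
    or_expr = lambda: chain(and_expr, "or", lambda a, b: a or b)
    result = or_expr()
    if toks[i] is not None:
        raise ValueError("trailing tokens in predicate")
    return result
```

Run the intended IDs plus a few neighbouring ones through query_matches() and compare the selected set with the list you meant to collect; a malformed predicate raises ValueError instead of silently matching nothing.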