Re: [ossec-list] Re: Couple of agents unable to connect to server

2016-01-04 Thread Santiago Bassett
Usually there are warning or error messages in ossec.log file (check those
both in the agent and manager).

On Mon, Jan 4, 2016 at 11:06 AM, Cal  wrote:

> Found a solution, thinking it might be a key issue. On one server, I had
> to chmod the keys file, which allowed the agent to connect. I tried
> re-adding the existing key to the other agents and configuring the
> permissions without anything working. Finally, I re-issued the keys for the
> disconnected clients, and all connected after restart. Not sure what the
> issue was.
>
>
> On Monday, January 4, 2016 at 12:35:44 PM UTC-5, Cal wrote:
>>
>> Also, from agent:
>>
>> # netstat -panu | grep 1520
>> udp0  0 AGENT_IP:43737 SERVER_IP:1520  ESTABLISHED
>> 30669/ossec-agentd
>>
>> On Monday, January 4, 2016 at 12:25:02 PM UTC-5, Cal wrote:
>>>
>>> I have about 20 OSSEC agents connected to my OSSEC server without issue.
>>> There are approximately 6 however that cannot connect. I'm using a
>>> non-default port of 1520. Note: All IPs replaced here for OPSEC.
>>>
>>> Logs:
>>>
>>>- Agent:
>>>   - 2016/01/04 11:12:23 ossec-agentd: INFO: Using IPv4 for:
>>>   SERVER_IP .
>>>   2016/01/04 11:12:44 ossec-agentd(4101): WARN: Waiting for server
>>>   reply (not started). Tried: 'SERVER_IP'.
>>>- Server:
>>>   - Nothing outside the standard output, even with debug enabled
>>>
>>>
>>> What I've done so far:
>>>
>>>- Added rules into iptables to allow communication on both
>>>agent/server
>>>- TCPdump confirming on agent that it is sending packet
>>>- TCPdump confirming on server that it is receiving agent packet
>>>- Netcat on both server/agent:
>>>   - netcat -uv SERVER_IP 1520
>>>   Connection to SERVER_IP 1520 port [udp/*] succeeded!
>>>   - netcat -uv AGENT_IP 1520
>>>   Connection to AGENT_IP 1520 port [udp/*] succeeded!
>>>
>>> ossec.conf:
>>>
>>>- 
>>>  
>>>SERVER_IP
>>>1520
>>>  
>>>  
>>>secure
>>>tcp
>>>1520
>>>  
>>>
>>>
>>>
>>> --
>
> ---
> You received this message because you are subscribed to the Google Groups
> "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to ossec-list+unsubscr...@googlegroups.com.
> For more options, visit https://groups.google.com/d/optout.
>



Re: [ossec-list] Using Regular Expressions in an OSSEC rule

2016-01-04 Thread Santiago Bassett
How about using Comp-\S+? I would also recommend using a variable like
this (taken from the syslog rules):

core_dumped|failure|error|attack|bad |illegal |denied|refused|unauthorized|fatal|failed|Segmentation Fault|Corrupted

On Mon, Dec 28, 2015 at 10:22 AM,  wrote:

> Hello all and Happy Holidays,
>
> I set up a rule to look for log-ins after hours as follows:
>
> 
> 
> authentication
> 6 pm - 9 am
> Login after hours
> 
>
> 
>   50
>   USERNAME
>   Ignore USERNAME
> 
> 
>
> The first rule tries to pick up all logins after hours, and the subordinate
> rule tries to strip out non-human accounts such as service accounts and
> machine accounts.
>
>
> The issue I am having is this rule picks EVERY login (including service
> accounts and machine accounts), which I have tried to enter in between
> brackets like COMP-01|COMP-02 | SERVICE ACCOUNT-1 | and so on. I was
> wondering, if I have a whole bunch of computer/service accounts (i.e.
> COMP-01, COMP-02), how to use a regular expression to enter a single filter
> which covers all the machine names (i.e. COMP*.* in DOS-ese).
>
> Thanks,
>

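A local rules fragment that puts the reply above into practice (an example added here, not code from the thread): the machine and service account patterns live in one variable, the parent rule fires on after-hours logins, and a level-0 child rule silences the matches for those accounts. The rule ids, the if_group name and the account prefixes are assumptions; the <user> field is an sregex field, so the variable uses ^-anchored prefixes joined with |, which covers every user name starting with COMP- or SVC- without listing each account.

```xml
<!-- local_rules.xml fragment (example, not from the thread). Rule ids,
     the if_group name and the account prefixes are assumed values. -->

<!-- One variable covers all machine/service accounts. <user> is a simple
     regex (sregex) field: ^ anchors a prefix, | separates alternatives. -->
<var name="MACHINE_ACCOUNTS">^COMP-|^SVC-</var>

<group name="local,authentication,">

  <!-- Parent: any successful login between 6 pm and 9 am -->
  <rule id="100100" level="7">
    <if_group>authentication_success</if_group>
    <time>6 pm - 9 am</time>
    <description>Login after hours</description>
  </rule>

  <!-- Child: same event, but the user is a computer or service account.
       Level 0 suppresses the alert, so only human logins reach the alerts. -->
  <rule id="100101" level="0">
    <if_sid>100100</if_sid>
    <user>$MACHINE_ACCOUNTS</user>
    <description>Ignore machine and service account logins after hours</description>
  </rule>

</group>
```

Adding a new prefix to the variable is enough to cover a new naming scheme; no per-account rule is needed.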


Re: [ossec-list] for what time ossec save logs?

2016-01-04 Thread Santiago Bassett
Maxim, I would recommend using a separate log management system, as I
would not say OSSEC covers everything a system like that does.

For example you can use Splunk or the ELK Stack (my preferred choice, as it is
also free and open source), or SIEM systems (AlienVault, ArcSight, ...).

I hope that helps,

Santiago.


On Mon, Dec 28, 2015 at 5:01 AM, dan (ddp)  wrote:

> On Mon, Dec 28, 2015 at 7:00 AM, Maxim Surdu  wrote:
> > Hi everyone,
> >
> > Who can tell me how long OSSEC keeps my logs? Do I need to configure it, or
> > how does it work? I need OSSEC to keep my logs for a minimum of 2 years.
> >
> > Any help would be greatly appreciated
> >
>
> OSSEC does not currently delete logs.
>
> > Thanks,
> > Maxim
> >


[ossec-list] Re: Couple of agents unable to connect to server

2016-01-04 Thread Cal
Found a solution, thinking it might be a key issue. On one server, I had to 
chmod the keys file, which allowed the agent to connect. I tried re-adding 
the existing key to the other agents and configuring the permissions 
without anything working. Finally, I re-issued the keys for the disconnected 
clients, and all connected after restart. Not sure what the issue was.

On Monday, January 4, 2016 at 12:35:44 PM UTC-5, Cal wrote:
>
> Also, from agent:
>
> # netstat -panu | grep 1520
> udp0  0 AGENT_IP:43737 SERVER_IP:1520  ESTABLISHED 
> 30669/ossec-agentd
>
> On Monday, January 4, 2016 at 12:25:02 PM UTC-5, Cal wrote:
>>
>> I have about 20 OSSEC agents connected to my OSSEC server without issue. 
>> There are approximately 6 however that cannot connect. I'm using a 
>> non-default port of 1520. Note: All IPs replaced here for OPSEC.
>>
>> Logs:
>>
>>- Agent:
>>   - 2016/01/04 11:12:23 ossec-agentd: INFO: Using IPv4 for: 
>>   SERVER_IP .
>>   2016/01/04 11:12:44 ossec-agentd(4101): WARN: Waiting for server 
>>   reply (not started). Tried: 'SERVER_IP'.
>>- Server:
>>   - Nothing outside the standard output, even with debug enabled
>>   
>>
>> What I've done so far:
>>
>>- Added rules into iptables to allow communication on both agent/server
>>- TCPdump confirming on agent that it is sending packet
>>- TCPdump confirming on server that it is receiving agent packet
>>- Netcat on both server/agent:
>>   - netcat -uv SERVER_IP 1520
>>   Connection to SERVER_IP 1520 port [udp/*] succeeded!
>>   - netcat -uv AGENT_IP 1520
>>   Connection to AGENT_IP 1520 port [udp/*] succeeded!
>>
>> ossec.conf:
>>
>>- 
>>  
>>SERVER_IP
>>1520
>>  
>>  
>>secure
>>tcp
>>1520
>>  
>>
>>
>>
>>



Re: [ossec-list] Send my own logs to Ossec server

2016-01-04 Thread Joao T.
Can I feed the OSSEC server with log files, or is it only possible to feed the 
agents?

On Thursday, December 31, 2015 at 11:56:10 AM UTC+1, Alberto Mijares wrote:
>
> You can use syslog. Tell syslogd to write to a specific file and the OSSEC 
> agent to read that file. 
>
> Read about syslog format and protocol, and the man page of the syslog 
> server in your OS. 
>
> Regards 
>
>
> Alberto Mijares 
>
>
>
> On Thu, Dec 31, 2015 at 5:34 AM, Joao T.  
> wrote: 
> > Hello, 
> > 
> > I would like to know if it is possible to send to the OSSEC server some logs 
> > created by my own script running on the same host as the OSSEC server. 
> > To which port should I send them, and what about the message? Can it be 
> > plain text? 
> > 
> > Thank you and happy new year 
> > Joao 
> > 
> > 


Re: [ossec-list] Send my own logs to Ossec server

2016-01-04 Thread dan (ddp)
On Mon, Jan 4, 2016 at 8:46 AM, Joao T.  wrote:
> Can I feed the OSSEC server with log files, or is it only possible to feed the
> agents?
>

If those logfiles exist on the server, the OSSEC processes there
should be able to read them.

> On Thursday, December 31, 2015 at 11:56:10 AM UTC+1, Alberto Mijares wrote:
>>
>> You can use syslog. Tell syslogd to write to a specific file and the OSSEC
>> agent to read that file.
>>
>> Read about syslog format and protocol, and the man page of the syslog
>> server in your OS.
>>
>> Regards
>>
>>
>> Alberto Mijares
>>
>>
>>
>> On Thu, Dec 31, 2015 at 5:34 AM, Joao T.  wrote:
>> > Hello,
>> >
>> > I would like to know if it is possible to send to the OSSEC server some logs
>> > created by my own script running on the same host as the OSSEC server.
>> > To which port should I send them, and what about the message? Can it be
>> > plain text?
>> >
>> > Thank you and happy new year
>> > Joao
>> >
>> >
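The two replies above as one configuration (an example added here, not code from the thread): the script logs through syslog, syslogd writes those messages to a file, and a <localfile> entry in ossec.conf has the local OSSEC processes read that file; the same entry works in an agent's ossec.conf or, as dan notes, in the manager's own. The file path, the logger tag and the rsyslog filter line are assumptions, and the second <localfile> goes beyond the replies by showing OSSEC running the script directly with the full_command log format.

```xml
<!-- ossec.conf fragment (example, not from the thread). Path, tag and the
     rsyslog line are assumed values. -->
<ossec_config>

  <!-- Step 1: the script writes plain text through syslog, for example
          logger -t myscript "backup finished rc=0"
       Step 2: syslogd writes those messages to their own file; with rsyslog
       an assumed filter such as
          :programname, isequal, "myscript"   /var/log/myscript.log
       Step 3: OSSEC reads that file with the syslog decoder. Put this entry
       in the ossec.conf of the host that holds the file: an agent, or the
       manager itself, since the manager reads local files the same way. -->
  <localfile>
    <location>/var/log/myscript.log</location>
    <log_format>syslog</log_format>
  </localfile>

  <!-- Beyond the replies: OSSEC can also run the script itself and treat its
       whole output as one event, which avoids the syslog hop entirely. -->
  <localfile>
    <log_format>full_command</log_format>
    <command>/usr/local/bin/myscript.sh</command>
  </localfile>

</ossec_config>
```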


[ossec-list] Couple of agents unable to connect to server

2016-01-04 Thread Cal
I have about 20 OSSEC agents connected to my OSSEC server without issue. 
There are approximately 6 however that cannot connect. I'm using a 
non-default port of 1520. Note: All IPs replaced here for OPSEC.

Logs:

   - Agent:
  - 2016/01/04 11:12:23 ossec-agentd: INFO: Using IPv4 for: SERVER_IP .
  2016/01/04 11:12:44 ossec-agentd(4101): WARN: Waiting for server 
  reply (not started). Tried: 'SERVER_IP'.
   - Server:
  - Nothing outside the standard output, even with debug enabled
  

What I've done so far:

   - Added rules into iptables to allow communication on both agent/server
   - TCPdump confirming on agent that it is sending packet
   - TCPdump confirming on server that it is receiving agent packet
   - Netcat on both server/agent:
  - netcat -uv SERVER_IP 1520
  Connection to SERVER_IP 1520 port [udp/*] succeeded!
  - netcat -uv AGENT_IP 1520
  Connection to AGENT_IP 1520 port [udp/*] succeeded!
   
ossec.conf:

   - 
 
   SERVER_IP
   1520
 
 
   secure
   tcp
   1520
 
   
   



[ossec-list] Re: Couple of agents unable to connect to server

2016-01-04 Thread Cal
Also, from agent:

# netstat -panu | grep 1520
udp0  0 AGENT_IP:43737 SERVER_IP:1520  ESTABLISHED 
30669/ossec-agentd

On Monday, January 4, 2016 at 12:25:02 PM UTC-5, Cal wrote:
>
> I have about 20 OSSEC agents connected to my OSSEC server without issue. 
> There are approximately 6 however that cannot connect. I'm using a 
> non-default port of 1520. Note: All IPs replaced here for OPSEC.
>
> Logs:
>
>- Agent:
>   - 2016/01/04 11:12:23 ossec-agentd: INFO: Using IPv4 for: SERVER_IP 
>   .
>   2016/01/04 11:12:44 ossec-agentd(4101): WARN: Waiting for server 
>   reply (not started). Tried: 'SERVER_IP'.
>- Server:
>   - Nothing outside the standard output, even with debug enabled
>   
>
> What I've done so far:
>
>- Added rules into iptables to allow communication on both agent/server
>- TCPdump confirming on agent that it is sending packet
>- TCPdump confirming on server that it is receiving agent packet
>- Netcat on both server/agent:
>   - netcat -uv SERVER_IP 1520
>   Connection to SERVER_IP 1520 port [udp/*] succeeded!
>   - netcat -uv AGENT_IP 1520
>   Connection to AGENT_IP 1520 port [udp/*] succeeded!
>
> ossec.conf:
>
>- 
>  
>SERVER_IP
>1520
>  
>  
>secure
>tcp
>1520
>  
>
>
>
>
