Re: [ossec-list] Dynamic values in regex inside OSSEC rules?

2017-03-01 Thread InfoSec
In the Wazuh fork, dynamic decoders are an outstanding idea. It allows 
unprecedented visualization capabilities in the security console *without* 
having to resort to further parsing tricks at ingestion time. It is all 
done in OSSEC.

Dynamic decoders enable unprecedented normalization of events. Dynamic 
variables + dynamic decoders would tremendously boost OSSEC's host 
intrusion detection capabilities, enabling modeling of attack scenarios 
that were previously *unthinkable* in stock OSSEC.

The above examples are a very basic illustration of the endless threat 
scenario modeling possibilities that dynamic variables would add to the Wazuh 
fork of OSSEC.

By the way, legitimate user names and domain names in Windows may contain 
spaces. System events have "NT Authority" as domain name. The 
out-of-the-box dynamic decoders fail and only pick up "NT" in the case of 
the "NT Authority" domain. Ditto for user names that contain spaces.

The following works in case the user name or domain contains spaces:

Account Name:\s\s+(\w\.+)\s\s+Account Domain:

and for domain names:

Account Domain:\s\s+(\w\.+)\s\s+Logon ID:

-- 

--- 
You received this message because you are subscribed to the Google Groups 
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to ossec-list+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.


Re: [ossec-list] Dynamic values in regex inside OSSEC rules?

2017-03-01 Thread InfoSec
Sure thing.

I am trying to implement three use cases.

1) Windows event ID: Failed object access attempt by a subject "Subject" 
(tied to a real user, not a system account) of Object Type: File and 
object: "C:\Users\Other-than-Subject\Whatever-else comes after.ext". Ten 
recurrences by same Subject --> trigger an e-mail alert.

Here's what the event looks like. The content of all the fields is decoded 
in the Wazuh fork of OSSEC.

2017 Mar 02 04:04:22 WinEvtLog: Security: AUDIT_FAILURE(4656): Microsoft-
Windows-Security-Auditing: (no user): no domain: Desktop: A handle to an 
object was requested. Subject: Security ID: 
S-1-5-21-XX-XX-XX- Account Name: Subject1 
Account Domain: DESKTOP Logon ID: 0xX Object: Object Server: Security 
Object Type: File Object Name: C:\Users\Subject2\Documents\Private.txt 
Handle ID: 0xXXX Resource Attributes: - Process Information: Process ID: 
0xXXX Process Name: C:\Windows\System32\notepad.exe Access Request 
Information: Transaction ID: {----} 
Accesses: SYNCHRONIZE ReadData (or ListDirectory) Access Reasons: 
SYNCHRONIZE: Granted by D:(A;;0x1200a9;;;BU) ReadData (or ListDirectory): 
Granted by D:(A;;0x1200a9;;;BU) Access Mask: 0x11 Privileges Used for 
Access Check: - Restricted SID Count: 0

During decoding, the values of Account Name are stored as "subject", Object 
Name as "object", the main directory in object as obj_dir_1, and first 
subdirectory as obj_dir_2. In the example above obj_dir_1 is "Users" and 
obj_dir_2 is "Subject2".

Practically: if an event similar to the above occurs where the value of 
obj_dir_1 is "Users" *and* the value of decoded field "subject" does *not* 
match the value of decoded field "obj_dir_2", ten times in half an hour from 
the same subject, trigger an e-mail alert.

2) User successfully accessing files in the home folder of another user --> 
A single occurrence generates an *immediate* e-mail alert.

2017 Mar 02 04:04:22 WinEvtLog: Security: AUDIT_SUCCESS(4656): Microsoft-
Windows-Security-Auditing: (no user): no domain: Desktop: A handle to an 
object was requested. Subject: Security ID: 
S-1-5-21-XX-XX-XX- Account Name: Subject1 
Account Domain: DESKTOP Logon ID: 0xX Object: Object Server: Security 
Object Type: File Object Name: C:\Users\Subject2\Documents\Private.txt 
Handle ID: 0xXXX Resource Attributes: - Process Information: Process ID: 
0xXXX Process Name: C:\Windows\System32\notepad.exe Access Request 
Information: Transaction ID: {----} 
Accesses: SYNCHRONIZE ReadData (or ListDirectory) Access Reasons: 
SYNCHRONIZE: Granted by D:(A;;0x1200a9;;;BU) ReadData (or ListDirectory): 
Granted by D:(A;;0x1200a9;;;BU) Access Mask: 0x11 Privileges Used for 
Access Check: - Restricted SID Count: 0

Practically: if a single event similar to the above occurs where the value 
of subject does *not* match the value of obj_dir_2 *and* obj_dir_1 is 
"Users", trigger an e-mail alert.

Use case 1 is a security incident that can be described as: repeated failed 
attempts at unauthorized object access by user.

Use case 2 is a more serious security incident: confirmed successful 
unauthorized object access by user due to a loophole in the access control 
list on Object. If subject1 is a *privileged* account, this is a clear 
abuse of privilege by a system administrator.

Use Case 3 is an even more serious incident: one or more use case 1 
followed by use case 2. Subject successfully managed to modify the ACL on 
Object (then we would expect to see evidence thereto in the logs in terms 
of changed permissions events -- another use case) or managed to subvert or 
bypass the access control mechanism.
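Since OSSEC rules cannot compare one decoded field against another (the question this thread asks), the three use cases above can be modelled outside OSSEC over archive-style lines. The following is an added example, not OSSEC or Wazuh code: field names (subject, object, obj_dir_1, obj_dir_2), the 10-events-in-30-minutes threshold and the event layout follow the post; skipping machine accounts (names ending in "$") as "system accounts" and the `sample_line` events are assumptions constructed for the demo.

```python
#!/usr/bin/env python3
"""Model the three 4656 use cases from the post outside OSSEC.

Added example, not OSSEC/Wazuh code. Decoded field names and the alert
thresholds follow the post. Treating names that end in '$' (machine
accounts) as system accounts is an assumption, not something the post states.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

# Field extraction; the lazy (.+?) before "Account Domain:" keeps names that
# contain spaces intact, the failure the post notes for "NT Authority".
EVENT_RE = re.compile(
    r"^(?P<ts>\d{4} \w{3} \d{2} \d{2}:\d{2}:\d{2}) WinEvtLog: Security: "
    r"AUDIT_(?P<outcome>SUCCESS|FAILURE)\(4656\):.*?"
    r"Account Name:\s+(?P<subject>.+?)\s+Account Domain:.*?"
    r"Object Type:\s+(?P<obj_type>\S+)\s+Object Name:\s+(?P<object>.+?)\s+Handle ID:"
)

def decode(line: str) -> Optional[Dict[str, str]]:
    """Return the decoded fields for a 4656 line, or None if it is not one."""
    m = EVENT_RE.search(line)
    if not m:
        return None
    f = m.groupdict()
    parts = f["object"].split("\\")     # C:, Users, Subject2, Documents, Private.txt
    f["obj_dir_1"] = parts[1] if len(parts) > 1 else ""
    f["obj_dir_2"] = parts[2] if len(parts) > 2 else ""
    return f

def evaluate(lines: List[str], threshold: int = 10,
             window: timedelta = timedelta(minutes=30)) -> List[Tuple[str, str, str]]:
    """Return (use_case, subject, object) alerts for the post's three scenarios.

    UC1: `threshold` failed cross-user file accesses by one subject inside `window`.
    UC2: a single successful cross-user access by a subject with no prior UC1.
    UC3: a successful cross-user access by a subject that already triggered UC1.
    """
    alerts: List[Tuple[str, str, str]] = []
    failures: Dict[str, deque] = defaultdict(deque)
    uc1_subjects = set()
    for line in lines:
        ev = decode(line)
        if ev is None or ev["obj_type"] != "File" or ev["obj_dir_1"].lower() != "users":
            continue
        subject = ev["subject"]
        if subject.endswith("$") or subject.lower() == ev["obj_dir_2"].lower():
            continue                      # system account, or the user's own home folder
        ts = datetime.strptime(ev["ts"], "%Y %b %d %H:%M:%S")
        if ev["outcome"] == "FAILURE":
            q = failures[subject]
            q.append(ts)
            while q and ts - q[0] > window:   # keep only failures inside the window
                q.popleft()
            if len(q) >= threshold:
                alerts.append(("UC1", subject, ev["object"]))
                uc1_subjects.add(subject)
                q.clear()                     # start counting afresh after alerting
        else:
            kind = "UC3" if subject in uc1_subjects else "UC2"
            alerts.append((kind, subject, ev["object"]))
    return alerts

def sample_line(ts: str, outcome: str, subject: str, path: str) -> str:
    """Constructed archive line in the shape quoted in the post."""
    return (f"{ts} WinEvtLog: Security: AUDIT_{outcome}(4656): Microsoft-Windows-Security-Auditing: "
            f"(no user): no domain: Desktop: A handle to an object was requested. Subject: Security ID: "
            f"S-1-5-21-XX-XX-XX- Account Name: {subject} Account Domain: DESKTOP Logon ID: 0xX "
            f"Object: Object Server: Security Object Type: File Object Name: {path} Handle ID: 0xXXX "
            f"Resource Attributes: - Process Information: Process ID: 0xXXX "
            f"Process Name: C:\\Windows\\System32\\notepad.exe Access Mask: 0x11")

def sample_lines() -> List[str]:
    """Ten failures by Subject1 on Subject2's file inside 30 minutes, then a
    success, plus Subject2 reading its own file, which must not alert."""
    target = r"C:\Users\Subject2\Documents\Private.txt"
    lines = [sample_line(f"2017 Mar 02 04:{4 + i:02d}:22", "FAILURE", "Subject1", target)
             for i in range(10)]
    lines.append(sample_line("2017 Mar 02 04:20:00", "SUCCESS", "Subject1", target))
    lines.append(sample_line("2017 Mar 02 04:21:00", "SUCCESS", "Subject2", target))
    return lines

if __name__ == "__main__":
    for alert in evaluate(sample_lines()):
        print(alert)
```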



Re: [ossec-list] Re: Windows Defender Decoder ?

2017-03-01 Thread dan (ddp)
On Wed, Mar 1, 2017 at 6:40 PM, Ed Davison  wrote:
> It would be great to see the decoder entries that go with these rules ...  I
> know this is an older post but maybe you are still around and can share the
> decoder and maybe the plugin as well?
>


If you can provide log samples, we can work on decoders. :-)


> On Monday, May 16, 2016 at 4:22:08 PM UTC-5, Brent Morris wrote:
>>
>> Rob - can you post your OSSEC version of the log?  I can check my rules.
>> These are a culmination of gleaned rules that I updated some time back with
>> new event IDs.  Yours is covered in there  but I would like to test it
>> against a valid OSSEC log.  So if you can post it from the OSSEC logs,
>> that'd be great.
>>
>> Here they are..
>>


Re: [ossec-list] Dynamic values in regex inside OSSEC rules?

2017-03-01 Thread Jesus Linares
Hi,

Could you give us a real example?

Thanks

On Wednesday, March 1, 2017 at 10:34:18 AM UTC-8, dan (ddpbsd) wrote:
>
> On Mon, Feb 27, 2017 at 2:50 PM, Jahchan, Georges J. wrote:
> > That is not what I meant.
> >
> > If the source IP is decoded and stored in field srcip, I want to be able to
> > specify _srcip_ (or whatever convention used to tell regex that this is a
> > variable), and have _srcip_ replaced by the value saved as srcip in the
> > event.
> >
> > If srcip is 10.0.0.1, specifying in the regex
> > Some-regex-preceding-_srcip_-some regex tailing _srcip_ in
> > the regex would be dynamically replaced by its value (10.0.0.1) during regex
> > evaluation.
> >
>
> There's no support for that.
>


[ossec-list] Re: Windows Defender Decoder ?

2017-03-01 Thread Ed Davison
It would be great to see the decoder entries that go with these rules ... 
 I know this is an older post but maybe you are still around and can share 
the decoder and maybe the plugin as well?

On Monday, May 16, 2016 at 4:22:08 PM UTC-5, Brent Morris wrote:
>
> Rob - can you post your OSSEC version of the log?  I can check my rules. 
>  These are a culmination of gleaned rules that I updated some time back 
> with new event IDs.  Yours is covered in there  but I would like to 
> test it against a valid OSSEC log.  So if you can post it from the OSSEC 
> logs, that'd be great.
>
> Here they are..
>
>



[ossec-list] OSSEC IDS on Windows only sending Error logs

2017-03-01 Thread Ed Davison
I have OSSEC 2.8.3 installed on a Windows 2012R2 server and have added an 
eventchannel localfile option to gather logs from the 
"Microsoft-Windows-Backup" log. No errors on startup.

On the OSSIM side, I have logall enabled and am checking the alerts.log file, 
and can ONLY see Error logs being forwarded, not Information or Warning 
logs. I need the latter, as that is where the successful and 
successful-with-warning events are logged, as well as when a backup was 
configured or cancelled.

How can I get ALL of the logs for all log severities sent to OSSIM using 
OSSEC 2.8.3 for Windows and eventchannel?

Thanks in advance.



Re: [ossec-list] Re: syscheckd causing soft lockups

2017-03-01 Thread Santiago Bassett
That is probably rootcheck trying to detect system anomalies and kernel
level rootkits. It does it by comparing the output of netstat with its own
results binding ports to check if they are open.

Remember that syscheckd not only does FIM, but also Rootchecks (policy
monitoring checks and anomalies detection).

You can disable these checks using

no (under rootcheck section).

Other checks are done to detect hidden files or processes.

Complete documentation here:

http://ossec-docs.readthedocs.io/en/latest/manual/rootcheck/manual-rootcheck.html

You can also enable debug for syscheck in internal_options.conf file (so
you get to know better what it is doing)

I hope it helps,

Santiago.

On Wed, Mar 1, 2017 at 7:59 AM, John Gelnaw  wrote:

>
> Followup. ossec-syscheckd appears to be doing some bind operation:
>
>
> socket(PF_INET, SOCK_STREAM, IPPROTO_TCP) = 6
> bind(6, {sa_family=AF_INET, sin_port=htons(12310),
> sin_addr=inet_addr("0.0.0.0")}, 16) = 0
> close(6) = 0
> socket(PF_INET, SOCK_STREAM, IPPROTO_TCP) = 6
> bind(6, {sa_family=AF_INET, sin_port=htons(12311),
> sin_addr=inet_addr("0.0.0.0")}, 16) = 0
> close(6) = 0
> socket(PF_INET, SOCK_STREAM, IPPROTO_TCP) = 6
> bind(6, {sa_family=AF_INET, sin_port=htons(12312),
> sin_addr=inet_addr("0.0.0.0")}, 16) = 0
> close(6) = 0
> socket(PF_INET, SOCK_STREAM, IPPROTO_TCP) = 6
> bind(6, {sa_family=AF_INET, sin_port=htons(12313),
> sin_addr=inet_addr("0.0.0.0")}, 16
> 2017 Mar 1 10:27:58 ahc-www01 NMI watchdog: BUG: soft lockup - CPU#0 stuck
> for 22s! [ossec-syscheckd:19286]
> 2017 Mar 1 10:28:26 ahc-www01 NMI watchdog: BUG: soft lockup - CPU#0 stuck
> for 22s! [ossec-syscheckd:19286]
> 2017 Mar 1 10:28:58 ahc-www01 NMI watchdog: BUG: soft lockup - CPU#0 stuck
> for 22s! [ossec-syscheckd:19286]
> 2017 Mar 1 10:29:26 ahc-www01 NMI watchdog: BUG: soft lockup - CPU#0 stuck
> for 22s! [ossec-syscheckd:19286]
> 2017 Mar 1 10:29:54 ahc-www01 NMI watchdog: BUG: soft lockup - CPU#0 stuck
> for 22s! [ossec-syscheckd:19286]
>
> My guess is that it's trying to bind, running out of available sockets,
> and waiting until a socket frees up (or forever, whichever comes first).
>
> Why would syscheckd be attempting to bind to 0.0.0.0, however?
>


Re: [ossec-list] ossec-remoted not running

2017-03-01 Thread dan (ddp)
On Wed, Mar 1, 2017 at 6:59 AM, Eduardo Reichert Figueiredo
 wrote:
> Port 1514 is already, I received UDP packets (validated with tcpdump), ossec
> is running (monitord, logcollector, syscheck, analysisd), only remoted not
> running, but remoted is displayed for port 1514 (netstat -vandup).
>

Shutdown ossec:
`/var/ossec/bin/ossec-control stop`

Make sure no processes are still running:
`ps auxww | grep ossec`

If there are any running processes still, kill them manually.
Try starting OSSEC again:
`/var/ossec/bin/ossec-control start`

If that doesn't help, can you provide the  configuration?

> Em quarta-feira, 1 de março de 2017 08:53:21 UTC-3, Eero Volotinen escreveu:
>>
>> Is something running on port 1514 already? Or is ossec already running?
>>
>> Eero
>>
>> 2017-03-01 13:50 GMT+02:00 Eduardo Reichert Figueiredo
>> :
>>>
>>> Dear All,
>>> I am installing an OSSEC server on RHEL 6.8, but only ossec-remoted is not
>>> running; I did troubleshooting with the commands below:
>>> #gdb /var/ossec-2.9/bin/ossec-remoted
>>> ###RESULT###
>>> ...
>>> Reading symbols from /var/ossec-2.9/bin/ossec-remoted...(no debugging
>>> symbols found)...done.
>>> (gdb) set follow-fork-mode child
>>> (gdb) run -df
>>> Starting program: /var/ossec-2.9/bin/ossec-remoted -df
>>> [Thread debugging using libthread_db enabled]
>>> 2017/03/01 08:36:40 ossec-remoted: DEBUG: Starting ...
>>> 2017/03/01 08:36:40 ossec-remoted: INFO: Started (pid: 88290).
>>> [New process 88293]
>>> 2017/03/01 08:36:40 ossec-remoted: DEBUG: Forking remoted: '1'.
>>> 2017/03/01 08:36:40 ossec-remoted(1206): ERROR: Unable to Bind port
>>> '1514'
>>> [Thread debugging using libthread_db enabled]
>>> 2017/03/01 08:36:40 ossec-remoted: DEBUG: Forking remoted: '0'.
>>> 2017/03/01 08:36:40 ossec-remoted: Remote syslog allowed from:
>>> '0.0.0.0/0'
>>> 2017/03/01 08:36:40 ossec-remoted: Remote syslog allowed from:
>>> '0.0.0.0/0'
>>> 2017/03/01 08:36:40 ossec-remoted(1206): ERROR: Unable to Bind port
>>> '1514'
>>>
>>> Program exited with code 01.
>>> Missing separate debuginfos, use: debuginfo-install
>>> glibc-2.12-1.192.el6.x86_64 keyutils-libs-1.4-5.el6.x86_64
>>> krb5-libs-1.10.3-57.el6.x86_64 libcom_err-1.41.12-22.el6.x86_64
>>> libselinux-2.0.94-7.el6.x86_64 openssl-1.0.1e-48.el6_8.4.x86_64
>>> zlib-1.2.3-29.el6.x86_64
>>> (gdb) Q
>>>
>>> Can you help me?
>>>


Re: [ossec-list] Dynamic values in regex inside OSSEC rules?

2017-03-01 Thread dan (ddp)
On Mon, Feb 27, 2017 at 2:50 PM, Jahchan, Georges J.
 wrote:
> That is not what I meant.
>
> If the source IP is decoded and stored in field srcip, I want to be able to
> specify _srcip_ (or whatever convention used to tell regex that this is a
> variable), and have _srcip_ replaced by the value saved as srcip in the
> event.
>
> If srcip is 10.0.0.1, specifying in the regex
> Some-regex-preceding-_srcip_-some regex tailing _srcip_ in
> the regex would be dynamically replaced by its value (10.0.0.1) during regex
> evaluation.
>

There's no support for that.



Re: [ossec-list] How to check that chained checksums are correct

2017-03-01 Thread dan (ddp)
On Wed, Mar 1, 2017 at 11:10 AM, Dominik  wrote:
> OSSEC creates checksums and chained checksums of the archives. I need a way
> to confirm that the chain is correct.
>
> zcat /var/ossec/logs/archives/2017/Feb/ossec-archive-28.log.gz | md5sum
> creates the entry
> Current checksum:
> MD5  (/logs/archives/2017/Feb/ossec-archive-28.log) =
>  in ossec-archive-28.log.sum
>
> Likewise
> zcat /var/ossec/logs/archives/2017/Feb/ossec-archive-27.log.sum | md5sum
> creates the entry
> Chained checksum:
> MD5  (/logs/archives/2017/Feb/ossec-archive-28.log) =
>  in ossec-archive-28.log.sum
>
> I could create a script to do the check all the way to the beginning.
>
> Does OSSEC provide a method to do this check without scripting it?
>
> I was not able to find that in the documentation (probably checking at the
> wrong place)
>

I don't believe we have a script or anything to check that.

> Thanks
> Dominik
>


[ossec-list] How to check that chained checksums are correct

2017-03-01 Thread Dominik
OSSEC creates checksums and chained checksums of the archives. I need a way 
to confirm that the chain is correct. 

zcat /var/ossec/logs/archives/2017/Feb/ossec-archive-28.log.gz | md5sum 
creates the entry 
Current checksum:
MD5  (/logs/archives/2017/Feb/ossec-archive-28.log) = 
 in ossec-archive-28.log.sum 

Likewise 
zcat /var/ossec/logs/archives/2017/Feb/ossec-archive-27.log.sum | md5sum 
creates the entry 
Chained checksum:
MD5  (/logs/archives/2017/Feb/ossec-archive-28.log) = 
 in ossec-archive-28.log.sum

I could create a script to do the check all the way to the beginning.

Does OSSEC provide a method to do this check without scripting it?

I was not able to find that in the documentation (probably checking at the 
wrong place) 

Thanks
Dominik
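Since OSSEC ships no chain checker (see dan's reply above), here is an added example of the script the post contemplates; it is not part of OSSEC. It assumes the .sum layout the post quotes: the MD5 under "Current checksum:" covers that day's archive log, and the MD5 under "Chained checksum:" covers the previous day's .sum file; `make_sum` and `demo_days` only construct sample data in that layout for the demo.

```python
#!/usr/bin/env python3
"""Walk an OSSEC archive checksum chain and report where it breaks.

Added example, not an OSSEC tool. Assumes the .sum layout quoted in the post:
a "Current checksum:" block whose MD5 line covers that day's archive log and
a "Chained checksum:" block whose MD5 line covers the previous day's .sum
file. SHA1 lines, if present, are ignored.
"""
import gzip
import hashlib
import re
from typing import List, Optional, Tuple

# "MD5  (/logs/archives/2017/Feb/ossec-archive-28.log) = <32 hex chars>"
MD5_LINE = re.compile(r"^MD5\s+\([^)]*\)\s*=\s*([0-9a-fA-F]{32})\s*$")
Day = Tuple[str, bytes, bytes]   # (label, archive log bytes, .sum file bytes)

def read_maybe_gzip(path: str) -> bytes:
    """Read a file, gunzipping it if it was rotated to .gz (what zcat does)."""
    with open(path, "rb") as fh:
        data = fh.read()
    return gzip.decompress(data) if data[:2] == b"\x1f\x8b" else data

def parse_sum(sum_text: str) -> Tuple[Optional[str], Optional[str]]:
    """Return (current_md5, chained_md5). The file name in parentheses is
    ignored on purpose: the post shows the same name on both lines, so only
    the section label is trusted."""
    section, current, chained = None, None, None
    for raw in sum_text.splitlines():
        line = raw.strip()
        if line == "Current checksum:":
            section = "current"
        elif line == "Chained checksum:":
            section = "chained"
        else:
            m = MD5_LINE.match(line)
            if m and section == "current":
                current = m.group(1).lower()
            elif m and section == "chained":
                chained = m.group(1).lower()
    return current, chained

def verify_chain(days: List[Day]) -> List[str]:
    """Check days in chronological order; an empty list means the chain holds.
    Each log must hash to its current checksum and each chained checksum must
    equal the MD5 of the previous day's .sum; the first day has no predecessor."""
    problems: List[str] = []
    prev_sum: Optional[bytes] = None
    for label, log_bytes, sum_bytes in days:
        current, chained = parse_sum(sum_bytes.decode("utf-8", "replace"))
        if current is None:
            problems.append(f"{label}: no MD5 line under 'Current checksum'")
        elif current != hashlib.md5(log_bytes).hexdigest():
            problems.append(f"{label}: archive log does not match its current checksum")
        if prev_sum is not None:
            if chained is None:
                problems.append(f"{label}: no MD5 line under 'Chained checksum'")
            elif chained != hashlib.md5(prev_sum).hexdigest():
                problems.append(f"{label}: chained checksum does not match previous .sum")
        prev_sum = sum_bytes
    return problems

def make_sum(name: str, log_bytes: bytes, prev_sum: Optional[bytes]) -> bytes:
    """Constructed .sum content in the layout quoted in the post (demo data only)."""
    lines = ["Current checksum:", f"MD5  ({name}) = {hashlib.md5(log_bytes).hexdigest()}", ""]
    if prev_sum is not None:
        lines += ["Chained checksum:", f"MD5  ({name}) = {hashlib.md5(prev_sum).hexdigest()}", ""]
    return ("\n".join(lines) + "\n").encode()

def demo_days(tamper: bool = False) -> List[Day]:
    """Three constructed days (Feb 26-28); with tamper=True, day 27's log is
    edited after signing, which the verifier must report."""
    days: List[Day] = []
    prev: Optional[bytes] = None
    for d in (26, 27, 28):
        log = f"2017 Feb {d} 00:00:01 host ossec: constructed event\n".encode()
        s = make_sum(f"/logs/archives/2017/Feb/ossec-archive-{d}.log", log, prev)
        days.append((f"ossec-archive-{d}", log, s))
        prev = s
    if tamper:
        label, log, s = days[1]
        days[1] = (label, log + b"injected line\n", s)
    return days

if __name__ == "__main__":
    # Real use: build Day tuples with read_maybe_gzip() on the .log.gz and .sum files.
    for tamper in (False, True):
        print("tampered:" if tamper else "clean:", verify_chain(demo_days(tamper)) or "chain OK")
```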



[ossec-list] Re: syscheckd causing soft lockups

2017-03-01 Thread John Gelnaw

Followup. ossec-syscheckd appears to be doing some bind operation:


socket(PF_INET, SOCK_STREAM, IPPROTO_TCP) = 6 
bind(6, {sa_family=AF_INET, sin_port=htons(12310), 
sin_addr=inet_addr("0.0.0.0")}, 16) = 0 
close(6) = 0 
socket(PF_INET, SOCK_STREAM, IPPROTO_TCP) = 6 
bind(6, {sa_family=AF_INET, sin_port=htons(12311), 
sin_addr=inet_addr("0.0.0.0")}, 16) = 0 
close(6) = 0 
socket(PF_INET, SOCK_STREAM, IPPROTO_TCP) = 6 
bind(6, {sa_family=AF_INET, sin_port=htons(12312), 
sin_addr=inet_addr("0.0.0.0")}, 16) = 0 
close(6) = 0 
socket(PF_INET, SOCK_STREAM, IPPROTO_TCP) = 6 
bind(6, {sa_family=AF_INET, sin_port=htons(12313), 
sin_addr=inet_addr("0.0.0.0")}, 16
2017 Mar 1 10:27:58 ahc-www01 NMI watchdog: BUG: soft lockup - CPU#0 stuck 
for 22s! [ossec-syscheckd:19286]
2017 Mar 1 10:28:26 ahc-www01 NMI watchdog: BUG: soft lockup - CPU#0 stuck 
for 22s! [ossec-syscheckd:19286] 
2017 Mar 1 10:28:58 ahc-www01 NMI watchdog: BUG: soft lockup - CPU#0 stuck 
for 22s! [ossec-syscheckd:19286] 
2017 Mar 1 10:29:26 ahc-www01 NMI watchdog: BUG: soft lockup - CPU#0 stuck 
for 22s! [ossec-syscheckd:19286] 
2017 Mar 1 10:29:54 ahc-www01 NMI watchdog: BUG: soft lockup - CPU#0 stuck 
for 22s! [ossec-syscheckd:19286]

My guess is that it's trying to bind, running out of available sockets, and 
waiting until a socket frees up (or forever, whichever comes first).

Why would syscheckd be attempting to bind to 0.0.0.0, however?



Re: [ossec-list] ossec-remoted not running

2017-03-01 Thread Eduardo Reichert Figueiredo
Port 1514 is already, I received UDP packets (validated with tcpdump), 
ossec is running (monitord, logcollector, syscheck, analysisd), only 
remoted not running, but remoted is displayed for port 1514 (netstat 
-vandup).

Em quarta-feira, 1 de março de 2017 08:53:21 UTC-3, Eero Volotinen escreveu:
>
> Is something running on port 1514 already? Or is ossec already running?
>
> Eero
>
> 2017-03-01 13:50 GMT+02:00 Eduardo Reichert Figueiredo <
> eduardo@hotmail.com >:
>
>> Dear All,
>> I am installing an OSSEC server on RHEL 6.8, but only ossec-remoted is not 
>> running; I did troubleshooting with the commands below:
>> #gdb /var/ossec-2.9/bin/ossec-remoted
>> ###RESULT###
>> ...
>> Reading symbols from /var/ossec-2.9/bin/ossec-remoted...(no debugging 
>> symbols found)...done.
>> (gdb) set follow-fork-mode child
>> (gdb) run -df
>> Starting program: /var/ossec-2.9/bin/ossec-remoted -df
>> [Thread debugging using libthread_db enabled]
>> 2017/03/01 08:36:40 ossec-remoted: DEBUG: Starting ...
>> 2017/03/01 08:36:40 ossec-remoted: INFO: Started (pid: 88290).
>> [New process 88293]
>> 2017/03/01 08:36:40 ossec-remoted: DEBUG: Forking remoted: '1'.
>> 2017/03/01 08:36:40 ossec-remoted(1206): ERROR: Unable to Bind port '1514'
>> [Thread debugging using libthread_db enabled]
>> 2017/03/01 08:36:40 ossec-remoted: DEBUG: Forking remoted: '0'.
>> 2017/03/01 08:36:40 ossec-remoted: Remote syslog allowed from: '0.0.0.0/0
>> '
>> 2017/03/01 08:36:40 ossec-remoted: Remote syslog allowed from: '0.0.0.0/0
>> '
>> *2017/03/01 08:36:40 ossec-remoted(1206): ERROR: Unable to Bind port 
>> '1514'*
>>
>> Program exited with code 01.
>> Missing separate debuginfos, use: debuginfo-install 
>> glibc-2.12-1.192.el6.x86_64 keyutils-libs-1.4-5.el6.x86_64 
>> krb5-libs-1.10.3-57.el6.x86_64 libcom_err-1.41.12-22.el6.x86_64 
>> libselinux-2.0.94-7.el6.x86_64 openssl-1.0.1e-48.el6_8.4.x86_64 
>> zlib-1.2.3-29.el6.x86_64
>> (gdb) Q
>>
>> Can you help me?
>>


Re: [ossec-list] ossec-remoted not running

2017-03-01 Thread Eero Volotinen
Is something running on port 1514 already? Or is ossec already running?

Eero

2017-03-01 13:50 GMT+02:00 Eduardo Reichert Figueiredo <
eduardo.reich...@hotmail.com>:

> Dear All,
> I am installing an OSSEC server on RHEL 6.8, but only ossec-remoted is not
> running; I did troubleshooting with the commands below:
> #gdb /var/ossec-2.9/bin/ossec-remoted
> ###RESULT###
> ...
> Reading symbols from /var/ossec-2.9/bin/ossec-remoted...(no debugging
> symbols found)...done.
> (gdb) set follow-fork-mode child
> (gdb) run -df
> Starting program: /var/ossec-2.9/bin/ossec-remoted -df
> [Thread debugging using libthread_db enabled]
> 2017/03/01 08:36:40 ossec-remoted: DEBUG: Starting ...
> 2017/03/01 08:36:40 ossec-remoted: INFO: Started (pid: 88290).
> [New process 88293]
> 2017/03/01 08:36:40 ossec-remoted: DEBUG: Forking remoted: '1'.
> 2017/03/01 08:36:40 ossec-remoted(1206): ERROR: Unable to Bind port '1514'
> [Thread debugging using libthread_db enabled]
> 2017/03/01 08:36:40 ossec-remoted: DEBUG: Forking remoted: '0'.
> 2017/03/01 08:36:40 ossec-remoted: Remote syslog allowed from: '0.0.0.0/0'
> 2017/03/01 08:36:40 ossec-remoted: Remote syslog allowed from: '0.0.0.0/0'
> *2017/03/01 08:36:40 ossec-remoted(1206): ERROR: Unable to Bind port
> '1514'*
>
> Program exited with code 01.
> Missing separate debuginfos, use: debuginfo-install
> glibc-2.12-1.192.el6.x86_64 keyutils-libs-1.4-5.el6.x86_64
> krb5-libs-1.10.3-57.el6.x86_64 libcom_err-1.41.12-22.el6.x86_64
> libselinux-2.0.94-7.el6.x86_64 openssl-1.0.1e-48.el6_8.4.x86_64
> zlib-1.2.3-29.el6.x86_64
> (gdb) Q
>
> Can you help me?
>


[ossec-list] ossec-remoted not running

2017-03-01 Thread Eduardo Reichert Figueiredo
Dear All,
I am installing an OSSEC server on RHEL 6.8, but only ossec-remoted is not 
running; I did troubleshooting with the commands below:
#gdb /var/ossec-2.9/bin/ossec-remoted
###RESULT###
...
Reading symbols from /var/ossec-2.9/bin/ossec-remoted...(no debugging 
symbols found)...done.
(gdb) set follow-fork-mode child
(gdb) run -df
Starting program: /var/ossec-2.9/bin/ossec-remoted -df
[Thread debugging using libthread_db enabled]
2017/03/01 08:36:40 ossec-remoted: DEBUG: Starting ...
2017/03/01 08:36:40 ossec-remoted: INFO: Started (pid: 88290).
[New process 88293]
2017/03/01 08:36:40 ossec-remoted: DEBUG: Forking remoted: '1'.
2017/03/01 08:36:40 ossec-remoted(1206): ERROR: Unable to Bind port '1514'
[Thread debugging using libthread_db enabled]
2017/03/01 08:36:40 ossec-remoted: DEBUG: Forking remoted: '0'.
2017/03/01 08:36:40 ossec-remoted: Remote syslog allowed from: '0.0.0.0/0'
2017/03/01 08:36:40 ossec-remoted: Remote syslog allowed from: '0.0.0.0/0'
*2017/03/01 08:36:40 ossec-remoted(1206): ERROR: Unable to Bind port '1514'*

Program exited with code 01.
Missing separate debuginfos, use: debuginfo-install 
glibc-2.12-1.192.el6.x86_64 keyutils-libs-1.4-5.el6.x86_64 
krb5-libs-1.10.3-57.el6.x86_64 libcom_err-1.41.12-22.el6.x86_64 
libselinux-2.0.94-7.el6.x86_64 openssl-1.0.1e-48.el6_8.4.x86_64 
zlib-1.2.3-29.el6.x86_64
(gdb) Q

Can you help me?
