Re: [ossec-list] Rule 510 is triggering events but logtest is not showing any rules that should be triggered
I stopped them all (which appeared to work fine) and started again. Here is the rule and decoder I made for this (I want to alert only once if the same ID (filepath) has alerted in the past minute):

RULE:
510
This is meant to reduce noise as these events happen in batches with not much difference in meaning.

DECODER:
^(\.+) (\p/filepath\.+) (/filepath/\.+/mnt/\.+/)
id

Logtest returns the id I am looking for to match and that part works fine. It only gets to the first 2 steps though, and does not match it with a rule in logtest.

On Wednesday, April 5, 2017 at 12:48:21 PM UTC-7, dan (ddpbsd) wrote:
> On Wed, Apr 5, 2017 at 3:44 PM, Rob Williams wrote:
> > Yes I have, I've also tried to disable all the relevant changes I've made,
> > restart, and still have the same issue.
>
> Try stopping the ossec processes, verify that ossec-analysisd has
> stopped (sometimes it doesn't and causes issues), and start it back
> up.
> Can you also post the changes you made?

--
---
You received this message because you are subscribed to the Google Groups "ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to ossec-list+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
Re: [ossec-list] Rule 510 is triggering events but logtest is not showing any rules that should be triggered
On Wed, Apr 5, 2017 at 3:44 PM, Rob Williams wrote:
> Yes I have, I've also tried to disable all the relevant changes I've made,
> restart, and still have the same issue.
>

Try stopping the ossec processes, verify that ossec-analysisd has stopped (sometimes it doesn't and causes issues), and start it back up.
Can you also post the changes you made?

> On Wednesday, April 5, 2017 at 12:39:42 PM UTC-7, dan (ddpbsd) wrote:
>> Did you restart the OSSEC processes on the server after making your
>> modifications?
Re: [ossec-list] Rule 510 is triggering events but logtest is not showing any rules that should be triggered
Yes I have, I've also tried to disable all the relevant changes I've made, restart, and still have the same issue.

On Wednesday, April 5, 2017 at 12:39:42 PM UTC-7, dan (ddpbsd) wrote:
> Did you restart the OSSEC processes on the server after making your
> modifications?
Re: [ossec-list] Rule 510 is triggering events but logtest is not showing any rules that should be triggered
On Wed, Apr 5, 2017 at 3:26 PM, Rob Williams wrote:
> Hi all,
>
> I'm running into an issue where rule 510 is triggering and I'm getting
> spammed with alerts but I can't seem to tune it correctly.

Did you restart the OSSEC processes on the server after making your modifications?
[ossec-list] Rule 510 is triggering events but logtest is not showing any rules that should be triggered
Hi all,

I'm running into an issue where rule 510 is triggering and I'm getting spammed with alerts but I can't seem to tune it correctly. What's weird is that I am still getting alerted for rule 510 for this log, but I can't figure out how to get that to show in logtest. Basically, I am getting spammed with rule 510 and trying to filter it down more and here is what happens when I enter the log in logtest: any ideas on how to fix this?

**Phase 1: Completed pre-decoding.
       full event: 'File '/filepath/' is owned by root and has written permissions to anyone.'
       hostname: 'hostname'
       program_name: '(null)'
       log: 'File '/filepath/' is owned by root and has written permissions to anyone.'

**Phase 2: Completed decoding.
       decoder: 'sample_decoder_setup'
       id: '/filepath/'
[ossec-list] Alert for rule 510 is being generated, but logtest is not showing that any alert should be generated.
Hi all,

I'm running into an issue where rule 510 is triggering and I'm getting spammed with alerts but I can't seem to tune it correctly. What's weird is that I am still getting alerted for rule 510 for this log, but I can't figure out how to get that to show in logtest. Basically, I am getting spammed with rule 510 and trying to filter it down more and here is what happens when I enter the log in logtest: any ideas on how to fix this?

**Phase 1: Completed pre-decoding.
       full event: 'File '/var/lib/docker/devicemapper/mnt/acbc57824bbcbeae3b511a861c7d4aafc7c4f2351ff2c1125d29f06cdb0e4b84/rootfs/opt/apps-server/.cache/Tradeshift.Offline.css' is owned by root and has written permissions to anyone.'
       hostname: 'hostname'
       program_name: '(null)'
       log: 'File '/filepath/' is owned by root and has written permissions to anyone.'

**Phase 2: Completed decoding.
       decoder: 'docker_root'
       id: '/filepath/'
Re: [ossec-list] Redundancy manager (backup)
Hello Victor,

I tried to run a second manager and I have the same file /var/ossec/etc/client.keys on it and on the first manager. I've copied the local_rules, ossec.conf, local_decoder as well. And I've specified on the agents to listen on him as you told me:
10.0.0.1
10.0.0.2

My first manager (10.0.0.1 here) is shutdown and none of the agents are listening on 10.0.0.2. What should I look into?

Best regards.
[ossec-list] When doing rootchecks, OSSEC does not get the full information for the log
I'm not sure if this is a problem with the OSSEC configuration or the host itself, but there are some events where the logs or full message only have some of the information I need. For example, this will be the full message I receive (2016-02-03 14:16:35 status installed some_package). The email alert will give me the agent name it sent it from, but I am not receiving the hostname as well. It seems to be that most events do give the full message, but I'm starting to notice some that don't, so I'm wondering if I should be looking to fix this on the OSSEC side or making sure the system is fully logging or sending everything over. Thanks!
[ossec-list] OSSEC Rule to alert on the first event, but ignore the rest for a 5 minute period.
Hello,

I have alerts coming in huge batches for rule 510. The batches of alerts are essentially all the same event and the file path of the area that's causing this is essentially identical in each batch except for the last file. I'm trying to set up a rule that would look at the ID I set up in my decoder, which is a file path that takes the path except for the last file in order to match the batches of events. I want to alert only on the first one and ignore the rest with that same ID for 5 minutes.

First of all, does the rule below look ok for this? Does frequency="0" work, as I know the frequency essentially adds 2 to it?

Another issue I'm having with this in particular is that ossec-logtest does not test this rule correctly at all. Even when I paste the message, it doesn't even show up as something that would trigger rule 510, which is what the alerts are coming as. So that is also making it hard to troubleshoot this. Any ideas? Thanks!

510
my_decoder
*TEST* - Only alert on the first docker root event for the same host and file path in a 60 second range.
*TEST* - This is meant to reduce noise as docker root events typically happen in batches with not much difference in meaning.
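An added illustration, not code from the thread or from OSSEC, modelling the suppression the poster describes: the id is the path minus its last component, the first event per (host, id) alerts, and repeats inside the window are dropped. It assumes constructed timestamps and a made-up second file in the same directory.

```python
import re
from posixpath import dirname

# Rootcheck message shape quoted in the thread; the path is captured up to the closing quote.
ROOTCHECK_RE = re.compile(
    r"^File '(?P<path>[^']+)' is owned by root and has written permissions to anyone\.$")

def decode(log):
    """Mimic the poster's decoder: the 'id' is the directory part of the path (path minus last file)."""
    m = ROOTCHECK_RE.match(log)
    if m is None:
        return None                      # not this decoder's format; the rule would not match
    path = m.group("path")
    return {"path": path, "id": dirname(path) + "/"}

class FirstEventSuppressor:
    """Alert on the first event per (hostname, id); drop repeats inside `window` seconds."""
    def __init__(self, window):
        self.window = window
        self.last_alert = {}             # (hostname, id) -> time of the last alert sent

    def process(self, ts, hostname, log):
        """Return True if this event should alert, False if it is suppressed or undecodable."""
        fields = decode(log)
        if fields is None:
            return False
        key = (hostname, fields["id"])
        last = self.last_alert.get(key)
        if last is not None and ts - last < self.window:
            return False                 # same host + same directory alerted inside the window
        self.last_alert[key] = ts
        return True

# Constructed sample batch, modelled on the path in the original post (timestamps in seconds).
BASE = ("/var/lib/docker/devicemapper/mnt/"
        "acbc57824bbcbeae3b511a861c7d4aafc7c4f2351ff2c1125d29f06cdb0e4b84/rootfs/opt/apps-server/.cache")
MSG = "File '%s' is owned by root and has written permissions to anyone."
SAMPLE_EVENTS = [
    (0,  "host-a", MSG % (BASE + "/Tradeshift.Offline.css")),   # first event: alert
    (5,  "host-a", MSG % (BASE + "/Tradeshift.Offline.js")),    # same dir, inside window: suppressed
    (10, "host-b", MSG % (BASE + "/Tradeshift.Offline.css")),   # different host: alert
    (70, "host-a", MSG % (BASE + "/Tradeshift.Offline.css")),   # window expired: alert again
]

def run_sample(window=60):
    """Feed the sample batch through the suppressor; returns the per-event alert decisions."""
    suppressor = FirstEventSuppressor(window)
    return [suppressor.process(ts, host, log) for ts, host, log in SAMPLE_EVENTS]  # [True, False, True, True]
```

OSSEC's frequency/timeframe options count matches up to a threshold before the rule fires, which is the inverse of this first-then-ignore logic, so use the decision list above as the expected behaviour to compare against what logtest reports.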