[ossec-list] OSSEC Missing Logs

2018-02-16 Thread Eric
I'm using OSSEC in a slightly unconventional manner where I have it 
installed on a centralized syslog server and it's tripping correlations 
from multiple servers with just one agent. A small snippet of the setup is 
below.

ossec-server.domain.com monitoring:

   - /logs/networking/*.log
   - /logs/windows/*.log
   - /logs/unix/*.log

Overall this has worked pretty well as a low-key correlation system for 
some alerts, but I recently added a few more logs to it and I feel like 
OSSEC is missing some entries now. For example, I see alerts being 
tripped in /var/ossec/logs/alerts/alerts.log for some events, but others are 
not. I know for a fact, while tailing the alerts.log file, that I should have 
received the alert below, as I was also tailing the logs OSSEC was 
monitoring. Below shows that the format is correct and it's 
decoding/alerting correctly when running the test. Therefore my only 
conclusion is that OSSEC is potentially getting overwhelmed and missing some. Is 
there a way to check that, or any other reason this wouldn't have tripped for 
me?

Feb 16 13:04:34 server1 sudo:   user_name : command not allowed ; TTY=pts/0 ; PWD=/home/user_name ; USER=root ; COMMAND=/bin/su root


**Phase 1: Completed pre-decoding.
   full event: 'Feb 16 13:04:34 server1 sudo:   user_name : command not allowed ; TTY=pts/0 ; PWD=/home/user_name ; USER=root ; COMMAND=/bin/su root'
   hostname: 'server1'
   program_name: 'sudo'
   log: '  user_name : command not allowed ; TTY=pts/0 ; PWD=/home/user_name ; USER=root ; COMMAND=/bin/su root'

**Phase 2: Completed decoding.
   decoder: 'sudo'
   dstuser: 'user_name'

**Phase 3: Completed filtering (rules).
   Rule id: '100012'
   Level: '10'
   Description: 'User attempted to run a command that was not allowed.'
**Alert to be generated.

-- 

--- 
You received this message because you are subscribed to the Google Groups 
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to ossec-list+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
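A defender-side check for the dropped-alert suspicion raised in the post above, added here as an example that is not part of the original message or of OSSEC itself: it reconciles the sudo "command not allowed" events visible in a monitored log against the raw events recorded in alerts.log for rule 100012, so that any event that never produced an alert is listed. Both inputs are constructed samples, and the alerts.log layout (header line, location line, Rule line, then the raw event) is an assumption about the file format.

```python
import re

# Constructed sample of a monitored log: two sudo denials, one per server.
MONITORED_LOG = """\
Feb 16 13:04:34 server1 sudo:   user_name : command not allowed ; TTY=pts/0 ; PWD=/home/user_name ; USER=root ; COMMAND=/bin/su root
Feb 16 13:05:10 server2 sudo:   other_user : command not allowed ; TTY=pts/1 ; PWD=/home/other_user ; USER=root ; COMMAND=/bin/bash
"""

# Constructed sample of /var/ossec/logs/alerts/alerts.log (layout assumed:
# "** Alert" header, location line, "Rule:" line, raw event). Only the first
# of the two denials above was alerted on.
ALERTS_LOG = """\
** Alert 1518786274.1234: - syslog,sudo,
2018 Feb 16 13:04:34 ossec-server->/logs/unix/server1.log
Rule: 100012 (level 10) -> 'User attempted to run a command that was not allowed.'
Feb 16 13:04:34 server1 sudo:   user_name : command not allowed ; TTY=pts/0 ; PWD=/home/user_name ; USER=root ; COMMAND=/bin/su root
"""

# Matches the event shape the custom rule fires on (syslog date, host, sudo, user).
SUDO_DENIED = re.compile(
    r"^\w{3} +\d+ \d\d:\d\d:\d\d (?P<host>\S+) sudo: +(?P<user>\S+) : command not allowed"
)


def expected_events(log_text):
    """Return (host, user, raw_line) for every event the rule should fire on."""
    out = []
    for line in log_text.splitlines():
        m = SUDO_DENIED.match(line)
        if m:
            out.append((m.group("host"), m.group("user"), line.strip()))
    return out


def alerted_events(alerts_text, rule_id="100012"):
    """Return the set of raw event lines that alerts.log records for rule_id."""
    found = set()
    lines = alerts_text.splitlines()
    for i, line in enumerate(lines):
        # The raw event follows the "Rule:" line in the assumed layout.
        if line.startswith(f"Rule: {rule_id} ") and i + 1 < len(lines):
            found.add(lines[i + 1].strip())
    return found


def missing_alerts(log_text, alerts_text, rule_id="100012"):
    """(host, user) pairs seen in the monitored log but absent from alerts.log."""
    seen = alerted_events(alerts_text, rule_id)
    return [(h, u) for h, u, raw in expected_events(log_text) if raw not in seen]


if __name__ == "__main__":
    for host, user in missing_alerts(MONITORED_LOG, ALERTS_LOG):
        print(f"no alert recorded for sudo denial on {host} by {user}")
```

Run against the real files, a non-empty result separates "the event never reached analysisd" from "the rule did not match", which is the distinction the ossec-logtest output alone cannot make.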


Re: [ossec-list] Ossec agent installation issue on AIX Servers

2018-02-16 Thread braulio


Hi Sardar,

to build AIX packages, I use several versions to test that everything works 
fine and the installation works, so, when I saw your questions I tried to 
compile ossec-hids 2.7.1 and it works for me in AIX 6.1. The gcc version 
that I use is gcc 4.8.2 and gmake 4.2.1.

You can find these packages in http://www.oss4aix.org/download/RPMS/.

Also, to check which gcc is your AIX system using, you can run the 
following command.

which gcc

It will tell you the path of the gcc that your system is using. In my case, 
I get this:

# which gcc
/opt/freeware/bin/gcc

# which gmake
/opt/freeware/bin/gmake

I hope it helps.

Regards,
Braulio.

On Friday, February 16, 2018 at 12:15:29 PM UTC+1, Sardar Salim Shaikh 
wrote:
>
> Hi dan, 
>
> Thanks for your reply, 
>
> Can you please tell me how I can check which compiler is used by make or 
> the AIX server?
>
> Actually I don't know much about AIX servers.
>
> Thanks and Best regards, 
> Sardar S. 
>
> On Thursday, February 15, 2018 at 5:39:26 PM UTC+5:30, dan (ddpbsd) wrote:
>>
>> My best guess (also not having access to AIX) is that the script is 
>> picking up the wrong compiler and maybe make. 
>>
>>
>> On Mon, Feb 12, 2018 at 4:12 AM, Sardar Salim Shaikh 
>>  wrote: 
>> > Hi Eero, 
>> > 
>> > Thanks for your reply !!! 
>> > 
>> > The gcc version on AIX 6.1 is : gcc-4.8.3-1 
>> > 
>> > Please help me with this issue, I'm stuck at this. 
>> > 
>> > Thanks and best Regards, 
>> > Sardar S. 
>> > 
>>
>



Re: [ossec-list] Ossec agent installation issue on AIX Servers

2018-02-16 Thread Sardar Salim Shaikh
Hi dan, 

Thanks for your reply, 

Can you please tell me how I can check which compiler is used by make or 
the AIX server?

Actually I don't know much about AIX servers.

Thanks and Best regards, 
Sardar S. 

On Thursday, February 15, 2018 at 5:39:26 PM UTC+5:30, dan (ddpbsd) wrote:
>
> My best guess (also not having access to AIX) is that the script is 
> picking up the wrong compiler and maybe make. 
>
>
> On Mon, Feb 12, 2018 at 4:12 AM, Sardar Salim Shaikh 
>  wrote: 
> > Hi Eero, 
> > 
> > Thanks for your reply !!! 
> > 
> > The gcc version on AIX 6.1 is : gcc-4.8.3-1 
> > 
> > Please help me with this issue, I'm stuck at this. 
> > 
> > Thanks and best Regards, 
> > Sardar S. 
> > 
>
