[ossec-list] OSSEC agents spooling

2019-11-13 Thread Buser85
Can somebody give some feedback in relation to the below, please?

In the event an OSSEC core server was to go offline for an extended period of 
time will the agents keep storing syscheck alerts locally until the core comes 
back online?

If the agents do spool alert logs locally the risk is disk space on agents 
filling up. Any settings to prevent this?

Lastly, the local agent log OSSEC.log. Any way to limit the size?

Thanks a lot.

-- 

--- 
You received this message because you are subscribed to the Google Groups 
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to ossec-list+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/ossec-list/b17e88a1-db72-4063-9a35-1000cde08353%40googlegroups.com.


Re: [ossec-list] running processes without a binary on disk

2019-11-13 Thread Phil Schilling



> On Nov 13, 2019, at 6:17 AM, dan (ddp)  wrote:
> 
> On Thu, Nov 7, 2019 at 11:16 AM bill evergreen  
> wrote:
>> 
>> Hello list,
>> 
>> does Ossec alert if there are processes running without a binary on disk?
>> 
>> Thanks a lot for any feedback
>> 
> 
> I don't think there are any rules for this.
> 
>> Bill
>> 
I believe you can use Osquery for this.  You can integrate Osquery with Wazuh.

Phil


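The check behind "processes running without a binary on disk", as an added example that is not OSSEC or osquery code: on Linux, /proc/<pid>/exe links to the running binary and the kernel appends " (deleted)" once that file is unlinked, which is the same signal osquery's processes table reports as on_disk = 0. The fake /proc tree in demo_scan() is constructed for offline use.

```python
"""Flag running processes whose executable has been removed from disk.

Added example, not OSSEC or osquery code. Reads /proc/<pid>/exe symlinks
and reports those whose target carries the kernel's " (deleted)" marker.
"""
import os
import tempfile

DELETED_SUFFIX = " (deleted)"


def binary_missing(exe_target: str) -> bool:
    """True if a resolved /proc/<pid>/exe target marks an unlinked binary."""
    return exe_target.endswith(DELETED_SUFFIX)


def scan_proc(proc_root: str = "/proc") -> list[tuple[int, str]]:
    """Return (pid, exe target) for each process whose binary is gone.

    Unreadable entries (kernel threads, other users' processes when not
    root) are skipped rather than reported, to avoid false positives.
    """
    hits = []
    for entry in os.listdir(proc_root):
        if not entry.isdigit():          # skip self, sys, cpuinfo, ...
            continue
        try:
            target = os.readlink(os.path.join(proc_root, entry, "exe"))
        except OSError:
            continue
        if binary_missing(target):
            hits.append((int(entry), target))
    return sorted(hits)


def demo_scan() -> list[tuple[int, str]]:
    """Run scan_proc over a constructed fake /proc tree (offline sample)."""
    root = tempfile.mkdtemp(prefix="fakeproc-")
    sample = {"101": "/usr/sbin/sshd",             # normal process
              "202": "/opt/app/worker (deleted)",  # binary unlinked after exec
              "303": None}                         # kernel-thread style: no exe
    for pid, target in sample.items():
        os.mkdir(os.path.join(root, pid))
        if target is not None:
            os.symlink(target, os.path.join(root, pid, "exe"))
    os.mkdir(os.path.join(root, "self"))           # non-numeric entry, ignored
    return scan_proc(root)
```

On a live Linux host call scan_proc() with its default; run it as root to see every process, and feed the output to a log file OSSEC already monitors if you want an alert rather than a report.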


Re: [ossec-list] running processes without a binary on disk

2019-11-13 Thread dan (ddp)
On Thu, Nov 7, 2019 at 11:16 AM bill evergreen  wrote:
>
> Hello list,
>
> does Ossec alert if there are processes running without a binary on disk?
>
> Thanks a lot for any feedback
>

I don't think there are any rules for this.

> Bill
>


Re: [ossec-list] Re: Receiving Syslog from device but OSSEC not logging it

2019-11-13 Thread dan (ddp)
On Tue, Nov 12, 2019 at 7:56 PM Mike  wrote:
>
> Related to this, do you accept Pull Requests to add additional timestamp 
> formats to your pre-decoding? I forked and added a simple change to 
> cleanevent.c which has made my parsing much easier for a non-standard syslog 
> time format.
>

Yes, we do! Feel free to submit a pull request, and I'll get to it as
quickly as my schedule allows.

>
>
> On Friday, 8 November 2019 11:47:23 UTC-8, Mike wrote:
>>
>> I believe I have found the issues using strace to find out what 
>> ossec-remoted was doing. I found:
>>
>> 1. Not sure why, but on the Virtual Appliance the "ossec" group did not have 
>> write permissions to /var/ossec/logs so ossec-remoted (which runs under user 
>> "ossecr") could not write anything
>> 2. After getting error logged to ossec.log, I found that I had simply 
>> entered the "allowed IP" incorrectly and so it was being blocked.
>>
>>
>> So as long as Ossec's own logging works, it's relatively simple to figure 
>> out the problem.
>>
>>
>> On Friday, 8 November 2019 01:40:09 UTC-8, Mike wrote:
>>>
>>> Hello,
>>>
>>> I am new to OSSEC so bear with me. I have set up OSSEC using the VirtualBox 
>>> appliance and everything seemed to run nicely out of the box except...
>>> I am trying to set up OSSEC to monitor a Syslog from a firewall but I don't 
>>> see any references to those syslog entries. I have done the following:
>>>
>>> On the firewall, told it to send syslog files to the static IP of the OSSEC 
>>> server
>>> On the OSSEC server's ossec.conf added a  section with a 
>>> syslog and specified the allowed_ip
>>> Also in the ossec.conf, set logall to yes
>>> Tested incoming connection using tcpdump -A port 514 and I can see 
>>> syslog-like entries coming in
>>> Because the format is not quite standard syslog, I created a custom decoder 
>>> and tested it using ossec-logtest.
>>>
>>>
>>> Despite all of these steps (and restarting the service using "ossec-control 
>>> restart" multiple times) I still do not see any of the remote syslog 
>>> entries in the archive.log.
>>>
>>> Am I missing something obvious to make this work?
>
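A pre-flight check for the remote-syslog setup described in this thread, as an added example that is not OSSEC code: it tests the two failures Mike found (the logs directory not group-writable for ossec-remoted, and the sender not covered by the allowed IP list) plus the logall setting that archive.log depends on. Tag names follow the stock ossec.conf layout (<remote> with <connection>, <port>, <allowed-ips>; <global><logall>); the config text and directory modes are constructed samples.

```python
"""Pre-flight checks for an OSSEC server receiving remote syslog.

Added example, not OSSEC code. ossec-remoted runs as user ossecr in
group ossec, so /var/ossec/logs must be group-writable, and the sender
must fall inside an <allowed-ips> entry of a syslog <remote> block.
"""
import ipaddress
import os
import stat
import tempfile
import xml.etree.ElementTree as ET

SAMPLE_CONF = """<ossec_config>
  <global><logall>yes</logall></global>
  <remote>
    <connection>syslog</connection>
    <port>514</port>
    <protocol>udp</protocol>
    <allowed-ips>192.0.2.0/24</allowed-ips>
    <allowed-ips>198.51.100.7</allowed-ips>
  </remote>
</ossec_config>"""


def logs_dir_group_writable(path: str) -> bool:
    """Group write bit must be set for ossec-remoted to write its logs."""
    return bool(os.stat(path).st_mode & stat.S_IWGRP)


def syslog_sender_allowed(conf_text: str, sender_ip: str) -> bool:
    """True if a syslog <remote> block lists an allowed-ips covering sender_ip."""
    root = ET.fromstring(conf_text)
    sender = ipaddress.ip_address(sender_ip)
    for remote in root.findall("remote"):
        if remote.findtext("connection") != "syslog":
            continue
        for allowed in remote.findall("allowed-ips"):
            if sender in ipaddress.ip_network(allowed.text.strip(), strict=False):
                return True
    return False


def logall_enabled(conf_text: str) -> bool:
    """archive.log only receives every event when <global><logall> is yes."""
    root = ET.fromstring(conf_text)
    return (root.findtext("global/logall") or "").strip().lower() == "yes"


def demo_logs_dir(mode: int) -> bool:
    """Check a constructed logs directory with the given mode (e.g. 0o750)."""
    path = tempfile.mkdtemp(prefix="ossec-logs-")
    os.chmod(path, mode)
    return logs_dir_group_writable(path)
```

On a real server, read /var/ossec/etc/ossec.conf into syslog_sender_allowed() with the firewall's source address from the tcpdump capture, and point logs_dir_group_writable() at /var/ossec/logs.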


Re: [ossec-list] Re: Receiving Syslog from device but OSSEC not logging it

2019-11-13 Thread dan (ddp)
On Fri, Nov 8, 2019 at 2:47 PM Mike  wrote:
>
> I believe I have found the issues using strace to find out what ossec-remoted 
> was doing. I found:
>
> 1. Not sure why, but on the Virtual Appliance the "ossec" group did not have 
> write permissions to /var/ossec/logs so ossec-remoted (which runs under user 
> "ossecr") could not write anything
> 2. After getting error logged to ossec.log, I found that I had simply entered 
> the "allowed IP" incorrectly and so it was being blocked.
>
>
> So as long as Ossec's own logging works, it's relatively simple to figure out 
> the problem.
>

Nice catch. The virtual appliance isn't really maintained, and I doubt
we'll see any updates going forward.

>
> On Friday, 8 November 2019 01:40:09 UTC-8, Mike wrote:
>>
>> Hello,
>>
>> I am new to OSSEC so bear with me. I have set up OSSEC using the VirtualBox 
>> appliance and everything seemed to run nicely out of the box except...
>> I am trying to set up OSSEC to monitor a Syslog from a firewall but I don't 
>> see any references to those syslog entries. I have done the following:
>>
>> On the firewall, told it to send syslog files to the static IP of the OSSEC 
>> server
>> On the OSSEC server's ossec.conf added a  section with a 
>> syslog and specified the allowed_ip
>> Also in the ossec.conf, set logall to yes
>> Tested incoming connection using tcpdump -A port 514 and I can see 
>> syslog-like entries coming in
>> Because the format is not quite standard syslog, I created a custom decoder 
>> and tested it using ossec-logtest.
>>
>>
>> Despite all of these steps (and restarting the service using "ossec-control 
>> restart" multiple times) I still do not see any of the remote syslog entries 
>> in the archive.log.
>>
>> Am I missing something obvious to make this work?
>