Re: [ossec-list] Re: Custom decoder failing to load

2020-03-27 Thread dan (ddp)
On Mon, Mar 23, 2020 at 8:35 AM Olivier Ragain wrote:
>
> Hi
> Sorry for the delay in answering.
>
> The error I get:
> 2020/03/23 12:28:25 ossec-testrule: INFO: Reading decoder file etc/custom/local_decoder.xml.
> 2020/03/23 12:28:25 ossec-analysisd(2106): ERROR: Error adding decoder plugin.
> The configuration:
>   
> etc/custom
> ...

Are you planning on using the shipped decoder.xml file? If so, you'll
need to add it to the config.

>
> Thanks
>
> --
>
> ---
> You received this message because you are subscribed to the Google Groups 
> "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an 
> email to ossec-list+unsubscr...@googlegroups.com.
> To view this discussion on the web visit 
> https://groups.google.com/d/msgid/ossec-list/c942ab6b-6d80-4e24-8b37-6a31d8d196cf%40googlegroups.com.



Re: [ossec-list] regex help/clarification - specify all files with a given extension

2020-03-27 Thread dan (ddp)
On Thu, Mar 19, 2020 at 4:59 PM Leroy Tennison wrote:
>
> Running v3.3.0 on the server and v3.2.0 on the client, trying to exclude 
> *.bz2 in a given directory, I tried:
>
> 
>   
> /path/to/.bz2$

I think this will ignore '/path/to/.bz2' and only that file.

>   
> 
>
> based on another post.  I obviously don't understand how to do it because 
> it's not working.  /var/ossec/etc/shared/agent.conf shows the above and 
> ossec.conf on the client has:
>
> 
>   
> 10.22.14.11
> bfr, cfg, ubuntu
>   
>
> I've also tried the above with the qcow2 extension and get the same result.
>
> In general, how do I write an OSSEC specification to exclude all files with a 
> given extension?  Thanks for your help.
>
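An added example, not part of the thread and not OSSEC's own code: a simplified Python model of the matching OSSEC documents for `<ignore type="sregex">`, where only `^`, `$` and `|` are special and `.` is a literal character. It assumes the quoted entry was an sregex ignore (the markup did not survive in this archive), and the sample paths are constructed.

```python
"""Simplified model of OSSEC sregex (OS_Match) matching. Not OSSEC code.

Only ^ (start of text), $ (end of text) and | (OR) are special; every other
character, including '.', is matched literally.
"""


def sregex_match(pattern: str, text: str) -> bool:
    # Assumption: matching is case-insensitive, as in OSSEC's os_regex library.
    text = text.lower()
    for alt in pattern.lower().split("|"):
        starts = alt.startswith("^")
        ends = alt.endswith("$")
        literal = alt[1 if starts else 0 : len(alt) - (1 if ends else 0)]
        if starts and ends:
            ok = text == literal
        elif starts:
            ok = text.startswith(literal)
        elif ends:
            ok = text.endswith(literal)
        else:
            ok = literal in text  # unanchored: plain substring match
        if ok:
            return True
    return False


# Constructed sample paths (not taken from the thread).
PATHS = [
    "/path/to/.bz2",
    "/path/to/backup.bz2",
    "/path/to/sub/old.bz2",
    "/path/to/backup.bz2.tmp",
    "/other/dir/dump.bz2",
]


def ignored(pattern: str) -> list:
    """Return the sample paths an sregex ignore with this pattern would skip."""
    return [p for p in PATHS if sregex_match(pattern, p)]


if __name__ == "__main__":
    # The pattern from the thread, an extension-only pattern, a directory one.
    for pat in ("/path/to/.bz2$", ".bz2$", "/path/to/"):
        print(f"{pat!r:20} -> {ignored(pat)}")
```

Because sregex has no wildcard, a single pattern cannot express both "under /path/to/" and "ends in .bz2"; `.bz2$` matches the extension in every monitored directory.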


Re: [ossec-list] limit forwarded logs on ossec

2020-03-27 Thread dan (ddp)
On Tue, Mar 24, 2020 at 7:48 AM AHMED ADEWUYI wrote:
>
> Hi,
>
> Please, is there a way to reduce or manage the number of forwarded events on the 
> ossec agent to Alienvault sensor?
>

Not really. The Windows agent can filter some things out with
eventchannel, but that's about it.

> Thanks.
>
> Ahmed.
>