On 2010-04-22, rafael.gomes rafael.go...@ufba.br wrote:
I added a new host to my OSSEC environment, but it doesn't work.
Did you restart the server after adding the new agent?
--
http://nk99.org/
Hello All,
Does anybody know where the messages below come from?
And where are they generated?
I don't have an hda device...
Regards,
Bradley Radjoo
Anyone who has never made a mistake has never tried anything new. — Albert Einstein.
Begin forwarded message:
Yes, I restarted the agent and the server.
Best regards,
Rafael Brito Gomes
Security Analyst
LPIC-1 MCSO
DISUP/CPD/UFBA
Tel : +55 71 3283 6100
On 23-04-2010 02:19, Nerijus Krukauskas wrote:
On 2010-04-22, rafael.gomes
Bradley,
these are coming from servername.example.com and were found in the
monitored logfile /var/log/messages. I think you already figured that
out :-)
Rule 1002 creates a level 2 alert when any of the following words are
found in a message:
Is there an optical drive in the system? Does it happen to be hda?
On Fri, Apr 23, 2010 at 8:06 AM, Bradley Radjoo bradley.rad...@is.co.za wrote:
Hello All,
Does anybody know where the messages below come from?
And where are they generated?
I don't have an hda device...
Strange. I haven't seen these alerts myself, so excuse any silly
questions. Is the offending username included in the alert?
Any complaints in the logs about this rule?
Try running the various ossec daemons with the -d flag. This puts
them in a debug mode.
Maybe try something like this:
rule
Hi Paul,
It took me some time to apply your suggestion, but finally I did it and it
works perfectly!
Thanks a LOT!
On Mon, Apr 12, 2010 at 3:31 AM, Paul Southerington sout...@gmail.com wrote:
Probably the Splunk side. I'm assuming you're using Splunk 4.x and the 4.x
OSSEC app. If not, ignore
On Thu, Apr 15, 2010 at 9:28 PM, Paul Southerington sout...@gmail.com wrote:
That sounds like Splunk's automatic sourcetype assignment. How do you have
the data coming in? (syslog? Direct to a Splunk listening port? Or pointed
directly to the OSSEC alerts file on the local machine?)
Sorry,
Do all registered hosts have unique IP addresses?
Is the agent communicating with the server on the correct IP?
Have you tried re-entering the key on the client?
Tried removing the client on the server and re-adding it?
What OS/arch are the server and agent?
On Fri, Apr 23, 2010 at 9:28 AM,
I would like to treat one rule violation differently from the rest. I'll
duplicate the scripts for firewall drop under a different name and add
commands in ossec.conf for the new script.
Instead of Level 7 or above triggering the command, I'd like to have a
specific postfix rule be the trigger.