Re: [ossec-list] Problem to add a new client

2010-04-23 Thread Nerijus Krukauskas
On 2010-04-22, rafael.gomes rafael.go...@ufba.br wrote: I added a new host in the OSSEC environment, but it doesn't work. Did you restart the server after adding the new agent? -- http://nk99.org/

[ossec-list] Where do these come from ?

2010-04-23 Thread Bradley Radjoo
Hello All, Does anybody know where the messages below come from? And where are they generated from? I don't have an hda device...? - Regards, Bradley Radjoo. Anyone who has never made a mistake has never tried anything new. — Albert Einstein. Begin forwarded message:

Re: [ossec-list] Problem to add a new client

2010-04-23 Thread rafael.gomes
Yes, I restarted the agent and the server. Regards, Rafael Brito Gomes, Security Analyst, LPIC-1 MCSO, DISUP/CPD/UFBA, Tel: +55 71 3283 6100. On 23-04-2010 02:19, Nerijus Krukauskas wrote: On 2010-04-22, rafael.gomes

Re: [ossec-list] Where do these come from ?

2010-04-23 Thread Wim Remes
Bradley, these are coming from servername.example.com and were found in the monitored logfile /var/log/messages. I think you already figured that out :-) Rule 1002 creates a level 2 alert when any of the following words are found in a message:

Re: [ossec-list] Where do these come from ?

2010-04-23 Thread dan (ddp)
Is there an optical drive in the system? Does it happen to be hda? On Fri, Apr 23, 2010 at 8:06 AM, Bradley Radjoo bradley.rad...@is.co.za wrote: Hello All, Does anybody know where the messages below come from? And where are they generated from? I don't have an hda device...?

Re: [ossec-list] Re: Rule: 18152 fired (level 10) - Multiple Windows Logon Failures.

2010-04-23 Thread dan (ddp)
Strange. I haven't seen these alerts myself, so excuse any silly questions. Is the offending username included in the alert? Any complaints in the logs about this rule? Try running the various ossec daemons with the -d flag. This puts them in a debug mode. Maybe try something like this: rule

Re: [ossec-list] OSSEC Splunk integration

2010-04-23 Thread Xavier Mertens
Hi Paul, It took me some time to apply your suggestion, but finally I did it and it works perfectly! Thanks a LOT! On Mon, Apr 12, 2010 at 3:31 AM, Paul Southerington sout...@gmail.com wrote: Probably the Splunk side. I'm assuming you're using Splunk 4.x and the 4.x OSSEC app. If not, ignore

Re: [ossec-list] Re: OSSEC Splunk integration

2010-04-23 Thread Joel Merrick
On Thu, Apr 15, 2010 at 9:28 PM, Paul Southerington sout...@gmail.com wrote: That sounds like Splunk's automatic sourcetype assignment. How do you have the data coming in? (syslog? Direct to a Splunk listening port? Or pointed directly to the OSSEC alerts file on the local machine?) Sorry,

Re: [ossec-list] Problem to add a new client

2010-04-23 Thread dan (ddp)
Do all registered hosts have unique IP addresses? Is the agent communicating with the server on the correct IP? Have you tried re-entering the key on the client? Tried removing the client on the server and re-adding it? What OS/arch are the server and agent? On Fri, Apr 23, 2010 at 9:28 AM,

[ossec-list] Active Responses

2010-04-23 Thread Eric Biondi
I would like to treat one rule violation differently from the rest. I'll duplicate the scripts for firewall-drop under a different name and add commands in ossec.conf for the new script. Instead of level 7 or above triggering the command, I'd like to have a specific postfix rule be the trigger.
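As an added illustration of the setup described above (not a configuration from the thread or from the OSSEC project), this ossec.conf fragment registers a renamed copy of the firewall-drop script and binds it to one rule id via rules_id instead of a level threshold. The script name postfix-drop.sh is an assumption, and POSTFIX_RULE_ID_PLACEHOLDER stands in for the rule number the thread does not give.

```xml
<ossec_config>
  <!-- Assumed name for the duplicated firewall-drop script; it must be
       placed, executable, in /var/ossec/active-response/bin/ -->
  <command>
    <name>postfix-drop</name>
    <executable>postfix-drop.sh</executable>
    <expect>srcip</expect>
    <timeout_allowed>yes</timeout_allowed>
  </command>

  <!-- No <level> element: only the listed rule id fires this response.
       Replace the placeholder with the actual postfix rule number. -->
  <active-response>
    <command>postfix-drop</command>
    <location>local</location>
    <rules_id>POSTFIX_RULE_ID_PLACEHOLDER</rules_id>
    <timeout>600</timeout>
  </active-response>
</ossec_config>
```

Because the response is tied to a single rule id, a change to that rule's number in a later ruleset update silently disables the response, so re-check the id after upgrades.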