Re: [ossec-list] manage_agents -f :Unable to open file

2012-11-26 Thread dan (ddp)
Put the file in the ossec dir somewhere, and reference it by that chroot point. For instance, put it in /var/ossec and run /var/ossec/bin/manage_agents -f /FILE The documentation has been updated to reflect this, but hasn't been pushed live yet. On Nov 26, 2012 11:15 PM, "peng lin" wrote: > how

[ossec-list] manage_agents -f :Unable to open file

2012-11-26 Thread peng lin
How to use -f? I have some error: # ./manage_agents -f test.csv Bulk load file: test.csv Opening: [test.csv] Failed.: No such file or directory 2012/11/27 11:45:14 manage_agents(1103): ERROR: Unable to open file 'test.csv'. in test.csv #vi test.csv 192.168.1.1,IDS1 Is something wrong?

Re: [ossec-list] Re: Large scale deployment

2012-11-26 Thread JJ Yu
Hi, Scott Klauminzer. Many thanks. About the method described in automatically-creating-and-setting-up-the-agent-keys, I have tried it but I ran into trouble: the agent is unable to connect to the ossec server. this is my det

Re: [ossec-list] Ossec 2.7 agent installer broken on Ubuntu 10.04

2012-11-26 Thread Jb Cheng
From dcid's patch posted by dan on ossec-dev, change install.sh line 372: -if [[ "X${USER_AGENT_SERVER_IP}" = "X" && "X${USER_AGENT_SERVER_NAME}" = "X" ]]; then +if [ "X${USER_AGENT_SERVER_IP}" = "X" -a "X${USER_AGENT_SERVER_NAME}" = "X" ]; then On Thursday, November 22, 2012 7:54:19
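
Review bot: in the added `[ ... -a ... ]` test for install.sh line 372, the `-a` operator is marked obsolescent in the POSIX `test` specification, so it is the one piece left that a strict sh may not treat uniformly after the bash-only `[[ ]]` is dropped. Two separate tests joined by the shell's own `&&`, as in `[ "X${USER_AGENT_SERVER_IP}" = "X" ] && [ "X${USER_AGENT_SERVER_NAME}" = "X" ]`, give the same result in any POSIX sh.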

[ossec-list] Re: Problems after running OSSEC server upgrade 2.6 to 2.7,

2012-11-26 Thread Jb Cheng
How many agents were configured on this server? Were the agents running version 2.6? Are you using agent-auth? Does your etc/client.keys show agent IP addresses, or ANY in place of aaa.bbb.ccc.ddd? On Tuesday, November 20, 2012 8:09:00 AM UTC-8, Francisco Jelves wrote: > > After running OSS

[ossec-list] RFC/T : Accumulator for OSSEC-HIDS

2012-11-26 Thread Brad Lhotsky
I've spent a few months fine tuning and correcting problems with a new feature I required to analyze logs from OpenLDAP. I'm now looking for comments and testers as the patch has been running stably and has been invaluable to me. The write-up is here: http://db0.us/article/2012/11/26/ossec-hi

Re: [ossec-list] Simplest question ever (?) - timestamp

2012-11-26 Thread Michael Starks
On 26.11.2012 11:42, jponsano wrote: I don't understand how that's such a problem; or at least why it's a problem to at least merely include the original timestamps. I don't think it's a problem, either. The Windows decoder would likely have to be changed, too, but that's not hard. Remember, t

Re: [ossec-list] OSSEC w/ Nagios/MRTG trouble

2012-11-26 Thread dan (ddp)
On Mon, Nov 26, 2012 at 12:48 PM, Sue wrote: > Thanks for your consideration. Without the report_changes option can I still > get an alert if there is a diff in a file? Using a rule perhaps? If so, how > do I go about seeing what the change was? > You will still get alerts that a file has changed

Re: [ossec-list] OSSEC w/ Nagios/MRTG trouble

2012-11-26 Thread Sue
Thanks for your consideration. Without the report_changes option can I still get an alert if there is a diff in a file? Using a rule perhaps? If so, how do I go about seeing what the change was? On Monday, November 26, 2012 7:44:23 AM UTC-6, dan (ddpbsd) wrote: > > On Fri, Nov 23, 2012 at 3:46 P

Re: [ossec-list] Simplest question ever (?) - timestamp

2012-11-26 Thread jponsano
I don't understand how that's such a problem; or at least why it's a problem to at least merely include the original timestamps. I'm trying to use OSSEC in conjunction with Logstash, and am using Logstash to parse out the timestamp. When pulling Windows event logs, OSSEC doesn't even appear t

Re: [ossec-list] /var/ossec/bin/agent_control -R 22

2012-11-26 Thread Frank
LOL. where's the "LIKE" button when you need one. :) documentation is fine. people just need to read it more carefully. Frank On Monday, November 26, 2012 8:27:08 AM UTC-6, dan (ddpbsd) wrote: > > On Mon, Nov 26, 2012 at 9:21 AM, rezgui mohamed > > > wrote: > > so on the background ossec server

Re: [ossec-list] /var/ossec/bin/agent_control -R 22

2012-11-26 Thread alfredo tapia
How to unsubscribe from this group sucks Alfredo Tapia Sabogal Sent from my BlackBerry on Claro. -Original Message- From: "dan (ddp)" Date: Mon, 26 Nov 2012 14:26:57 To: Subject: Re: [ossec-list] /var/ossec/bin/agent_control -R 22 On Mon, Nov 26, 2012 at 9:21 AM, rezgui mohamed

Re: [ossec-list] /var/ossec/bin/agent_control -R 22

2012-11-26 Thread dan (ddp)
On Mon, Nov 26, 2012 at 9:21 AM, rezgui mohamed wrote: > so on the background ossec server connect through ssh to the remote machine > then start the agent No. Why would it use SSH? The server and the agent already communicate. The OSSEC server will trigger a restart of the OSSEC processes on th

Re: [ossec-list] /var/ossec/bin/agent_control -R 22

2012-11-26 Thread rezgui mohamed
So in the background the ossec server connects through ssh to the remote machine, then starts the agent

Re: [ossec-list] /var/ossec/bin/agent_control -R 22

2012-11-26 Thread dan (ddp)
On Mon, Nov 26, 2012 at 9:14 AM, rezgui mohamed wrote: > > i know ,this command is to restart the agent on the remote machine? > Best regards agent_control OSSEC HIDS agent_control: Control remote agents. -R Restarts agent.

Re: [ossec-list] /var/ossec/bin/agent_control -R 22

2012-11-26 Thread rezgui mohamed
I know, this command is to restart the agent on the remote machine? Best regards

Re: [ossec-list] Re: help with writing decoder rules for clavister firewall

2012-11-26 Thread dan (ddp)
On Sun, Nov 25, 2012 at 7:29 PM, Kristy Truong wrote: > how do you use this? > Add the decoders to /var/ossec/etc/local_decoder.xml, rules to /var/ossec/rules/local_rules.xml, and restart the OSSEC processes. > > On Wednesday, November 14, 2012 8:49:10 AM UTC-6, Michiel van Es wrote: >> >> Hello

Re: [ossec-list] /var/ossec/bin/agent_control -R 22

2012-11-26 Thread dan (ddp)
On Mon, Nov 26, 2012 at 5:39 AM, rezgui mohamed wrote: > Dear support, > > if i do /var/ossec/bin/agent_control -R 22 > this line is to run the agent on the machine distant or on local? > Best regards You run that command on the OSSEC server.

Re: [ossec-list] OSSEC w/ Nagios/MRTG trouble

2012-11-26 Thread dan (ddp)
On Fri, Nov 23, 2012 at 3:46 PM, Sue wrote: > The ignores are just the defaults; I am under the impression that an ignore > doesn't stop the check, but only the reporting of the check. so I am > guessing that wouldn't keep the files from being copied... > > > > 79200 > > yes > >

[ossec-list] Re: help with writing decoder rules for clavister firewall

2012-11-26 Thread Kristy Truong
On Wednesday, November 14, 2012 8:49:10 AM UTC-6, Michiel van Es wrote: > > Hello, > > I am trying to set up a local_decoder.xml entry to decode our Clavister > log entries. > The clavister logfiles show only outgoing dropped traffic, for example: > > Nov 14 12:19:53 10.170.80.3 [2012-11-14 12:2

[ossec-list] /var/ossec/bin/agent_control -R 22

2012-11-26 Thread rezgui mohamed
Dear support, if I do /var/ossec/bin/agent_control -R 22, is this line to run the agent on the distant machine or on the local one? Best regards