On Sun, 12 Oct 2014, David Masters wrote:
Ok...here is the log file from a freshly installed agent (shut down ossec
server, removed all rid files, no rid files on agent system, manually
entered key and server address):
This is the log file from same machine after pushing out key
Hi all,
I use a PostgreSQL database for OSSEC, but I see the signature table
is null, so how do I import all rules into signature?
On Mon, Oct 13, 2014 at 5:02 AM, r...@cnmoker.org wrote:
Hi all,
I use a PostgreSQL database for OSSEC, but I see the signature table is
null, so how do I import all rules into signature?
Perhaps that functionality doesn't exist yet. Are there alerts in the
database? If yes, that's
Assuming agent key and IP are distinct for each server, please put
ossec-control into debug on the server and look for errors such as "not
allowed" and so forth.
On Monday, October 13, 2014 8:04:41 AM UTC-4, Antonio Querubin wrote:
On Sun, 12 Oct 2014, David Masters wrote:
Ok...here is
I'm exploring the use of OSSEC and I've got a question the docs I've read
aren't yet answering. I think it's going to be quicker to just ask...
I have a single Linux box which runs in the DMZ. It has a few services,
with Apache and Squid being the main ones. I want to put OSSEC on it
primarily
Hello Derek,
just install ossec in local mode, this should be best for you.
Brgds
Jan
On Mon, Oct 13, 2014 at 3:06 PM, de...@scratters.com wrote:
I'm exploring the use of OSSEC and I've got a question the docs I've read
aren't yet answering. I think it's going to be quicker to just ask...
Yes, removed all rid files before restarting the server
On Monday, October 13, 2014 7:04:41 AM UTC-5, Antonio Querubin wrote:
On Sun, 12 Oct 2014, David Masters wrote:
Ok...here is the log file from a freshly installed agent (shutdown ossec
server, removed all rid files, no rid files on
On Mon, Oct 13, 2014 at 9:06 AM, de...@scratters.com wrote:
I'm exploring the use of OSSEC and I've got a question the docs I've read
aren't yet answering. I think it's going to be quicker to just ask...
I have a single Linux box which runs in the DMZ. It has a few services, with
Apache and
On Mon, Oct 13, 2014 at 10:32 AM, David Masters
dmast...@24-7intouch.com wrote:
Yes, removed all rid files before restarting the server
Have you checked the ossec.log on the manager?
Is each agent key unique?
Are the packets making it to the manager?
So they appear to be coming from the correct
Goodness, I'm nowhere near clued up enough to suggest how to improve things
just yet. I haven't read enough of it!
But note that neither yours nor Jan's posts actually answer my question
(although I completely appreciate your good intentions).
When I look at the basic information, here:
On Mon, Oct 13, 2014 at 10:50 AM, de...@scratters.com wrote:
Goodness, I'm nowhere near clued up enough to suggest how to improve things
just yet. I haven't read enough of it!
But note that neither yours nor Jan's posts actually answer my question
(although I completely appreciate your good
2014/10/13 10:19:11 ossec-remoted(1403): ERROR: Incorrectly formated
message from 'any'.
2014/10/13 10:19:13 ossec-remoted(1408): ERROR: Invalid ID for the source
ip: '10.50.107.21'.
2014/10/13 10:19:16 ossec-remoted(1408): ERROR: Invalid ID for the source
ip: '10.50.107.20'.
2014/10/13
No "not allowed" messages. Saw it run through a debug scan. Only error
messages coming up are:
2014/10/13 10:15:56 ossec-remoted(1403): ERROR: Incorrectly formated
message from 'any'.
2014/10/13 10:16:02 ossec-remoted(1403): ERROR: Incorrectly formated
message from 'any'.
2014/10/13 10:16:06
Yes, each agent key is unique, appears to be coming from the correct ip
address.
Error message from log:
2014/10/13 10:15:56 ossec-remoted(1403): ERROR: Incorrectly formated
message from 'any'.
2014/10/13 10:16:02 ossec-remoted(1403): ERROR: Incorrectly formated
message from 'any'.
2014/10/13
On Mon, Oct 13, 2014 at 11:21 AM, David Masters
dmast...@24-7intouch.com wrote:
2014/10/13 10:19:11 ossec-remoted(1403): ERROR: Incorrectly formated message
from 'any'.
2014/10/13 10:19:13 ossec-remoted(1408): ERROR: Invalid ID for the source
ip: '10.50.107.21'.
Try re-adding the key to one of
Yes, alerts are inserted into the database normally. But if I want to write a
WUI for OSSEC, I cannot acquire the rule description.
On Monday, October 13, 2014 at 8:11:47 PM UTC+8, dan (ddpbsd) wrote:
On Mon, Oct 13, 2014 at 5:02 AM, ro...@cnmoker.org wrote:
Hi all,
I use a PostgreSQL database for
On Mon, Oct 13, 2014 at 11:35 AM, r...@cnmoker.org wrote:
Yes, alerts are inserted into the database normally. But if I want to write a
WUI for OSSEC, I cannot acquire the rule description.
Then work on ossec-dbd first. :)
On Monday, October 13, 2014 at 8:11:47 PM UTC+8, dan (ddpbsd) wrote:
On Mon, Oct 13, 2014 at 5:02 AM,
The whole purpose of this exercise is to not have to go to each individual
machine to input the key and configuration. We have over 3000 machines so
that really is just not feasible. If the key server is input manually
when the software is installed it works fine. When the key file and
Hi,
I've googled this a lot and looked through a lot of the group's posts but I
can't find if there's a way to check that a given service is running. It
would be a service that has an init script.
Is there a way to do this?
Many thanks :)
Felicity
On Mon, Oct 13, 2014 at 12:27 PM, felicity.ratcli...@missguided.co.uk wrote:
Hi,
I've googled this a lot and looked through a lot of the group's posts but I
can find if there's a way to check that a given service is running. It would
be a service that has an init script.
Is there a way to
Many people have created an automated deployment script successfully, so no
need to worry there. How are you exporting the agent keys from the manager?
More to the point, WHICH key are you using in your group policy script? If you
really are using the same key that you would use in the GUI, as
I am acquiring the keys originally from the server (cat client.keys) then
copying that information directly from the putty.log file into a
spreadsheet. The key files I am creating are being created directly from
the spreadsheet. I manually verify the information in the keys file before
it is
David,
You wrote: "The key files I am creating are being created directly from
the spreadsheet"
You are not creating the keys yourself, are you?
When you run manage-agents and add a new agent, a key gets put into
client.keys; that key is associated with the hostname of the sending device
and
This is what we did last year
Entered in the machines manually to the server to create the account/key on
the ossec server
once all of the machines were entered, we ran cat client.keys on the ossec
server, which reads/prints out all the keys to the screen
the session was being recorded to
All agents are using the any IP address now because our systems move
subnets quite a bit depending on client load.
Port 1514 is open because I can manually install the client on a machine
and manually enter the information and the client will connect with the
server. The same machine (with no
Do this for about 5 non-communicating servers at random.
On the OSSEC-SERVER
run 'tcpdump -i eth0 host ip of server in question port 1514'
see if the connection even makes it to the server
Also, note that OSSEC has to be installed as local admin or domain admin,
else UAC kind of kills the
Just note that there is no magic here - it does not work because your
automated way does not 100% replicate the manual way (how to add an agent /
the client.keys / the ossec.conf / the agent installation...)
My guess is that the key file is not created correctly - preventing the
client-server
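Grant's guess is that the key file built from the spreadsheet does not match what manage_agents would have written. The following is an added example, not code from this thread or from OSSEC itself: a POSIX sh/awk checker you can run over a generated client.keys before group policy pushes it out. It relies on the client.keys line format manage_agents writes (numeric id, agent name, IP/CIDR or "any", 64 lowercase hex characters); the individual checks, the treatment of "#" lines as comments, and the sample files (with made-up keys) are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not from the thread or from OSSEC: sanity-check a client.keys
# file before pushing it to agents. Line format, as written by manage_agents:
#   <numeric id> <agent name> <ip, cidr or "any"> <64 lowercase hex chars>
# Assumption: lines starting with "#" are comments and are skipped.

# Print one line per problem in the file given as $1.
# Exit status is 0 when the file is clean, 1 otherwise.
validate_client_keys() {
    awk '
    function valid_ip(s,   n, a, o, i) {
        n = split(s, a, "/")
        if (n > 2) return 0
        if (n == 2 && (a[2] !~ /^[0-9]+$/ || a[2] + 0 > 32)) return 0
        if (split(a[1], o, ".") != 4) return 0
        for (i = 1; i <= 4; i++)
            if (o[i] !~ /^[0-9]+$/ || o[i] + 0 > 255) return 0
        return 1
    }
    BEGIN { bad = 0 }
    /^[[:space:]]*$/ || /^#/ { next }
    {
        # A file copied through a PuTTY log or a spreadsheet on Windows often
        # arrives with CRLF endings; the CR would become part of the key.
        if ($0 ~ /\r$/) { printf "line %d: CRLF line ending\n", NR; bad++; sub(/\r$/, "") }
        if (NF != 4) { printf "line %d: expected 4 fields, got %d\n", NR, NF; bad++; next }
        id = $1; name = $2; ip = $3; key = $4
        if (id !~ /^[0-9]+$/)
            { printf "line %d: id %s is not numeric\n", NR, id; bad++ }
        if (name !~ /^[A-Za-z0-9._-]+$/)
            { printf "line %d: name %s has unexpected characters\n", NR, name; bad++ }
        if (ip != "any" && !valid_ip(ip))
            { printf "line %d: ip %s is neither any nor a valid address\n", NR, ip; bad++ }
        if (length(key) != 64 || key !~ /^[0-9a-f]+$/)
            { printf "line %d: key is not 64 lowercase hex chars (length %d)\n", NR, length(key); bad++ }
        if (id in seen_id)
            { printf "line %d: duplicate id %s (first seen on line %d)\n", NR, id, seen_id[id]; bad++ }
        if (name in seen_name)
            { printf "line %d: duplicate name %s (first seen on line %d)\n", NR, name, seen_name[name]; bad++ }
        if (key in seen_key)
            { printf "line %d: duplicate key (first seen on line %d)\n", NR, seen_key[key]; bad++ }
        seen_id[id] = NR; seen_name[name] = NR; seen_key[key] = NR
    }
    END { exit (bad > 0) }
    ' "$1"
}

# Number of problems, for scripting (0 means the file is safe to push).
count_key_problems() {
    validate_client_keys "$1" | wc -l | tr -d ' '
}

# Constructed sample files with made-up keys (not real agent keys).
# Usage: write_sample_keys good|bad ; prints the path of a temp file.
write_sample_keys() {
    f=$(mktemp) || return 1
    k1=0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
    k2=fedcba9876543210fedcba9876543210fedcba9876543210fedcba9876543210
    case $1 in
    good)
        printf '%s\n' \
            "001 web01 any $k1" \
            "002 web02 10.50.107.0/24 $k2" > "$f" ;;
    bad)
        {
            printf '%s\n' \
                "001 web01 any $k1" \
                "001 web01 10.50.107.21 0123456789ABCDEF" \
                "002 web 03 any $k1"
            printf '003 web03 any %s\r\n' "$k2"
        } > "$f" ;;
    esac
    echo "$f"
}
```

Run it as `validate_client_keys /path/to/generated/client.keys` on the box that builds the per-agent files; the "bad" sample shows the kinds of damage a spreadsheet round-trip produces (an uppercase, truncated key; a name split into two fields; a duplicated id and name; CRLF endings), each of which the manager would see as a key that does not match.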
client is installed on Win7 machine with admin credentials (logged in as
domain admin and ran as administrator to install, group policy
installation runs under system credentials before login).
tcpdump gives me a syntax error on each IP address I have tried it on.
On Monday, October 13,
I guessed at your eth interface
the command is sound, I just dont know what your OS looks like
So:
tcpdump -i <replace this with the interface name, like eth0> host <replace
this with the IP of the sending Win7 platform> and port 1514 -vvv
Make sense?
Grant Leonard
Castra Consulting, LLC
On 10/13/2014 11:18 AM, David Masters wrote:
The whole purpose of this exercise is to not have to go to each
individual machine to input the key and configuration. We have over
3000 machines so that really is just not feasible. If the key server
is input manually when the software is
The exact command I typed is was:
tcpdump -i eth1 host xxx.xxx.xxx.xxx port 1514
No other ethernet ports are active on the machine. Did I miss something
when I typed it in?
On Monday, October 13, 2014 7:43:23 PM UTC-5, Grant L wrote:
I guessed at your eth interface
the command is sound,
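The capture Grant suggests, as an added example that is not part of the thread: tcpdump's filter grammar needs an explicit `and` between primitives, so `host X port 1514` is rejected as a syntax error while `host X and port 1514` is accepted, and OSSEC agents talk to the manager over UDP 1514 by default. The wrapper below builds that filter, refuses a placeholder such as xxx.xxx.xxx.xxx before starting tcpdump, and summarises a saved one-line-per-packet capture by source address so "did the packets make it" becomes a count per agent. The interface, the agent addresses and the manager address 10.50.107.5 in the constructed sample are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread: wrapper around the tcpdump check.
# tcpdump's filter grammar needs an explicit "and" between primitives, and
# OSSEC agent traffic is UDP 1514 by default. Interface and IPs are supplied
# by the caller; the sample capture text below is constructed.

# Small dotted-quad check so a placeholder like xxx.xxx.xxx.xxx is rejected
# before tcpdump is started.
is_ipv4() {
    echo "$1" | awk -F. 'NF != 4 { exit 1 }
        { for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i > 255) exit 1 }'
}

# Print the BPF filter for one agent's traffic to and from the manager.
# Usage: build_agent_filter AGENT_IP [PORT]
build_agent_filter() {
    ip=$1; port=${2:-1514}
    is_ipv4 "$ip" || { echo "build_agent_filter: '$ip' is not an IPv4 address" >&2; return 1; }
    echo "host $ip and udp port $port"
}

# Run the capture on the manager (needs root). -n avoids reverse-DNS stalls.
# Usage: capture_agent_traffic IFACE AGENT_IP [extra tcpdump flags...]
capture_agent_traffic() {
    iface=$1; ip=$2; shift 2
    filter=$(build_agent_filter "$ip") || return 1
    tcpdump -n -i "$iface" "$@" "$filter"
}

# Summarise plain "tcpdump -n" text output (one line per packet, no -v, which
# spreads a packet over two lines) read from stdin: count per source address.
summarise_sources() {
    awk '/ IP / { split($3, a, "."); print a[1] "." a[2] "." a[3] "." a[4] }' |
        sort | uniq -c | sort -rn
}

# Constructed sample of tcpdump -n output; manager at 10.50.107.5 is assumed.
sample_capture() {
    cat <<'EOF'
10:19:11.204851 IP 10.50.107.21.54107 > 10.50.107.5.1514: UDP, length 113
10:19:13.118402 IP 10.50.107.20.54107 > 10.50.107.5.1514: UDP, length 113
10:19:16.330119 IP 10.50.107.21.54107 > 10.50.107.5.1514: UDP, length 113
EOF
}
```

Typical use on the manager is `capture_agent_traffic eth1 10.50.107.21 | tee agent21.txt` for a few minutes, then `summarise_sources < agent21.txt`; an agent that shows zero packets has a network or firewall problem, while one that shows packets yet produces "Invalid ID for the source ip" or "Incorrectly formated message" in ossec.log is reaching the manager and failing on the key side.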
I will try the process you suggest tomorrow.
As for the rest:
there are no duplicate IP's (all agents have been added with the any IP
configuration) or ID's (all keys were deleted from the client.keys file
(except 001) in order to prevent duplicates)(all rid's were deleted
afterwards to make