Usually there are warning or error messages in the ossec.log file (check those
on both the agent and the manager).
On Mon, Jan 4, 2016 at 11:06 AM, Cal wrote:
> Found a solution, thinking it might be a key issue. On one server, I had
> to chmod the keys file, which allowed
How about using Comp-\S+? I would also recommend using a variable like
this (taken from syslog rules):
core_dumped|failure|error|attack|bad |illegal|denied|refused|unauthorized|fatal|failed|Segmentation Fault|Corrupted
On Mon, Dec 28, 2015 at 10:22 AM, wrote:
>
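An added example, not from the list post or from the OSSEC project, showing how the BAD_WORDS-style variable and a Comp-\S+ pattern behave when run over log lines. It uses Python's re module as a stand-in for OSSEC's own regex engine (OSSEC's syntax is its own limited dialect, so a pattern that works here must still be checked against OSSEC's regex syntax before it goes into a rule). The case-insensitive matching, the meaning of the "Comp-" token as a host name, and the sample lines are all assumptions made for this example.

```python
import re

# The alternation quoted in the reply (OSSEC's syslog BAD_WORDS variable).
# In OSSEC it lives in <var name="BAD_WORDS">...</var> and rules reference it
# as $BAD_WORDS; here it is compiled with Python's re as a stand-in.
BAD_WORDS = (
    "core_dumped|failure|error|attack|bad |illegal"
    "|denied|refused|unauthorized|fatal|failed|Segmentation Fault|Corrupted"
)

# Substring search, case-insensitive (an assumption for this example; verify
# the behaviour of <match> in your OSSEC version).
BAD_WORDS_RE = re.compile(BAD_WORDS, re.IGNORECASE)

# The pattern suggested in the reply: a "Comp-" prefix followed by any run of
# non-space characters (\S+ means the same in OSSEC's dialect), so host names
# such as "Comp-db01" match without being hard-coded. Treating that token as
# the host field is an assumption here.
COMP_RE = re.compile(r"Comp-\S+")


def evaluate(line):
    """Return (matched_bad_word, component) for one log line.

    matched_bad_word is the alternative that fired (None if none did);
    component is the Comp-... token (None if absent).
    """
    bad = BAD_WORDS_RE.search(line)
    comp = COMP_RE.search(line)
    return (bad.group(0) if bad else None, comp.group(0) if comp else None)


def alerts(lines):
    r"""Mimic a rule that requires both $BAD_WORDS and a Comp-\S+ token.

    Returns (component, matched_word, line) for every line that would fire.
    """
    out = []
    for line in lines:
        word, comp = evaluate(line)
        if word and comp:
            out.append((comp, word, line))
    return out


# Constructed sample syslog lines (not real logs).
SAMPLE_LINES = [
    "Jan  4 11:12:23 Comp-db01 sshd[2210]: Failed password for invalid user admin",
    # "core dumped" (with a space) does NOT match "core_dumped" (underscore).
    "Jan  4 11:12:24 Comp-app03 systemd[1]: myapp.service: main process exited, status=11/SEGV (core dumped)",
    "Jan  4 11:12:25 Comp-web02 cron[1100]: (root) CMD (run-parts /etc/cron.hourly)",
    # Bad word present, but no Comp- token, so the combined rule stays quiet.
    "Jan  4 11:12:26 fileserver smbd[3300]: Access denied to share data",
    "Jan  4 11:12:27 Comp-web02 kernel: httpd[2207]: Segmentation fault at 00000000",
]

if __name__ == "__main__":
    for comp, word, line in alerts(SAMPLE_LINES):
        print(f"{comp}: matched '{word}': {line}")
```

Running it fires on the Comp-db01 "Failed" line and the Comp-web02 "Segmentation fault" line only. The "(core dumped)" line is the caveat worth noticing: the variable lists core_dumped with an underscore, so a message that writes it with a space slips past unless the variable is extended.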
Maxim, I would recommend that you use a separate log management system, as I
would not say OSSEC covers everything a system like this does.
For example, you can use Splunk or the ELK Stack (my preferred choice, as it is
also free and open source), or SIEM systems (AlienVault, ArcSight, ...).
I hope that helps,
Found a solution, thinking it might be a key issue. On one server, I had to
chmod the keys file, which allowed the agent to connect. I tried re-adding
the existing key to the other agents and configuring the permissions
without anything working. Finally, I re-issued the keys for the disconnect
Can I feed the OSSEC server with log files, or is it only possible to feed the
agents?
On Thursday, December 31, 2015 at 11:56:10 AM UTC+1, Alberto Mijares wrote:
>
> You can use syslog. Tell syslogd to write a specific file and ossec
> agent to read that file.
>
> Read about syslog format and
On Mon, Jan 4, 2016 at 8:46 AM, Joao T. wrote:
> Can I feed the OSSEC server with log files, or is it only possible to feed the
> agents?
>
If those logfiles exist on the server, the OSSEC processes there
should be able to read them.
> On Thursday, December 31, 2015 at 11:56:10 AM
I have about 20 OSSEC agents connected to my OSSEC server without issue.
There are approximately 6 however that cannot connect. I'm using a
non-default port of 1520. Note: All IPs replaced here for OPSEC.
Logs:
- Agent:
- 2016/01/04 11:12:23 ossec-agentd: INFO: Using IPv4 for:
Also, from agent:
# netstat -panu | grep 1520
udp        0      0 AGENT_IP:43737          SERVER_IP:1520          ESTABLISHED 30669/ossec-agentd
On Monday, January 4, 2016 at 12:25:02 PM UTC-5, Cal wrote:
>
> I have about 20 OSSEC agents connected to my OSSEC server without issue.
> There are