Re: [ossec-list] Re: Couple of agents unable to connect to server

2016-01-04 Thread Santiago Bassett
Usually there are warning or error messages in the ossec.log file (check those both in the agent and manager).

On Mon, Jan 4, 2016 at 11:06 AM, Cal wrote:
> Found a solution, thinking it might be a key issue. On one server, I had
> to chmod the keys file, which allowed

Re: [ossec-list] Using Regular Expressions in an OSSEC rule

2016-01-04 Thread Santiago Bassett
How about using Comp-\S+? I would also recommend using a variable like this (taken from syslog rules):

core_dumped|failure|error|attack|bad |illegal |denied|refused|unauthorized|fatal|failed|Segmentation Fault|Corrupted

On Mon, Dec 28, 2015 at 10:22 AM, wrote:
>

Re: [ossec-list] for what time ossec save logs?

2016-01-04 Thread Santiago Bassett
Maxim, I would recommend that you use a separate log management system, as I would not say OSSEC covers all that a system like this does. For example, you can use Splunk or ELK Stack (my preferred choice as it is also free Open Source), or SIEM systems (AlienVault, Arcsight,...)

I hope that helps,

[ossec-list] Re: Couple of agents unable to connect to server

2016-01-04 Thread Cal
Found a solution, thinking it might be a key issue. On one server, I had to chmod the keys file, which allowed the agent to connect. I tried re-adding the existing key to the other agents and configuring the permissions without anything working. Finally, I re-issued the keys for the disconnect

Re: [ossec-list] Send my own logs to Ossec server

2016-01-04 Thread Joao T.
Can I feed the ossec server with log files, or is it only possible to feed the agents?

On Thursday, December 31, 2015 at 11:56:10 AM UTC+1, Alberto Mijares wrote:
>
> You can use syslog. Tell syslogd to write a specific file and ossec
> agent to read that file.
>
> Read about syslog format and

Re: [ossec-list] Send my own logs to Ossec server

2016-01-04 Thread dan (ddp)
On Mon, Jan 4, 2016 at 8:46 AM, Joao T. wrote:
> Can I feed the ossec server with log files, or is it only possible to feed the
> agents?
>

If those logfiles exist on the server, the OSSEC processes there should be able to read them.

> On Thursday, December 31, 2015 at 11:56:10 AM

[ossec-list] Couple of agents unable to connect to server

2016-01-04 Thread Cal
I have about 20 OSSEC agents connected to my OSSEC server without issue. There are approximately 6 however that cannot connect. I'm using a non-default port of 1520.

Note: All IPs replaced here for OPSEC.

Logs:
- Agent:
  - 2016/01/04 11:12:23 ossec-agentd: INFO: Using IPv4 for:

[ossec-list] Re: Couple of agents unable to connect to server

2016-01-04 Thread Cal
Also, from agent:

# netstat -panu | grep 1520
udp 0 0 AGENT_IP:43737 SERVER_IP:1520 ESTABLISHED 30669/ossec-agentd

On Monday, January 4, 2016 at 12:25:02 PM UTC-5, Cal wrote:
>
> I have about 20 OSSEC agents connected to my OSSEC server without issue.
> There are