If you have not done it already, try enabling the "logall" option in the ossec
manager configuration file (global section). Then check your
/var/ossec/logs/archives/archives.log and see if those are getting there.
If that is the case, then the agent is forwarding the logs but they are just
not triggering
Are you sure your config is not working?
I just tested this and it works for me:
/root
I created three test files:
root@vpc-ossec-manager:~# ls test.txt*
test.txt1 test.txt2 test.txt3
And this is what I get in my syscheck file:
root@vpc-ossec-manager:~# cat
Agree with Dan, also double check the regexes, as it looks like there are
some inconsistencies at the end. I don't think that \D+ is in the right
place.
Best
On Wed, Jan 27, 2016 at 7:08 AM, dan (ddp) wrote:
>
> On Jan 27, 2016 10:06 AM, "Fredrik"
Hello Daniel,
Yes, that was my first try. The problem was that the result of an iptables
command was too large and the content was truncated most of the time.
Therefore, it was triggering false positives.
Can you think of another way of performing an iptables -S check diff in real
time?
El
I'll patch my analysisd to provide srcport and dstport with a value of "0"
if the protocol is "ICMP"... I need to keep traces of such events...
/x
On Tue, Jan 26, 2016 at 11:40 PM, Brent Morris
wrote:
> Good catch!
>
> I think the ASA provides ports just as part of
Because now the problem is we have new log files created daily. Is this
something OSSEC is not capable of?
On Wednesday, January 27, 2016 at 10:43:52 AM UTC-5, Greg Burns wrote:
>
> That worked! I think I was not testing it properly. I used the tail -f as
> you said and added the line with the
Is this worth submitting as an issue to github?
https://github.com/ossec/ossec-hids/issues
On Wednesday, January 27, 2016 at 12:08:54 AM UTC-8, Xavier Mertens wrote:
>
> I'll patch my analysisd to provide srcport and dstport with a value of "0"
> if the protocol is "ICMP"... I need to keep
That worked! I think I was not testing it properly. I used the tail -f as
you said and added the line with the alert. I really appreciate your help.
I have one more question. Is there any way to monitor new log files as they
appear?
This is the naming convention:
BatchLog_LT_01192016203220
Thanks Dan! I obviously didn't realize that this was the case :( This means
that I should create a regex that takes the missing entry part into account
and hence matches: Jan 27 9:32:28 st4600fw01n1 and not the full string I
was aiming for? This would then explain the, from my point of view,
Hi Santiago!
Thanks for your input. As you pointed out the \D+ is out of place and I
couldn't figure out why that would match whereas the latter regex, that I
believed to be more complete, wouldn't. With input from Dan and yourself, I
realize that OSSEC is offering a helping hand in stripping
I have been working on the integrator daemon (ossec-integratord) to allow
OSSEC
to easily integrate with external APIs to send alerts & notifications.
I have pushed it to my personal fork and I am looking for testers, and
people interested to try it out to help flush out any bugs/issues.
So far,
Thanks Daniel! I'll definitely try the integration with Slack. Cool stuff.
On Wed, Jan 27, 2016 at 10:57 AM, Daniel Cid wrote:
> I have been working on the integrator daemon (ossec-integratord) to allow
> OSSEC
> to easily integrate with external APIs to send alerts &
Hi Daniel,
This is great! I don't have time right now for testing but I have a
suggestion: the next step should be the integration with RT and RTIR.
Thank you for this work.
Best regards,
Alberto Mijares
On Wed, Jan 27, 2016 at 2:27 PM, Daniel Cid wrote:
> I have
Hi Team,
I have an ossec server running in my infrastructure. We have two Alert Logic
servers which test our infrastructure by doing brute-force attacks and all
kinds of attacks, and ossec is sending a lot of mail alerts. I want to drop
those alert mails if the attack is from those two servers, how
I had some time last night to work on this more. I found another library
that I didn't have installed. When I installed the libpq-dev package, I
was able to run the setdb and install with Postgres support.
When installing OSSEC with Postgres support, one needs to make sure this
library is
Instead of using I'd recommend using
My configuration for that kind of periodic security assessment:
6
10.32.0.9
10.32.0.8
IP address of the automatic scan - Security team
Automatic Scan IP from pentesting network whitelisted - 01.07.2015
On Wednesday, the 27th of
I have enabled audit on MS SQL Server 2014, logs are sent to Windows
Application log.
I can see the audit logs from Event Viewer, but I'm unable to see the logs
on OSSEC server.
OSSEC agent is configured to monitor Windows Application logs.
Any help would be greatly appreciated.
I have enabled audit on MSSQL Server 2014 and audit logs are sent to the
Windows Application Log.
I can see the audit logs from event viewer. But I'm unable to see the audit
logs from OSSEC server.
OSSEC agent is configured to analyze Application event log.
Any help would be greatly appreciated.
Hi All,
Been working on a regex to match the highlighted part of the (event) string
below:
*Jan 27 09:41:01 127.0.0.1 Jan 27 9:32:28 st4600fw01n1 *allow http://www.aliveproxy.com/; proxy_src_ip: 192.168.1.15 product: Application
Control; service: http; s_port: 58579; product_family: Network;
...
On Jan 27, 2016 10:06 AM, "Fayax" wrote:
>
> I have enabled audit on MS SQL Server 2014, logs are sent to Windows
> Application log.
> I can see the audit logs from Event Viewer, but I'm unable to see the
> logs on OSSEC server.
> OSSEC agent is configured to monitor Windows
On Jan 27, 2016 9:21 AM, "Jason Aleksi" wrote:
>
> I had some time last night to work on this more. I found another library
> that I didn't have installed. When I installed the libpq-dev package, I
> was able to run the setdb and install with Postgres support.
>
> When