Re: [ossec-list] OSSEC MSSQL Audit log

2016-01-27 Thread Santiago Bassett
If you have not done it already, try enabling "logall" option in the ossec manager configuration file (global section). Then check your /var/ossec/logs/archives/archives.log and see if those are getting there. If that is the case, then agent is forwarding the logs but they are just not triggering

Re: [ossec-list] syscheck not working with restrict option

2016-01-27 Thread Santiago Bassett
Are you sure your config is not working? I just tested this and it works for me: /root I created three test files: root@vpc-ossec-manager:~# ls test.txt* test.txt1 test.txt2 test.txt3 And this is what I get in my syscheck file: root@vpc-ossec-manager:~# cat

Re: [ossec-list] decoder prematch (regex) issue

2016-01-27 Thread Santiago Bassett
Agree with Dan, also double check the regexes, as it looks like there are some inconsistencies at the end. I don't think that \D+ is in the right place. Best On Wed, Jan 27, 2016 at 7:08 AM, dan (ddp) wrote: > > On Jan 27, 2016 10:06 AM, "Fredrik"

[ossec-list] Re: Integrity checksum size changed to 0 or from 0 - false positive

2016-01-27 Thread ZaNN
Hi Daniel, Yes, that was my first try. Problem was that the result of an iptables command was too large and the content was truncated most of the time. Therefore, it was triggering false positives. Can you think of another way to perform an iptables -S check diff in real time? On

Re: [ossec-list] firewall.log and ICMP?

2016-01-27 Thread Xavier Mertens
I'll patch my analysisd to provide srcport and dstport with a value of "0" if the protocol is "ICMP"... I need to keep traces of such events... /x On Tue, Jan 26, 2016 at 11:40 PM, Brent Morris wrote: > Good catch! > > I think the ASA provides ports just as part of

Re: [ossec-list] Log file not triggering alert

2016-01-27 Thread Greg Burns
Because now the problem is we have new log files created daily. Is this something OSSEC is not capable of? On Wednesday, January 27, 2016 at 10:43:52 AM UTC-5, Greg Burns wrote: > > That worked! I think I was not testing it properly. I used the tail -f as > you said and added the line with the

Re: [ossec-list] firewall.log and ICMP?

2016-01-27 Thread Brent Morris
Is this worth submitting as an issue to github? https://github.com/ossec/ossec-hids/issues On Wednesday, January 27, 2016 at 12:08:54 AM UTC-8, Xavier Mertens wrote: > > I'll patch my analysisd to provide srcport and dstport with a value of "0" > if the protocol is "ICMP"... I need to keep

Re: [ossec-list] Log file not triggering alert

2016-01-27 Thread Greg Burns
That worked! I think I was not testing it properly. I used the tail -f as you said and added the line with the alert. I really appreciate your help. I have one more question. Is there any way to monitor new log files as they appear? This is the naming convention: BatchLog_LT_01192016203220

Re: [ossec-list] decoder prematch (regex) issue

2016-01-27 Thread Fredrik
Thanks Dan! I obviously didn't realize that this was the case :( This means that I should create a regex that takes the missing entry part into account and hence matches: Jan 27 9:32:28 st4600fw01n1 not the full string I was aiming for? This would then explain the, from my point of view,

Re: [ossec-list] decoder prematch (regex) issue

2016-01-27 Thread Fredrik
Hi Santiago! Thanks for your input. As you pointed out the \D+ is out of place and I couldn't figure out why that would match whereas the latter regex, that I believed to be more complete, wouldn't. With input from Dan and yourself, I realize that OSSEC is offering a helping hand in stripping
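The point the thread converges on is that analysisd has already removed the outer syslog header ("Jan 27 09:41:01 127.0.0.1 ") before any decoder sees the line, so the prematch must be written against the inner header that is left. The following is an added example of such a decoder pair, not Fredrik's own decoder; the decoder names, the field mapping and the choice to anchor on the inner timestamp are assumptions built from the sample line posted in the thread (OSSEC regex syntax: \w alphanumeric, \d digit, \S non-space, \. "anything", a bare . a literal dot):

```xml
<!-- Added example for /var/ossec/etc/local_decoder.xml; not code from the thread.
     Decoder names "fw-appctl" / "fw-appctl-fields" are assumptions. -->

<!-- What analysisd hands to the decoders, after stripping the outer header, is:
       Jan 27 9:32:28 st4600fw01n1 allow http://www.aliveproxy.com/; proxy_src_ip: 192.168.1.15 product: Application Control; service: http; s_port: 58579; ...
     so the prematch starts at the inner "Mon DD H:MM:SS host " header. -->
<decoder name="fw-appctl">
  <prematch>^\w+ \d+ \d+:\d+:\d+ \S+ </prematch>
</decoder>

<!-- Child decoder: the regex is applied to what follows the parent's prematch,
     i.e. starting at "allow http://...". It captures the action, the proxy
     source address, the product string, the service and the source port from
     the "key: value;" pairs and maps them onto OSSEC's standard fields. -->
<decoder name="fw-appctl-fields">
  <parent>fw-appctl</parent>
  <regex offset="after_parent">^(\w+) \S+ proxy_src_ip: (\d+.\d+.\d+.\d+) product: (\.+); service: (\w+); s_port: (\d+);</regex>
  <order>action, srcip, extra_data, protocol, srcport</order>
</decoder>
```

Paste the full raw line (outer header included) into /var/ossec/bin/ossec-logtest to check it: the "Completed decoding" phase should name the decoder and list srcip, action and the other fields; if it still reports no decoder, the prematch is the part to adjust, not the child regex.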

[ossec-list] Testing integratord

2016-01-27 Thread Daniel Cid
I have been working on the integrator daemon (ossec-integratord) to allow OSSEC to easily integrate with external APIs to send alerts & notifications. I have pushed it to my personal fork and I am looking for testers, and people interested to try it out to help flush out any bugs/issues. So far,

Re: [ossec-list] Testing integratord

2016-01-27 Thread Santiago Bassett
Thanks Daniel! I'll definitely try the integration with Slack. Cool stuff. On Wed, Jan 27, 2016 at 10:57 AM, Daniel Cid wrote: > I have been working on the integrator daemon (ossec-integratord) to allow > OSSEC > to easily integrate with external APIs to send alerts &

Re: [ossec-list] Testing integratord

2016-01-27 Thread Alberto Mijares
Hi Daniel, This is great! I don't have time right now for testing but I have a suggestion: the next step should be the integration with RT and RTIR. Thank you for this work. Best regards, Alberto Mijares On Wed, Jan 27, 2016 at 2:27 PM, Daniel Cid wrote: > I have

[ossec-list] How to ignore mail alerts for alert logic security servers which are testing the infrastructure for vulnerabilities

2016-01-27 Thread narendra reddy
Hi Team, I have an ossec server running in my infrastructure, we have two alert logic servers which test our infrastructure by doing brute force attacks and all kinds of attacks and ossec is sending a lot of mail alerts, I want to drop those alert mails if the attack is from those two servers, how

Re: [ossec-list] OSSEC and Postgres Install Error

2016-01-27 Thread Jason Aleksi
I had some time last night to work on this more. I found another library that I didn't have installed. When I installed the libpq-dev package, I was able to run the setdb and install with Postgres support. When installing OSSEC with Postgres support, one needs to make sure this library is

[ossec-list] Re: How to ignore mail alerts for alert logic security servers which are testing the infrastructure for vulnerabilities

2016-01-27 Thread ZaNN
Instead of using I'd recommend using My configuration for that kind of periodic security assessment: 6 10.32.0.9 10.32.0.8 IP address of the automatic scan - Security team Automatic Scan IP from pentesting network whitelisted - 01.07.2015 On Wednesday, 27
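The rule-based approach ZaNN points to can be written as a child rule in local_rules.xml: it only fires after an attack rule has already matched, restricts itself to the two scanner addresses with <srcip>, and then decides what happens to the event. The block below is an added example and is not ZaNN's posted rule; the rule ids 100100/100101, the group name used in <if_group> and the scanner addresses 10.32.0.9 and 10.32.0.8 (taken from the post) are assumptions to adapt, and the group name must be one that actually appears in the alerts being generated (it is printed after "mail - " in the header line of each entry in /var/ossec/logs/alerts/alerts.log):

```xml
<!-- Added example for /var/ossec/rules/local_rules.xml; not code from the thread.
     Rule ids, the if_group value and the two scanner addresses are assumptions. -->
<group name="local,">

  <!-- Variant 1: keep the alert in alerts.log but never e-mail it.
       A child rule inherits the match of the parent (any rule in the
       "authentication_failures" group), so it fires only for events that
       already triggered a brute-force style alert from these two hosts. -->
  <rule id="100100" level="5">
    <if_group>authentication_failures</if_group>
    <srcip>10.32.0.9</srcip>
    <srcip>10.32.0.8</srcip>
    <options>no_email_alert</options>
    <description>Authorized vulnerability scanner: logged, not mailed.</description>
  </rule>

  <!-- Variant 2: drop the event entirely (no alert, no e-mail, no active
       response). Level 0 rules are the last children checked, so another,
       more specific child rule can still win over this one. Use one or the
       other for a given group, not both. -->
  <!--
  <rule id="100101" level="0">
    <if_group>authentication_failures</if_group>
    <srcip>10.32.0.9</srcip>
    <srcip>10.32.0.8</srcip>
    <description>Authorized vulnerability scanner: ignored.</description>
  </rule>
  -->

</group>
```

Each attack family the scanners exercise (web scans, port scans, and so on) belongs to its own rule group, so one such child rule per group is needed; check the result by feeding a captured scanner log line to /var/ossec/bin/ossec-logtest, where the rule id and level reported in the "Completed filtering" phase should be the local rule's, not the original attack rule's.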

[ossec-list] OSSEC MSSQL audit log

2016-01-27 Thread Fayax
I have enabled audit on MS SQL Server 2014, logs are sent to Windows Application log. I can see the audit logs from Event Viewer, but I'm unable to see the logs on OSSEC server. OSSEC agent is configured to monitor Windows Application logs. Any help would be greatly appreciated.

[ossec-list] OSSEC MSSQL Audit log

2016-01-27 Thread Fayax
I have enabled audit on MSSQL Server 2014 and audit logs are sent to Windows Application Log. I can see the audit logs from event viewer. But I'm unable to see the audit logs from OSSEC server. OSSEC agent is configured to analyze Application event log. Any help would be greatly appreciated.

[ossec-list] decoder prematch (regex) issue

2016-01-27 Thread Fredrik
Hi All, Been working on a regex to match highlighted part of the (event) string below: *Jan 27 09:41:01 127.0.0.1 Jan 27 9:32:28 st4600fw01n1 *allow http://www.aliveproxy.com/; proxy_src_ip: 192.168.1.15 product: Application Control; service: http; s_port: 58579; product_family: Network; ...

Re: [ossec-list] OSSEC MSSQL audit log

2016-01-27 Thread dan (ddp)
On Jan 27, 2016 10:06 AM, "Fayax" wrote: > > I have enabled audit on MS SQL Server 2014, logs are sent to Windows Application log. > I can see the audit logs from Event Viewer, but I'm unable to see the logs on OSSEC server. > OSSEC agent is configured to monitor Windows

Re: [ossec-list] OSSEC and Postgres Install Error

2016-01-27 Thread dan (ddp)
On Jan 27, 2016 9:21 AM, "Jason Aleksi" wrote: > > I had some time last night to work on this more. I found another library that I didn't have installed. When I installed the libpq-dev package, I was able to run the setdb and install with Postgres support. > > When