Re: [ossec-list] Disk usage monitor not working in RHEL5

2016-04-19 Thread Santiago Bassett
Out of curiosity, what is the rule that is supposed to trigger the alert? The one I see by default looks for full partitions... https://github.com/ossec/ossec-hids/blob/a7ca63d6d074f2f6bdb49f4bc79a054c31dcafc7/etc/rules/ossec_rules.xml#L137 On Mon, Apr 18, 2016 at 2:07 AM, Robert Micallef

Re: [ossec-list] RootCheck disabling

2016-04-19 Thread Santiago Bassett
I was meaning to paste this link before sending the last email: http://ossec-docs.readthedocs.org/en/latest/manual/rootcheck/manual-rootcheck.html On Tue, Apr 19, 2016 at 5:06 PM, Santiago Bassett < santiago.bass...@gmail.com> wrote: > Hi Eyal, > > try setting syscheck.debug=2 in

Re: [ossec-list] RootCheck disabling

2016-04-19 Thread Santiago Bassett
Hi Eyal, try setting syscheck.debug=2 in the internal_options.conf file. It looks like there are some rootchecks that still run unless you set those to no, like check_pids, check_dev, check_ports, ... see more info at: On Mon, Apr 18, 2016 at 12:13 PM, wrote: >

[ossec-list] Re: USB storage detect & recursive file list

2016-04-19 Thread Jacob Mcgrath
Will try dropping the | select -Skip 2 from the Get-Content to see if that works, or maybe a -Raw output arg On Tuesday, April 19, 2016 at 2:23:39 PM UTC-5, Jacob Mcgrath wrote: > > I have a basic Windows agent setting to alert me when a storage device is > detected using PowerShell. > > >

[ossec-list] Re: USB storage detect & recursive file list

2016-04-19 Thread Jacob Mcgrath
I have nominal success with this: full_command powershell.exe "$USBDrive = Get-WmiObject Win32_Volume -Filter "DriveType='2'"| select -expand driveletter ; Get-Childitem $USBDrive -recurse > C:\temp\test.txt ; (gc C:\temp\test.txt | select -Skip 2)" 60 USBDevices

Re: [ossec-list] USB storage detect & recursive file list

2016-04-19 Thread Pedro Sanchez
Hi, Nice commands, very useful, thanks for sharing. Both commands are working in my lab; the second one prints the full list of files to the terminal and writes it into the C:\temp\test.txt file (watch out for the last " quotes before ). I am not sure if you need to merge the two commands' output into

[ossec-list] USB storage detect & recursive file list

2016-04-19 Thread Jacob Mcgrath
I have a basic Windows agent setting to alert me when a storage device is detected using PowerShell. full_command powershell.exe -command "gwmi win32_diskdrive | select Model,InterfaceType,serialnumber,Size,MediaType,CapabilityDescriptions > C:\temp\usbdetect.txt ; (gc
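The two full_command checks above inline the whole PowerShell pipeline into the ossec.conf command string, which is where the nested-quote trouble comes from, and they round-trip through a temp file that is then re-read with select -Skip 2. The script below is an added example, not code from the thread or from the OSSEC project: it keeps the same idea (USB disk inventory via Win32_DiskDrive, removable volumes via Win32_Volume DriveType 2, recursive file listing) but lives in a .ps1 file that the agent calls with -File, so no quoting is needed in ossec.conf, and every line of output is sorted and free of timestamps, because full_command output is compared from one run to the next and only real changes should differ. The install path, the cap of 200 entries per volume and the ossec.conf stanza in the header comment are assumptions for illustration.

```powershell
# Added example (not from the original thread). Save as
# C:\Program Files (x86)\ossec-agent\usbdetect.ps1 (path is an assumption)
# and reference it from ossec.conf with the same log_format/frequency/alias
# the posts above use, but without any quoting inside the command string:
#
#   <localfile>
#     <log_format>full_command</log_format>
#     <command>powershell.exe -NoProfile -ExecutionPolicy Bypass -File "C:\Program Files (x86)\ossec-agent\usbdetect.ps1"</command>
#     <frequency>60</frequency>
#     <alias>USBDevices</alias>
#   </localfile>
#
# Everything emitted is sorted and carries no dates or object hashes, so the
# text only changes when a device is plugged, unplugged or its contents change.

$ErrorActionPreference = 'Stop'
$MaxEntriesPerVolume = 200   # assumption: keep the event small; the agent sends the whole output as one event

# USB-attached physical disks (Win32_DiskDrive.InterfaceType = 'USB').
$disks = Get-WmiObject -Class Win32_DiskDrive -Filter "InterfaceType='USB'" |
    Sort-Object -Property DeviceID

# Removable volumes. DriveType is a uint32 in WQL, so no quotes around the 2.
$volumes = Get-WmiObject -Class Win32_Volume -Filter "DriveType=2" |
    Where-Object { $_.DriveLetter } |
    Sort-Object -Property DriveLetter

if (-not $disks -and -not $volumes) {
    'no removable storage present'
    exit 0
}

foreach ($d in $disks) {
    # SerialNumber is blank on some drivers; print a placeholder so the line shape stays stable.
    $serial = if ($d.SerialNumber) { $d.SerialNumber.Trim() } else { '<none>' }
    'disk model="{0}" serial="{1}" size={2} media="{3}"' -f $d.Model, $serial, $d.Size, $d.MediaType
}

foreach ($v in $volumes) {
    $root = $v.DriveLetter + '\'
    'volume {0} label="{1}" fs={2} capacity={3}' -f $v.DriveLetter, $v.Label, $v.FileSystem, $v.Capacity

    # Recursive listing, hidden files included (-Force catches autorun.inf and the like).
    # Unreadable entries are skipped rather than aborting the whole check.
    $entries = @(Get-ChildItem -LiteralPath $root -Recurse -Force -ErrorAction SilentlyContinue |
        Sort-Object -Property FullName)

    foreach ($e in $entries | Select-Object -First $MaxEntriesPerVolume) {
        $kind = if ($e.PSIsContainer) { 'dir ' } else { 'file' }
        $size = if ($e.PSIsContainer) { '-' } else { $e.Length }
        '  {0} {1} {2}' -f $kind, $size, $e.FullName.Substring($root.Length)
    }
    if ($entries.Count -gt $MaxEntriesPerVolume) {
        '  ... {0} more entries not listed' -f ($entries.Count - $MaxEntriesPerVolume)
    }
}
```

Two things to keep in mind when wiring this up. The output of a full_command check is only logged; to get an alert when a device appears you still need a local rule that matches the alias (ossec: output: 'USBDevices') and uses <check_diff />, the same mechanism the stock rules use for the netstat listening-ports check. And the file listing is the part that can grow without bound, which is why the script caps it per volume: a large stick would otherwise produce a single event far bigger than the agent is built to carry, and the end of the listing is what would be lost.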

[ossec-list] Re: Ossec Agent 2.71 Keeps disconnecting from Ossec server 2.8.3

2016-04-19 Thread Alexandre Laquerre
So the final result was as follows: the first step, I exported the agent list and updated the list (I basically erased 1000 agents that were no longer used (#***)) and then saved it in CSV format. Following that, I used the script managed_agents -f to reimport the whole agent list with new IDs.

Re: [ossec-list] Windows Agent Compilation

2016-04-19 Thread Victor Fernandez
Hi Kumar. As you wrote: > rc\win-pkg>"C:\MinGW\bin\gcc.exe" -o "ossec-agent" -Wall -DARGV0=\"ossec-agent\" -DCLIENT -DWIN32 -DOSSECHIDS icon.o os_regex/*.c os_net/*.c os_xml/*.c zlib-1.2.8/*.c config/*.c shared/*.c os_execd/*.c os_crypto/blowfish/*.c os_crypto/md5/*.c

[ossec-list] Re: ossec service in windows 10

2016-04-19 Thread Victor Fernandez
Hi Diego. How do you start the service, with the UI or from Services? Does OSSEC print something into the file "ossec.log"? Best regards. Victor Fernandez. On Tuesday, April 19, 2016 at 12:15:49 PM UTC+2, Diego Arranz wrote: > > Hi all, > > I'm testing wazuh server on CentOS and ossec

[ossec-list] ossec service in windows 10

2016-04-19 Thread Diego Arranz
Hi all, I'm testing wazuh server on CentOS and ossec 2.8.3 as agent on Windows 10 Professional (Spanish language). The problem is when I try to start the ossec service as a local account, the service doesn't run, with error 5: access denied. If I set up any administrator account to run the

[ossec-list] Re: UTF-8/16 support

2016-04-19 Thread Pedro S
Didn't hear about that before. According to the error, maybe it is because of the UTF-8/16, like you said; we can find it in logcollector read_multiline log or at syslog collector