Awesome! Many thanks, this is exactly what I was looking for.
On Friday, July 29, 2016 at 12:16:35 PM UTC-7, Victor Fernandez wrote:
>
> Hi Graeme.
>
> I agree, it would be great to print on the log that the agent became
> disconnected. The SEC_ERROR definition is shared between manager and
> ag
Hi Graeme.
I agree, it would be great to print on the log that the agent became
disconnected. The SEC_ERROR definition is shared between manager and
agents, but it's possible to extend some other messages. In fact, the line
at sendmsg.c that tests if the agent is disconnected (more than 20 minu
It's been a while, but a few years ago (I forgot the version) it was required to
have separate OSSEC Managers per ruleset/alerting deployment. For example,
if I have 2x completely separate deployments (OS + applications installed + alerting
threshold), would I need 2x separate OSSEC Managers to receive events?
Thank you Victor for the response.
On Thursday, July 28, 2016 at 5:52:54 PM UTC-7, Victor Fernandez wrote:
>
> Hi Chanti.
>
> By default, OSSEC doesn't allow adding an agent with a removed agent's ID.
> When OSSEC adds a new agent, the information about it is written at
> /var/ossec/etc/client.
Delving into Sysmon event log parsing reveals just how monumental a task it is
to parse out useful information from Windows event logs. The challenge is that
nearly each and every Event ID has a different log format, which essentially
means that almost every Event ID needs its own decoder... I m
Hi Victor,
Huge thanks for the detail, this would explain exactly why we're seeing
this; our OSSEC managers are likely overloaded.
It would be very helpful to include the agentid in the logfile to
understand / track where this is occurring and the number of unique agents
that are impacted, per
I've tried to figure that out, but it was nigh on impossible. The closest
is that file descriptor, "10" but that doesn't mean much. I didn't see a
filename.
It turns out that it wasn't *just* "\0\0\0\0" over and over -- there were
some other escape sequences in there as well. But nothing that l
On Friday, July 29, 2016 at 14:20:41 UTC+2, dan (ddpbsd) wrote:
>
> On Fri, Jul 29, 2016 at 2:50 AM, Dominik wrote:
> >
> >
> > On Thursday, July 28, 2016 at 17:51:23 UTC+2, dan (ddpbsd) wrote:
> >>
> >> On Thu, Jul 28, 2016 at 11:25 AM, Dominik wrote:
> >> > Dear all
> >> > somehow I
On Thu, Jul 28, 2016 at 2:28 PM, JDS wrote:
> We discovered that ossec-syscheckd is freaking out on one single node, in a
> particular way. I'm looking for advice on how to troubleshoot this.
>
> I found ossec-syscheckd was consuming 99 to 100% CPU on the box.
>
> I purged the ossec-hids-agent pac
On Tue, Jul 26, 2016 at 2:41 PM, Craig wrote:
> Thanks Dan,
> Yes, my server is running Ubuntu 16.04 with OSSEC 2.9RC2
> I have a Windows 7 2.9RC2 agent installed, registered, and communicating
> with the OSSEC Ubuntu server
> For some reason, though, I can't get it to pull the agent.conf file fro
On Fri, Jul 29, 2016 at 2:50 AM, Dominik wrote:
>
>
> On Thursday, July 28, 2016 at 17:51:23 UTC+2, dan (ddpbsd) wrote:
>>
>> On Thu, Jul 28, 2016 at 11:25 AM, Dominik wrote:
>> > Dear all
>> > somehow I'm missing something fundamental on Active Response - it just
>> > does
>> > not work for me.
On Thu, Jul 28, 2016 at 11:24 PM, Craig wrote:
> I am currently running 2.9RC2 on both client and server:
>
> What is the best way to go about testing an eventchannel log? I have the
> following set in my local ossec.conf on my windows agent:
> <localfile>
>   <location>Microsoft-Windows-Sysmon/Operational</location>
>   <log_format>eventchannel</log_format>
> </localfile>
>
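The two Sysmon posts above (the one noting that nearly every Sysmon Event ID needs its own decoder, and the question about testing an eventchannel feed from Microsoft-Windows-Sysmon/Operational) both come down to the same structure: one shared <System> envelope, a different <EventData> layout per Event ID. The following is an added example, not code from OSSEC or from either poster, showing a decoder dispatch table keyed by Event ID with a fallback for IDs nobody has written a decoder for yet. The field names follow the public Sysmon schema; the sample events, the host name ws01 and all addresses are constructed for the example, and the helper and function names are this example's own.

```python
"""Per-Event-ID decoding of Sysmon events (added example, not OSSEC code).

Every Sysmon event shares one <System> envelope, but each Event ID carries a
different <EventData> layout, so decoding is a dispatch on Event ID. IDs with
no entry fall through to a generic path that keeps the raw fields and flags
the record as undecoded, so nothing is silently dropped.
"""
import xml.etree.ElementTree as ET

# Default namespace used by Windows event XML, including Sysmon's channel.
NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}


def _envelope(event_id, computer, data):
    """Build a constructed Sysmon-style event XML string (sample input only)."""
    body = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in data.items())
    return (f'<Event xmlns="{NS["e"]}"><System>'
            f'<Provider Name="Microsoft-Windows-Sysmon"/><EventID>{event_id}</EventID>'
            f'<Channel>Microsoft-Windows-Sysmon/Operational</Channel>'
            f'<Computer>{computer}</Computer></System>'
            f'<EventData>{body}</EventData></Event>')


# Constructed sample events; values are made up, field names follow Sysmon.
SAMPLE_EVENTS = [
    _envelope(1, "ws01", {                      # Event ID 1: process create
        "UtcTime": "2016-07-28 18:24:01.123",
        "Image": r"C:\Windows\System32\cmd.exe",
        "CommandLine": "cmd.exe /c whoami",
        "ParentImage": r"C:\Windows\explorer.exe",
        "Hashes": "SHA1=DA39A3EE5E6B4B0D3255BFEF95601890AFD80709,"
                  "MD5=D41D8CD98F00B204E9800998ECF8427E",
    }),
    _envelope(3, "ws01", {                      # Event ID 3: network connect
        "UtcTime": "2016-07-28 18:24:02.456",
        "Image": r"C:\Windows\System32\cmd.exe",
        "Protocol": "tcp",
        "SourceIp": "192.0.2.10", "SourcePort": "49152",
        "DestinationIp": "203.0.113.5", "DestinationPort": "443",
    }),
    _envelope(11, "ws01", {                     # Event ID 11: file create
        "UtcTime": "2016-07-28 18:24:03.789",
        "Image": r"C:\Windows\System32\cmd.exe",
        "TargetFilename": r"C:\Users\Public\payload.exe",
    }),
    # Event ID 22 (DNS query) deliberately has no decoder in the table below.
    _envelope(22, "ws01", {"UtcTime": "2016-07-28 18:24:04.000",
                           "QueryName": "example.net"}),
]


def _fields(root):
    """Flatten <EventData>/<Data Name=...> into a dict; identical for every ID."""
    return {d.get("Name"): (d.text or "")
            for d in root.findall("e:EventData/e:Data", NS)}


def decode_process_create(d):                   # Event ID 1
    hashes = dict(h.split("=", 1) for h in d["Hashes"].split(","))
    return {"image": d["Image"], "command_line": d["CommandLine"],
            "parent_image": d["ParentImage"], "hashes": hashes}


def decode_network_connect(d):                  # Event ID 3
    return {"image": d["Image"], "protocol": d["Protocol"],
            "src": d["SourceIp"] + ":" + d["SourcePort"],
            "dst": d["DestinationIp"] + ":" + d["DestinationPort"]}


def decode_file_create(d):                      # Event ID 11
    return {"image": d["Image"], "target": d["TargetFilename"]}


# One decoder per Event ID; extend this table as new IDs are needed.
DECODERS = {
    1: ("ProcessCreate", decode_process_create),
    3: ("NetworkConnect", decode_network_connect),
    11: ("FileCreate", decode_file_create),
}


def decode_event(xml_text):
    """Decode one event; never raises on an unknown ID or a missing field."""
    root = ET.fromstring(xml_text)
    event_id = int(root.findtext("e:System/e:EventID", namespaces=NS))
    fields = _fields(root)
    out = {"event_id": event_id,
           "computer": root.findtext("e:System/e:Computer", namespaces=NS),
           "utc_time": fields.get("UtcTime"), "decoded": False}
    name, decoder = DECODERS.get(event_id, ("Unknown", None))
    out["type"] = name
    if decoder is None:
        out["raw"] = fields                     # keep everything for later triage
        return out
    try:
        out.update(decoder(fields))
        out["decoded"] = True
    except KeyError as missing:                 # schema drift between Sysmon versions
        out["raw"] = fields
        out["missing_field"] = missing.args[0]
    return out


def decode_all(events):
    return [decode_event(e) for e in events]


if __name__ == "__main__":
    for rec in decode_all(SAMPLE_EVENTS):
        print(rec)
```

The undecoded path is the part worth copying: an Event ID that has no decoder, or a field that a newer or older Sysmon no longer emits, is surfaced as `decoded: False` with the raw fields attached instead of raising or being dropped, which is what you want from a decoder that sits in front of an alerting pipeline.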
Got it running with the following:
31530
web-accesslog
zabbix/zabbix.php
Ignore all zabbix views
This is fun :-)
--
---
You received this message because you are subscribed to the Google Groups
"ossec-list" group.
To unsubscribe from this group and stop receiving emails f
Hi all, and thanks for reading.
I am new to ossec, however, I've got my system up and running without any
problems. Now I have to finetune it for my network, and here is where my
troubles start.
I am getting alerts that I need to ignore. Most local rules work fine, but
one alert is giving me a