[ossec-list] Re: Create custom rule for OSSEC 2.8.3, to capture specific phrase in application log

2017-01-31 Thread Jesus Linares
Hi, you should create decoders and rules for that event. Check out the documentation: http://ossec-docs.readthedocs.io/en/latest/syntax/analysis.html Also, you can use the binary /var/ossec/bin/ossec-logtest to test your own decoders/rules. On Monday, January 30, 2017 at 7:04:34 AM UTC-8, Eli
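The decoder/rule pair the reply refers to, written out as an added example (not code from the thread or from the OSSEC project). The log line is constructed for illustration, the decoder name "myapp", the field names and the rule ids 100100-100102 are my choices (ids 100000-119999 are the range reserved for local rules), and the file paths assume the default /var/ossec install layout, where analysisd reads etc/local_decoder.xml automatically and etc/local_rules.xml is included from ossec.conf:

```xml
<!-- /var/ossec/etc/local_decoder.xml (assumed path) -->

<!-- Parent decoder: recognises the "YYYY-MM-DD HH:MM:SS,mmm LEVEL " prefix.
     Constructed sample line:
     2016-07-24 11:43:22,707 INFO [AuthService] Login failed for user alice from 10.0.0.5 -->
<decoder name="myapp">
  <prematch>^\d\d\d\d-\d\d-\d\d \d\d:\d\d:\d\d,\d+ \w+ </prematch>
</decoder>

<!-- Child decoder: matches after the parent's prematch and pulls out the
     user name and the source address so rules can correlate on them. -->
<decoder name="myapp-login-failed">
  <parent>myapp</parent>
  <regex offset="after_parent">Login failed for user (\S+) from (\d+\.\d+\.\d+\.\d+)</regex>
  <order>user, srcip</order>
</decoder>

<!-- /var/ossec/etc/local_rules.xml (assumed path) -->
<group name="local,myapp,">
  <!-- Level 0 grouping rule: every line decoded by "myapp" lands here,
       so the parent decoder name is what decoded_as refers to. -->
  <rule id="100100" level="0">
    <decoded_as>myapp</decoded_as>
    <description>MyApp log message grouped.</description>
  </rule>

  <!-- The specific phrase to alert on. -->
  <rule id="100101" level="5">
    <if_sid>100100</if_sid>
    <match>Login failed for user</match>
    <description>MyApp: failed login.</description>
    <group>authentication_failed,</group>
  </rule>

  <!-- Composite rule: 5 failed logins from the same srcip within 120 s. -->
  <rule id="100102" level="10" frequency="5" timeframe="120">
    <if_matched_sid>100101</if_matched_sid>
    <same_source_ip />
    <description>MyApp: multiple failed logins from the same source IP.</description>
    <group>authentication_failures,</group>
  </rule>
</group>
```

The application log still has to be collected with a <localfile> entry (log_format syslog works for this single-line layout). To check the decoder before restarting, run /var/ossec/bin/ossec-logtest and paste the sample line: the output should show decoder "myapp", the extracted user and srcip fields, and rule 100101 firing; a line that matches the parent prematch but not the phrase should stop at the level 0 rule 100100.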

Re: [ossec-list] need help with a rule

2017-01-31 Thread dan (ddp)
On Tue, Jan 31, 2017 at 11:15 AM, SternData wrote: > I'm getting hammered by probes for non-existent PHP files. > > Received From: sugaree->/var/log/httpd/xxx.com_error_log > Rule: 1002 fired (level 2) -> "Unknown problem somewhere in the system." > Portion of the

[ossec-list] need help with a rule

2017-01-31 Thread SternData
I'm getting hammered by probes for non-existent PHP files. Received From: sugaree->/var/log/httpd/xxx.com_error_log Rule: 1002 fired (level 2) -> "Unknown problem somewhere in the system." Portion of the log(s): [Tue Jan 31 09:57:35.809951 2017] [proxy_fcgi:error] [pid 25770] [client

Re: [ossec-list] Unable to capture file integrity changes more than 3 times with auto_ignore

2017-01-31 Thread dan (ddp)
On Tue, Jan 31, 2017 at 7:06 AM, Abhijit Tikekar wrote: > Hi, > > I am unable to make auto_ignore work on our OSSEC instance for a few > directories which are set for Real Time monitoring. OSSEC Agent version is > 2.8.3 and server is currently on 2.8.1. > Start by correcting this

Re: [ossec-list] Re: Alerts generated despite level '0' rule being hit

2017-01-31 Thread dan (ddp)
On Fri, Jan 27, 2017 at 11:00 AM, Daniel B. wrote: > > Yes, via ./ossec-control -r > root@ossec-test:/var/ossec/etc# /var/ossec/bin/ossec-control -r Usage: /var/ossec/bin/ossec-control {start|stop|restart|status|enable|disable} Try `/var/ossec/bin/ossec-control

Re: [ossec-list] OSSEC 2.8.3 create custom rule

2017-01-31 Thread dan (ddp)
On Mon, Jan 30, 2017 at 9:54 AM, Eli Tunkel wrote: > Hi Guys > > > I am looking to create a new custom ossec rule to capture a specific phrase in > a log. > I have added the required directory to the ossec.conf > monitoring. > > LOG Sample: > > 2016-07-24 11:43:22,707 INFO

Re: [ossec-list] Create rules for custom decoder (netasq/stomshield firewall)

2017-01-31 Thread dan (ddp)
On Mon, Jan 30, 2017 at 10:46 AM, Bertrand Danos wrote: > Hello, > > I still have some problems with my custom rules. > How to generate 3 different alerts depending on the messages. > > > Here are my steps : > > 1) Add log file to monitor > * Edit the file etc/ossec.conf

Re: [ossec-list] how to modify the apache log decoder to accept dash in time

2017-01-31 Thread dan (ddp)
On Sun, Jan 29, 2017 at 2:54 PM, wrote: > My web servers logs are being decoded as 'pure-transfer' instead of as an > apache log due to the time format, which includes a dash '-'. If I remove > the dash, then the logs are decoded as apache logs. I believe I have to >

Re: [ossec-list] Monitoring syslog activity/traffic

2017-01-31 Thread dan (ddp)
On Mon, Jan 30, 2017 at 9:14 AM, Tibor Luth wrote: > Hi all! > > I have a few datasources sending remote syslog to an OSSIM appliance running > Rsyslog (udp or tcp/514) and OSSEC server and local agent. First I would > like to generate alerts or see in logs if a datasource

Re: [ossec-list] How to automate configuration of OSSEC Agent on Windows?

2017-01-31 Thread Igor Gatis
I'm using 2.8.3. I managed to add agent key using the command below: echo y | "D:\Program Files (x86)\ossec-agent\manage_agents.exe" -i As for server IP, I used the following PowerShell snippet (it would be nice if manage_agents.exe handled that as well): $ossec_config_file =

[ossec-list] Unable to capture file integrity changes more than 3 times with auto_ignore

2017-01-31 Thread Abhijit Tikekar
Hi, I am unable to make auto_ignore work on our OSSEC instance for a few directories which are set for Real Time monitoring. OSSEC Agent version is 2.8.3 and server is currently on 2.8.1. I have tried to set auto_ignore to no on both server and the agent, but OSSEC still keeps ignoring the checksum change after the 3rd time.
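For reference, the two syscheck fragments involved, as an added example rather than the poster's actual configuration. The "third change and then ignore" logic is applied by analysisd on the manager when it processes syscheck events, so the <auto_ignore> setting that counts is the one in the manager's own ossec.conf <syscheck> block; the agent side only needs the realtime directories. The directory names are placeholders:

```xml
<!-- Manager: /var/ossec/etc/ossec.conf (assumed default path) -->
<ossec_config>
  <syscheck>
    <!-- Default is "yes": after the third change to the same file the
         manager stops alerting on it. "no" keeps alerting on every change. -->
    <auto_ignore>no</auto_ignore>
  </syscheck>
</ossec_config>

<!-- Agent: /var/ossec/etc/ossec.conf (assumed default path) -->
<ossec_config>
  <syscheck>
    <!-- realtime="yes" needs inotify support on the agent; directories
         without it are only checked on the periodic scan. Placeholder paths. -->
    <directories check_all="yes" realtime="yes">/etc,/usr/bin,/usr/sbin</directories>
    <directories check_all="yes" realtime="yes">/var/www/html</directories>
  </syscheck>
</ossec_config>
```

After changing the manager-side setting, restart the manager (ossec-control restart) and change a monitored file more than three times to confirm that the fourth change still produces a syscheck alert.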

Re: [ossec-list] Regular OSSEC vs OSSEC Wazuh

2017-01-31 Thread secucatcher
Hi, Wazuh has rules updates and a nice integration of PCI DSS compliance. More and more, Wazuh is different from ossec, but I think they contribute to it too. I'm still using ossec with our ELK, but ELK is a pain in the ass to upgrade, so I think graylog is better for searching logs. there is