Re: [ossec-list] rootcheck_files, rootcheck_trojans, and system_audit don't appear to fire when using /var/ossec/etc/shared/agent.conf

2017-04-27 Thread dan (ddp)
On Wed, Apr 26, 2017 at 3:31 PM, Phil Porada wrote: > Hi, > > I'm running OSSEC 2.9.0. I'm unable to get the rootcheck to run the > rootcheck_files, rootcheck_trojans, and system_audit on an agent that has > its config pushed out via the server. I'm not sure what I'm doing

Re: [ossec-list] ossec-remoted high CPU utilization

2017-04-27 Thread dan (ddp)
On Wed, Apr 26, 2017 at 9:51 PM, Nikki Sridhar wrote: > There shouldn't be! Only system integrity configuration is enabled and that > runs every 20 hours. Real time system integrity check is enabled for 3 > directories. > Turn on the log all option on the server and

Re: [ossec-list] OSSEC UDP Ports

2017-04-27 Thread dan (ddp)
On Thu, Apr 27, 2017 at 12:08 PM, Anoop Perayil wrote: > Observed that the server initiates a connection to the client when we > restart Syscheck/Rootcheck on an agent like - > ./agent_control -r -u 001 > > a tcpdump on the agent shows - > 15:59:22.034966 IP x.x.x.x.1514 >

Re: [ossec-list] Active Response not working at all

2017-04-27 Thread Tony Bryant
For anyone curious it was an incredibly simple fix :(. Apparently if any active-responses in your ossec.config file are disabled, it will disable all of the active responses. I had 4 enabled and 1 disabled, but because of that 1, they all were disabled. On Wednesday, April 19, 2017 at 3:42:46

Re: [ossec-list] OSSEC UDP Ports

2017-04-27 Thread Anoop Perayil
Observed that the server initiates a connection to the client when we restart Syscheck/Rootcheck on an agent like - ./agent_control -r -u 001 a tcpdump on the agent shows - 15:59:22.034966 IP x.x.x.x.1514 > x.x.x.x.48902: UDP, length 73 -- --- You received this message because you are

Re: [ossec-list] ossec-remoted high CPU utilization

2017-04-27 Thread Phil Porada
It may be worth investigating an upgrade to OSSEC 2.9.0. According to the changelog, there are 2 potentially useful fixes that may help you out https://github.com/ossec/ossec-hids/releases - Avoids computing hashes multiple times to improve performance - Syscheck improvements

Re: [ossec-list] ossec-remoted high CPU utilization

2017-04-27 Thread Nikki S
OSSEC HIDS v2.8.3. 8 GB of RAM and 4 CPU cores VM. On Wednesday, April 26, 2017 at 10:23:02 PM UTC-4, Phil Porada wrote: > > What version of OSSEC are you running? What specs does the server node > have? >

Re: [ossec-list] i dos'd myself but ossec did not record it

2017-04-27 Thread Jesus Linares
OSSEC will detect the DoS attack only if it is monitoring a log file which contains an event related to DoS and probably you will have to create some decoders/rules. Regards. On Wednesday, April 26, 2017 at 9:35:44 PM UTC+2, dan (ddpbsd) wrote: > > On Wed, Apr 26, 2017 at 3:27 PM, Sargeras