Re: [ossec-list] OSSEC slack alerts for agents v2.9.0

2017-05-23 Thread Fredrik Hilmersson
Thanks everyone for the feedback and support. It all made sense and your comment did guide me to resolve it, wasn't any harder than updating the section and adding the agent ID, e.g.: ossec-slack local,AGENT.ID 7 Have a nice day and, Kind regards Fredrik Den tisdag

Re: [ossec-list] Re: Rule 510 is triggering events but logtest is not showing any rules that should be triggered

2017-05-23 Thread Gert Verhoog
I think I'm just really confused as to what "regex" and "match" are actually matching against. Given the following log event: 2017 May 24 12:38:16 (ci-runner__development_12.34.56.78) any->rootcheck File '/var/lib/docker/volumes/d758587e86d60a53043c93c1f730d6e04acdcb5f7a5a181182cfe0fb754aa293/_

Re: [ossec-list] Re: Rule 510 is triggering events but logtest is not showing any rules that should be triggered

2017-05-23 Thread Gert Verhoog
Unfortunately, it's still not working, and I'm not sure what else I can try... This is what I'm doing: The log entries that I want to ignore all look like this (from archives.log): 2017 May 24 12:38:16 (ci-runner__development_12.34.56.78) any->rootcheck File '/var/lib/docker/volumes/d758587e8

[ossec-list] Disable the ossec-agent for OS updates.

2017-05-23 Thread andrii . pravdyvyi
I am going to update my Linux servers and I tried to disable the ossec-agent for this time. I was the following workarounds: 1. stop agent on a host 2. run /var/ossec/bin/syscheck_control -u AGENT_ID 3. update 4. up agent But after start agent I got lots of trigger "new files in the server"

Re: [ossec-list] OSSEC slack alerts for agents v2.9.0

2017-05-23 Thread Jesus Linares
I see your point. I thought you were talking about the *integratord*. I never tried it using AR, but in your active-response configuration I see: > local It means that OSSEC is going to execute the script in the agent that generated the event. So, you must configure your slack script in ev

Re: [ossec-list] OSSEC slack alerts for agents v2.9.0

2017-05-23 Thread Fredrik Hilmersson
Hello again Jesus, As I did state, so we're not misunderstanding each other, I do not run the wazuh forked version, but the 2.9.0 OSSEC version. These are the configuration settings I've got: ossec-slack.sh SLACKUSER="ossec" CHANNEL="#channel" SITE="https://hooks.slack.com/services/..."; SOURC

Re: [ossec-list] OSSEC slack alerts for agents v2.9.0

2017-05-23 Thread Jesus Linares
Hi Fredrik, this is the flow: - The integrator reads the alerts from alerts.log, filtering by rule_id, level, group or event_location. - It executes the script using the arguments hook_url and api_key. - The slack script sends the alert to slack. Clarification: The host

Re: [ossec-list] OSSEC slack alerts for agents v2.9.0

2017-05-23 Thread Fredrik Hilmersson
Clarification: The host specific alerts are sent to slack but the agent alerts are being ignored.

Re: [ossec-list] OSSEC slack alerts for agents v2.9.0

2017-05-23 Thread Fredrik Hilmersson
Hello and thanks Jesus, I've read the documentation, however I do not use the forked wazuh version of OSSEC so I'm not sure that the integrator applies? What I want to clarify regarding my issue, so I do not misunderstand the approach. The OSSEC server (host) is the one responsible for sending

Re: [ossec-list] Re: problems registering agents

2017-05-23 Thread Jesus Linares
Hi, I'm glad to hear that. Here are some useful links: - Installation guide: https://documentation.wazuh.com/current/installation-guide/index.html - Authd guide: https://documentation.wazuh.com/current/user-manual/agents/registering-agents/register-agent-authd.html Regards. On Tuesda

Re: [ossec-list] Re: problems registering agents

2017-05-23 Thread Topper Bowers
Thank you! This is a huge help. The upgrade to 2.0 locally was painless *and* fixed my authd issues. Now to production. On Mon, May 22, 2017 at 7:19 PM, Jesus Linares wrote: > Hi, > > it is a known issue in that version (1.1.1). It is related with the > algorithm that assigns an agent ID. This i