Re: [ossec-list] wazuh agent showing disconnected

2018-05-09 Thread Jared Greene
Rajjab There is an ossec.log or ossec.json on the agent and on the server in the ossec directory. The location depends on the operating system that you are running. Mine is in /var/ossec/logs/ossec.json. Most of the entries will be "Info". You are looking for "critical", "Warning", or "error" in

Re: [ossec-list] Hostname instead of ip in alert from syslog-device

2018-05-07 Thread Jared Greene
Hello, If it helps, we use labels (Wazuh) on every agent so that we have the host name for every log, even if the host name and ip are not in the logs. We have our own agent that installs the ossec, Nessus and all beats agents and populates the labels automatically for all of our customers.

Re: [ossec-list] HIDS using OSSEC on Linux Server

2013-11-08 Thread Jared Greene
I thought that These come in by default... OSSEC HIDS Notification. 2013 Nov 05 15:05:13 Received From: ip-10-xx-x0-xx/var/log/messages Rule: 2932 fired (level 7) - New Yum package installed. Portion of the log(s): Nov 5 15:05:13 ip-10-xx-xx-xx yum[13394]: Installed:

Re: [ossec-list] Ossec Matching today's date

2013-10-30 Thread Jared Greene
I see this in my environment too when logs are not configured for log rotation properly. Every time the agent is restarted and reads the log, I get events for all of the entries that are in the log file. It has taken a lot of work with native application log rotation as well as logrotate to

Re: [ossec-list] Ossec Matching today's date

2013-10-30 Thread Jared Greene
I would start off with the log rotation as the first step. Unless your application is generating events in the past, I believe that this will fix most of your issues. I still have not been able to get the change order approved for the server referenced below, but when I look at other similar

Re: [ossec-list] ossec-hids-2.7 time delay between entry in log file and ossec alert

2013-10-19 Thread Jared Greene
http://www.ossec.net/doc/syntax/head_ossec_config.email_alerts.html Try... <do_not_delay /> Level 15 alerts from agent007 without delay or grouping: <email_alerts> <email_to>b...@example.com</email_to> <event_location>agent007</event_location> <level>15</level> <do_not_delay /> <do_not_group /> </email_alerts>

Re: [ossec-list] Decoder order of operations

2013-10-02 Thread Jared Greene
hmmm. kiss.. keep it simple smart. Thanks Dan. On Wed, Oct 2, 2013 at 9:23 AM, dan (ddp) ddp...@gmail.com wrote: <decoder name="D2C_WAP"> <prematch>^\d\d:\d\d:\d\d,\d\d\d ERROR </prematch> </decoder> <decoder name="D2C_WAP_Fetch_Failed"> <parent>D2C_WAP</parent> <regex>

Re: [ossec-list] Decoder order of operations

2013-10-02 Thread Jared Greene
at 9:29 AM, Jared Greene jaredgreene...@gmail.com wrote: hmmm. kiss.. keep it simple smart. Thanks Dan. The logs were similar enough that the decoding engine couldn't quite see the differences between them well enough (or I didn't have the patience to figure it out). So this seemed like

Re: [ossec-list] Client.keys

2013-09-19 Thread Jared Greene
Chris, Agent / Client = 1 client.keys file with a single entry in it. C:\Program Files (x86)\ossec-agent\client.keys = 1 entry Server / Manager = 1 client.keys file with an entry for every agent that is registered. /var/ossec/etc/client.keys If you are trying to copy the client.keys file from

Re: [ossec-list] Decoder question on Syntax

2013-09-18 Thread Jared Greene
Thank you again! ...[rowsFetched=(\d+)/regex got rid of the ] Jared On Wed, Sep 18, 2013 at 12:03 PM, dan (ddp) ddp...@gmail.com wrote: On Wed, Sep 18, 2013 at 11:37 AM, Jared jaredgreene...@gmail.com wrote: I have the following log entry ( and the [ was not my idea): 18-Sep-2013

Re: [ossec-list] OSSEC as a SIEM

2013-09-16 Thread Jared Greene
I too use AlienVault and (outside of some AWS cloud anomalies) it works fine. I doubt seriously that 400 servers would put a dent in the application. I use PowerShell to push all of the agents, update the server type specific profiles in ossec.conf settings, as well as configure integrity

Re: [ossec-list] Ignoring an IP Range

2013-08-30 Thread Jared Greene
Option: add <if_sid>30116</if_sid> (you will need the parent of 30116 as well). Restart ossec and make sure that ossec.log is clean. You could also use ossec-logtest to see what the logs are being decoded as to write the correct rules. On Fri, Aug 30, 2013 at 10:09 AM, Robert Pyzalski

Re: [ossec-list] ERROR: Queue '/queue/alerts/ar' not accessible

2013-08-27 Thread Jared Greene
/var/ossec/bin/ossec-control stop ps aux | grep ossec kill -9 (the PID of the remaining process(s) that was not stopped) repeat until there are no more ossec processes /var/ossec/bin/ossec-control start I believe that ././ar is for active response, do you have that enabled? On Tue, Aug 27,

Re: [ossec-list] OSSEC Profiles clarification

2013-08-15 Thread Jared Greene
Many Thanks! @Janelle Here are the permissions (keep in mind this is Alienvault) alienvault4sim:~# ls -ls /var/ossec/ total 52 4 dr-xr-x--- 3 root ossec 4096 Sep 12 2012 active-response 4 drwxr-x--- 2 www-data ossec 4096 Jul 18 17:52 agentless 4 dr-xr-x--- 2 www-data ossec 4096

Re: [ossec-list] Re: OSSEC Profiles clarification

2013-08-15 Thread Jared Greene
That is why I posted, because the verify-agent-config script does not report an error. I use the logtest and verify-agent... daily. looks like www-data owns /etc/shared and agent.conf alienvault4sim:~# ls -ls /var/ossec/etc/ total 160 4 -r--r- 1 www-data ossec 1834 Aug 15 13:31

Re: [ossec-list] Decoder help

2013-08-04 Thread Jared Greene
Sadly, the same result. 2013/08/04 18:30:16 ossec-testrule: INFO: Reading local decoder file. 2013/08/04 18:30:16 ossec-testrule: INFO: Started (pid: 19878). ossec-testrule: Type one log per line. [2013-08-03 23:45:24,461] javax.mail.AuthenticationFailedException **Phase 1: Completed

Re: [ossec-list] Re: Decoder help

2013-08-04 Thread Jared Greene
Yes, it is one of many that I am working on. I really appreciate the support... and on a weekend no less. Once you see it, it makes a lot of sense, it is just seeing it... :) Jared On Sun, Aug 4, 2013 at 9:37 PM, Michael Starks ossec-l...@michaelstarks.com wrote: On 08/04/2013 01:46 PM,

Re: [ossec-list] logging challenge

2013-07-30 Thread Jared Greene
Negative, no quotes. This is what a log looks like. As to the regex, I am able to regex the contents of the files (when renamed to standard naming conventions) just fine; however, I can't sort out the logic in the agent.conf file to use regex to determine the file name.

Re: [ossec-list] logging challenge

2013-07-30 Thread Jared Greene
Indeed. Bit hard to take this seriously when this is the starting point... but it is the task of the day. Thanks for the feedback. Jared On Tue, Jul 30, 2013 at 11:57 AM, Michael Starks ossec-l...@michaelstarks.com wrote: On 30.07.2013 09:38, dan (ddp) wrote: And maybe convince the