On Feb 10, 2017 8:13 AM, "Chris Snyder" wrote:
My only counter argument to your response is that if I do the same tests
with a 2.8.3 ossec server all the tests pass with the expected match of a
windows log type. So something changed somewhere in the ossec server.
Whether
On Thu, Feb 9, 2017 at 4:09 PM, Chris Snyder wrote:
> update on your new code.
>
> I replaced the following code:
>
>
> windows
> ^\d\d\d\d \w\w\w \d\d \d\d:\d\d:\d\d WinEvtLog: |^WinEvtLog:
>
> ^\.+: (\w+)\((\d+)\): (\.+):
> (\.+): \.+: (\S+):
> status, id,
On Thu, Feb 9, 2017 at 3:25 PM, Chris Snyder wrote:
> Your new windows decoder rules work great! I'm going to throw them at my
> hosts right now (better than what I've got at the moment!).
>
> However, I'm thinking there's a bug somewhere in some pattern matching code
>
On Thu, Feb 9, 2017 at 9:48 AM, Quintin Beukes wrote:
> Hi group,
>
> Server uname: Linux 2.6.32-642.13.1.el6.x86_64 #1 SMP Wed Jan 11 20:56:24
> UTC 2017 x86_64 x86_64 x86_64 GNU/Linux
> Agent uname: Linux 2.6.32-642.13.1.el6.x86_64 #1 SMP Wed Jan 11 20:56:24 UTC
> 2017
Thanks for pointing this out. It's definitely shown me a(nother) gap
in our rules testing setup.
I'm guessing a 2.9.1 will be coming in shortly with the changes we
made to the windows decoders backported from master.
Here are the new decoders if you want to give them a spin:
windows
On Wed, Feb 8, 2017 at 2:06 PM, Nil wrote:
> so I can't interact with the file that triggered the alert? seems kinda
> pointless then
>
Feel free to submit a pull request adding the functionality.
>
> On Tuesday, February 7, 2017, 18:45:39 (UTC+1), Nil wrote:
>>
>> Hi,
On Mon, Feb 6, 2017 at 1:49 PM, Steve Dimoff wrote:
> Hey everyone,
>
> I've been searching through this group and I couldn't find any reference of
> someone explaining the difference between global / local and then saved.
>
> I'm trying to figure out WHY the duplicate
On Wed, Feb 8, 2017 at 7:36 AM, Quintin Beukes wrote:
> Hi group,
>
> I'm trying to debug why my agents are always showing disconnected. They
> would work for a bit, and then randomly stop working. Some agents will
> disconnect permanently, some intermittently switch
On Tue, Feb 7, 2017 at 12:40 PM, Nil wrote:
> Hi, I would like to know how can I reference the file that triggered an
> alert in order to use it with the commands
> i.e. if file X were modified, I would like to do a `cp /full/path/of/X
> /some/other/path`
>
I don't believe
On Feb 7, 2017 6:28 AM, "Dominik" wrote:
I would like to write a decoder for a logfile with entries of the following
kind:
27.01.2017,09:06:17 [INFO] Engine-Version: 8.3.42.156
27.01.2017,09:06:17 [INFO] VDF-Version: 8.12.150.34
27.01.2017,09:06:17 [INFO] APC-Version:
On Wed, Feb 1, 2017 at 1:12 PM, wrote:
> Just a note, I have had /var/ossec/etc/shared/agent.conf go from having
> content back to being blank a number of times here without having any
> interaction on the server. Has anyone else experienced this?
>
Did you install OSSEC
On Wed, Feb 1, 2017 at 12:25 PM, wrote:
> Hello All,
>
> I am currently working on a central ossec.conf file which contains our
> Windows and Linux configurations for all clients. Here are a few background
> details:
>
> 1. We currently only have a few Linux deployments
On Wed, Feb 1, 2017 at 7:14 AM, Tibor Luth wrote:
> Nothing at all. That's why I thought to monitor a command output. Primarily
> in the mentioned (ossec-server side) appliance. Thanks for the reply. (I haven't
> figured out any solution yet).
>
Well there should be alerts when an
On Tue, Jan 31, 2017 at 11:15 AM, SternData
wrote:
> I'm getting hammered by probes for non-existent PHP files.
>
> Received From: sugaree->/var/log/httpd/xxx.com_error_log
> Rule: 1002 fired (level 2) -> "Unknown problem somewhere in the system."
> Portion of the
On Tue, Jan 31, 2017 at 7:06 AM, Abhijit Tikekar
wrote:
> Hi,
>
> I am unable to make work on our OSSEC instance for a few
> directories which are set for Real Time monitoring. OSSEC Agent version is
> 2.8.3 and server is currently on 2.8.1.
>
Start by correcting this
On Fri, Jan 27, 2017 at 11:00 AM, Daniel B. wrote:
>
> Yes, via ./ossec-control -r
>
root@ossec-test:/var/ossec/etc# /var/ossec/bin/ossec-control -r
Usage: /var/ossec/bin/ossec-control {start|stop|restart|status|enable|disable}
Try `/var/ossec/bin/ossec-control
On Mon, Jan 30, 2017 at 9:54 AM, Eli Tunkel wrote:
> Hi Guys
>
>
> I am looking to create a new custom ossec rule to capture specific phrase in
> a log.
> I have added the required directory to the ossec.conf
> monitoring.
>
> LOG Sample:
>
> 2016-07-24 11:43:22,707 INFO
On Mon, Jan 30, 2017 at 10:46 AM, Bertrand Danos wrote:
> Hello,
>
> I still have some problems with my custom rules.
> How to generate 3 different alerts depending on the messages.
>
>
> Here are my steps :
>
> 1) Add log file to monitor
> * Edit the file etc/ossec.conf
On Sun, Jan 29, 2017 at 2:54 PM, wrote:
> My web servers logs are being decoded as 'pure-transfer' instead of as an
> apache log due to the time format, which includes a dash '-'. If I remove
> the dash, then the logs are decoded as apache logs. I believe I have to
>
On Mon, Jan 30, 2017 at 9:14 AM, Tibor Luth wrote:
> Hi all!
>
> I have a few datasources sending remote syslog to an OSSIM appliance running
> Rsyslog (udp or tcp/514) and OSSEC server and local agent. First I would
> like to generate alerts or see in logs if a datasource
On Thu, Jan 26, 2017 at 4:41 PM, Daniel B. wrote:
>
>
>
> full_log:
>
> Files hidden inside directory
> '/var/lib/docker/aufs/mnt/545d04c068f0f7ce19361a94d1c43b0c6686a0dfdd45e1803ccee569acc1767b/usr/share/locale'.
> Link count does not match number of files (54,70).
On Wed, Jan 25, 2017 at 3:05 PM, Kat wrote:
> My bad - I should have explained "bind" a bit more. This is actually part
> of the FUSE filesystem (http://bindfs.org)
> You will need to install fuse utils and Userspace programs -- example:
>
> #yum search fuse
>
>
>
On Thu, Jan 5, 2017 at 11:07 AM, Lisa Li wrote:
> As an update, some incomplete rsyslog related alerts are seen so that makes
> me ask if my issue is related to decoders or even rules. These alerts are
> generated by server-1 and not its 100 clients. Client alerts are not
On Tue, Jan 24, 2017 at 2:12 PM, Kat wrote:
> There is a work-around which I have used.
> Dan is correct - you can't get to the folder outside of the chroot-ed jail.
> You can however, bring the folder in via:
>
> mount --bind /var/ossec/logs /data/logs/ossec
>
> The trick
logname= uid=0 euid=0 tty=:0 ruser= rhost= user=foo'
>
> **Phase 2: Completed decoding.
> No decoder matched.
>
> **Phase 3: Completed filtering (rules).
> Rule id: '2501'
> Level: '5'
> Description: 'User authentication failure.'
> **Alert to be g
On Jan 22, 2017 4:16 PM, "Kat" wrote:
The Wazuh fork is actually newer, but regardless there should never be a
conflict from 2.x to 2.x with agent and server. When
*With the caveat that this isn't explicitly tested.
you say "conflict" - can you be more specific on the
On Fri, Jan 20, 2017 at 8:25 AM, Kat wrote:
> I already did. :-)
> #1027
>
Thanks, I missed it. It's been merged.
> On Thursday, January 19, 2017 at 12:15:14 PM UTC-6, dan (ddpbsd) wrote:
>>
>> On Tue, Jan 17, 2017 at 3:06 PM, Kat wrote:
>> > The
On Tue, Jan 17, 2017 at 3:06 PM, Kat wrote:
> The problem is simple - the install.sh is where this is taken care of, but
> no one ever bothered to add the code when they added the variable of
> USER_AGENT_CONFIG_PROFILE.
>
If you submit a pull request I'll bother with it
On Thu, Jan 19, 2017 at 12:20 PM, Marianne Härdh wrote:
> Hello,
>
> I have a question about changing the date format in alerts.log if possible.
> At the moment, I get this as an alert:
>
> ** Alert 1484784302.1529: - pam,syslog,
> 2017 Jan 19 00:05:02
On Thu, Jan 19, 2017 at 11:18 AM, Bertrand Danos wrote:
> Hello,
>
> Is it possible to generate alerts on events that are outside a specific time
> slot?
>
> By sample, detect each user that connect on a computer outside the (08:00 -
> 20:00) timeslot.
>
>> Jan 19 07:00:00
On Wed, Jan 18, 2017 at 3:27 PM, Nikki S wrote:
> Hi,
>
> I have a couple of questions regarding FIM/System Integrity check. I'm
> hoping this would help others as well starting off with OSSEC.
>
> When a new agent is installed does it run the system integrity check
>
On Tue, Jan 17, 2017 at 2:53 PM, Daniel B. wrote:
> We use weave which periodically causes a network interface to enter
> promiscuous mode to sniff network traffic. This is expected behavior, and as
> such, I'm looking to ignore it.
>
> For reference, the iptables
On Jan 16, 2017 3:25 PM, "Nikki S" wrote:
I read through some of the posts already on the list regarding this topic
but I would still like some clarification on this please.
I have added all the system integrity options of 'include' and 'ignore' in
OSSEC.conf. Do I
On Jan 13, 2017 2:28 PM, "Joel" wrote:
hi all,
man, not having a good day.
I was starting to run out of space on my / volume as a result of ossec logs
piling up. I need to keep the logs, so I added a new drive (to the ossec
VMW vm) mounted it and then moved the logs/
On Fri, Jan 13, 2017 at 11:40 AM, Joel wrote:
> Thanks Dan
>
Sorry I didn't have better news.
If you want to open an issue on the github
(https://github.com/ossec/ossec-hids), we can keep it in mind when we
find time to work on features.
I think having more options might
On Fri, Jan 13, 2017 at 10:26 AM, Joel wrote:
> Hi all,
>
> I've been using ossec for a while now and I really like it.
>
> I'm now trying to integrate ossec with a monitoring application. I'd like
> to have ossec send Alerts to a remote host via syslog.
>
> I have it
On Jan 11, 2017 3:10 PM, "Mike" wrote:
Hi, did anyone figure out how to do this? We just started using OSSEC and I
have the same question as Ali?
I must be misunderstanding the question, but what happens when you point it
at the local syslog listener and setup syslog to log
On Tue, Jan 10, 2017 at 1:57 AM, Rimvydas wrote:
> Hi,
>
> I noticed one strange thing on one of my Debian 8 boxes. I saw that I'm not
> seeing mail notifications from ossec. Everything worked in the past on this
> server with this ossec installation. I checked process
On Mon, Jan 9, 2017 at 10:01 AM, Adam Tworkowski
wrote:
> Hi,
>
> I am collecting OSSEC logs via JSON on several log collection systems (ELK,
> Graylog2) and am attempting to accomplish some basic reporting with respects
> to determining which host triggered an Active
On Thu, Jan 5, 2017 at 6:59 PM, Sean Roe wrote:
> Hi all,
>
> I am having some problems keeping ossec-dbd connected. I am connecting to a
> mariadb 10.0.24 database and I am running ossec 2.8.3
>
Are there any clues in your mariadb logs?
> here is the info from the logs:
>
On Jan 8, 2017 8:19 AM, "Mike Hammett" wrote:
My current centralized logging environment stores syslog in MySQL. Can
OSSEC watch a SQL database instead of a file?
Not at this time
--
---
You received this message because you are subscribed to the Google Groups
On Tue, Dec 20, 2016 at 1:41 PM, dan (ddp) <ddp...@gmail.com> wrote:
> On Tue, Dec 20, 2016 at 1:40 PM, David Breise <dbre...@eticainc.com> wrote:
>> [root@turpentine ossec]# cat /etc/*release
>> CentOS release 6.8 (Final)
>> LSB_VERSION=base-4.0-amd64:base-4
On Sun, Dec 18, 2016 at 9:36 PM, Mohd Zainal Abidin Mamat
wrote:
> I'm getting the same error using ver 2.8.3 on centos 7. Still seeking solution.
>
Verify that you have the devel packages installed.
I just setup a Centos 7 VM, added the mysql community packages, and
installed
ing else), so I'll try
with that first.
Thanks for the info!
> On Tue, Dec 20, 2016 at 10:31 AM, dan (ddp) <ddp...@gmail.com> wrote:
>>
>> On Tue, Dec 20, 2016 at 1:19 PM, David Breise <dbre...@eticainc.com>
>> wrote:
>> > Tested commands manually, no e
On Tue, Dec 20, 2016 at 1:19 PM, David Breise wrote:
> Tested commands manually, no errors returned. This is still a problem for
> us.
>
Which distribution are you using? I'm wondering why mktemp isn't being
used (or why it's failing).
> On Wednesday, January 21, 2015 at
On Dec 18, 2016 8:37 AM, "Nish" wrote:
Hi,
Are changes made to the *OSSEC.conf *file logged somewhere in the system?
Asking because an admin inadvertently changed the notification email
address and we stopped getting the alerts for sometime and then corrected
it later...I
It's email_alert_level, I think. It's in the ossec.conf syntax documentation
On Dec 17, 2016 8:19 AM, "Mohd Zainal Abidin Mamat"
wrote:
> Hi,
>
> I want to receive email alert from level 10 and upward. How to set in
> ossec.conf?
>
> Thanks.
>
On Wed, Dec 14, 2016 at 7:20 AM, Francesco Raimondi
wrote:
> Greetings,
>
> I have some problems trying to detect a process running on the machine.
> Specifically, I want to detect the process "tor.exe" by using
> win_applications_rcl.txt
> Here's my directive:
>
>
proto: 'ssh'", 19 proto: 'ssh') = 19
> write(2, "\n", 1
> ) = 1
> write(2, " srcip: '192.168.10.2'", 28 srcip: '192.168.10.2') = 28
> write(2, "\n", 1
> ) = 1
> write(2, &quo
On Thu, Dec 15, 2016 at 8:04 AM, Benbrahim Anass
wrote:
> hi everyone,
>
> I have an ossec forwarding logs to a graylog in format CEF, the port on
> graylog is open, ossec telling me it's forwarding logs but when I check w/
> netstat, I don't see any connection
If you run
On Fri, Dec 16, 2016 at 7:54 AM, Benbrahim Anass
wrote:
> What a group, guys. Responding is so fast. Well DONE!!
>
Well now I definitely want to help you.
On Tue, Dec 13, 2016 at 9:11 AM, Chris Decker wrote:
> Victor,
>
> I'm at the point where my agents all have valid keys, so I'm unsure as to
> why I have ~ 750 clients and only ~225 are reported as "active" at any one
> time (all of the machines are alive and well, and
On Mon, Dec 12, 2016 at 7:35 PM, wrote:
> Hi,
>
> There hasn't been any action on this topic for over a year but it was never
> answered and I'm running into the same issue. What libraries is it looking
> for? Is there somewhere that I can look at, possibly edit the list? Why
>
On Tue, Dec 13, 2016 at 6:37 AM, flippery_fish wrote:
> Hi,
>
> Google Compute Engine does not allow outbound connections on ports 25, 465,
> and 587.
>
> As recommended by GCE, I have setup mailjet on 2525 which works fine for
> outbound mail relay.
>
> Is there a way to
On Dec 9, 2016 11:56 AM, "Bill Price" wrote:
We monitor a large variety of sites using ossec.
We were asked to monitor a Centos 7.2 site that is using journalctl.
Does Ossec 2.8.1 support log monitoring on a system using journalctl?
If not, will 2.9 or any later
On Dec 9, 2016 5:51 AM, "Bertrand Danos" wrote:
Hello Dan,
Thank you very much for your help.
I've a problem with the following decoder and sample. Its generates a
segfault in ossec-logtest :
netasq
logtype="filter"
^id=(\S+) time=\.+ fw="(\w+)" \.+
On Dec 9, 2016 9:17 AM, "Chris Decker" wrote:
Victor,
On Friday, December 9, 2016 at 6:42:27 AM UTC-5, Victor Fernandez wrote:
>
> Hi,
>
> Agents should send a keepalive each 10 minutes (600 seconds) by default,
> and this should be enough. But you can go down that time
On Dec 8, 2016 4:41 PM, "Chris Decker" wrote:
All,
I have an OSSEC instance (running the latest/greatest Wazuh code cloned
from GitHub) that has about 1k active hosts. I've noticed recently that
hosts are flipping back and forth between *Active* and *Disconnected*.
On Wed, Dec 7, 2016 at 12:39 PM, Omar M wrote:
> Did anyone find a solution to this problem?
>
> I've compiled the CDB and created the rules but cannot seem to get the
> lookup to work
>
I'd really need more information than this to help you.
On Wed, Dec 7, 2016 at 5:26 AM, 1kn0 wrote:
> Greetings,
>
> I'm new to OSSEC and I didn't find an answer to my problem on the list.
> I've appliance firewalls (netasq and stormshield) on a network. These
> firewalls export their logs to the computer where OSSEC is installed.
On Dec 3, 2016 4:54 PM, "Eponymous -" wrote:
Hi all,
I've had many problems getting the OSSEC agent to start up correctly on
FreeBSD 10.3 (see: https://groups.google.com/forum/#!topic/ossec-list/
VDT4cTObDPQ - "Chroot directory change option.") I figured it would best to
On Mon, Nov 28, 2016 at 7:47 AM, Julio Cesar wrote:
> Hello. I have a file with more than 1000 IP's blacklisted.
> Is there any way to include a syntax like this on custom ossec rule?
>
>>
>> /etc/blacklist/list.txt
>> Black-listed IP address
>>
>
This is an easy use case
On Mon, Nov 21, 2016 at 8:09 AM, dan (ddp) <ddp...@gmail.com> wrote:
> On Fri, Nov 18, 2016 at 11:35 AM, Kevin Branch
> <ke...@branchnetconsulting.com> wrote:
>> Rule 18257 appears to be prone to misfire. I see it tripping for things
>> like this:
>>
>> 2
On Fri, Nov 18, 2016 at 11:35 AM, Kevin Branch
wrote:
> Rule 18257 appears to be prone to misfire. I see it tripping for things
> like this:
>
> 2016 Nov 18 10:37:26 WinEvtLog: Application: INFORMATION(302): ESENT: (no
> user): no domain: BNC-O9020: Music.UI
make more sense.
>
> Christina
>
> On Fri, Nov 18, 2016 at 10:06 AM, Whit Blauvelt <w...@transpect.com> wrote:
>>
>> Hi Dan,
>>
>> Since I skipped answering this:
>>
>> On Mon, Nov 14, 2016 at 11:09:52AM -0500, dan (ddp) wrote:
>>
>>
On Fri, Nov 18, 2016 at 10:06 AM, Whit Blauvelt <w...@transpect.com> wrote:
> Hi Dan,
>
> Since I skipped answering this:
>
> On Mon, Nov 14, 2016 at 11:09:52AM -0500, dan (ddp) wrote:
>
>> > Except in a context of anon FTP servers (does anyone run those any
On Mon, Nov 21, 2016 at 7:34 AM, Yousif Johny wrote:
> Hi all,
>
> I've been having this weird issue with OSSEC. I setup an agent in one
> server, and things seem okay at first.
>
> When I modify a file that is being monitored (/etc/passwd) I'd have to wait
> a significant
On Nov 19, 2016 3:40 PM, "Zach Ogden" wrote:
>
> Hello,
>
> I am running the Windows Linux Subsystem on Windows 10. I installed ossec
on the debian bash system. I ran the ./install.sh file as my normal user with
sudo in front of the script. Installation was successful. I cannot
On Fri, Nov 18, 2016 at 5:23 AM, Kevin COUSIN wrote:
>
>
> On Thursday, November 17, 2016 18:15:57 UTC+1, dan (ddpbsd) wrote:
>>
>> On Thu, Nov 17, 2016 at 11:39 AM, Kevin COUSIN
>> wrote:
>> > Hi list,
>> >
>> > I try to use agentless on cisco ios
On Thu, Nov 17, 2016 at 11:39 AM, Kevin COUSIN wrote:
> Hi list,
>
> I try to use agentless on cisco ios switches. I add in ossec.conf
>
>
> ssh_pixconfig_diff
> 300
> user@switch
> periodic_diff
>
>
> I have ossec-agentlessd: INFO: Test passed for
Did you restart the ossec processes after adding the new localfile entry?
Try running the logs through ossec-logtest.
On Thu, Nov 17, 2016 at 5:39 AM, Arthur Hidalgo
wrote:
> In the file "/var/log/secure" :
>
> Nov 17 11:05:03 PCYINTPSEVU001 sshd[35427]:
On Mon, Nov 14, 2016 at 10:51 AM, Whit Blauvelt <w...@transpect.com> wrote:
> On Fri, Nov 11, 2016 at 07:10:51PM -0500, dan (ddp) wrote:
>> On Nov 11, 2016 4:11 PM, "Whit Blauvelt" <w...@transpect.com> wrote:
>> >
>> > With a default agent ins
On Mon, Nov 14, 2016 at 10:40 AM, Whit Blauvelt wrote:
> On Sat, Nov 12, 2016 at 11:17:19AM -0800, Dave Stoddard wrote:
>> If OSSEC is chrooting to /var/ossec, copy your /etc/services and
>> /etc/hosts
>> files to the /var/ossec/etc directory. Do not use a symlink or
On Nov 11, 2016 3:52 PM, "Whit Blauvelt" <w...@transpect.com> wrote:
>
> On Tue, Nov 08, 2016 at 04:37:04AM -0500, dan (ddp) wrote:
>
> > Have you tried 127.0.0.1?
>
> 127.0.0.1 does work.
>
> So this has something to do with chrooting in the current ver
On Nov 11, 2016 3:54 PM, "Whit Blauvelt" wrote:
>
> On Wed, Nov 09, 2016 at 10:19:21AM -0800, Dave Stoddard wrote:
> > If you are getting that message with getaddrinfo, it is likely you do
not have
> > an /etc/services file on your system, or smtp is not defined in the
/etc/
>
On Nov 11, 2016 4:11 PM, "Whit Blauvelt" wrote:
>
> With a default agent installation of 2.9rc3 with active response
included, I
> was surprised by a few things:
>
> 1. Too frequent connections, even successful ones with valid logins, to an
>ftp or sftp server are
On Fri, Nov 11, 2016 at 1:16 PM, 'James Vernon' via ossec-list
<ossec-list@googlegroups.com> wrote:
>
>
> On Friday, 11 November 2016 17:39:18 UTC, dan (ddpbsd) wrote:
>>
>> On Fri, Nov 11, 2016 at 12:37 PM, dan (ddp) <ddp...@gmail.com> wrote:
>> > On Fr
On Fri, Nov 11, 2016 at 12:31 PM, 'James Vernon' via ossec-list
wrote:
>
> http://imgur.com/a/efxLo
>
> If you follow that screenshot, you can see what I mean. These options were
> added in 2.8.1, and I have 2.8.3 yet they are invalid. Am I missing something
>
On Fri, Nov 11, 2016 at 12:37 PM, dan (ddp) <ddp...@gmail.com> wrote:
> On Fri, Nov 11, 2016 at 12:31 PM, 'James Vernon' via ossec-list
> <ossec-list@googlegroups.com> wrote:
>>
>> http://imgur.com/a/efxLo
>>
>> If you follow that screenshot, you can see
On Fri, Nov 11, 2016 at 10:41 AM, Keith wrote:
> I have a new OSSEC install on a 2012r2 box and have set up on directory I
> need to monitor in realtime for any changes or modifications to this one
> specific folder. It does not appear to be working so any suggestions on
>
On Wed, Nov 9, 2016 at 1:19 PM, Dave Stoddard wrote:
> If you are getting that message with getaddrinfo, it is likely you do not
> have an /etc/services file on your system, or smtp is not defined in the
> /etc/services file. Alternatively, it could be referring to localhost -
On Nov 8, 2016 9:53 AM, "Derek Day" wrote:
>
> If i have a system that has an ossec agent running, and the system needs
to be rebuilt or replaced, using same name and addresses space etc, just a
pc refresh. do i need to generate a new ID and client.keys on the server
side or
On Tue, Nov 8, 2016 at 9:13 AM, Kumar G wrote:
> Don't know if this falls under same issue. We are getting same error messages
> on one of the ossec server A, no new agents addition via manage_agents or
> ossec_authd were changing the status from "Never connected" to Active
On Nov 8, 2016 4:35 AM, "Whit Blauvelt" wrote:
>
> Hi,
>
> There have been multiple past discussions of email problems. Yet none seem
> to cover this exactly. Here's what's logging, repeatedly:
>
> 2016/11/04 18:33:53 getaddrinfo: Name or service not known
> 2016/11/04
have to. You might need to generate new keys, but I'm
not positive about that (you might be able to modify client.keys and
restart the OSSEC processes on the OSSEC server).
Or, if you use routing, nothing should have to change beyond that.
> On Fri, Nov 4, 2016 at 9:06 AM, dan (ddp) <
On Fri, Nov 4, 2016 at 6:25 AM, Jesus Linares wrote:
> Hi Matthew,
>
> Of course, you can do the "same" procedure from OSSEC-HIDS but Wazuh is
> doing a great effort to centralize, test and maintain decoders and rules
> submitted by Open Source contributors and create new ones.
>
On Fri, Nov 4, 2016 at 8:43 AM, Stephen LuShing wrote:
> I was able to install an ossec agent to a solaris 10 server and everything
> seems to be working. The only issue is I am getting this error and I think
> is because the network interface has a primary and a 2 virtual
On Thu, Nov 3, 2016 at 12:50 PM, Jit Tank <jitt...@gmail.com> wrote:
> Dan - thanks for your time ... which version of ESXi are you testing
> against?
>
5.5
> On Thu, Nov 3, 2016 at 4:44 PM, dan (ddp) <ddp...@gmail.com> wrote:
>>
>> On Thu, Nov 3, 2016 at 1
On Thu, Nov 3, 2016 at 12:44 PM, dan (ddp) <ddp...@gmail.com> wrote:
> On Thu, Nov 3, 2016 at 12:31 PM, dan (ddp) <ddp...@gmail.com> wrote:
>> On Thu, Nov 3, 2016 at 12:24 PM, dan (ddp) <ddp...@gmail.com> wrote:
>>> On Thu, Nov 3, 2016 at 12:07 PM, dan (ddp) &
On Thu, Nov 3, 2016 at 12:31 PM, dan (ddp) <ddp...@gmail.com> wrote:
> On Thu, Nov 3, 2016 at 12:24 PM, dan (ddp) <ddp...@gmail.com> wrote:
>> On Thu, Nov 3, 2016 at 12:07 PM, dan (ddp) <ddp...@gmail.com> wrote:
>>> On Thu, Nov 3, 2016 at 11:58 AM, Jit Tank
On Thu, Nov 3, 2016 at 12:18 PM, john homer alvero wrote:
> Hello,
>
> Is there a way for ossec-authd to establish TLS1.2 only? The reason I'm
> asking is that our vulnerability scanner is flagging the ossec-authd port
> 1515 as insecure because of support for RC4 and other
On Thu, Nov 3, 2016 at 12:24 PM, dan (ddp) <ddp...@gmail.com> wrote:
> On Thu, Nov 3, 2016 at 12:07 PM, dan (ddp) <ddp...@gmail.com> wrote:
>> On Thu, Nov 3, 2016 at 11:58 AM, Jit Tank <jitt...@gmail.com> wrote:
>>> Can anyone confirm the ssh_integrit
On Thu, Nov 3, 2016 at 12:07 PM, dan (ddp) <ddp...@gmail.com> wrote:
> On Thu, Nov 3, 2016 at 11:58 AM, Jit Tank <jitt...@gmail.com> wrote:
>> Can anyone confirm the ssh_integrity_check_linux agentless script works on
>> the ESXi 4.x, 5.x and 6.x platforms?
>>
>
On Thu, Nov 3, 2016 at 11:58 AM, Jit Tank wrote:
> Can anyone confirm the ssh_integrity_check_linux agentless script works on
> the ESXi 4.x, 5.x and 6.x platforms?
>
If you have an ESXi box, you can.
>
>
> On Thursday, November 3, 2016 at 12:45:45 PM UTC, dan (ddpbsd) wrote:
On Thu, Nov 3, 2016 at 5:50 AM, Jit Tank wrote:
> I note that OSSEC agent only supports VMWare ESX 3.0,3.5.
>
> Is it possible to perform file integrity checks on VMware vSphere ESXi 4.x,
> 5.x and 6.x?
>
> If possible, how is this completed? By agentless monitoring or by
/local/ossec-hids/queue/rids to
>> > be
>> > owned by the ossec user.
>> >
>> > I've no idea how this installer managed to mess this up.
>> >
>> > Just for reference, what should the permissions for the processes and
>> > chroot di
On Wed, Nov 2, 2016 at 12:00 PM, Matthew Casperson
wrote:
> I've been trying to track down where it details how often signatures are
> updated for OSSEC. Are new signatures part of each version? E.g. if I am
> on 2.8.2 and want to have the most up to date signatures
The users for the processes look correct, but I don't know the permissions
off hand. I'll try to look them up later.
> Thanks!
>
>
> On Tuesday, November 1, 2016 at 6:03:31 PM UTC, dan (ddpbsd) wrote:
>>
>> On Tue, Nov 1, 2016 at 1:53 PM, dan (ddp) <ddp...@gmail
On Tue, Nov 1, 2016 at 1:53 PM, dan (ddp) <ddp...@gmail.com> wrote:
> On Tue, Nov 1, 2016 at 1:49 PM, Eponymous - <the.e...@gmail.com> wrote:
>>>> To a process chrooted to /usr/local/ossec-hids, /var/run and
>>>> /usr/local/ossec-hids/var/run are the same
On Tue, Nov 1, 2016 at 1:49 PM, Eponymous - wrote:
>>> To a process chrooted to /usr/local/ossec-hids, /var/run and
>>> /usr/local/ossec-hids/var/run are the same thing. The process' root
>>> directory (/) is now /usr/local/ossec-hids. So /usr/local/ossec-hids/var/run
>>>