On Mon, Nov 28, 2016 at 7:47 AM, Julio Cesar wrote:
> Hello. I have a file with more than 1000 IP's blacklisted.
> Have any way to include a syntax like this on custom ossec rule?
>
>>
>> /etc/blacklist/list.txt
>> Black-listed IP address
>>
>
This is an easy use case for a cdb list:
https:
On Mon, Nov 21, 2016 at 8:09 AM, dan (ddp) wrote:
> On Fri, Nov 18, 2016 at 11:35 AM, Kevin Branch
> wrote:
>> Rule 18257 appears to be prone to misfire. I see it tripping for things
>> like this:
>>
>> 2016 Nov 18 10:37:26 WinEvtLog: Application: INFORMATION
On Fri, Nov 18, 2016 at 11:35 AM, Kevin Branch
wrote:
> Rule 18257 appears to be prone to misfire. I see it tripping for things
> like this:
>
> 2016 Nov 18 10:37:26 WinEvtLog: Application: INFORMATION(302): ESENT: (no
> user): no domain: BNC-O9020: Music.UI (25428)
> {87E550B7-AD4D-40F7-BE5E-263
more sense.
>
> Christina
>
> On Fri, Nov 18, 2016 at 10:06 AM, Whit Blauvelt wrote:
>>
>> Hi Dan,
>>
>> Since I skipped answering this:
>>
>> On Mon, Nov 14, 2016 at 11:09:52AM -0500, dan (ddp) wrote:
>>
>> > > Except in a context
On Fri, Nov 18, 2016 at 10:06 AM, Whit Blauvelt wrote:
> Hi Dan,
>
> Since I skipped answering this:
>
> On Mon, Nov 14, 2016 at 11:09:52AM -0500, dan (ddp) wrote:
>
>> > Except in a context of anon FTP servers (does anyone run those any more?)
>> > blocking
On Mon, Nov 21, 2016 at 7:34 AM, Yousif Johny wrote:
> Hi all,
>
> I've been having this weird issue with OSSEC. I setup an agent in one
> server, and things seem okay at first.
>
> When I modify a file that is being monitored (/etc/passwd) I'd have to wait
> a significant time for it to trigger a
On Nov 19, 2016 3:40 PM, "Zach Ogden" wrote:
>
> Hello,
>
> I am running the Windows Linux Subsystem on Windows 10. I installed ossec
on the debian bash system. I ran the ./install.sh file as my normal user with
sudo in front of the script. Installation was successful. I cannot start
the services co
On Fri, Nov 18, 2016 at 5:23 AM, Kevin COUSIN wrote:
>
>
> On Thursday, November 17, 2016 at 18:15:57 UTC+1, dan (ddpbsd) wrote:
>>
>> On Thu, Nov 17, 2016 at 11:39 AM, Kevin COUSIN
>> wrote:
>> > Hi list,
>> >
>> > I try to use agentless on cisco ios switches. I add in ossec.conf
>> >
>> >
>> >
On Thu, Nov 17, 2016 at 11:39 AM, Kevin COUSIN wrote:
> Hi list,
>
> I try to use agentless on cisco ios switches. I add in ossec.conf
>
>
> ssh_pixconfig_diff
> 300
> user@switch
> periodic_diff
>
>
> I have ossec-agentlessd: INFO: Test passed for 'ssh_pixconfig_diff'. in log
Did you restart the ossec processes after adding the new localfile entry?
Try running the logs through ossec-logtest.
On Thu, Nov 17, 2016 at 5:39 AM, Arthur Hidalgo
wrote:
> In the file "/var/log/secure" :
>
> Nov 17 11:05:03 PCYINTPSEVU001 sshd[35427]: pam_unix(sshd:auth):
> authentication fai
On Mon, Nov 14, 2016 at 10:51 AM, Whit Blauvelt wrote:
> On Fri, Nov 11, 2016 at 07:10:51PM -0500, dan (ddp) wrote:
>> On Nov 11, 2016 4:11 PM, "Whit Blauvelt" wrote:
>> >
>> > With a default agent installation of 2.9rc3 with active response included,
>
On Mon, Nov 14, 2016 at 10:40 AM, Whit Blauvelt wrote:
> On Sat, Nov 12, 2016 at 11:17:19AM -0800, Dave Stoddard wrote:
>> If OSSEC is chrooting to /var/ossec, copy your /etc/services and
>> /etc/hosts
>> files to the /var/ossec/etc directory. Do not use a symlink or a
>> hardlink
>>
On Nov 11, 2016 3:52 PM, "Whit Blauvelt" wrote:
>
> On Tue, Nov 08, 2016 at 04:37:04AM -0500, dan (ddp) wrote:
>
> > Have you tried 127.0.0.1?
>
> 127.0.0.1 does work.
>
> So this has something to do with chrooting in the current version? I do
have
> local
On Nov 11, 2016 3:54 PM, "Whit Blauvelt" wrote:
>
> On Wed, Nov 09, 2016 at 10:19:21AM -0800, Dave Stoddard wrote:
> > If you are getting that message with getaddrinfo, it is likely you do
not have
> > an /etc/services file on your system, or smtp is not defined in the
/etc/
> > services file. Alt
On Nov 11, 2016 4:11 PM, "Whit Blauvelt" wrote:
>
> With a default agent installation of 2.9rc3 with active response
included, I
> was surprised by a few things:
>
> 1. Too frequent connections, even successful ones with valid logins, to an
>ftp or sftp server are considered an attack and bloc
On Fri, Nov 11, 2016 at 1:16 PM, 'James Vernon' via ossec-list
wrote:
>
>
> On Friday, 11 November 2016 17:39:18 UTC, dan (ddpbsd) wrote:
>>
>> On Fri, Nov 11, 2016 at 12:37 PM, dan (ddp) wrote:
>> > On Fri, Nov 11, 2016 at 12:31 PM, 'James Vernon&
On Fri, Nov 11, 2016 at 12:31 PM, 'James Vernon' via ossec-list
wrote:
>
> http://imgur.com/a/efxLo
>
> If you follow that screenshot, you can see what I mean. These options were
> added in 2.8.1, and I have 2.8.3 yet they are invalid. Am I missing something
> really simple here?
>
When in doub
On Fri, Nov 11, 2016 at 12:37 PM, dan (ddp) wrote:
> On Fri, Nov 11, 2016 at 12:31 PM, 'James Vernon' via ossec-list
> wrote:
>>
>> http://imgur.com/a/efxLo
>>
>> If you follow that screenshot, you can see what I mean. These options were
>> added i
On Fri, Nov 11, 2016 at 10:41 AM, Keith wrote:
> I have a new OSSEC install on a 2012r2 box and have set up on directory I
> need to monitor in realtime for any changes or modifications to this one
> specific folder. It does not appear to be working so any suggestions on
> this would be appreciat
On Wed, Nov 9, 2016 at 1:19 PM, Dave Stoddard wrote:
> If you are getting that message with getaddrinfo, it is likely you do not
> have an /etc/services file on your system, or smtp is not defined in the
> /etc/services file. Alternatively, it could be referring to localhost - in
> that case, make
On Nov 8, 2016 9:53 AM, "Derek Day" wrote:
>
> If i have a system that has an ossec agent running, and the system needs
to be rebuilt or replaced, using same name and addresses space etc, just a
pc refresh. do i need to generate a new ID and client.keys on the server
side or can i use the same id/
On Tue, Nov 8, 2016 at 9:13 AM, Kumar G wrote:
> Don't know if this falls under same issue. We are getting same error messages
> on one of the ossec server A, no new agents addition via manage_agents or
> ossec_authd were changing the status from "Never connected" to Active after
> adding them.
On Nov 8, 2016 4:35 AM, "Whit Blauvelt" wrote:
>
> Hi,
>
> There have been multiple past discussions of email problems. Yet none seem
> to cover this exactly. Here's what's logging, repeatedly:
>
> 2016/11/04 18:33:53 getaddrinfo: Name or service not known
> 2016/11/04 18:33:53 ossec-maild(122
d to generate new keys, but I'm
not positive about that (you might be able to modify client.keys and
restart the OSSEC processes on the OSSEC server).
Or, if you use routing, nothing should have to change beyond that.
> On Fri, Nov 4, 2016 at 9:06 AM, dan (ddp) wrote:
>>
>> On
On Fri, Nov 4, 2016 at 6:25 AM, Jesus Linares wrote:
> Hi Matthew,
>
> Of course, you can do the "same" procedure from OSSEC-HIDS but Wazuh is
> doing a great effort to centralize, test and maintain decoders and rules
> submitted by Open Source contributors and create new ones.
>
Wow, just wow.
On Fri, Nov 4, 2016 at 8:43 AM, Stephen LuShing wrote:
> I was able to install an osec agent to a solaris 10 server and everything
> seems to be working. The only issue is I am getting this error and I think
> is because the network interface has a primary and a 2 virtual network
> interface. Here
On Thu, Nov 3, 2016 at 12:50 PM, Jit Tank wrote:
> Dan - thanks for your time ... which version of ESXi are you testing
> against?
>
5.5
> On Thu, Nov 3, 2016 at 4:44 PM, dan (ddp) wrote:
>>
>> On Thu, Nov 3, 2016 at 12:31 PM, dan (ddp) wrote:
>> > On Thu,
On Thu, Nov 3, 2016 at 12:44 PM, dan (ddp) wrote:
> On Thu, Nov 3, 2016 at 12:31 PM, dan (ddp) wrote:
>> On Thu, Nov 3, 2016 at 12:24 PM, dan (ddp) wrote:
>>> On Thu, Nov 3, 2016 at 12:07 PM, dan (ddp) wrote:
>>>> On Thu, Nov 3, 2016 at 11:58 AM, Jit Tank wrote
On Thu, Nov 3, 2016 at 12:31 PM, dan (ddp) wrote:
> On Thu, Nov 3, 2016 at 12:24 PM, dan (ddp) wrote:
>> On Thu, Nov 3, 2016 at 12:07 PM, dan (ddp) wrote:
>>> On Thu, Nov 3, 2016 at 11:58 AM, Jit Tank wrote:
>>>> Can anyone confirm the ssh_integrity_check_l
On Thu, Nov 3, 2016 at 12:18 PM, john homer alvero wrote:
> Hello,
>
> Is there a way for ossec-authd to establish TLS1.2 only? The reason I'm
> asking is that our vulnerability scanner is flagging the ossec-authd port
> 1515 as insecure because of support for RC4 and other non-tls1.2 protocols.
>
On Thu, Nov 3, 2016 at 12:24 PM, dan (ddp) wrote:
> On Thu, Nov 3, 2016 at 12:07 PM, dan (ddp) wrote:
>> On Thu, Nov 3, 2016 at 11:58 AM, Jit Tank wrote:
>>> Can anyone confirm the ssh_integrity_check_linux agentless script works on
>>> the ESXi 4.x, 5.x and 6.x platf
On Thu, Nov 3, 2016 at 12:07 PM, dan (ddp) wrote:
> On Thu, Nov 3, 2016 at 11:58 AM, Jit Tank wrote:
>> Can anyone confirm the ssh_integrity_check_linux agentless script works on
>> the ESXi 4.x, 5.x and 6.x platforms?
>>
>
> If you have an ESXi box, you can.
>
On Thu, Nov 3, 2016 at 11:58 AM, Jit Tank wrote:
> Can anyone confirm the ssh_integrity_check_linux agentless script works on
> the ESXi 4.x, 5.x and 6.x platforms?
>
If you have an ESXi box, you can.
>
>
> On Thursday, November 3, 2016 at 12:45:45 PM UTC, dan (ddpbsd) wrote:
>>
>> On Thu, Nov 3
On Thu, Nov 3, 2016 at 5:50 AM, Jit Tank wrote:
> I note that OSSEC agent only supports VMWare ESX 3.0,3.5.
>
> Is it possible to perform file integrity checks on VMware vSphere ESXi 4.x,
> 5.x and 6.x?
>
> If possible, how is this completed? By agentless monitoring or by compiling
> new agent bin
>> > be
>> > owned by the ossec user.
>> >
>> > I've no idea how this installer managed to mess this up.
>> >
>> > Just for reference, what should the permissions for the processes and
>> > chroot directory look like?
>> >
&
On Wed, Nov 2, 2016 at 12:00 PM, Matthew Casperson
wrote:
> I've been trying to track down where it details how often signatures are
> updated for OSSEC. Are new signatures part of each version? E.g. if I am
> on 2.8.2 and want to have the most up to date signatures would I have to
> upgrade to
sers for the processes look correct, but I don't know the permissions
off hand. I'll try to look them up later.
> Thanks!
>
>
> On Tuesday, November 1, 2016 at 6:03:31 PM UTC, dan (ddpbsd) wrote:
>>
>> On Tue, Nov 1, 2016 at 1:53 PM, dan (ddp) wrote:
>> >
On Tue, Nov 1, 2016 at 1:53 PM, dan (ddp) wrote:
> On Tue, Nov 1, 2016 at 1:49 PM, Eponymous - wrote:
>>>> To a process chrooted to /usr/local/ossec-hids, /var/run and
>>>> /usr/local/ossec-hids/var/run are the same thing. The process' root
>>>> di
On Tue, Nov 1, 2016 at 1:49 PM, Eponymous - wrote:
>>> To a process chrooted to /usr/local/ossec-hids, /var/run and
>>> /usr/local/ossec-hids/var/run are the same thing. The process' root
>>> directory (/) is now /usr/local/ossec-hids. So /usr/local/ossec-hids/var/run
>>> looks like /var/run to th
On Thu, Oct 27, 2016 at 10:10 AM, Gaetan Noel wrote:
> I'll give a try to disable the counter and see how it goes. Is it this
> setting in internal_options ?
>
remoted.verify_msg_id=0
> # Remoted counter io flush.
> remoted.recv_counter_flush=128
>
> Should I set it to 0 ?
>
> Thanks
>
> On Wedn
On Mon, Oct 31, 2016 at 10:55 AM,
wrote:
> Hi, i'm looking to put a wildcard in the tag and saw that you
> can use strftime. But it is not working in tag. Someone would
> have any idea to give me.
>
> It would, for example the following:
> /var/ossec/logs/archives/%Y
>
> In the logs:
> ossec-sy
On Mon, Oct 31, 2016 at 1:55 PM, Eponymous - wrote:
> Hmm are you sure it's hard-coded to /var/ossec in some cases?
>
> The only reason I ask is that this is for a FreeBSD based system and the
> package, by default, installs OSSEC into /usr/local/ossec-hids. If what
> you're saying is true then su
On Mon, Oct 31, 2016 at 2:02 PM, Brad wrote:
> Nice find Pedro! That was the problem. I wish the documentation had said
> that it was regex based. Lol. At least it's working now. :) Many thanks
>
I've created a pull request to hopefully fix the documentation:
https://github.com/ossec/ossec-
On Tue, Nov 1, 2016 at 3:11 AM, Thanh Luân Võ wrote:
> Hello all,
> I need help with the script for AR
> I'm building requirements OSSEC that:
> when a user runs an application, the user will check OSSEC and applications
> that they're in the position to allow or not. Check for a list of availabl
On Thu, Oct 27, 2016 at 9:49 AM, Jon Goodgion wrote:
> I'd like the logcollector on the agents to send logs as quickly as possible.
> I know by default the loop timeout is 2 (checking every 2 seconds for log
> file changes) - set in internal_options.conf. The minimum that you can set
> here seems
On Thu, Oct 27, 2016 at 8:20 AM, Gaetan Noel wrote:
> I have tried running in debug (both with internal_option.conf and with
> ossec-control enable debug but the results don't give me much to work on.
>
> I don't think there is such a process although it definitely looks like
> there is something
On Wed, Oct 26, 2016 at 2:03 PM, Gaetan Noel wrote:
> Hello,
>
> We are having an issue that makes me want to pull my hair out.
>
> Since about two days we get what seems to be a random number of agents that
> become disconnected. On that particular environment we have a total of about
> 1200+ key
On Wed, Oct 26, 2016 at 11:23 AM, Rui Da-Costa wrote:
>
> On Monday, 3 October 2016 13:47:30 UTC+2, dan (ddpbsd) wrote:
>>
>>
>> Is this in the decoder.xml file? I saw different errors when I changed
>> that file.
>
>
> Yes it is - still stuck, have quite a bit to read and learn on this to try
> f
On Wed, Oct 26, 2016 at 5:59 AM, Topper Bowers
wrote:
> Hello all,
>
> I'm using ossec 2.8.3 from Wazuh and I can't seem to get the agents to talk
> to the host. It is exactly as described here:
> https://botbot.me/freenode/ossec/2016-07-21/?msg=70001778&page=1.
>
> I've also put both the agent
On Tue, Oct 25, 2016 at 1:05 PM, Matt wrote:
> I posted the agent ossec.conf on the windows server in my first posting,
> here is how it's presently configured.
>
>
>
>
> 16200
If the agent isn't respecting the frequency in its ossec.conf, this is
a problem.
Unfortunately I don't hav
On Tue, Oct 25, 2016 at 12:29 PM, Matt wrote:
> It's my understanding it needed to be configured on the agent? Following is
What needed to be configured on the agent? Which specific settings
were you referencing in your previous email?
Some settings get set on the agent, some on the server. Which
On Tue, Oct 25, 2016 at 11:03 AM, Matt wrote:
> I can definitely confirm that the FIM scan ISN'T paying attention to the
> ossec.conf file on the Windows agent. Instead it is running based off the
> config of the OSSEC Master server. Pasting in config from windows agent.
> And I did add the new f
On Tue, Oct 25, 2016 at 8:49 AM, wrote:
> Hi,
>
> Agent to server communication issue is occurring on multiple machines and
> below logs are getting generated on client machine. We have requested
> customer to check packet drop on firewall but according to customer there is
> no packet drop on fi
Original message-
> From: ossec-list@googlegroups.com [mailto:ossec-list@googlegroups.com] On
> behalf of dan (ddp)
> Sent: Thursday, October 20, 2016 05:47 a.m.
> To: ossec-list@googlegroups.com
> Subject: Re: [ossec-list] Active response
>
> On Wed, Oct 19, 2016 at
On Fri, Oct 21, 2016 at 6:38 AM, Herman Harperink
wrote:
> I've been testing this, doesn't work.
>
Here's what's working for me:
firewall-drop
all
5712,5718
firewall-drop
server
5712,5718
> On Wednesday, October 19, 2016 at 6:25:33 PM UTC+2, Herman Harperink
On Wed, Oct 19, 2016 at 5:00 PM, Adiel Navarro
wrote:
> It's necessary to monitor /var/log/messages to catch the “illegal user”
> message and the AR script begin to run?
>
>
>
If you're running SSH on Windows, will there even be a /var/log/messages?
We don't have support for SSH on Windows because
On Wed, Oct 19, 2016 at 9:49 PM, wrote:
> I've recently setup my ossec server to output alerts to a json file. I'm
> sending it over to logstash and elasticsearch. I'd like to create a kibana
> dashboard that defines individual ossec agent hosts.
>
> The issue is that the json doesn't have it's
On Thu, Oct 20, 2016 at 6:37 AM, Pedro Sanchez wrote:
> Hi Ron,
>
> If you are using an integration with Elasticsearch, try out Wazuh fork based
> on OSSEC, augmented JSON capabilities including the AgentName you need.
Use OSSEC, not OSSEC. OSSEC and OSSEC don't have the same capabilities
as OSSEC
t;
>
> So, I need to create a new rule that match with the message and configure
the active response with that new rule, right?
>
>
Yep. Where are you getting these logs from? I don't think I've seen openssh
logs like this in the past.
>
>
>
>
>
> -Me
On Oct 19, 2016 12:08 PM, "Matt" wrote:
>
> Thank you both, I appreciate it.
>
> I added the config to the global file instead of the local file.
>
> So, I think realtime is behaving now, but not the rest. It's my
understanding the scan frequency for the agent is set on the agent, not the
global l
not necessary.
> -Original message-
> From: ossec-list@googlegroups.com [mailto:ossec-list@googlegroups.com] On
> behalf of dan (ddp)
> Sent: Wednesday, October 19, 2016 11:56 a.m.
> To: ossec-list@googlegroups.com
> Subject: Re: [ossec-list] Active response
&g
ilto:ossec-list@googlegroups.com] On
> behalf of dan (ddp)
> Sent: Wednesday, October 19, 2016 07:50 a.m.
> To: ossec-list@googlegroups.com
> Subject: Re: [ossec-list] Active response
>
> On Wed, Oct 19, 2016 at 8:43 AM, dan (ddp) wrote:
>> On Tue, Oct 18, 2016
saje original-----
> From: ossec-list@googlegroups.com [mailto:ossec-list@googlegroups.com] On
> behalf of dan (ddp) Sent: Wednesday, October 19, 2016 07:50 a.m.
> To: ossec-list@googlegroups.com
> Subject: Re: [ossec-list] Active response
>
> On Wed, Oct 19, 2016 at 8:43 A
On Wed, Oct 19, 2016 at 8:43 AM, dan (ddp) wrote:
> On Tue, Oct 18, 2016 at 6:54 PM, Aj Navarro wrote:
>> Only I see the next messages in /var/ossec/logs/alers/alerts.log
>>
>> ** Alert 1476724188.107242: mail - syslog,errors,
>>
>> 2016 Oct 17 12:09:48 ixtrtc42
On Tue, Oct 18, 2016 at 6:54 PM, Aj Navarro wrote:
> I tried to configure the next active response:
>
> On Ossec Server:
>
>
>
> firewall-drop
>
> firewall-drop.sh
>
> srcip
>
> yes
>
>
>
>
>
> no
>
> firewall-drop
>
> defined-agent
>
> 021
>
> 5712
>
> 1800
>
>
>
> On Ossec agent. (id 021)
>
>
On Mon, Oct 17, 2016 at 2:32 PM, Herman Harperink
wrote:
> That didn't work. Have to try something else.
>
I'm testing out:
firewall-drop
all
5712,5718
firewall-drop
server
5712,5718
I'll check it later to see if it worked.
> --
>
> ---
> You received this m
On Mon, Oct 17, 2016 at 2:46 PM, Sunny Day wrote:
> Is there a hard limit on the rate at which syscheck will report new/changed
> files?
>
> I have roughly 120 clients reporting to one server. I see frequent
> occasions where new or changed files (sometimes with realtime enabled,
> sometimes not
On Tue, Oct 18, 2016 at 5:28 AM, wrote:
> Hello,
>
> I'm having some trouble writing my own custom decoder for something that
> appears to be very simple (doesn't it always :p).
>
> The log line in question is:
> Oct 17 11:54:10 MY-SERV-01 ovpn-user-server[11780]: 10.40.160.21:62467 [NAME
> Surna
On Fri, Oct 14, 2016 at 5:52 PM, Matt wrote:
> Realtime monitoring seems to be working now that I've adjusted the scan
> frequency. Earlier the scan frequency was 4 hours, then 10 minutes. It's now
> 20 minutes and realtime now seems to work. I don't claim it makes sense,
> it's just what I'm obse
On Mon, Oct 17, 2016 at 9:02 AM, Herman Harperink
wrote:
>> Been testing a little more with this. With all all
>> agents get updated, except for the server. On the server AR just does not
>> work like that.
>
> Of course, with local it works on the server.
>
> So, when you want to protect all you
On Oct 15, 2016 10:51 AM, "Herman Harperink"
wrote:
>
> I've found that AR is working on my agents, but not on my server. AR is
set to ALL on my server.
> Did I miss something?
>
> Version 2.8.3 on Debian. AR log on the server is empty, but not on my
agents.
> Should I have installed the server in
On Oct 15, 2016 10:51 AM, "Herman Harperink"
wrote:
>
> Posted two times here, don't see my posts. Please ignore / delete.
>
I was asleep for the first one, and had a rushy sort of morning. They're
posted now, and I'll try harder in the future.
> --
>
> ---
> You received this message because yo
On Fri, Oct 14, 2016 at 8:55 AM, Kernel Panic wrote:
> Taking a look in /var/ossec/logs/alerts I can see there are lots of things
> registered, no related to the files I modified, but related to ssh login
> failures, sudo stuff and the like but never get an e-mail with that report.
>
Are the file
On Thu, Oct 13, 2016 at 1:09 PM, Kernel Panic wrote:
> Hi
> Does this still apply?
> I have this option enabled: yes along
> with the realtime=yes.
>
> From another post on the list:
>>In the past new files were not alerted in real time. I'm not sure if
>>this has changed. Any of the developers kn
On Thu, Oct 13, 2016 at 9:21 AM, Kernel Panic wrote:
>
> Hi
> Let's see, shouldn't I have to configure on each tag to which directory I
> want to apply it? as in check_all , directories, realtime and which
> directories, or are they global parameters? that's why I included home and
> root on both
On Oct 12, 2016 4:49 PM, "Kernel Panic" wrote:
>
> Hi there guys,
>
> When starting the agent I've got this info:
>
> Starting ossec-hids: 2016/10/12 15:43:05 ossec-agentd: INFO: Using notify
time: 600 and max time to reconnect: 1800
> 2016/10/12 15:43:05 ossec-config(1756): ERROR: Duplicated dire
On Wed, Oct 12, 2016 at 10:30 AM, Kernel Panic wrote:
> Hi guys
> The remote service was not starting, now it's up and running, and have to say
> that this was pure pain!!
>
It would be interesting to find out what happened to your setup to
give you such troubles.
> /var/ossec/bin/ossec-remoted -d
On Wed, Oct 12, 2016 at 9:09 AM, Kernel Panic wrote:
>
> chmod 777 /var/ossec/queue/ossec/queue
> z77s-tpuppetm01:/var/ossec/logs# /var/ossec/bin/ossec-syscheckd -df
> 2016/10/12 08:09:05 ossec-syscheckd: DEBUG: Starting ...
> 2016/10/12 08:09:05 ossec-rootcheck: DEBUG: Starting ...
> 2016/10/12 0
On Oct 11, 2016 2:22 PM, "Kernel Panic" wrote:
>
> Hi guys,
> Yes, I've been reading the error on the list, lots of cases and I got it
too but I run out of idea.
>
> The log:
>
Are there any errors before these messages?
Maybe try starting the daemons manually one at a time (with -df) to see
whic
On Thu, Oct 6, 2016 at 5:40 PM, Adiel Navarro
wrote:
> OK, I'm turning on the logall option
>
> I'm checking the command and it was an error: last 10
> I change for the correct sentence (last -10) and configure the next rule:
>
>
> 530
> ossec: output: '/usr/bin/last -10
The log sample you pos
On Fri, Oct 7, 2016 at 12:21 PM, Yousif Johny wrote:
> Okay, I'll re-enable it and try to write a rule but,
>
> For now I'd like to know why after commenting it out it's still looking at
> this file.
>
> I made the change in ossec.conf under the local files portion to not look at
> /var/log/messag
On Fri, Oct 7, 2016 at 12:08 PM, Yousif Johny wrote:
> Just to add,
>
> The messages are:
>
> Level:
> 2 - Unknown problem somewhere in the system.
> Rule Id:
> 1002
>
You can write rules to eliminate those issues. In fact, that's my
preferred method to get rid of 1002s.
>
> On Friday, October 7
On Thu, Oct 6, 2016 at 12:45 PM, Yousif Johny wrote:
> I used yum. I believe it was:
> sudo yum install ossec-hids ossec-hids-server
>
Ok, I don't know much about the packages. Try searching for an ossec
database package I guess.
>
> On Thursday, October 6, 2016 at 4:58:20 PM UTC+1, Yousif Johny
On Thu, Oct 6, 2016 at 12:33 PM, Yousif Johny wrote:
> That error was from the ossec.log (only thing there).
>
> As for ossec-dbd, I've been searching for this but there's no binary with
> that name under /var/ossec/bin.
>
There you go. That seems to be the problem.
How did you install OSSEC?
>
On Thu, Oct 6, 2016 at 11:58 AM, Yousif Johny wrote:
> Hi,
>
> I just setup OSSEC and I'm trying to get it to run with MySQL.
>
> I followed the instructions in the documentation,
>
> When I run :
> /var/ossec/bin/ossec-control restart
>
>
> I get:
> ossec-dbd did not start correctly.
>
>
>
> I'm
On Thu, Oct 6, 2016 at 11:06 AM, Yousif Johny wrote:
> I just see under Queue/agentless/ a file created for the host. In the file
> it says "syscheck".
>
> I just made a change to a file in the monitored host (passwd) which is part
> of those that should be checked, and I didn't see a difference i
On Thu, Oct 6, 2016 at 10:50 AM, Yousif Johny wrote:
> Hi Dan,
>
> Thank you for the response.
>
> Interestingly, it just got fixed. I had to modify part of the monitoring
> script as part of was calling main.exp with the wrong path.
>
> Now I'm left wondering. The log says test passed.
>
> How do
On Thu, Oct 6, 2016 at 10:30 AM, Yousif Johny wrote:
> Dear mates,
>
> I'd really appreciate your help with the issue I'm having, trying to get an
> Agentless monitoring working.
>
> I installed OSSEC in CentOS, and I'm trying to monitor a linux host using
> the ssh_integrity_check_linux script.
>
ple, it'll be a lot easier to write a rule that
correctly matches.
>
>
>
> -Original message-
> From: ossec-list@googlegroups.com [mailto:ossec-list@googlegroups.com] On
> behalf of dan (ddp)
> Sent: Wednesday, October 05, 2016 10:01 a.m.
> To: ossec
ly match the log messages sent
over. I usually use aliases to make this easier.
Also, make sure the output changes. If there are no changes, there
will be no alert.
>
>
> -Original message-
> From: ossec-list@googlegroups.com [mailto:ossec-list@googlegroups.com] On
> behalf of
aje original-
> From: ossec-list@googlegroups.com [mailto:ossec-list@googlegroups.com] On
> behalf of dan (ddp)
> Sent: Wednesday, October 05, 2016 09:40 a.m.
> To: ossec-list@googlegroups.com
> Subject: Re: [ossec-list] last -10
>
> On Wed, Oct 5, 2016 at 10:3
the end of a comment. Could you possibly have the rule
currently commented out?
>
> L.I. Adiel Jesús Navarro Rosado
> O&M Operational Security Analyst
> A: adiel.nava...@mail.telcel.com
> . Ext. 5179
> : 5510101509
>
>
> -Original message-
> From: ossec
On Tue, Oct 4, 2016 at 6:21 PM, Aj Navarro wrote:
> I want to monitor the last connections on a server.
>
> I configured the last -10 command in an ossec.conf client
>
>
> full_command
> last 10
> 60
>
> I need that the output of this command will send to the ossec server, but I
> n
n't last long enough to run into issues like
that, due to testing and whatnot.
>
> Thanks
> Kumar
>
> On 3 October 2016 at 17:18, dan (ddp) wrote:
>>
>> On Fri, Sep 30, 2016 at 4:40 PM, David wrote:
>> >
>> > Greetings --
>> >
>&
al time
>> monitoring: '/etc'.
>>
>> I am waiting diff to populate and I will check if real time it really
>> working
>>
>> back soon :) Thank you so much !
>>
>>
>>
>> 2016-10-03 14:32 GMT-03:00 dan (ddp) :
>>>
>>
On Mon, Oct 3, 2016 at 1:16 PM, R0me0 *** wrote:
> Dan , Just have take a look what you changed and I already did it.
>
> Just for curiosity I will clone and try to compile
>
> :)
>
It Compiles for Me (TM)
> 2016-10-03 13:58 GMT-03:00 dan (ddp) :
>>
>> Found
Found the issue, looks like I forgot to commit a few bits. It should work now.
On Mon, Oct 3, 2016 at 12:54 PM, dan (ddp) wrote:
> On Mon, Oct 3, 2016 at 12:51 PM, R0me0 *** wrote:
>> Hello Dan,
>>
>> I tried to compile the last OSSEC stable release
>> https://
om: http://ftp.openbsd.org/pub/OpenBSD/6.0/packages/amd64/
>
> pkg_add inotify-tools-3.14pl0.tgz dependency is libinotify-20160503.tgz
>
Ok, I haven't tried an agent build yet.
>
> Thanks
>
>
>
>
>
> 2016-10-03 8:37 GMT-03:00 dan (ddp) :
>>
>> On Fri,
On Fri, Sep 30, 2016 at 4:40 PM, David wrote:
>
> Greetings --
>
> I see frequent occasions where new or changed files seem to be reported by
> syscheck days, weeks, or even months after they were known to be added or
> modified.
>
> As an example, this is from the ossec server's alert log on Sept
On Fri, Sep 30, 2016 at 11:01 AM, Rui Da-Costa wrote:
> I stripped the default file to try and isolate, the only thing i have in the
> file now is:
>
>
> (pam_unix)$
>
>
> how can I debug this further?
Is this in the decoder.xml file? I saw different errors when I changed
that file.
However,