OSSEC seems to be ignoring Postgres during the install. This is running on
Ubuntu 14.04 LTS.
I already have Postgres and postgres-client installed.
sudo apt-get -y install postgresql postgresql-client postgresql-contrib
I get an error when I run setdb (notice it doesn't say anything about
I'm collecting firewall logs from many Ubuntu servers (basically the
/var/log/ufw.log).
In this log, I can see events about TCP, UDP and ICMP traffic (allowed or
dropped).
But, on my OSSEC server, in my firewall.log, I don't see any event related
to the ICMP protocol...
/x
On Sat, Jan 23, 2016 at
Yes, that would be an issue. Have you tried not sending the output to a
file and using the check_diff option on the rules itself?
You could do:
full_command
iptables -S
iptables_status
3600
And then write a rule to alert on changes:
530
ossec: output:
On Jan 26, 2016 7:02 AM, "Jason Aleksi" wrote:
>
> OSSEC seems to be ignoring Postgres during the install. This is running
on Ubuntu 14.04 LTS.
>
> I already have Postgres and postgres-client installed.
> sudo apt-get -y install postgresql postgresql-client
Thanks for the response.
I ran log test with the following output:
ossec-testrule: Type one log per line.
2016-01-20T17:49:19 Error validating xml data against the schema on line 272
Content of element "litleTxnId" is incomplete
**Phase 1: Completed pre-decoding.
full event:
I just had this same alert happen on our build server. This system has a
copy of svchost.exe in:
C:\Windows\winsxs\x86_microsoft-windows-services-svchost_31bf3856ad364e35_6.1.7600.16385_none_b591afc466a15356
So something caused Windows to install a side-by-side copy. The actual exe
is the
Xavier,
I'm collecting logs from my ASA and I do see ICMP traffic in my
firewall.log -
2016 Jan 26 12:00:50 ossec->192.168.168.168 CLOSED ICMP
1.2.3.4:10254->external.addr:10254
2016 Jan 26 12:00:54 ossec->192.168.168.168 CLOSED ICMP
1.2.3.4:10510->external.addr:10510
2016 Jan 26 12:00:57
Hi Brent,
I think that I found the problem! Here is a sample of my ossec-logtest
output:
**Phase 2: Completed decoding.
decoder: 'iptables'
action: 'AUDIT'
srcip: '92.222.185.1'
dstip: '51.254.36.238'
proto: 'ICMP'
But, while diving into the source code (in
Good catch!
I think the ASA provides ports just as part of internal processing of the
IP translation. Perhaps they're a sequence number or provide some internal
function for IOS. They seem completely random. They change to the real
port in the logs when using TCP or UDP. Here are the
If I use:
/var/www/vhosts/
syscheck logs no changes to any file.
If I use:
/var/www/vhosts/
Works fine and logs changes to any file.
Am I missing something when using the *restrict* option?
--
---
You received this message because you are subscribed to the Google Groups
"ossec-list"