[ossec-list] Re: OSSEC csyslogd truncates Windows Security Event ID: 4627.
Difference between your setup and mine is that I am forwarding events in CEF format, you seem to be forwarding the OSSEC multi-line format. Can you please rerun your test with CEF format in syslog_output? -- --- You received this message because you are subscribed to the Google Groups "ossec-list" group. To unsubscribe from this group and stop receiving emails from it, send an email to ossec-list+unsubscr...@googlegroups.com. For more options, visit https://groups.google.com/d/optout.
[ossec-list] Question on agent authentication and use of counters
Hi,

We recently migrated one of our OSSEC instances to a new server. We are using Linux (CentOS) as the platform. Post migration, we noticed that none of the agents were connected to the server, and the agents had the following error in the logs:

2016/09/15 09:05:56 ossec-agentd: INFO: Trying to connect to server (X.X.X.X:1514).
2016/09/15 09:05:56 ossec-agentd: INFO: Using IPv4 for: X.X.X.X .
2016/09/15 09:05:57 ossec-agentd(1214): WARN: Problem receiving message from X.X.X.X.
2016/09/15 09:06:06 ossec-agentd(1214): WARN: Problem receiving message from X.X.X.X

We were able to fix this by removing the files under /var/ossec/queue/rids (on the agent) and the corresponding agent file on the server, then doing the restarts. The agent immediately connected after this, but I wanted to know which steps could have caused this to happen? There are 2 agents which did connect by themselves without needing the fix, but it took a few hours. Others are still in the error state and most likely will require the manual correction.

The entire directory structure was copied as is from the old server, followed by an OSSEC install over those files by choosing the upgrade option. The content and permissions on these RIDS files were not changed during the copy, and the IP address for the server is the same.

It would be good to know what goes on between agent and server as far as these counters are concerned, and if there is a way to avoid this manual fix?

Many Thanks,
~ Abhi
[ossec-list] OSSEC - sudo
Hi team,

We are in the process of getting the sudo rules worked out for the OSSEC environment. However, a question came up about whether we can have the ossec user have read/write access on them (e.g. /var/ossec/rules, /var/ossec/etc - the ossec account should have write permission). Is it advisable to change the chmod permissions of files / folders under the /var/ossec directory? Does anyone have the list of sudo commands required on the OSSEC server / agent?

Thanks
Kumar
Re: [ossec-list] Re: Windows Eventlogs
Hi Jesus,

Apologies for the late reply. I was away from OSSEC for a while. The configuration for the eventlog ID was implemented; however, I started getting some new messages in the ossec logs on the agent box. Do you think these are normal?

2016/09/06 07:04:43 ossec-agent(1951): INFO: Analyzing event log: 'Application'.
2016/09/06 07:04:43 ossec-agent(1951): INFO: Analyzing event log: 'Security'.
2016/09/06 07:04:43 ossec-agent(1951): INFO: Analyzing event log: 'Security'.
2016/09/06 07:04:43 ossec-agent(1951): INFO: Analyzing event log: 'System'.
2016/09/06 07:04:43 ossec-agent: INFO: Started (pid: 3572).
2016/09/06 07:04:45 ossec-agent: INFO: Lock free. Continuing...
2016/09/06 07:04:59 ossec-agent: ERROR: Could not move (tmp/Security-a11968) to (bookmarks/Security) which returned (5)
2016/09/06 07:04:59 ossec-agent: ERROR: Could not rename_ex() temporary bookmark (tmp/Security-a11968) to (bookmarks/Security) for (Security)
2016/09/06 07:05:01 ossec-agent: ERROR: Could not move (tmp/Security-a20532) to (bookmarks/Security) which returned (5)
2016/09/06 07:05:01 ossec-agent: ERROR: Could not rename_ex() temporary bookmark (tmp/Security-a20532) to (bookmarks/Security) for (Security)
2016/09/06 07:05:21 ossec-agent: ERROR: Could not move (tmp/Security-a14540) to (bookmarks/Security) which returned (5)
2016/09/06 07:05:21 ossec-agent: ERROR: Could not rename_ex() temporary bookmark (tmp/Security-a14540) to (bookmarks/Security) for (Security)
2016/09/06 07:05:35 ossec-agent: INFO: Starting syscheck scan (forwarding database).
2016/09/06 07:05:35 ossec-agent: INFO: Starting syscheck database (pre-scan).
2016/09/06 07:05:37 ossec-agent: INFO: Initializing real time file monitoring (not started).
2016/09/06 07:05:37 ossec-agent: INFO: Real time file monitoring started.
2016/09/06 07:05:37 ossec-agent: INFO: Finished creating syscheck database (pre-scan completed).
2016/09/06 07:05:47 ossec-agent: INFO: Ending syscheck scan (forwarding database).
2016/09/06 07:05:59 ossec-agent: ERROR: Could not move (tmp/Security-a20532) to (bookmarks/Security) which returned (5)
2016/09/06 07:05:59 ossec-agent: ERROR: Could not rename_ex() temporary bookmark (tmp/Security-a20532) to (bookmarks/Security) for (Security)
2016/09/06 07:05:59 ossec-agent: ERROR: Could not move (tmp/Security-a14540) to (bookmarks/Security) which returned (5)
2016/09/06 07:05:59 ossec-agent: ERROR: Could not rename_ex() temporary bookmark (tmp/Security-a14540) to (bookmarks/Security) for (Security)
2016/09/06 07:06:07 ossec-agent: ERROR: Could not move (tmp/Security-a14540) to (bookmarks/Security) which returned (5)
2016/09/06 07:06:07 ossec-agent: ERROR: Could not rename_ex() temporary bookmark (tmp/Security-a14540) to (bookmarks/Security) for (Security)
2016/09/06 07:06:37 ossec-agent: ERROR: Could not move (tmp/Security-a20532) to (bookmarks/Security) which returned (5)
2016/09/06 07:06:37 ossec-agent: ERROR: Could not rename_ex() temporary bookmark (tmp/Security-a20532) to (bookmarks/Security) for (Security)
2016/09/06 07:06:55 ossec-agent: ERROR: Could not move (tmp/Security-a20532) to (bookmarks/Security) which returned (5)
2016/09/06 07:06:55 ossec-agent: ERROR: Could not rename_ex() temporary bookmark (tmp/Security-a20532) to (bookmarks/Security) for (Security)
2016/09/06 07:07:15 ossec-agent: ERROR: Could not move (tmp/Security-a20532) to (bookmarks/Security) which returned (5)
2016/09/06 07:07:15 ossec-agent: ERROR: Could not rename_ex() temporary bookmark (tmp/Security-a20532) to (bookmarks/Security) for (Security)
2016/09/06 07:07:27 ossec-agent: ERROR: Could not move (tmp/Security-a20532) to (bookmarks/Security) which returned (5)

This is another set of logs I see in the ossec.log file: "Error waiting mutex (timeout)"

2016/09/06 11:51:46 ossec-agent: INFO: Trying to connect to server (XX.XX.XX.XX:).
2016/09/06 11:51:46 ossec-agent: INFO: Using IPv4 for: XX.XX.XX.XX .
2016/09/06 11:52:48 ossec-agent: Error waiting mutex (timeout).
2016/09/06 11:55:03 ossec-agent: Error waiting mutex (timeout).
2016/09/06 11:56:35 ossec-agent: Error waiting mutex (timeout).
2016/09/06 11:57:03 ossec-agent(1114): ERROR: Unable to select().

Regards
Kumar

On 22 August 2016 at 14:20, Jesus Linares wrote:
> Hi Kumar,
>
> I think you can use other operators in the query (=, !=, <, >), so it
> could be useful for you to define an interval:
> Event/System[EventID> and EventID<]
>
> Anyway, I don't think that a query with "35 EventID" affects the
> performance, but I have never tried it.
>
> Also, you must define the * setting* in the ossec.conf of each
> agent or use */var/ossec/shared/agent.conf* in case you want to configure
> your agents from the manager. This way, only the events that you need will
> be sent to the Manager.
>
> Regards.
>
> On Friday, August 19, 2016 at 11:40:42 PM UTC+2, Kumar G wrote:
>>
>> Hi Team,
>>
>> Need your help on this.
>>
>> We have a couple of Windows Active Directory machines on
Re: [ossec-list] OSSEC Agentless Questions
On Thu, Sep 15, 2016 at 10:35 AM, Keith wrote:
> Hey Everyone,
>
> I have two questions related to agentless configurations. I can't seem to
> find a good answer on either.
>
> First Question:
>
> How do I remove a host from the ossec agentless config. I did remove it
> from ossec.conf and from .passlist but the hosts are still showing. Two of
> them were typos I'd like to remove. Output from syscheck:
>
> # ./bin/syscheck_control -l
>
> OSSEC HIDS syscheck_control. List of available agents:
>
> List of agentless devices:
> ID: na, Name: (ssh_asa-fwsmconfig_diff) ssecbackups@X.X.X.X, IP: X.X.X.X, agentless
> ID: na, Name: (ssh_pixconfig_diff) ssecbackups@X.X.X.X, IP: X.X.X.X, agentless
> ID: na, Name: (ssh_asa-fwsmconfig_diff) ossecbackups@X.X.X.X, IP: X.X.X.X, agentless
>
> The red devices I need to remove as they are typos.
>

Do files exist for these systems in /var/ossec/queue/syscheck? If so, remove the files (you may have to restart the OSSEC processes on the server).

> Second Question:
>
> The final host in the agentless output is correct but ossec is not logging
> into the host. I am getting the following error:
> # ./agentless/ssh_asa-fwsmconfig_diff ossecbacksup@X.X.X.X
> ERROR: Password for 'ossecbacksup@X.X.X.X' not found.
>
> Output from the .passlist file
> # cat agentless/.passlist
> ossecbacksups@X.X.X.X|
>

Is there a pipe ("|") at the end of that line? If not, that seems to provide that error for me.

> Manually logging into the target switch using the ossec account
> # ssh ossecbackups@X.X.X.X
>
> Password:
> router# exit
> Connection to X.X.X.X closed.
[ossec-list] OSSEC Agentless Questions
Hey Everyone,

I have two questions related to agentless configurations. I can't seem to find a good answer on either.

First Question:

How do I remove a host from the ossec agentless config. I did remove it from ossec.conf and from .passlist but the hosts are still showing. Two of them were typos I'd like to remove. Output from syscheck:

# ./bin/syscheck_control -l

OSSEC HIDS syscheck_control. List of available agents:

List of agentless devices:
ID: na, Name: (ssh_asa-fwsmconfig_diff) ssecbackups@X.X.X.X, IP: X.X.X.X, agentless
ID: na, Name: (ssh_pixconfig_diff) ssecbackups@X.X.X.X, IP: X.X.X.X, agentless
ID: na, Name: (ssh_asa-fwsmconfig_diff) ossecbackups@X.X.X.X, IP: X.X.X.X, agentless

The red devices I need to remove as they are typos.

Second Question:

*The final host in the agentless output is correct but ossec is not logging into the host. I am getting the following error:*
# ./agentless/ssh_asa-fwsmconfig_diff ossecbacksup@X.X.X.X
ERROR: Password for 'ossecbacksup@X.X.X.X' not found.

*Output from the .passlist file*
# cat agentless/.passlist
ossecbacksups@X.X.X.X|

*Manually logging into the target switch using the ossec account*
# ssh ossecbackups@X.X.X.X

Password:
router# exit
Connection to X.X.X.X closed.
Re: [ossec-list] OSSEC csyslogd truncates Windows Security Event ID: 4627.
On Thu, Sep 15, 2016 at 6:01 AM, dan (ddp) wrote:
> On Thu, Sep 15, 2016 at 1:13 AM, InfoSec wrote:
>> Regardless of the syslog RFC, they all allow messages up to 1024 bytes. The
>> entire message is 1017 bytes.
>>
>> I think csyslogd is choking on the \r\n\t\t (carriage return, line feed, and
>> two tabs) that precede every group SID. The event is being truncated just
>> before the first \r\n\t\t.
>>
>> I do not know which other events include any of the above characters and are
>> most likely to suffer from the same fate.
>>
>> AFAIC this is a serious flaw that precludes the use of OSSEC in the
>> environment.
>>
>
> IIRC, csyslogd isn't very big. It shouldn't be too difficult to poke
> around and try to debug this.
>

And looking into it briefly I see in the alerts.log:

** Alert 1473948303.87655: mail - local,syslog,
2016 Sep 15 10:05:03 ix->/var/log/messages
Rule: 73 (level 10) -> 'BIG alert'
User: Desktop
Sep 15 10:05:02 ix WinEvtLog: Security: AUDIT_SUCCESS(4627): Microsoft-Windows-Security-Auditing: (no user): no domain: Desktop: DESKTOP 0x18d6fc DESKTOP 0x67537fa5 2 1 1 \\r\\n\\t\\t%{S-1-5-21-xx-xx-xx-xxx}\\r\\n\\t\\t%{S-1-1-0}\\r\\n\\t\\t%{S-1-5-114}\\r\\n\\t\\t%{S-1-5-21-xx-xx-xx-}\\r\\n\\t\\t%{S-1-5-32-555}\\r\\n\\t\\t%{S-1-5-32-545}\\r\\n\\t\\t%{S-1-5-32-544}\\r\\n\\t\\t%{S-1-5-4}\\r\\n\\t\\t%{S-1-2-1}\\r\\n\\t\\t%{S-1-5-11}\\r\\n\\t\\t%{S-1-5-15}\\r\\n\\t\\t%{S-1-5-113}\\r\\n\\t\\t%{S-1-2-0}\\r\\n\\t\\t%{S-1-5-64-10}\\r\\n\\t\\t%{S-1-16-8192}

And on the receiving end (using nc to receive the data):

<132>Sep 15 10:05:01 ix ossec: Alert Level: 2; Rule: 1002 - Unknown problem somewhere in the system.; Location: ix->/var/log/messages; classification: syslog,errors,; Sep 15 10:05:01 ix syslogd: loghost "@tcp4://192.168.18.61:2514" connection error: Broken pipe
<132>Sep 15 10:05:03 ix ossec: Alert Level: 10; Rule: 73 - BIG alert; Location: ix->/var/log/messages; classification: local,syslog,; user: Desktop; Sep 15 10:05:02 ix WinEvtLog: Security: AUDIT_SUCCESS(4627): Microsoft-Windows-Security-Auditing: (no user): no domain: Desktop: DESKTOP 0x18d6fc DESKTOP 0x67537fa5 2 1 1 \\r\\n\\t\\t%{S-1-5-21-xx-xx-xx-xxx}\\r\\n\\t\\t%{S-1-1-0}\\r\\n\\t\\t%{S-1-5-114}\\r\\n\\t\\t%{S-1-5-21-xx-xx-xx-}\\r\\n\\t\\t%{S-1-5-32-555}\\r\\n\\t\\t%{S-1-5-32-545}\\r\\n\\t\\t%{S-1-5-32-544}\\r\\n\\t\\t%{S-1-5-4}\\r\\n\\t\\t%{S-1-2-1}\\r\\n\\t\\t%{S-1-5-11}\\r\\n\\t\\t%{S-1-5-15}\\r\\n\\t\\t%{S-1-5-113}\\r\\n\\t\\t%{S-1-2-0}\\r\\n\\t\\t%{S-1-5-64-10}\\r\\n\\t\\t%{S-1-16-8192}

So it looks to me like it's passing the entire log message.
[ossec-list] Re: Best way to whitelist installed RPM / packages
Thanks for the help, that's perfect.

On Thursday, September 15, 2016 at 5:20:21 AM UTC-4, Jesus Linares wrote:
>
> Hi Shawn,
>
> by default OSSEC triggers an alert when a package is
> installed/removed/updated:
>
> *command*
> yum install valgrind.x86_64
>
> *archives.log*
> 2016 Sep 15 09:08:44 ip-10-0-0-10->/var/log/messages Sep 15 09:08:43 ip-10-0-0-10 yum[5630]: Installed: 1:valgrind-3.10.0-16.el7.x86_64
>
> *alerts.log*
> ** Alert 1473930524.4047: mail - syslog,yum,config_changed,pci_dss_10.6.1,pci_dss_10.2.7,
> 2016 Sep 15 09:08:44 ip-10-0-0-10->/var/log/messages
> Rule: 2932 (level 7) -> 'New Yum package installed.'
> Sep 15 09:08:43 ip-10-0-0-10 yum[5630]: Installed: 1:valgrind-3.10.0-16.el7.x86_64
>
> If you want a whitelist of packages:
>
> 1. Create a decoder for yum in order to extract the package name in a
> field (*extra_data* for example)
> 2. Create a *CDB list* with the whitelisted packages
> 3. Create a child rule of 2932 in *local_rules.xml* with level 0 and
> check if extra_data (the package name) is in the CDB list. In this way, you
> will see only alerts for packages which are not in the list.
>
> I hope it helps.
> Regards.
>
> On Wednesday, September 14, 2016 at 10:27:07 PM UTC+2, Shawn Wiley wrote:
>>
>> Is there a way with OSSEC to create a whitelist of packages that should
>> be installed on my Red Hat server and create an ongoing alert that's
>> triggered if an unauthorized package (non-whitelisted) is installed? My
>> concern is if someone installs an unauthorized package and I miss the alert
>> or the alert is cleared, would the package be able to continue to run
>> without any new alerts being generated? Can I use OSSEC in this test case
>> or is there another tool I need to use? Thanks in advance for any advice.
>>
>> -Shawn
Re: [ossec-list] How to run ossec server by default?
On Thu, Sep 15, 2016 at 7:11 AM, Daiyue Weng wrote:
> Hi, I am wondering how to run ossec server by default as a daemon in Linux
> (Arch). For example,
>
> systemctl enable ossec-control ?
>

I haven't done any serious testing (avoiding systemd mostly), but these PRs might help:
https://github.com/ossec/ossec-hids/pull/895
https://github.com/ossec/ossec-hids/pull/894

>
> cheers
[ossec-list] How to run ossec server by default?
Hi, I am wondering how to run ossec server by default as a daemon in Linux (Arch). For example,

systemctl enable ossec-control ?

cheers
Re: [ossec-list] OSSEC csyslogd truncates Windows Security Event ID: 4627.
On Thu, Sep 15, 2016 at 1:13 AM, InfoSec wrote:
> Regardless of the syslog RFC, they all allow messages up to 1024 bytes. The
> entire message is 1017 bytes.
>
> I think csyslogd is choking on the \r\n\t\t (carriage return, line feed, and
> two tabs) that precede every group SID. The event is being truncated just
> before the first \r\n\t\t.
>
> I do not know which other events include any of the above characters and are
> most likely to suffer from the same fate.
>
> AFAIC this is a serious flaw that precludes the use of OSSEC in the
> environment.
>

IIRC, csyslogd isn't very big. It shouldn't be too difficult to poke around and try to debug this.
[ossec-list] Re: Best way to whitelist installed RPM / packages
Hi Shawn,

by default OSSEC triggers an alert when a package is installed/removed/updated:

*command*
yum install valgrind.x86_64

*archives.log*
2016 Sep 15 09:08:44 ip-10-0-0-10->/var/log/messages Sep 15 09:08:43 ip-10-0-0-10 yum[5630]: Installed: 1:valgrind-3.10.0-16.el7.x86_64

*alerts.log*
** Alert 1473930524.4047: mail - syslog,yum,config_changed,pci_dss_10.6.1,pci_dss_10.2.7,
2016 Sep 15 09:08:44 ip-10-0-0-10->/var/log/messages
Rule: 2932 (level 7) -> 'New Yum package installed.'
Sep 15 09:08:43 ip-10-0-0-10 yum[5630]: Installed: 1:valgrind-3.10.0-16.el7.x86_64

If you want a whitelist of packages:

1. Create a decoder for yum in order to extract the package name in a field (*extra_data* for example)
2. Create a *CDB list* with the whitelisted packages
3. Create a child rule of 2932 in *local_rules.xml* with level 0 and check if extra_data (the package name) is in the CDB list. In this way, you will see only alerts for packages which are not in the list.

I hope it helps.
Regards.

On Wednesday, September 14, 2016 at 10:27:07 PM UTC+2, Shawn Wiley wrote:
>
> Is there a way with OSSEC to create a whitelist of packages that should
> be installed on my Red Hat server and create an ongoing alert that's
> triggered if an unauthorized package (non-whitelisted) is installed? My
> concern is if someone installs an unauthorized package and I miss the alert
> or the alert is cleared, would the package be able to continue to run
> without any new alerts being generated? Can I use OSSEC in this test case
> or is there another tool I need to use? Thanks in advance for any advice.
>
> -Shawn
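The three steps in the reply above, written out as OSSEC configuration. This is an added example, not part of the reply or of the OSSEC project; it assumes the stock decoder named `yum` (matched on program_name) from OSSEC's decoder.xml is present, and the decoder name `yum-package`, rule ids 100100/100101 and list path `lists/yum-whitelist` are placeholders. It goes one step beyond the reply by also adding an explicit higher-level alert for packages that are absent from the list.

```xml
<!-- 1. /var/ossec/etc/local_decoder.xml
     Child of the stock "yum" decoder (assumed to exist). Captures the
     package string after "Installed: " into extra_data. The epoch is
     kept ("1:valgrind-3.10.0-16.el7.x86_64"), so the CDB keys below must
     carry the exact same string; that pins the whitelist to a version. -->
<decoder name="yum-package">
  <parent>yum</parent>
  <prematch>^Installed: </prematch>
  <regex offset="after_prematch">(\S+)</regex>
  <order>extra_data</order>
</decoder>

<!-- 2. /var/ossec/lists/yum-whitelist  (plain-text CDB source)
     One "key:" per line; the value after the colon may be left empty.
     Sample entries, constructed for this example:

         1:valgrind-3.10.0-16.el7.x86_64:
         vim-enhanced-7.4.160-1.el7.x86_64:

     Compile with /var/ossec/bin/ossec-makelists after every change, and
     register the list in /var/ossec/etc/ossec.conf so analysisd loads it:

         <ossec_config>
           <rules>
             <list>lists/yum-whitelist</list>
           </rules>
         </ossec_config>
-->

<!-- 3. /var/ossec/rules/local_rules.xml -->
<group name="local,yum,">
  <!-- Known package: child of 2932 at level 0, so the parent's level 7
       alert is silenced for anything whose extra_data is a list key. -->
  <rule id="100100" level="0">
    <if_sid>2932</if_sid>
    <list field="extra_data" lookup="match_key">lists/yum-whitelist</list>
    <description>Whitelisted Yum package installed.</description>
  </rule>

  <!-- Extension beyond the reply: unknown package raised above 2932's
       level 7 so it is not lost among routine package alerts. -->
  <rule id="100101" level="10">
    <if_sid>2932</if_sid>
    <list field="extra_data" lookup="not_match_key">lists/yum-whitelist</list>
    <description>Yum package installed that is NOT in the whitelist.</description>
  </rule>
</group>
```

Restart OSSEC after editing; the "Updated:" and "Erased:" yum lines are not covered by this decoder's prematch and still fire their stock rules.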
[ossec-list] Re: log_alert_levels versus syslog_output > level?
Alerts --> Alert level has to do with the event level threshold below which events are dropped and not placed in the alerts file.

Syslog --> Level has to do with the event level threshold below which events are not forwarded via csyslogd to the syslog receiver.