[ossec-list] Re: OSSEC csyslogd truncates Windows Security Event ID: 4627.

2016-09-15 Thread InfoSec
The difference between your setup and mine is that I am forwarding events in 
CEF format; you seem to be forwarding the OSSEC multi-line format.

Can you please rerun your test with CEF format in syslog_output?

-- 

--- 
You received this message because you are subscribed to the Google Groups 
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to ossec-list+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.


[ossec-list] Question on agent authentication and use of counters

2016-09-15 Thread Abhijit Tikekar
Hi,

We recently migrated one of our OSSEC instances to a new server. We are
using Linux (CentOS) as the platform. Post migration, we noticed that none
of the agents were connected to the server and the agents had the following
error in the logs:

2016/09/15 09:05:56 ossec-agentd: INFO: Trying to connect to server
(X.X.X.X:1514).
2016/09/15 09:05:56 ossec-agentd: INFO: Using IPv4 for: X.X.X.X .
2016/09/15 09:05:57 ossec-agentd(1214): WARN: Problem receiving message
from X.X.X.X.
2016/09/15 09:06:06 ossec-agentd(1214): WARN: Problem receiving message
from X.X.X.X

We were able to fix this by removing the files under /var/ossec/queue/rids
(on the agent) and the corresponding agent file on the server, then doing the
restarts. The agents immediately connected after this, but I wanted to know
what steps could have caused this to happen. There are 2 agents which did
connect by themselves without needing the fix, but it took a few hours.
Others are still in the error state and will most likely require the manual
correction.

The entire directory structure was copied as is from the old server,
followed by an OSSEC install over those files choosing the upgrade option. The
content and permissions of these RIDS files were not changed during the
copy, and the IP address of the server is the same.

It would be good to know what goes on between agent and server as far as these
counters are concerned, and whether there is a way to avoid this manual fix.

Many Thanks,

~ Abhi



[ossec-list] OSSEC - sudo

2016-09-15 Thread Kumar G
Hi team,

We are in the process of getting the sudo rules worked out for the OSSEC
environment. However, a question came up: can the ossec user have read/write
access on them (e.g. /var/ossec/rules, /var/ossec/etc: the ossec account
should have write permission)? Is it advisable to change the chmod
permissions of files / folders under the /var/ossec directory?

Does anyone have the list of sudo commands required on the OSSEC server /
agent?


Thanks
Kumar



Re: [ossec-list] Re: Windows Eventlogs

2016-09-15 Thread Kumar G
Hi Jesus,

Apologies for the late reply. I was away from OSSEC for a while.

The configuration for the event log ID was implemented; however, I started
getting some new messages in the ossec logs on the agent box. Do you
think these are normal?


2016/09/06 07:04:43 ossec-agent(1951): INFO: Analyzing event log:
'Application'.
2016/09/06 07:04:43 ossec-agent(1951): INFO: Analyzing event log:
'Security'.
2016/09/06 07:04:43 ossec-agent(1951): INFO: Analyzing event log:
'Security'.
2016/09/06 07:04:43 ossec-agent(1951): INFO: Analyzing event log: 'System'.
2016/09/06 07:04:43 ossec-agent: INFO: Started (pid: 3572).
2016/09/06 07:04:45 ossec-agent: INFO: Lock free. Continuing...
2016/09/06 07:04:59 ossec-agent: ERROR: Could not move
(tmp/Security-a11968) to (bookmarks/Security) which returned (5)
2016/09/06 07:04:59 ossec-agent: ERROR: Could not rename_ex() temporary
bookmark (tmp/Security-a11968) to (bookmarks/Security) for (Security)
2016/09/06 07:05:01 ossec-agent: ERROR: Could not move
(tmp/Security-a20532) to (bookmarks/Security) which returned (5)
2016/09/06 07:05:01 ossec-agent: ERROR: Could not rename_ex() temporary
bookmark (tmp/Security-a20532) to (bookmarks/Security) for (Security)
2016/09/06 07:05:21 ossec-agent: ERROR: Could not move
(tmp/Security-a14540) to (bookmarks/Security) which returned (5)
2016/09/06 07:05:21 ossec-agent: ERROR: Could not rename_ex() temporary
bookmark (tmp/Security-a14540) to (bookmarks/Security) for (Security)
2016/09/06 07:05:35 ossec-agent: INFO: Starting syscheck scan (forwarding
database).
2016/09/06 07:05:35 ossec-agent: INFO: Starting syscheck database
(pre-scan).
2016/09/06 07:05:37 ossec-agent: INFO: Initializing real time file
monitoring (not started).
2016/09/06 07:05:37 ossec-agent: INFO: Real time file monitoring started.
2016/09/06 07:05:37 ossec-agent: INFO: Finished creating syscheck database
(pre-scan completed).
2016/09/06 07:05:47 ossec-agent: INFO: Ending syscheck scan (forwarding
database).
2016/09/06 07:05:59 ossec-agent: ERROR: Could not move
(tmp/Security-a20532) to (bookmarks/Security) which returned (5)
2016/09/06 07:05:59 ossec-agent: ERROR: Could not rename_ex() temporary
bookmark (tmp/Security-a20532) to (bookmarks/Security) for (Security)
2016/09/06 07:05:59 ossec-agent: ERROR: Could not move
(tmp/Security-a14540) to (bookmarks/Security) which returned (5)
2016/09/06 07:05:59 ossec-agent: ERROR: Could not rename_ex() temporary
bookmark (tmp/Security-a14540) to (bookmarks/Security) for (Security)
2016/09/06 07:06:07 ossec-agent: ERROR: Could not move
(tmp/Security-a14540) to (bookmarks/Security) which returned (5)
2016/09/06 07:06:07 ossec-agent: ERROR: Could not rename_ex() temporary
bookmark (tmp/Security-a14540) to (bookmarks/Security) for (Security)
2016/09/06 07:06:37 ossec-agent: ERROR: Could not move
(tmp/Security-a20532) to (bookmarks/Security) which returned (5)
2016/09/06 07:06:37 ossec-agent: ERROR: Could not rename_ex() temporary
bookmark (tmp/Security-a20532) to (bookmarks/Security) for (Security)
2016/09/06 07:06:55 ossec-agent: ERROR: Could not move
(tmp/Security-a20532) to (bookmarks/Security) which returned (5)
2016/09/06 07:06:55 ossec-agent: ERROR: Could not rename_ex() temporary
bookmark (tmp/Security-a20532) to (bookmarks/Security) for (Security)
2016/09/06 07:07:15 ossec-agent: ERROR: Could not move
(tmp/Security-a20532) to (bookmarks/Security) which returned (5)
2016/09/06 07:07:15 ossec-agent: ERROR: Could not rename_ex() temporary
bookmark (tmp/Security-a20532) to (bookmarks/Security) for (Security)
2016/09/06 07:07:27 ossec-agent: ERROR: Could not move
(tmp/Security-a20532) to (bookmarks/Security) which returned (5)


This is another set of logs I see in the ossec.log file: "Error waiting
mutex (timeout)"
2016/09/06 11:51:46 ossec-agent: INFO: Trying to connect to server
(XX.XX.XX.XX:).
2016/09/06 11:51:46 ossec-agent: INFO: Using IPv4 for: XX.XX.XX.XX .
2016/09/06 11:52:48 ossec-agent: Error waiting mutex (timeout).
2016/09/06 11:55:03 ossec-agent: Error waiting mutex (timeout).
2016/09/06 11:56:35 ossec-agent: Error waiting mutex (timeout).
2016/09/06 11:57:03 ossec-agent(1114): ERROR: Unable to select().

Regards
Kumar

On 22 August 2016 at 14:20, Jesus Linares  wrote:

> Hi Kumar,
>
> I think you can use other operators in the query (=, !=, <, >), so it
> could be useful for you to define an interval:
> Event/System[EventID> and EventID<]
>
> Anyway, I don't think that a query with "35 EventID" affects the
> performance, but I have never tried it.
>
> Also, you must define the * setting* in the ossec.conf of each
> agent or use */var/ossec/shared/agent.conf* in case you want to configure
> your agents from the manager. This way, only the events that you need will
> be sent to the Manager.
>
> Regards.
>
>
> On Friday, August 19, 2016 at 11:40:42 PM UTC+2, Kumar G wrote:
>>
>> Hi Team,
>>
>>
>> Need your help on this.
>>
>> We have a couple of Windows Active Directory machines on 

Re: [ossec-list] OSSEC Agentless Questions

2016-09-15 Thread dan (ddp)
On Thu, Sep 15, 2016 at 10:35 AM, Keith  wrote:
> Hey Everyone,
>
> I have two questions related to agentless configurations. I can't seem to
> find a good answer on either.
>
> First Question:
>
> How do I remove a host from the ossec agentless config? I did remove it
> from ossec.conf and from .passlist but the hosts are still showing. Two of
> them were typos I'd like to remove. Output from syscheck:
>
> # ./bin/syscheck_control -l
>
> OSSEC HIDS syscheck_control. List of available agents:
> 
>
> List of agentless devices:
>ID: na, Name: (ssh_asa-fwsmconfig_diff) ssecbackups@X.X.X.X, IP: X.X.X.X,
> agentless
>ID: na, Name: (ssh_pixconfig_diff) ssecbackups@X.X.X.X, IP: X.X.X.X,
> agentless
>ID: na, Name: (ssh_asa-fwsmconfig_diff) ossecbackups@X.X.X.X, IP:
> X.X.X.X, agentless
>
> The red devices I need to remove as they are typos.
>

Do files exist for these systems in /var/ossec/queue/syscheck? If so,
remove the files (you may have to restart the OSSEC processes on the
server).

> Second Question:
>
> The final host in the agentless output is correct but ossec is not logging
> into the host. I am getting the following error:
> # ./agentless/ssh_asa-fwsmconfig_diff ossecbacksup@X.X.X.X
> ERROR: Password for 'ossecbacksup@X.X.X.X' not found.
>
> Output from the .passlist file
> # cat agentless/.passlist
> ossecbacksups@X.X.X.X|
>

Is there a pipe ("|") at the end of that line? If not, that seems to
provide that error for me.

> Manually logging into the target switch using the ossec account
> # ssh ossecbackups@X.X.X.X
> 
> Password:
> router# exit
> Connection to X.X.X.X closed.
>



[ossec-list] OSSEC Agentless Questions

2016-09-15 Thread Keith
Hey Everyone,

I have two questions related to agentless configurations. I can't seem to 
find a good answer on either.

First Question:

How do I remove a host from the ossec agentless config? I did remove it 
from ossec.conf and from .passlist but the hosts are still showing. Two of 
them were typos I'd like to remove. Output from syscheck:

# ./bin/syscheck_control -l

OSSEC HIDS syscheck_control. List of available agents:


List of agentless devices:
   ID: na, Name: (ssh_asa-fwsmconfig_diff) ssecbackups@X.X.X.X, IP: 
X.X.X.X, agentless
   ID: na, Name: (ssh_pixconfig_diff) ssecbackups@X.X.X.X, IP: X.X.X.X, 
agentless
   ID: na, Name: (ssh_asa-fwsmconfig_diff) ossecbackups@X.X.X.X, IP: 
X.X.X.X, agentless

The red devices I need to remove as they are typos.

Second Question:

*The final host in the agentless output is correct but ossec is not logging 
into the host. I am getting the following error:*
# ./agentless/ssh_asa-fwsmconfig_diff ossecbacksup@X.X.X.X
ERROR: Password for 'ossecbacksup@X.X.X.X' not found.

*Output from the .passlist file*
# cat agentless/.passlist 
ossecbacksups@X.X.X.X|

*Manually logging into the target switch using the ossec account*
# ssh ossecbackups@X.X.X.X

Password: 
router# exit
Connection to X.X.X.X closed.



Re: [ossec-list] OSSEC csyslogd truncates Windows Security Event ID: 4627.

2016-09-15 Thread dan (ddp)
On Thu, Sep 15, 2016 at 6:01 AM, dan (ddp)  wrote:
> On Thu, Sep 15, 2016 at 1:13 AM, InfoSec  wrote:
>> Regardless of the syslog RFC, they all allow messages up to 1024 bytes. The
>> entire message is 1017 bytes.
>>
>> I think csyslogd is choking on the \r\n\t\t (carriage return, line feed, and
>> two tabs) that precede every group SID. The event is being truncated just
>> before the first \r\n\t\t.
>>
>> I do not know which other events include any of the above characters and are
>> most likely to suffer from the same fate.
>>
>> AFAIC this is a serious flaw that precludes the use of OSSEC in the
>> environment.
>>
>
> IIRC, csyslogd isn't very big. It shouldn't be too difficult to poke
> around and try to debug this.
>

And looking into it briefly I see in the alerts.log:
** Alert 1473948303.87655: mail  - local,syslog,
2016 Sep 15 10:05:03 ix->/var/log/messages
Rule: 73 (level 10) -> 'BIG alert'
User: Desktop
Sep 15 10:05:02 ix WinEvtLog: Security: AUDIT_SUCCESS(4627):
Microsoft-Windows-Security-Auditing: (no user): no domain: Desktop:
   DESKTOP 0x18d6fc 
 DESKTOP 0x67537fa5 2 1 1
\\r\\n\\t\\t%{S-1-5-21-xx-xx-xx-xxx}\\r\\n\\t\\t%{S-1-1-0}\\r\\n\\t\\t%{S-1-5-114}\\r\\n\\t\\t%{S-1-5-21-xx-xx-xx-}\\r\\n\\t\\t%{S-1-5-32-555}\\r\\n\\t\\t%{S-1-5-32-545}\\r\\n\\t\\t%{S-1-5-32-544}\\r\\n\\t\\t%{S-1-5-4}\\r\\n\\t\\t%{S-1-2-1}\\r\\n\\t\\t%{S-1-5-11}\\r\\n\\t\\t%{S-1-5-15}\\r\\n\\t\\t%{S-1-5-113}\\r\\n\\t\\t%{S-1-2-0}\\r\\n\\t\\t%{S-1-5-64-10}\\r\\n\\t\\t%{S-1-16-8192}


And on the receiving end (using nc to receive the data):
<132>Sep 15 10:05:01 ix ossec: Alert Level: 2; Rule: 1002 - Unknown
problem somewhere in the system.; Location: ix->/var/log/messages;
classification:  syslog,errors,; Sep 15 10:05:01 ix syslogd: loghost
"@tcp4://192.168.18.61:2514" connection error: Broken pipe<132>Sep 15
10:05:03 ix ossec: Alert Level: 10; Rule: 73 - BIG alert;
Location: ix->/var/log/messages; classification:  local,syslog,; user:
Desktop; Sep 15 10:05:02 ix WinEvtLog: Security: AUDIT_SUCCESS(4627):
Microsoft-Windows-Security-Auditing: (no user): no domain: Desktop:
   DESKTOP 0x18d6fc 
 DESKTOP 0x67537fa5 2 1 1
\\r\\n\\t\\t%{S-1-5-21-xx-xx-xx-xxx}\\r\\n\\t\\t%{S-1-1-0}\\r\\n\\t\\t%{S-1-5-114}\\r\\n\\t\\t%{S-1-5-21-xx-xx-xx-}\\r\\n\\t\\t%{S-1-5-32-555}\\r\\n\\t\\t%{S-1-5-32-545}\\r\\n\\t\\t%{S-1-5-32-544}\\r\\n\\t\\t%{S-1-5-4}\\r\\n\\t\\t%{S-1-2-1}\\r\\n\\t\\t%{S-1-5-11}\\r\\n\\t\\t%{S-1-5-15}\\r\\n\\t\\t%{S-1-5-113}\\r\\n\\t\\t%{S-1-2-0}\\r\\n\\t\\t%{S-1-5-64-10}\\r\\n\\t\\t%{S-1-16-8192}

So it looks to me like it's passing the entire log message.




[ossec-list] Re: Best way to whitelist installed RPM / packages

2016-09-15 Thread Shawn Wiley
Thanks for the help that's perfect.

On Thursday, September 15, 2016 at 5:20:21 AM UTC-4, Jesus Linares wrote:
>
> Hi Shawn,
>
> By default, OSSEC triggers an alert when a package is 
> installed/removed/updated:
>
> *command*
> yum install valgrind.x86_64
>
> *archives.log*
> 2016 Sep 15 09:08:44 ip-10-0-0-10->/var/log/messages Sep 15 09:08:43 ip-10
> -0-0-10 yum[5630]: Installed: 1:valgrind-3.10.0-16.el7.x86_64
>
> *alerts.log*
> ** Alert 1473930524.4047: mail  - syslog,yum,config_changed,pci_dss_10.6.1
> ,pci_dss_10.2.7,
> 2016 Sep 15 09:08:44 ip-10-0-0-10->/var/log/messages
> Rule: 2932 (level 7) -> 'New Yum package installed.'
> Sep 15 09:08:43 ip-10-0-0-10 yum[5630]: Installed: 1:valgrind-3.10.0-
> 16.el7.x86_64
>
>
> If you want a whitelist of packages:
>
>1. Create a decoder for yum in order to extract the package name in a 
>field (*extra_data* for example)
>2. Create a *CDB list* with the whitelisted packages
>3. Create a child rule of 2932 in *local_rules.xml* with level 0 and 
>check if extra_data (the package name) is in the CDB list. In this way, you 
>will see only alerts for packages which are not in the list.
>
> I hope it helps.
> Regards.
>
> On Wednesday, September 14, 2016 at 10:27:07 PM UTC+2, Shawn Wiley wrote:
>>
>> Is there a way with OSSEC to create a white list of packages that should 
>> be installed on my Red Hat server and create an ongoing alert that's 
>> triggered if an unauthorized package (non-white-list) is installed? My 
>> concern is if someone installs an unauthorized package and I miss the alert 
>> or the alert is cleared would the package be able to continue to run 
>> without any new alerts being generated? Can I use OSSEC in this test case 
>> or is there another tool I need to use? Thanks in advance for any advice.
>>
>> -Shawn
>>
>



Re: [ossec-list] How to run ossec server by default?

2016-09-15 Thread dan (ddp)
On Thu, Sep 15, 2016 at 7:11 AM, Daiyue Weng  wrote:
> Hi, I am wondering how to run ossec server by default as a daemon in Linux
> (Arch). For example,
>
> systemctl enable ossec-control ?
>
>

I haven't done any serious testing (avoiding systemd mostly), but
these PRs might help:
https://github.com/ossec/ossec-hids/pull/895
https://github.com/ossec/ossec-hids/pull/894


>
>
> cheers
>



[ossec-list] How to run ossec server by default?

2016-09-15 Thread Daiyue Weng
Hi, I am wondering how to run ossec server by default as a daemon in Linux 
(Arch). For example, 

systemctl enable ossec-control ?




cheers



Re: [ossec-list] OSSEC csyslogd truncates Windows Security Event ID: 4627.

2016-09-15 Thread dan (ddp)
On Thu, Sep 15, 2016 at 1:13 AM, InfoSec  wrote:
> Regardless of the syslog RFC, they all allow messages up to 1024 bytes. The
> entire message is 1017 bytes.
>
> I think csyslogd is choking on the \r\n\t\t (carriage return, line feed, and
> two tabs) that precede every group SID. The event is being truncated just
> before the first \r\n\t\t.
>
> I do not know which other events include any of the above characters and are
> most likely to suffer from the same fate.
>
> AFAIC this is a serious flaw that precludes the use of OSSEC in the
> environment.
>

IIRC, csyslogd isn't very big. It shouldn't be too difficult to poke
around and try to debug this.




[ossec-list] Re: Best way to whitelist installed RPM / packages

2016-09-15 Thread Jesus Linares
Hi Shawn,

By default, OSSEC triggers an alert when a package is 
installed/removed/updated:

*command*
yum install valgrind.x86_64

*archives.log*
2016 Sep 15 09:08:44 ip-10-0-0-10->/var/log/messages Sep 15 09:08:43 ip-10-0
-0-10 yum[5630]: Installed: 1:valgrind-3.10.0-16.el7.x86_64

*alerts.log*
** Alert 1473930524.4047: mail  - syslog,yum,config_changed,pci_dss_10.6.1,
pci_dss_10.2.7,
2016 Sep 15 09:08:44 ip-10-0-0-10->/var/log/messages
Rule: 2932 (level 7) -> 'New Yum package installed.'
Sep 15 09:08:43 ip-10-0-0-10 yum[5630]: Installed: 1:valgrind-3.10.0-
16.el7.x86_64


If you want a whitelist of packages:

   1. Create a decoder for yum in order to extract the package name in a 
   field (*extra_data* for example)
   2. Create a *CDB list* with the whitelisted packages
   3. Create a child rule of 2932 in *local_rules.xml* with level 0 and 
   check if extra_data (the package name) is in the CDB list. In this way, you 
   will see only alerts for packages which are not in the list.

I hope it helps.
Regards.

On Wednesday, September 14, 2016 at 10:27:07 PM UTC+2, Shawn Wiley wrote:
>
> Is there a way with OSSEC to create a white list of packages that should 
> be installed on my Red Hat server and create an ongoing alert that's 
> triggered if an unauthorized package (non-white-list) is installed? My 
> concern is if someone installs an unauthorized package and I miss the alert 
> or the alert is cleared would the package be able to continue to run 
> without any new alerts being generated? Can I use OSSEC in this test case 
> or is there another tool I need to use? Thanks in advance for any advice.
>
> -Shawn
>

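One way to carry out the three whitelist steps above, as an added example that is not from the original post or from the OSSEC project. It assumes OSSEC 2.8-style CDB list support, that the stock decoder named `yum` (matched on program name) exists in decoder.xml, and that rule id 100100 and the list path `lists/package-whitelist` are free to use; the whitelist entries are constructed sample values.

```xml
<!-- Step 1: etc/local_decoder.xml. Child of the stock "yum" decoder
     (assumed present) that copies the package string following
     "Installed: " into the extra_data field, e.g.
     1:valgrind-3.10.0-16.el7.x86_64 from the archives.log line above. -->
<decoder name="yum-installed">
  <parent>yum</parent>
  <prematch>^Installed: </prematch>
  <regex offset="after_prematch">^(\S+)</regex>
  <order>extra_data</order>
</decoder>

<!-- Step 2: lists/package-whitelist (plain text, one key:value per line;
     the key must equal the exact string the decoder extracts, epoch
     included). Compile it with bin/ossec-makelists and register it in
     ossec.conf inside <rules> as <list>lists/package-whitelist</list>.
     Constructed sample entries: -->
<!--
1:valgrind-3.10.0-16.el7.x86_64:allowed
vim-enhanced-7.4.160-1.el7.x86_64:allowed
-->

<!-- Step 3: rules/local_rules.xml. Child of 2932 that matches at level 0
     when the extracted package is a key in the CDB list, so the level-7
     "New Yum package installed." alert survives only for packages that
     are not on the list. -->
<group name="local,syslog,">
  <rule id="100100" level="0">
    <if_sid>2932</if_sid>
    <list field="extra_data" lookup="match_key">lists/package-whitelist</list>
    <description>Yum package installed from the approved list.</description>
  </rule>
</group>
```

After restarting the manager, pasting the archives.log line from the post into bin/ossec-logtest shows whether the package lands in extra_data and which rule wins.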


[ossec-list] Re: log_alert_levels versus syslog_output > level?

2016-09-15 Thread InfoSec
Alerts --> Alert level is the event level threshold below which 
events are dropped and not placed in the alerts file.
Syslog --> Level is the event level threshold below which 
events are not forwarded via csyslogd to the syslog receiver.
