[ossec-list] Re: archives.log under /var/ossec/logs/

2017-07-17 Thread Kazim Koybasi
Thanks for the quick reply.
As I understand it, the agent collects logs with ossec-logcollector and sends all of 
them to the server. The server analyzes all logs with the ossec-analysisd daemon and 
matches them against decoders and rules. Also, if I enable the logall option on the 
server, it saves all logs under the /var/ossec/logs/archives directory.

On Monday, 17 July 2017 09:53:37 UTC+3, Kazim Koybasi wrote:
>
> Does archives.log under /var/ossec/logs/ contain all logs produced at the agent 
> host server? I am trying to understand how the OSSEC manager and agent 
> topology works. The agent does not contain rules.
> Does it mean that the agent sends all logs to the manager, and the manager processes 
> the log files according to the decoder and rule files? Does it log only processed 
> logs as archives.log? Thanks for reading.
>

-- 

--- 
You received this message because you are subscribed to the Google Groups 
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to ossec-list+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.


Re: [ossec-list] Re: Email alerts are sent hourly

2017-07-17 Thread Jesus Linares
Finally, you got it!

I think your conclusion makes sense.

Regards.


On Wednesday, July 12, 2017 at 7:49:36 PM UTC+2, Alexis Lessard wrote:
>
> The issue was indeed the email_maxperhour setting. My guess is, because we 
> basically told OSSEC to send every event to noreply@localhost, the default 
> threshold was reached pretty quickly, so all events from the moment the threshold 
> was reached until the end of the hour were sent back to us in one big email. We 
> changed that setting to its maximum value, , and now we receive all the 
> alerts we specified we wanted (although now we might have some tweaking to 
> do in our local_rules to adjust it to our needs), but at least it works!
>
> tl;dr: Ensure that the email_maxperhour setting in the global config is 
> set to an appropriate value. Default is 12.
>
> 2017-07-12 7:26 GMT-04:00 Jesus Linares :
>
>> Hi Alexis,
>>
>> So, you are receiving alerts with level 3 in ourservice@domain, right? 
>> That doesn't make sense (I understand that email1, email2 or email3 is not 
>> ourservice@domain).
>>
>> Try to use do_not_delay and do_not_group. Also, email_maxperhour 
>> is 12 by default; maybe you should change it.
>>
>> In order to simplify the debug process, use only 1 custom email alert.
>>
>> Also, you can use the report settings 
>> instead of the email settings.
>>
>> OSSEC emails options aren't that good...
>>
>>
>>
>> On Tuesday, July 11, 2017 at 10:27:41 PM UTC+2, Alexis Lessard wrote:
>>>
>>> Thanks for the tip! We tested it, but it doesn't seem to be working. 
>>> Here's what the configuration looks like now:
>>>   
>>> yes
>>> noreply@localhost
>>> smtpserver
>>> ossec@domain
>>>   
>>>
>>>   
>>> email1
>>> email2
>>> email3
>>> several, agents, name
>>>   
>>>
>>>   
>>> ourservice@domain
>>> 9
>>> 
>>> 
>>>   
>>>
>>>
>>> *email_alert_level* was also set to 1. We received one level 10 alert 
>>> email by itself. However, there were several other level 10 alerts that we 
>>> didn't receive any notifications for, even though they appear in the alert 
>>> log. We then received an email report in the ourservice@domain mailbox of about 
>>> 10 minutes' worth of events, with several level 10 alerts in it, but mostly 
>>> a lot of alerts we have no need for, like 
>>> Rule: 31101 fired (level 5) -> "Web server 400 error code." 
>>>
>>> I don't think that there's anything in my config that would justify 
>>> alerts of level 3 and 5 being sent. Do you know what could be wrong? We 
>>> will probably go back to having an email_alert_level of 7 with no custom 
>>> alerts and work from there. We receive a lot of events on this server; I'd 
>>> say about one every two or three seconds. Could that be a problem?
>>>
>>> Thank you for the reply. I'll be sure to keep you updated to document 
>>> the issue in case anyone else has that problem.
>>>
>
>



[ossec-list] Re: archives.log under /var/ossec/logs/

2017-07-17 Thread alberto . rodriguez
Yes, here you'll find a guide with descriptions of all daemons: 
https://documentation.wazuh.com/current/user-manual/reference/daemons/index.html

Please let us know if you have any doubts. 
Best regards, 

On Monday, July 17, 2017 at 9:19:04 AM UTC+2, Kazim Koybasi wrote:
>
> Thanks for the quick reply.
> As I understand it, the agent collects logs with ossec-logcollector and sends all 
> of them to the server. The server analyzes all logs with the ossec-analysisd daemon 
> and matches them against decoders and rules. Also, if I enable the logall option 
> on the server, it saves all logs under the /var/ossec/logs/archives directory.
>
> On Monday, 17 July 2017 09:53:37 UTC+3, Kazim Koybasi wrote:
>>
>> Does archives.log under /var/ossec/logs/ contain all logs produced at the 
>> agent host server? I am trying to understand how the OSSEC manager and 
>> agent topology works. The agent does not contain rules.
>> Does it mean that the agent sends all logs to the manager, and the manager 
>> processes the log files according to the decoder and rule files? Does it log 
>> only processed logs as archives.log? Thanks for reading.
>>
>



[ossec-list] archives.log under /var/ossec/logs/

2017-07-17 Thread Kazim Koybasi
Does archives.log under /var/ossec/logs/ contain all logs produced at the agent 
host server? I am trying to understand how the OSSEC manager and agent 
topology works. The agent does not contain rules.
Does it mean that the agent sends all logs to the manager, and the manager processes 
the log files according to the decoder and rule files? Does it log only processed 
logs as archives.log? Thanks for reading.



[ossec-list] Re: archives.log under /var/ossec/logs/

2017-07-17 Thread alberto . rodriguez
Hello Kazim

On Monday, July 17, 2017 at 8:53:37 AM UTC+2, Kazim Koybasi wrote:
>
> Does archives.log under /var/ossec/logs/ contain all logs produced at the agent 
> host server? I am trying to understand how the OSSEC manager and agent 
> topology works.
>

Yes, if you have configured your ossec.conf (manager side) with the option 
"log_all" set to yes. 

> The agent does not contain rules.
> Does it mean that the agent sends all logs to the manager, and the manager processes 
> the log files according to the decoder and rule files? Does it log only processed 
> logs as archives.log? Thanks for reading.
>

The behavior is this: the agent sends the events occurring on its side 
depending on its configuration (the agent's ossec.conf; you can allow the 
agent to send all events, or configure it to filter the events that you want 
to send). These events arrive at the manager, and it is then necessary to decide 
whether each event is relevant or not. For that, the manager checks the event 
against the decoders and rules, and if the analyzed event is relevant it is 
included in "alerts.log". If not, the log will not be registered. But if you have 
the option "log_all" set to yes in the manager's ossec.conf, this option allows 
the manager to register ALL events received from all agents in "archives.log". 

Hope it helps.
Best regards, 
Alberto Rodríguez

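A practical follow-up to Alberto's explanation: since archives.log holds every event the manager received (when logall is enabled in the manager's ossec.conf), it is the place to verify which agents and which log locations are actually being shipped, independently of whether any rule fired. The script below is an added example, not code from the thread or from the OSSEC project. It assumes the archives.log line layout "YYYY Mon DD HH:MM:SS (agent_name) agent_ip->location original log line" for agent events and "YYYY Mon DD HH:MM:SS host->location original log line" for events local to the manager; the sample lines embedded in it are constructed for this example.

```python
"""Summarise which agents and log locations reached the OSSEC manager, from archives.log.

Added example (not part of the ossec-list thread or the OSSEC project). It assumes
the archives.log layout written when logall is enabled on the manager:

    YYYY Mon DD HH:MM:SS (agent_name) agent_ip->location original log line
    YYYY Mon DD HH:MM:SS manager_host->location original log line   (manager-local)
"""
import re
from collections import Counter, defaultdict

# Constructed sample of archives.log content; hosts and addresses are not real.
SAMPLE_ARCHIVES = """\
2017 Jul 17 09:53:37 (web01) 192.0.2.10->/var/log/auth.log Jul 17 09:53:36 web01 sshd[4321]: Failed password for invalid user test from 198.51.100.7 port 51022 ssh2
2017 Jul 17 09:53:38 (web01) 192.0.2.10->/var/log/nginx/access.log 198.51.100.7 - - [17/Jul/2017:09:53:38 +0000] "GET /index.html HTTP/1.1" 200 612
2017 Jul 17 09:53:39 (web01) 192.0.2.10->/var/log/nginx/access.log 198.51.100.7 - - [17/Jul/2017:09:53:39 +0000] "GET /missing HTTP/1.1" 404 162
2017 Jul 17 09:53:40 (db01) 192.0.2.20->/var/log/syslog Jul 17 09:53:40 db01 cron[777]: (root) CMD (run-parts /etc/cron.hourly)
2017 Jul 17 09:53:41 ossec-manager->/var/log/syslog Jul 17 09:53:41 ossec-manager ossec-remoted[1200]: INFO: Started
"""

# Agent events carry "(name) ip->location"; manager-local events carry "host->location".
_TS = r"(?P<ts>\d{4} \w{3} \d{2} \d{2}:\d{2}:\d{2}) "
_AGENT_RE = re.compile(_TS + r"\((?P<agent>[^)]+)\) (?P<ip>\S+)->(?P<location>\S+) (?P<log>.*)$")
_LOCAL_RE = re.compile(_TS + r"(?P<host>\S+?)->(?P<location>\S+) (?P<log>.*)$")


def parse_line(line):
    """Return a dict (ts, agent, ip, location, log, source) for one line, or None."""
    m = _AGENT_RE.match(line)
    if m:
        rec = m.groupdict()
        rec["source"] = "agent"
        return rec
    m = _LOCAL_RE.match(line)
    if m:
        rec = m.groupdict()
        rec["agent"] = rec.pop("host")   # manager-local events have no agent/ip
        rec["ip"] = None
        rec["source"] = "manager"
        return rec
    return None


def summarize(text):
    """Count archived events per (agent, location).

    Every event the manager received appears in this count, whether or not a
    rule later fired on it, which is exactly what alerts.log cannot tell you.
    """
    counts = Counter()
    unparsed = 0
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec is None:
            unparsed += 1
            continue
        counts[(rec["agent"], rec["location"])] += 1
    return counts, unparsed


def agent_locations(text):
    """Map each agent (or the manager host) to the sorted log locations it shipped."""
    locations = defaultdict(set)
    counts, _ = summarize(text)
    for agent, location in counts:
        locations[agent].add(location)
    return {agent: sorted(locs) for agent, locs in locations.items()}


if __name__ == "__main__":
    counts, bad = summarize(SAMPLE_ARCHIVES)
    for (agent, location), n in sorted(counts.items()):
        print(f"{agent:15s} {location:30s} {n}")
    print("unparsed lines:", bad)
```

Point it at a real /var/ossec/logs/archives/archives.log (by reading the file into summarize) to confirm that an agent's configured log locations are all arriving; a location missing from the output means the agent is not shipping it, regardless of what the rules do afterwards. Comparing the per-agent counts with alerts.log then shows how much of the received traffic actually matched a rule.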