My server is running on CentOS 6 and I currently have two agents running, one Linux CentOS 6 and another Windows Server 2008. In both cases (Windows as well as CentOS) I am not getting the log (integrity check) for deleted files. Please let me know if you need any more information. I
Hey guys,
we have an OSSEC server installation on Debian with about 210 Windows and Linux OSSEC clients in our network.
Regarding syscheck, we literally have the default settings of OSSEC, which include a big part of the Windows registry and Windows directory as well as most Linux
On Fri, Dec 5, 2014 at 3:19 PM, Brent Morris brent.mor...@gmail.com wrote:
Wish I could edit that last post!
I forgot a few lines; the complete local_decoder.xml is below.
Add the following to local_decoder.xml:
<decoder name="pfsvc-auth">
  <program_name>^pfsvc</program_name>
</decoder>
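As an added illustration of what a program_name decoder like the one above actually selects (this is example code written for this page, not code from the thread or from OSSEC itself): the Python below strips a BSD-syslog header the way OSSEC does before decoding and applies the decoder's program_name pattern with the anchored-match semantics OSSEC uses for that field (^ at the start, $ at the end, | for alternatives, otherwise a substring match). The sample log lines, the sshd decoder and the pfsvcd program name are constructed for the example.

```python
import re

# Constructed sample syslog lines (not from the original thread). pfsvc is the
# program name Brent Morris's decoder targets; the others are made up to show
# a non-matching and a near-matching program name.
SAMPLE_LINES = [
    "Dec  5 15:19:02 fw01 pfsvc[1234]: authentication failure for user alice from 10.0.0.5",
    "Dec  5 15:19:03 fw01 sshd[999]: Accepted publickey for bob from 10.0.0.6 port 51122 ssh2",
    "Dec  5 15:19:04 fw01 pfsvcd: heartbeat ok",
    "Dec  5 15:19:05 fw01 kernel: eth0 link up",
]

# Simplified model of the syslog header OSSEC strips before decoding:
# "<Mon dd HH:MM:SS> <host> <program>[<pid>]: <message>"
SYSLOG_HEADER = re.compile(
    r"^(?P<timestamp>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<hostname>\S+) "
    r"(?P<program_name>[^\[\s:]+)(?:\[(?P<pid>\d+)\])?: "
    r"(?P<message>.*)$"
)


def parse_syslog(line):
    """Return the header fields of a BSD-syslog line, or None when the line has
    no recognisable header (OSSEC tries other formats then; this model stops)."""
    m = SYSLOG_HEADER.match(line)
    return m.groupdict() if m else None


def osmatch(pattern, text):
    """Minimal model of the simple match type OSSEC uses for <program_name>:
    '|' separates alternatives, '^' anchors at the start, '$' at the end, and
    everything else is literal. An unanchored pattern is a substring match."""
    for alt in pattern.split("|"):
        at_start = alt.startswith("^")
        at_end = alt.endswith("$")
        literal = alt[1 if at_start else 0 : len(alt) - 1 if at_end else len(alt)]
        if at_start and at_end:
            hit = text == literal
        elif at_start:
            hit = text.startswith(literal)
        elif at_end:
            hit = text.endswith(literal)
        else:
            hit = literal in text
        if hit:
            return True
    return False


# (decoder name, program_name pattern) pairs, as local_decoder.xml would hold them.
# The sshd entry is an assumption added for contrast.
DECODERS = [
    ("pfsvc-auth", "^pfsvc"),
    ("sshd", "^sshd"),
]


def decode(line, decoders=DECODERS):
    """Pick the first decoder whose <program_name> matches the line's program
    field. Returns (decoder_name, fields); decoder_name is None when nothing
    matched, i.e. the line would fall through to generic handling."""
    fields = parse_syslog(line)
    if fields is None:
        return None, None
    for name, pattern in decoders:
        if osmatch(pattern, fields["program_name"]):
            return name, fields
    return None, fields


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        name, fields = decode(line)
        print(f"{fields['program_name']!r:12} -> {name}")
```

Note the third sample line: ^pfsvc is a prefix match, so a program called pfsvcd is picked up by the pfsvc-auth decoder as well. If that is not wanted, anchor both ends (^pfsvc$) so only the exact program name matches.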
On Mon, Dec 8, 2014 at 7:17 AM, horst knete baduncl...@hotmail.de wrote:
Hey guys,
we have an OSSEC server installation on Debian with about 210 Windows and Linux OSSEC clients in our network.
Regarding syscheck, we literally have the default settings of OSSEC, which include a
On Mon, Dec 8, 2014 at 2:28 AM, Bijesh Maskey biz@gmail.com wrote:
My server is running on CentOS 6 and I currently have two agents running, one Linux CentOS 6 and another Windows Server 2008. In both cases (Windows as well as CentOS) I am not getting the log (integrity check) for
On Sun, Dec 7, 2014 at 1:20 AM, Bijesh Maskey biz@gmail.com wrote:
Hi all,
I have installed and configured an OSSEC server on CentOS 6 and two clients, Win 2k8 and CentOS, as agents running on my VirtualBox. OSSEC is running smoothly and detecting all the changes made on the files where the
We have an error installing the OSSEC server when using Binary Installation Mode:
Example:
2014/12/08 16:26:46 Could not get ossec gid.
Started ossec-analysisd...
2014/12/08 16:26:46 ossec-logcollector(1103): ERROR: Unable to open file
'/queue/ossec/.agent_info'.
Started
On Mon, Dec 8, 2014 at 8:01 AM, dan (ddp) ddp...@gmail.com wrote:
Yes and no. It's kludgy, but you could have a package update trigger an active response on the manager to clear the database. It could be a security issue, handing over some control of the database to the agent, but it should
On Mon, Dec 8, 2014 at 10:30 AM, Philipp Hoferichter phi...@gmx.de wrote:
We have an error installing the OSSEC server when using Binary Installation Mode:
Example:
2014/12/08 16:26:46 Could not get ossec gid.
Does the ossec group exist?
Started ossec-analysisd...
2014/12/08 16:26:46
On Mon, Dec 8, 2014 at 10:34 AM, Damian Gerow damian.ge...@shopify.com wrote:
On Mon, Dec 8, 2014 at 8:01 AM, dan (ddp) ddp...@gmail.com wrote:
Yes and no. It's kludgy, but you could have a package update trigger an active response on the manager to clear the database. It could be a security
On Mon, Dec 8, 2014 at 10:39 AM, dan (ddp) ddp...@gmail.com wrote:
Possibly compromised systems shouldn't have control over a database
they do not have control over. That's kind of the idea behind sending
the hashes to the manager. It helps prevent shady behavior.
So, possibly
On Mon, Dec 8, 2014 at 10:56 AM, Damian Gerow damian.ge...@shopify.com wrote:
On Mon, Dec 8, 2014 at 10:39 AM, dan (ddp) ddp...@gmail.com wrote:
Possibly compromised systems shouldn't have control over a database
they do not have control over. That's kind of the idea behind sending
the
On Mon, Dec 8, 2014 at 11:05 AM, dan (ddp) ddp...@gmail.com wrote:
Possibly compromised systems shouldn't have control over a database
they do not have control over. That's kind of the idea behind sending
the hashes to the manager. It helps prevent shady behavior.
So, possibly
Hello;
I would like to monitor our ASA 5510. Is there any documentation or tutorial on monitoring an ASA?
I have found limited information and my understanding.
1) I have to edit the register_host.sh, add the host: if so, where?
2) edit
On 2014-12-08 9:56, Damian Gerow wrote:
On Mon, Dec 8, 2014 at 10:39 AM, dan (ddp) ddp...@gmail.com wrote:
Possibly compromised systems shouldn't have control over a database they do not have control over. That's kind of the idea behind sending the hashes to the manager. It helps prevent
On Mon, Dec 8, 2014 at 11:55 AM, Semperfi ke...@myschatz.net wrote:
Hello;
I would like to monitor our ASA 5510. Is there any documentation or tutorial on monitoring an ASA?
I have found limited information and my understanding.
1) I have to edit the register_host.sh, add
Sir,
You can also configure the ASA to send log events via syslog, either directly to OSSEC or to the syslog daemon on the OSSEC server, so OSSEC can monitor that output as well.
Caveat: I am not very familiar with the remote monitoring, but it is my understanding that this would only check
On Mon, Dec 8, 2014 at 12:13 PM, Michael Starks
ossec-l...@michaelstarks.com wrote:
With real-time checks enabled, it's a time-based security problem. Can the
agent send the hashes to the manager before the attacker can alter or stop
them?
Yes: stop OSSEC, start your own agent. This is
I can.
Are you interested in just the important bits as they relate to the decodes
(authentication success/failure), or did you want to see the entire log
file? It's a fairly verbose application, so with the logging level that I
setup on it, it only reports application errors, administrator
On Thu, 4 Dec 2014, dan (ddp) wrote:
On Wed, Dec 3, 2014 at 7:51 PM, Jarrod Farncomb jarde...@gmail.com wrote:
Hi guys,
I have some Juniper SSG devices which I need log in events to be reported to
OSSEC so that they can be included within the daily report.
From my research, the Juniper SSGs
I think dan mentioned it all - but basically...
Run the register_host.sh and plug in your username@host, password and enable password.
Step 1, e.g.: ./register_host.sh ciscouser@1.2.3.4 password enablepassword
Steps 2 and 3 in your list are incorrect. Delete those...
Edit the ossec.conf and
I'm looking to avoid having to worry about disk space for this sort of
config.
You must be joking? Disk space is _very_ cheap nowadays and it's also
possible to use compression ..
--
Eero
David,
Eero is right that disk space is relatively quite inexpensive these days; I
think lots of us are more concerned with log retention against future audit
needs than with disk usage. Anyway, it's pretty easy to set up cron
scripts for log file cleanups.
To address your question, I don't
On Mon, 8 Dec 2014, Rick McClinton wrote:
David,
Eero is right that disk space is relatively quite inexpensive these days; I
think lots of us are more concerned with log retention against future audit
needs than with disk usage. Anyway, it's pretty easy to set up cron
scripts for log file
On Tue, 9 Dec 2014, Eero Volotinen wrote:
I'm looking to avoid having to worry about disk space for this sort of
config.
You must be joking? Disk space is _very_ cheap nowadays and it's also
possible to use compression ..
Unless you are using enterprise-class datacenter storage systems.
Hey all, bit of a strange issue here. If I log in/out of a server, the event is logged into the alerts.log file perfectly fine, but when viewing the logs in a browser through the web interface the Src IP field lists the username, and it does so incorrectly: it appears that the first
I'm having an issue getting failed logins to Windows servers to log correctly to alerts.log.
I've created a login failure and confirmed the Windows event logs show this as ID 4625.
Checking in the rules directory on the OSSEC server, this appears within the id field of the msauth rule file (ID