[ossec-list] no output seen from syslog_output

2016-03-03 Thread Ted Timmons
Hi. I'm setting up ossec 2.8.1, running on Ubuntu 14.04LTS. I can see alerts (in /var/ossec/logs/alerts/alert.log) but they don't appear in syslog, even though I've configured it to be there. The following is my current config; I was running it with only the first two config items at first.

Re: [ossec-list] agent_config syscheck configuration questions

2016-03-03 Thread Joseph cosgrove
Thanks! it didn't occur to me that using realtime and report_changes together could cause issues. I will have to test this and see how it works. I realized that syscheck doesn't monitor new files until after it finishes the hardway, when i was trying to troubleshoot reporting and why it was

Re: [ossec-list] agent_config syscheck configuration questions

2016-03-03 Thread Santiago Bassett
Afaik, the ignore option has always worked fine, meaning that those files are not scanned/monitored. Joseph, I would say the problem is caused because you are using realtime and report_changes together (pretty sure this could fill up your hard disk space quickly). Here are a couple of issues to keep in

[ossec-list] Concerns related to when OSSEC server is unreachable/down?

2016-03-03 Thread jkrew
Greetings, I'm in the process of evaluating the use of OSSEC on a large number of server instances. One of the biggest concerns expressed to me is whether or not the assets that host the Agent will be adversely affected if the Server become unavailable and the Agent is still running. For

Re: [ossec-list] agent_config syscheck configuration questions

2016-03-03 Thread dan (ddp)
On Thu, Mar 3, 2016 at 1:27 PM, Santiago Bassett wrote: > Weird, are you sure the ignored directories are getting scanned? Maybe have > a duplicated directory given to the Syscheck both in ossec.conf and > agent.conf? > Unless something has changed, that's been the

Re: [ossec-list] Help with setting up email alerts

2016-03-03 Thread dan (ddp)
On Thu, Mar 3, 2016 at 1:28 PM, jkrew wrote: > Ok, this is the agent. I thought one could configure the agent to fire off > emails because of this bit in the doc: > (http://ossec-docs.readthedocs.org/en/latest/syntax/head_ossec_config.global.html) > > Supported types > >

Re: [ossec-list] Help with setting up email alerts

2016-03-03 Thread jkrew
Ok, this is the agent. I thought one could configure the agent to fire off emails because of this bit in the doc: (http://ossec-docs.readthedocs.org/en/latest/syntax/head_ossec_config.global.html) Supported types Global options are available in the following installation types: -

Re: [ossec-list] agent_config syscheck configuration questions

2016-03-03 Thread Santiago Bassett
Weird, are you sure the ignored directories are getting scanned? Maybe have a duplicated directory given to the Syscheck both in ossec.conf and agent.conf? On Thu, Mar 3, 2016 at 7:00 AM, Joseph cosgrove wrote: > I have a large number of applications that i need to

Re: [ossec-list] Apache log porting to Ossec server

2016-03-03 Thread Santiago Bassett
Yes, it is possible. You need to use the OSSEC logall option and have logstash/filebeat reading /var/ossec/logs/archives.log My advice is to use different Elasticsearch indexes, one for the alerts and one for the raw logs (archives) On Wed, Mar 2, 2016 at 11:16 PM, Bhuvanesh Bhuvanachandran <

Re: [ossec-list] Help with setting up email alerts

2016-03-03 Thread dan (ddp)
On Thu, Mar 3, 2016 at 1:09 PM, jkrew wrote: > Greetings, > > We are using OSSEC as provided by CloudAware. I'm in the process of setting > up some custom alerts for testing, alerts I would like to receive via email. > > I am able to send email from the Linux host via the

[ossec-list] Help with setting up email alerts

2016-03-03 Thread jkrew
Greetings, We are using OSSEC as provided by CloudAware. I'm in the process of setting up some custom alerts for testing, alerts I would like to receive via email. I am able to send email from the Linux host via the following: echo "test" | mail -s "subject line" myem...@domain.name To help

RE: [ossec-list] Disable Email Alerts from a particular source ip

2016-03-03 Thread lostinthetubez
You must include your rules inside of a group tag. Unless I’m totally missing something, that is what analysisd is complaining about. From: ossec-list@googlegroups.com [mailto:ossec-list@googlegroups.com] On Behalf Of calvin ratti Sent: Wednesday, March 2, 2016 4:25 AM To: ossec-list

[ossec-list] agent_config syscheck configuration questions

2016-03-03 Thread Joseph cosgrove
I have a large number of applications that I need to monitor and I was wondering if there is a syscheck configuration option that I can use that will not scan certain directories and/or files (similar to the way skip_nfs aborts syschecks). I have my agent_conf set to ignore the directories

[ossec-list] What's your favorite rules?

2016-03-03 Thread namobuddhaonion
I'm wondering what everyone's favorite rules are. I'm trying to come up with some new rules to tighten security, so I would like to hear (and see code snippets) of folks' favorites, and what they are designed to detect. I.e. detect commands run, look for certain IOCs and so on. I'm impressed

Re: [ossec-list] Error reading XML file 'rules//local_rules.xml': XMLERR: String overflow. (line 89)

2016-03-03 Thread Jesus Linares
Hi, yes, a cdb list is what you need. 1. Create the list: /var/ossec/lists/allow_users.txt $ cat allow_users jesuslinares: maxim: 2. Add the file to ossec.conf: lists/allow_users 3. Compile the list $ /var/ossec/bin/ossec-makelists 4. Use in your rules: lists/allow_users Example:

[ossec-list] Re: Decoding long messages - multiple regex statements

2016-03-03 Thread Jesus Linares
Hi, I would add a *prematch *tag: Checkpoint ** (\w+) \p\w+ \w+ src:\s(\d+.\d+.\d+.\d+);\sdst:\s(\d+.\d+.\d+.\d+) action,srcip,dstip Checkpoint \.*resource: (\.*);\.*product: (\.*); url,extra_data Each decoder must have a *prematch* tag. Try this example without

Re: [ossec-list] Error reading XML file 'rules//local_rules.xml': XMLERR: String overflow. (line 89)

2016-03-03 Thread dan (ddp)
On Mar 3, 2016 6:30 AM, "Maxim Surdu" wrote: > > is it a solution but can i create a list and a rule to read all my list from the file, or something like this because now i have 300 clients but it can be more and it will not working more. > If that username is decoded into a

Re: [ossec-list] Error reading XML file 'rules//local_rules.xml': XMLERR: String overflow. (line 89)

2016-03-03 Thread Maxim Surdu
is it a solution but can I create a list and a rule to read all my list from the file, or something like this because now I have 300 clients but it can be more and it will not working more. thanks for your responsiveness Thursday, 3 March 2016, 12:13:36 UTC+2, dan (ddpbsd) wrote: > > > On Mar 3,

[ossec-list] Re: Help needed with Ossec implementation

2016-03-03 Thread Pedro S
Hi, If you need to forward to Elastic all the events (not only alerts), try to enable the option *yes* (available at Wazuh Fork ) like this: ossec.conf yes You will find a log file at */var/ossec/logs/archives/archives.json*, then set up

Re: [ossec-list] Error reading XML file 'rules//local_rules.xml': XMLERR: String overflow. (line 89)

2016-03-03 Thread dan (ddp)
On Mar 3, 2016 4:18 AM, "Maxim Surdu" wrote: > > Hi dear community, > > i install and configure about 10 agents, and of course i have a lot of users,a part of this users are ftp Clients > > in policy-rules.xml > > i have next rules > > > > authentication_success >

Re: [ossec-list] Help needed with Ossec implementation

2016-03-03 Thread dan (ddp)
On Mar 3, 2016 5:07 AM, "Bhuvanesh Bhuvanachandran" wrote: > > Hi Folks, > > > > I am new to Ossec, and trying out the functionalities of Ossec for a requirement in my company. I need some help with some of the concepts that I am trying to achieve. > > > > Basically I am

[ossec-list] Apache log porting to Ossec server

2016-03-03 Thread Bhuvanesh Bhuvanachandran
Hi Folks, I am new to Ossec, and trying out the functionalities of Ossec for a requirement in my company. I need some help with some of the concepts that I am trying to achieve. Basically I am using a combination of Ossec + Logstash + Elastic search Kibana to get the things visualized in a

[ossec-list] Help needed with Ossec implementation

2016-03-03 Thread Bhuvanesh Bhuvanachandran
Hi Folks, I am new to Ossec, and trying out the functionalities of Ossec for a requirement in my company. I need some help with some of the concepts that I am trying to achieve. Basically I am using a combination of Ossec + Logstash + Elastic search Kibana to get the things

[ossec-list] Error reading XML file 'rules//local_rules.xml': XMLERR: String overflow. (line 89)

2016-03-03 Thread Maxim Surdu
Hi dear community, I install and configure about 10 agents, and of course I have a lot of users, a part of these users are ftp clients in policy-rules.xml I have the next rules authentication_success 4 pm - 7 am Successful login during non-business hours. login_time,

[ossec-list] Re: Decoding long messages - multiple regex statements

2016-03-03 Thread Pedro S
Hi Fredrik, I don't think OSSEC allows regex to work backwards, from end to beginning, I know that can be specified in other languages with some flags, but I am not sure if we can do that here. Regarding your decoder, we have two options, include the extraction of "resource" and "product"