Re: [ossec-list] OSSEC csyslogd truncates Windows Security Event ID: 4627.

2016-09-14 Thread InfoSec
Regardless of the syslog RFC, they all allow messages up to 1024 bytes. The entire message is 1017 bytes. I think csyslogd is choking on the \r\n\t\t (carriage return, line feed, and two tabs) that precede every group SID. The event is being truncated just before the first \r\n\t\t. I do not

[ossec-list] log_alert_levels versus syslog_output > level?

2016-09-14 Thread Xtina Schelin
In the ossec.conf file, I see two settings: alerts > log_alert_level syslog_output > level What is the meaningful difference between these two? -- --- You received this message because you are subscribed to the Google Groups "ossec-list" group. To unsubscribe from this group and stop

[ossec-list] Best way to whitelist installed RPM / packages

2016-09-14 Thread Shawn Wiley
Is there a way with OSSEC to create a white list of packages that should be installed on my Red Hat server and create an ongoing alert that's triggered if an unauthorized package (non-white-list) is installed? My concern is if someone installs an unauthorized package and I miss the alert or the

[ossec-list] "eventlog" and "eventchannel". What is difference?

2016-09-14 Thread Duẩn Phạm
What is difference between "eventlog" and "eventchannel" in ossec.conf (Agent)? Application eventlog & Application eventchannel -- --- You received this message because you are subscribed to the Google Groups "ossec-list" group. To unsubscribe from this group and

Re: [ossec-list] OSSEC csyslogd truncates Windows Security Event ID: 4627.

2016-09-14 Thread dan (ddp)
On Wed, Sep 14, 2016 at 10:42 AM, InfoSec wrote: > In /var/ossec/logs/alerts/alerts.json file: > > {"rule":{"level":1,"comment":"Windows - Audit Success event catch > all.","sidid":18104,"firedtimes":2,"groups":["win_audit"]},"dstuser":"(no > user)","full_log":"2016 Sep

[ossec-list] OSSEC csyslogd truncates Windows Security Event ID: 4627.

2016-09-14 Thread InfoSec
In /var/ossec/logs/alerts/alerts.json file: {"rule":{"level":1,"comment":"Windows - Audit Success event catch all.","sidid":18104,"firedtimes":2,"groups":["win_audit"]},"dstuser":"(no user)","full_log":"2016 Sep 14 17:25:27 WinEvtLog: Security: AUDIT_SUCCESS(4627):