[ossec-list] Re: OSSEC csyslogd truncates Windows Security Event ID: 4627.

2016-09-15 Thread InfoSec
The difference between your setup and mine is that I am forwarding events in CEF format; you seem to be forwarding the OSSEC multi-line format. Can you please rerun your test with CEF format in syslog_output? -- --- You received this message because you are subscribed to the Google Groups

[ossec-list] Question on agent authentication and use of counters

2016-09-15 Thread Abhijit Tikekar
Hi, We recently migrated one of our OSSEC instances to a new server. We are using Linux (CentOS) as the platform. Post-migration, we noticed that none of the agents were connected to the server and the agents had the following error in the logs: 2016/09/15 09:05:56 ossec-agentd: INFO: Trying to

[ossec-list] OSSEC - sudo

2016-09-15 Thread Kumar G
Hi team, We are in the process of getting the sudo rules worked out for the OSSEC environment. However, a question came up: can the ossec user have read/write access on them (e.g. /var/ossec/rules, /var/ossec/etc; the ossec account should have write permission)? Is it advisable to

Re: [ossec-list] Re: Windows Eventlogs

2016-09-15 Thread Kumar G
Hi Jesus, Apologies for the late reply. I was away from OSSEC for a while. The configuration for the eventlog ID was implemented; however, I started getting some new messages in the ossec logs on the agent box. Do you think these are normal? 2016/09/06 07:04:43 ossec-agent(1951): INFO:

Re: [ossec-list] OSSEC Agentless Questions

2016-09-15 Thread dan (ddp)
On Thu, Sep 15, 2016 at 10:35 AM, Keith wrote: > Hey Everyone, > > I have two questions related to agentless configurations. I can't seem to > find a good answer on either. > > First Question: > > How do I remove a host from the ossec agentless config? I did remove it >

[ossec-list] OSSEC Agentless Questions

2016-09-15 Thread Keith
Hey Everyone, I have two questions related to agentless configurations. I can't seem to find a good answer on either. First Question: How do I remove a host from the ossec agentless config? I did remove it from ossec.conf and from .passlist but the hosts are still showing. Two of them were

Re: [ossec-list] OSSEC csyslogd truncates Windows Security Event ID: 4627.

2016-09-15 Thread dan (ddp)
On Thu, Sep 15, 2016 at 6:01 AM, dan (ddp) wrote: > On Thu, Sep 15, 2016 at 1:13 AM, InfoSec wrote: >> Regardless of the syslog RFC, they all allow messages up to 1024 bytes. The >> entire message is 1017 bytes. >> >> I think csyslogd is choking on the

[ossec-list] Re: Best way to whitelist installed RPM / packages

2016-09-15 Thread Shawn Wiley
Thanks for the help, that's perfect. On Thursday, September 15, 2016 at 5:20:21 AM UTC-4, Jesus Linares wrote: > > Hi Shawn, > > by default OSSEC triggers an alert when a package is > installed/removed/updated: > > *command* > yum install valgrind.x86_64 > > *archives.log* > 2016 Sep 15 09:08:44

Re: [ossec-list] How to run ossec server by default?

2016-09-15 Thread dan (ddp)
On Thu, Sep 15, 2016 at 7:11 AM, Daiyue Weng wrote: > Hi, I am wondering how to run ossec server by default as a daemon in Linux > (Arch). For example, > > systemctl enable ossec-control ? > > I haven't done any serious testing (avoiding systemd mostly), but these PRs might

[ossec-list] How to run ossec server by default?

2016-09-15 Thread Daiyue Weng
Hi, I am wondering how to run ossec server by default as a daemon in Linux (Arch). For example, systemctl enable ossec-control ? cheers

Re: [ossec-list] OSSEC csyslogd truncates Windows Security Event ID: 4627.

2016-09-15 Thread dan (ddp)
On Thu, Sep 15, 2016 at 1:13 AM, InfoSec wrote: > Regardless of the syslog RFC, they all allow messages up to 1024 bytes. The > entire message is 1017 bytes. > > I think csyslogd is choking on the \r\n\t\t (carriage return, line feed, and > two tabs) that precede every

[ossec-list] Re: Best way to whitelist installed RPM / packages

2016-09-15 Thread Jesus Linares
Hi Shawn, by default OSSEC triggers an alert when a package is installed/removed/updated: *command* yum install valgrind.x86_64 *archives.log* 2016 Sep 15 09:08:44 ip-10-0-0-10->/var/log/messages Sep 15 09:08:43 ip-10-0-0-10 yum[5630]: Installed: 1:valgrind-3.10.0-16.el7.x86_64 *alerts.log*
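The usual way to whitelist approved packages, so that the yum line above stops raising an alert while every other install still does, is a local rule that is a child of the stock yum-install rule and drops the level to 0. The following is an added example for /var/ossec/rules/local_rules.xml, not code from the thread or from the OSSEC project. It assumes that the parent rule id is 2932 ("New Yum package installed" in the stock syslog_rules.xml), so check the "Rule: NNNN" line printed for this event in your own alerts.log before using it; the local rule id 100100 and the package names other than valgrind are made up for the example.

```xml
<!-- local_rules.xml: suppress alerts for an approved set of packages.
     Assumption: 2932 is the stock "New Yum package installed" rule; verify the
     rule id shown in alerts.log for the yum "Installed:" event on your server. -->
<group name="local,syslog,yum,">

  <!-- Level 0 means the event is matched but never alerted or forwarded.
       <match> is a plain substring test; "|" separates alternatives.
       The "1:" is the RPM epoch, as in the archives.log line from the thread;
       packages without an epoch appear as "Installed: name-version". -->
  <rule id="100100" level="0">
    <if_sid>2932</if_sid>
    <match>Installed: 1:valgrind-|Installed: tmux-|Installed: htop-</match>
    <description>Approved package installed (whitelisted); no alert.</description>
  </rule>

</group>
```

Keep the trailing "-" after each package name so that "valgrind-" does not also silence "valgrind-devel", and restart the manager (ossec-control restart) after editing the rules. Installs of anything not in the list still fire rule 2932 at its normal level.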

[ossec-list] Re: log_alert_levels versus syslog_output > level?

2016-09-15 Thread InfoSec
Alerts --> Alert level has to do with the event level threshold below which events are dropped and not placed in the alerts file. Syslog --> Level has to do with the event level threshold below which events are not forwarded via csyslogd to syslog receiver.
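The two thresholds described above live in different sections of ossec.conf and are evaluated independently: an alert must first clear log_alert_level to reach alerts.log, and csyslogd then applies its own level filter to decide what is forwarded. The fragment below is an added example (not the poster's configuration and not shipped OSSEC defaults) that puts the two settings side by side, together with the CEF format option referred to in the csyslogd thread on this page. The server address 10.0.0.20 and the numeric levels are chosen for illustration.

```xml
<ossec_config>

  <!-- Threshold 1: what gets written to /var/ossec/logs/alerts/alerts.log.
       Alerts with level below 3 are dropped here and never seen again. -->
  <alerts>
    <log_alert_level>3</log_alert_level>
    <email_alert_level>10</email_alert_level>
  </alerts>

  <!-- Threshold 2: what csyslogd forwards to the remote receiver.
       With level 7 here and log_alert_level 3 above, a level-5 alert is
       in alerts.log but is NOT forwarded; a level-7 alert is both logged
       and forwarded. Setting this lower than log_alert_level has no
       effect, since those alerts were already dropped by threshold 1. -->
  <syslog_output>
    <server>10.0.0.20</server>          <!-- assumed receiver address -->
    <port>514</port>
    <level>7</level>
    <format>cef</format>               <!-- single-line CEF instead of the
                                            multi-line default format -->
  </syslog_output>

</ossec_config>
```

csyslogd only runs when it has been enabled (ossec-control enable client-syslog) and the manager restarted, so a change to the syslog level with no forwarding at all is more often a disabled daemon than a threshold problem.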