[ossec-list] Re: OSSEC & Logstash

2016-09-22 Thread mangasof . manga
Hi JP1, you found a pattern for archive.log file? On Wednesday, 18 February 2015 17:12:45 UTC-3, jp1...@gmail.com wrote: > > So, this works OK for me on alerts.log - does anyone have a logstash conf > that works on the archives.log if you have ossec saving all logs to that? > > On

[ossec-list] Can I build the OSSEC server without the three GeoIP packages?

2016-09-22 Thread Shawn Wiley
Is there a way to build the OSSEC server without the three GeoIP packages, or at least force the packages to not be used? I'd like to install the least amount of additional packages to my web server as possible. Thanks, Shawn

Re: [ossec-list] OSSEC log analysis vs sending logs directly to OSSIM

2016-09-22 Thread Eponymous -
Thanks for your response Santiago! So the target system is actually a pfSense router (FreeBSD 10.3 based) and the main problem I have is that the logs are not in plaintext format - they use a "clog" format instead which OSSEC can't read. The only workaround at the moment is to run a local

Re: [ossec-list] Re: How to change the OSSEC installation directory in windows

2016-09-22 Thread Eero Volotinen
How about modifying the installation package? Eero 2016-09-22 12:56 GMT+03:00 Victor Fernandez : > Hi, > > when you run the OSSEC installer for Windows, you can choose the location > where OSSEC will be installed. This shouldn't be a problem. > > Since OSSEC registers a

[ossec-list] Re: How to change the OSSEC installation directory in windows

2016-09-22 Thread Victor Fernandez
Hi, when you run the OSSEC installer for Windows, you can choose the location where OSSEC will be installed. This shouldn't be a problem. Since OSSEC registers a background service on Windows, you should first install OSSEC into another partition and then create the C:\ drive image. Hope it

[ossec-list] Re: Querying Kibana for specific event types

2016-09-22 Thread Jesus Linares
Hi, Review *alerts.json* in order to know if you have the decoder name and the event id extracted in fields. Also, check out your logstash mapping. If the fields are not extracted in alerts.json, you cannot filter by them in kibana. I did the query in Wazuh and it works, so I recommend you

[ossec-list] How to change the OSSEC installation directory in windows

2016-09-22 Thread vikas
Hello all, We have a group of servers where the C:/ drive gets re-imaged daily with a standard image. Since it's going to be the same image that all the servers use, not sure how to make OSSEC part of that image and avoid agent-server registration issues. So we wanted to install it on a different