Re: [ossec-list] Same old song ERROR: Unable to access queue: '/var/ossec/queue/ossec/queue

2016-10-11 Thread dan (ddp)
On Oct 11, 2016 2:22 PM, "Kernel Panic" wrote:
>
> Hi guys,
> Yes, I've been reading about the error on the list, lots of cases, and I got it
> too but I ran out of ideas.
>
> The log:
>

Are there any errors before these messages?
Maybe try starting the daemons manually one at a time (with -df) to see
which fails.

> 2016/10/11 13:04:40 ossec-syscheckd(1210): ERROR: Queue '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
> 2016/10/11 13:04:40 ossec-rootcheck(1210): ERROR: Queue '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
> 2016/10/11 13:04:46 ossec-logcollector(1210): ERROR: Queue '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
> 2016/10/11 13:04:46 ossec-logcollector(1211): ERROR: Unable to access queue: '/var/ossec/queue/ossec/queue'. Giving up..
> 2016/10/11 13:04:48 ossec-syscheckd(1210): ERROR: Queue '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
> 2016/10/11 13:04:48 ossec-rootcheck(1210): ERROR: Queue '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
> 2016/10/11 13:05:01 ossec-syscheckd(1210): ERROR: Queue '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
> 2016/10/11 13:05:01 ossec-rootcheck(1211): ERROR: Unable to access queue: '/var/ossec/queue/ossec/queue'. Giving up..
>
> The queue
> srw-rw. 1 ossec ossec 0 Oct 11 13:04 /var/ossec/queue/ossec/queue
>
> Also read that local_rules may have issues; tested with -t and no errors
> displayed, also with xmllint.
>
> xmllint local_rules.xml
>
> --SNIP-
>
> There is also a file under /var/ossec/etc/decoder.xml that seems not good,
> is that correct?
> xmllint decoder.xml
> decoder.xml:52: parser error : Extra content at the end of the document
> 
> ^
>

Did you modify this file?
Does `ossec-logtest -t` complain about it?

> And found this:
>
> xmllint  ossec.conf
> ossec.conf:74: parser error : Comment not terminated
> 
>
> Line 74, what's missing here?
>

I see the "-->" there. Right after "hours." xmllint doesn't apply to ossec.

> 72000
>
> ossec-hids-2.8.3-53.el6.art.x86_64
> ossec-hids-server-2.8.3-53.el6.art.x86_64
> ossec-wui-0.8-4.el6.art.noarch
>
> Thanks for your time and support
> Regards

-- 

--- 
You received this message because you are subscribed to the Google Groups 
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to ossec-list+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
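As an added diagnostic (not from the list, not OSSEC's own code), this script performs the same connect() the OSSEC daemons do against the queue socket quoted above and names the state it finds; demo_states() reproduces the cases on a temporary socket. It relies on the fact that ossec-analysisd is the process that creates and binds that socket while syscheckd, rootcheck and logcollector only connect to it.

```python
# Added example, not from the thread: classify why a daemon reports
# "Queue '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'".
# ossec-analysisd binds that UNIX datagram socket and the other daemons only
# connect() to it, so a socket file with nobody bound behind it gives ECONNREFUSED.
import errno
import os
import socket
import stat
import tempfile

OSSEC_QUEUE = "/var/ossec/queue/ossec/queue"   # path quoted in the thread


def diagnose_queue(path=OSSEC_QUEUE):
    """Return missing, not-a-socket, permission-denied, no-listener or ok."""
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return "missing"            # analysisd never created it: not started?
    except PermissionError:
        return "permission-denied"  # cannot even reach the path
    if not stat.S_ISSOCK(st.st_mode):
        return "not-a-socket"       # something else was left at that path
    s = socket.socket(socket.AF_UNIX, socket.SOCK_DGRAM)
    try:
        s.connect(path)             # same call the OSSEC daemons make
        return "ok"
    except PermissionError:
        return "permission-denied"  # check owner/group ossec and the mode
    except OSError as e:
        if e.errno == errno.ECONNREFUSED:
            return "no-listener"    # file exists, analysisd is not bound to it
        raise
    finally:
        s.close()


def demo_states():
    """Reproduce the three common states on a throwaway socket path."""
    d = tempfile.mkdtemp()
    path = os.path.join(d, "queue")
    seen = [diagnose_queue(path)]               # nothing created yet
    srv = socket.socket(socket.AF_UNIX, socket.SOCK_DGRAM)
    srv.bind(path)                              # a stand-in for analysisd
    seen.append(diagnose_queue(path))
    srv.close()                                 # daemon gone, file stays
    seen.append(diagnose_queue(path))
    os.unlink(path)
    os.rmdir(d)
    return seen


if __name__ == "__main__":
    print("real queue:", diagnose_queue())
    print("demo:", demo_states())   # ['missing', 'ok', 'no-listener']
```

A "no-listener" result with the file owned by ossec:ossec, as in the ls output above, points at analysisd not running rather than at permissions, which is where starting the daemons one at a time with -df helps.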


[ossec-list] Teamviewer logs not consistent

2016-10-11 Thread Jacob Mcgrath
I am looking at logging Teamviewer logs on a Windows agent. The issue is 
the irregular output, like so.

673915615   Support Team    20-05-2016 19:37:51 20-05-2016 20:04:29 user    RemoteControl   {811FB7EC-E1EB-470A-B5EE-01E7290B7FDF}
151856824                   01-06-2016 19:30:36 01-06-2016 20:00:44 user    RemoteControl   {38164985-5201-4BFE-BF6E-32F2E770954E}
151856824                   02-06-2016 18:29:32 02-06-2016 18:47:33 user    RemoteControl   {22D28696-95C0-4AF8-9EBE-440580B85D65}
172856590   PCMust          16-08-2016 15:15:21 16-08-2016 15:22:54 user    RemoteControl   {934B2BDF-DB82-4113-9C60-9250A6E47A7A}
891956027   Afterworld      18-08-2016 18:13:27 18-08-2016 18:26:37 user    RemoteControl   {E4555287-A198-4D54-8851-67C2DF8EA5DD}


How would one go about regexing this type of output?


The stuff in blue would be the required data to pass to rulesets

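As an added example (not from the post, and not TeamViewer's or OSSEC's own code), here is a Python parser for the record layout quoted above: the display-name column is optional, which is what makes the output irregular, and the sample lines are constructed in that shape. OSSEC decoders use their own regex dialect, so this shows the field extraction and the edge case, not a drop-in decoder.

```python
# Added example, not from the thread: parse TeamViewer connection-log lines
# into the fields a ruleset would consume. The display-name column is the
# optional one that makes the output "irregular"; the sample is constructed
# in the shape of the lines quoted in the post (tab-separated).
import re
from datetime import datetime

TS = r"\d{2}-\d{2}-\d{4} \d{2}:\d{2}:\d{2}"      # DD-MM-YYYY HH:MM:SS
LINE = re.compile(
    r"^(?P<tv_id>\d+)\s+"                       # TeamViewer ID of the peer
    r"(?:(?P<name>[^\t]*?)\s+)?"                # optional display name (may hold spaces)
    r"(?P<start>" + TS + r")\s+"
    r"(?P<end>" + TS + r")\s+"
    r"(?P<user>\S+)\s+"                         # local Windows user
    r"(?P<kind>\S+)\s+"                         # e.g. RemoteControl
    r"\{(?P<guid>[0-9A-Fa-f-]{36})\}\s*$"       # connection ID
)

SAMPLE = (  # constructed lines; the second has an empty name column
    "673915615\tSupport Team\t20-05-2016 19:37:51\t20-05-2016 20:04:29"
    "\tuser\tRemoteControl\t{811FB7EC-E1EB-470A-B5EE-01E7290B7FDF}\n"
    "151856824\t\t01-06-2016 19:30:36\t01-06-2016 20:00:44"
    "\tuser\tRemoteControl\t{38164985-5201-4BFE-BF6E-32F2E770954E}\n"
    "172856590\tPCMust\t16-08-2016 15:15:21\t16-08-2016 15:22:54"
    "\tuser\tRemoteControl\t{934B2BDF-DB82-4113-9C60-9250A6E47A7A}\n"
    "not a connection record at all\n"
)


def parse_line(line):
    """Return the record as a dict, or None when the line does not fit."""
    m = LINE.match(line.rstrip("\r\n"))
    if not m:
        return None
    rec = m.groupdict()
    rec["name"] = rec["name"] or ""              # missing column -> empty string
    fmt = "%d-%m-%Y %H:%M:%S"
    start = datetime.strptime(rec["start"], fmt)
    end = datetime.strptime(rec["end"], fmt)
    rec["duration_s"] = int((end - start).total_seconds())
    return rec


def parse_log(text):
    """Parse every line, dropping lines that do not match instead of failing."""
    return [r for r in map(parse_line, text.splitlines()) if r]


if __name__ == "__main__":
    for r in parse_log(SAMPLE):
        print(r["tv_id"], repr(r["name"]), r["user"], r["kind"],
              r["duration_s"], r["guid"])
```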


[ossec-list] Can you explain remoted.recv_counter_flush and remoted.comp_average_printout?

2016-10-11 Thread Jon Goodgion
I would be super grateful if someone could explain what the 
*remoted.recv_counter_flush* and *remoted.comp_average_printout* options 
signify in the internal_options.conf file.

By default they are set to 128 and 1 respectively. How will it affect 
the system if I raise or lower these values?

I appreciate your help!



[ossec-list] Re: Simultaneous Events at 25 EPS, but Missing Alerts

2016-10-11 Thread Jon Goodgion
Hey there! I think it's actually due to the *remoted.verify_msg_id* option 
in internal_options.conf

Once I turned this off, messages were coming in out of order, but all 
messages were getting received!

On Tuesday, October 4, 2016 at 5:15:25 AM UTC-4, Pedro S wrote:
>
> Hi Jon,
>
> This is an interesting test, I think we can get a lot of useful 
> information from here.
>
> In my experience the bottleneck is probably the remoted socket/buffer or 
> logcollector's speed in reading each log line.
>
> For remoted, try enabling debug mode at the agent in the internal_options.conf 
> file: remoted.debug=2 and agent.debug=2. You will find in ossec.log each 
> line read by logcollector and sent to remoted; this way we can figure out 
> whether the problem is related to gathering/sending or later to 
> receiving/processing.
>
> In my tests I can see how everything is being pushed, but just a few 
> events are displayed in archives; I think OSSEC also has some protection 
> against multiple identical messages.
>
> 2016/10/04 11:07:39 ossec-agent: DEBUG: Sending message to server: 'test55'
> 2016/10/04 11:07:39 ossec-logcollector: DEBUG: Reading syslog message: 'test55'
> 2016/10/04 11:07:39 ossec-agent: DEBUG: Attempting to send message to server.
> 2016/10/04 11:07:39 ossec-agent: DEBUG: Sending message to server: 'test55'
> 2016/10/04 11:07:39 ossec-logcollector: DEBUG: Reading syslog message: 'test55'
> 2016/10/04 11:07:39 ossec-agent: DEBUG: Attempting to send message to server.
> 2016/10/04 11:07:39 ossec-agent: DEBUG: Sending message to server: 'test55'
> 2016/10/04 11:07:39 ossec-logcollector: DEBUG: Reading syslog message: 'test55'
> 2016/10/04 11:07:39 ossec-agent: DEBUG: Attempting to send message to server.
> 2016/10/04 11:07:39 ossec-agent: DEBUG: Sending message to server: 'test55'
> 2016/10/04 11:07:39 ossec-logcollector: DEBUG: Reading syslog message: 'test55'
> 2016/10/04 11:07:39 ossec-agent: DEBUG: Attempting to send message to server.
> 2016/10/04 11:07:39 ossec-agent: DEBUG: Sending message to server: 'test55'
> 2016/10/04 11:07:39 ossec-agent: DEBUG: Attempting to send message to server.
> 2016/10/04 11:07:39 ossec-agent: DEBUG: Sending message to server: '--MARK--: '
> 2016/10/04 11:07:43 ossec-agent: DEBUG: Attempting to send message to server.
>
> On Monday, October 3, 2016 at 8:27:04 PM UTC+2, Jon Goodgion wrote:
>>
>> I've been curious about the performance of OSSEC in a server/agent 
>> architecture, so I have been emulating simultaneous events on a single 
>> agent by appending log entries to the agent's syslog.
>>
>> Using a shell script for loop on the agent, I append 25 consecutive logs 
>> that match the format of a telnet failed password log. I figured 25 EPS 
>> should be easily captured by OSSEC.
>>
>> However, on the server, (after enabling logall to archives), it doesn't 
>> seem like it is processing all the logs. 
>> /var/ossec/logs/archives/archives.log shows:
>>
>> 2016 Oct 03 13:53:31 (agent101) 192.168.0.101->/var/log/syslog Oct 1 14:15:55 queen telnetd[*1*]: refused connect from 81.215.42.24
>> 2016 Oct 03 13:53:31 (agent101) 192.168.0.101->/var/log/syslog Oct 1 14:15:55 queen telnetd[*13*]: refused connect from 81.215.42.158
>> 2016 Oct 03 13:53:31 (agent101) 192.168.0.101->/var/log/syslog Oct 1 14:15:55 queen telnetd[14]: refused connect from 81.215.42.69
>> 2016 Oct 03 13:53:31 (agent101) 192.168.0.101->/var/log/syslog Oct 1 14:15:55 queen telnetd[15]: refused connect from 81.215.42.32
>> 2016 Oct 03 13:53:31 (agent101) 192.168.0.101->/var/log/syslog Oct 1 14:15:55 queen telnetd[16]: refused connect from 81.215.42.41
>> 2016 Oct 03 13:53:31 (agent101) 192.168.0.101->/var/log/syslog Oct 1 14:15:55 queen telnetd[17]: refused connect from 81.215.42.74
>> 2016 Oct 03 13:53:31 (agent101) 192.168.0.101->/var/log/syslog Oct 1 14:15:55 queen telnetd[18]: refused connect from 81.215.42.32
>> 2016 Oct 03 13:53:31 (agent101) 192.168.0.101->/var/log/syslog Oct 1 14:15:55 queen telnetd[19]: refused connect from 81.215.42.222
>> 2016 Oct 03 13:53:31 (agent101) 192.168.0.101->/var/log/syslog Oct 1 14:15:55 queen telnetd[20]: refused connect from 81.215.42.25
>> 2016 Oct 03 13:53:31 (agent101) 192.168.0.101->/var/log/syslog Oct 1 14:15:55 queen telnetd[21]: refused connect from 81.215.42.141
>> 2016 Oct 03 13:53:31 (agent101) 192.168.0.101->/var/log/syslog Oct 1 14:15:55 queen telnetd[22]: refused connect from 81.215.42.248
>> 2016 Oct 03 13:53:31 (agent101) 192.168.0.101->/var/log/syslog Oct 1 14:15:55 queen telnetd[23]: refused connect from 81.215.42.45
>> 2016 Oct 03 13:53:31 (agent101) 192.168.0.101->/var/log/syslog Oct 1 14:15:55 queen telnetd[24]: refused connect from 81.215.42.166
>> 2016 Oct 03 13:53:31 (agent101) 192.168.0.101->/var/log/syslog Oct 1 14:15:55 queen telnetd[25]: refused connect from 

[ossec-list] Same old song ERROR: Unable to access queue: '/var/ossec/queue/ossec/queue

2016-10-11 Thread Kernel Panic
Hi guys,
Yes, I've been reading about the error on the list, lots of cases, and I got it 
too but I ran out of ideas.

The log:

2016/10/11 13:04:40 ossec-syscheckd(1210): ERROR: Queue '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
2016/10/11 13:04:40 ossec-rootcheck(1210): ERROR: Queue '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
2016/10/11 13:04:46 ossec-logcollector(1210): ERROR: Queue '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
2016/10/11 13:04:46 ossec-logcollector(1211): ERROR: Unable to access queue: '/var/ossec/queue/ossec/queue'. Giving up..
2016/10/11 13:04:48 ossec-syscheckd(1210): ERROR: Queue '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
2016/10/11 13:04:48 ossec-rootcheck(1210): ERROR: Queue '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
2016/10/11 13:05:01 ossec-syscheckd(1210): ERROR: Queue '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
2016/10/11 13:05:01 ossec-rootcheck(1211): ERROR: Unable to access queue: '/var/ossec/queue/ossec/queue'. Giving up..

The queue
srw-rw. 1 ossec ossec 0 Oct 11 13:04 /var/ossec/queue/ossec/queue

Also read that local_rules may have issues; tested with -t and no errors 
displayed, also with xmllint.

xmllint local_rules.xml

--SNIP-

There is also a file under /var/ossec/etc/decoder.xml that seems not good, 
is that correct?
xmllint decoder.xml
decoder.xml:52: parser error : Extra content at the end of the document

^

And found this:

xmllint  ossec.conf
ossec.conf:74: parser error : Comment not terminated


Line 74, what's missing here?

 

72000

ossec-hids-2.8.3-53.el6.art.x86_64
ossec-hids-server-2.8.3-53.el6.art.x86_64
ossec-wui-0.8-4.el6.art.noarch

Thanks for your time and support
Regards










[ossec-list] Re: Ignore computer account logon and logoff

2016-10-11 Thread roberto . mendonca
Hi Jesus!

I discovered the error. It was not the @, it was a space in the field 
Account Name: host$; sometimes the log comes with an extra space in this 
field, and therefore it did not match the rule.
But I put a space in the regex.


It looked like this:
Account Name: \S+\$|Account Name:  \S+\$

Thanks a lot for the help!

On Tuesday, 11 October 2016 at 04:22:43 UTC-3, Jesus Linares wrote:
>
> I didn't test it, but it seems OSSEC tries to use "$\S+" as a variable.
>
> You could do something like:
> @domain
> Account Name: \S+\$
>
> Regards.
>
> On Monday, October 10, 2016 at 10:28:37 PM UTC+2, 
> roberto@phoebustecnologia.com.br wrote:
>>
>> hi!
>> I'm using this solution in my ossec. But I have another question.
>> I also wanted to ignore the following entry:
>> host$*@domain*
>>
>> Can anyone help?
>>
>> Already tried:
>>
>> Account Name: \S+\$@\S+
>> Account Name: \S+\$\S+
>> Account Name: \S+\$'@'\S+
>> Account Name: \S+\$\S+
>> Account Name: \S+\$\\S+
>> Account Name: \S+\$\\w
>>
>> Always gives error. For example, when I use the ossec-logtest:
>>
>> *XMLERR: Unknown variable: '\S+'..*  error for:
>> Account Name: \S+\$\S+
>>
>> * XMLERR: Unknown variable: '@\S+'..*  error for:
>> Account Name: \S+\$@\S+
>>
>>
>> On Tuesday, 17 April 2012 at 16:08:29 UTC-3, ash kumar wrote:
>>>
>>> This should do it
>>>
>>>User Name: \S+\$|Account Name: \S+\$
>>>
>>> Ash Kumar
>>>
>>> On Monday, April 9, 2012 4:04:16 PM UTC-4, (unknown) wrote:

>>>> Can someone help me with this rule to filter out computer logon and 
>>>> logoff events?  Since all computer accounts end with the $ I figured I 
>>>> could just filter on that, for example 
>>>>
>>>> WinEvtLog Rule: 18149 (level 3) -> 'Windows User Logoff.' Src IP: 
>>>> (none) User: *W-ABC-3ND88P1$* WinEvtLog: Security: AUDIT_SUCCESS(4634)
>>>>
>>>> Here is what I have but it is not working.  I have tried several 
>>>> variations of the regex but no luck with anything.  Sure it is something 
>>>> simple but I am just not hitting the right combination.
>>>>
>>>> 18149
>>>> User: w+ \$
>>>> Ignore machine logoff
>>>>
>>>> Thanks for the help.
>>>> Karl


>>>

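As an added example (not from the thread and not OSSEC's own code), here is the check the thread converged on, written in Python rather than in OSSEC's regex dialect so it can be run against sample lines: computer accounts end in "$", the Security log sometimes writes two spaces after "Account Name:", and some events carry "host$@domain". The event strings are constructed in the shape of the WinEvtLog fields quoted above; in an OSSEC rule the "$" still has to be escaped as "\$", as Jesus noted, because "$name" reads as a variable there.

```python
# Added example, not from the thread: the machine-account check the thread
# converged on, in Python. Machine accounts end in "$"; the Security log
# sometimes writes two spaces after "Account Name:", and some events carry
# "host$@domain", which is why the earlier one-space patterns missed events.
import re

ACCOUNT = re.compile(
    r"Account Name:\s+"              # \s+ covers the one- and two-space variants
    r"(?P<host>[^\s@$]+)\$"          # hostname followed by the literal $
    r"(?:@(?P<domain>[^\s@]+))?"     # optional @domain suffix
    r"(?=\s|$)"                      # nothing else glued to the account
)

SAMPLE_EVENTS = [  # constructed, in the shape of the quoted WinEvtLog fields
    "WinEvtLog: Security: AUDIT_SUCCESS(4634) Account Name: W-ABC-3ND88P1$  Account Domain: CORP",
    "WinEvtLog: Security: AUDIT_SUCCESS(4624) Account Name:  W-ABC-3ND88P1$  Account Domain: CORP",
    "WinEvtLog: Security: AUDIT_SUCCESS(4624) Account Name: W-ABC-3ND88P1$@corp.example Logon Type: 3",
    "WinEvtLog: Security: AUDIT_SUCCESS(4634) Account Name: jdoe  Account Domain: CORP",
    "WinEvtLog: Security: AUDIT_FAILURE(4625) Account Name: pay$roll  Account Domain: CORP",
]


def machine_account(event):
    """Return (hostname, domain or None) for a computer account, else None."""
    m = ACCOUNT.search(event)
    if not m:
        return None
    return m.group("host"), m.group("domain")


def should_ignore(event):
    """Mirror the thread's ignore rule: suppress only computer-account events."""
    return machine_account(event) is not None


def triage(events):
    """Pair each event with the ignore decision, for a quick review of a log."""
    return [(e, should_ignore(e)) for e in events]


if __name__ == "__main__":
    for event, ignored in triage(SAMPLE_EVENTS):
        print("ignore" if ignored else "keep  ", machine_account(event), "|", event)
```

Note that a "$" in the middle of a user name (the pay$roll line) is deliberately not treated as a computer account, so the suppression stays narrow.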


[ossec-list] Re: Ignore computer account logon and logoff

2016-10-11 Thread Jesus Linares
I didn't test it, but it seems OSSEC tries to use "$\S+" as a variable.

You could do something like:
@domain
Account Name: \S+\$

Regards.

On Monday, October 10, 2016 at 10:28:37 PM UTC+2, 
roberto@phoebustecnologia.com.br wrote:
>
> hi!
> I'm using this solution in my ossec. But I have another question.
> I also wanted to ignore the following entry:
> host$*@domain*
>
> Can anyone help?
>
> Already tried:
>
> Account Name: \S+\$@\S+
> Account Name: \S+\$\S+
> Account Name: \S+\$'@'\S+
> Account Name: \S+\$\S+
> Account Name: \S+\$\\S+
> Account Name: \S+\$\\w
>
> Always gives error. For example, when I use the ossec-logtest:
>
> *XMLERR: Unknown variable: '\S+'..*  error for:
> Account Name: \S+\$\S+
>
> * XMLERR: Unknown variable: '@\S+'..*  error for:
> Account Name: \S+\$@\S+
>
>
> On Tuesday, 17 April 2012 at 16:08:29 UTC-3, ash kumar wrote:
>>
>> This should do it
>>
>>User Name: \S+\$|Account Name: \S+\$
>>
>> Ash Kumar
>>
>> On Monday, April 9, 2012 4:04:16 PM UTC-4, (unknown) wrote:
>>>
>>> Can someone help me with this rule to filter out computer logon and 
>>> logoff events?  Since all computer accounts end with the $ I figured I 
>>> could just filter on that, for example 
>>>
>>> WinEvtLog Rule: 18149 (level 3) -> 'Windows User Logoff.' Src IP: (none) 
>>> User: *W-ABC-3ND88P1$* WinEvtLog: Security: AUDIT_SUCCESS(4634)
>>>
>>>
>>> Here is what I have but it is not working.  I have tried several 
>>> variations of the regex but no luck with anything.  Sure it is something 
>>> simple but I am just not hitting the right combination.
>>>
>>>   
>>> 18149
>>> User: w+ \$
>>> Ignore machine logoff
>>>   
>>>
>>> Thanks for the help.
>>> Karl
>>>
>>>
>>
