Re: [ossec-list] Same old song ERROR: Unable to access queue: '/var/ossec/queue/ossec/queue
On Oct 11, 2016 2:22 PM, "Kernel Panic" wrote:
>
> Hi guys,
> Yes, I've been reading the error on the list, lots of cases and I got it too but I run out of idea.
>
> The log:
>

Are there any errors before these messages? Maybe try starting the daemons manually one at a time (with -df) to see which fails.

> 2016/10/11 13:04:40 ossec-syscheckd(1210): ERROR: Queue '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
> 2016/10/11 13:04:40 ossec-rootcheck(1210): ERROR: Queue '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
> 2016/10/11 13:04:46 ossec-logcollector(1210): ERROR: Queue '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
> 2016/10/11 13:04:46 ossec-logcollector(1211): ERROR: Unable to access queue: '/var/ossec/queue/ossec/queue'. Giving up..
> 2016/10/11 13:04:48 ossec-syscheckd(1210): ERROR: Queue '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
> 2016/10/11 13:04:48 ossec-rootcheck(1210): ERROR: Queue '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
> 2016/10/11 13:05:01 ossec-syscheckd(1210): ERROR: Queue '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
> 2016/10/11 13:05:01 ossec-rootcheck(1211): ERROR: Unable to access queue: '/var/ossec/queue/ossec/queue'. Giving up..
>
> The queue
> srw-rw. 1 ossec ossec 0 Oct 11 13:04 /var/ossec/queue/ossec/queue
>
> Also read the local_rules may have issues, tested with -t and no errors displayed also with xmllint
>
> xmllint local_rules.xml
>
> --SNIP-
>
> There is a file also under /var/ossec/etc/decoder.xml that seems not good, is that correct?
> xmllint decoder.xml
> decoder.xml:52: parser error : Extra content at the end of the document
>
> ^

Did you modify this file? Does `ossec-logtest -t` complain about it?

> And found this:
>
> xmllint ossec.conf
> ossec.conf:74: parser error : Comment not terminated
>
> Line 74, what's missing here?

I see the "-->" there. Right after "hours."

xmllint doesn't apply to ossec.

> 72000
>
> ossec-hids-2.8.3-53.el6.art.x86_64
> ossec-hids-server-2.8.3-53.el6.art.x86_64
> ossec-wui-0.8-4.el6.art.noarch
>
> Thanks for your time and support
> Regards

--
---
You received this message because you are subscribed to the Google Groups "ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to ossec-list+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
[ossec-list] Teamviewer logs not consistent
I am looking at logging Teamviewer logs on a Windows agent. The issue is the irregular output, like so:

673915615 Support Team20-05-2016 19:37:51 20-05-2016 20:04:29 userRemoteControl {811FB7EC-E1EB-470A-B5EE-01E7290B7FDF}
151856824 01-06-2016 19:30:36 01-06-2016 20:00:44 user RemoteControl {38164985-5201-4BFE-BF6E-32F2E770954E}
151856824 02-06-2016 18:29:32 02-06-2016 18:47:33 user RemoteControl {22D28696-95C0-4AF8-9EBE-440580B85D65}
172856590 PCMust 16-08-2016 15:15:21 16-08-2016 15:22:54 user RemoteControl {934B2BDF-DB82-4113-9C60-9250A6E47A7A}
891956027 Afterworld 18-08-2016 18:13:27 18-08-2016 18:26:37 userRemoteControl {E4555287-A198-4D54-8851-67C2DF8EA5DD}

How would one go about regexing this type of output? The stuff in blue would be the required data to pass to rulesets
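One way to parse those records, as an added example that is not part of the post or of OSSEC: the irregularity is an optional display name that may itself contain spaces, so the pattern anchors on the two timestamps instead of counting fields. The sample lines are constructed to mirror the post, and it is an assumption here that the real TeamViewer connection log is tab-separated (which would explain the run-together tokens above); the parser accepts tabs or spaces.

```python
import re
from datetime import datetime

# Constructed lines in the layout of the post; assumption: the real file is
# tab-separated, which is why some fields ran together in the quoted output.
SAMPLE = "\n".join([
    "673915615\tSupport Team\t20-05-2016 19:37:51\t20-05-2016 20:04:29\tuser\tRemoteControl\t{811FB7EC-E1EB-470A-B5EE-01E7290B7FDF}",
    "151856824\t\t01-06-2016 19:30:36\t01-06-2016 20:00:44\tuser\tRemoteControl\t{38164985-5201-4BFE-BF6E-32F2E770954E}",
    "172856590 PCMust 16-08-2016 15:15:21 16-08-2016 15:22:54 user RemoteControl {934B2BDF-DB82-4113-9C60-9250A6E47A7A}",
    "garbage line that should be reported, not silently dropped",
])

TS = r"\d{2}-\d{2}-\d{4} \d{2}:\d{2}:\d{2}"
# Anchoring on the two timestamps lets the display name be absent or contain spaces.
LINE_RE = re.compile(
    r"^(?P<remote_id>\d+)\s+"
    r"(?:(?P<remote_name>.*?)\s+)?"
    rf"(?P<start>{TS})\s+(?P<end>{TS})\s+"
    r"(?P<local_user>\S+)\s+(?P<mode>\S+)\s+"
    r"\{(?P<session_id>[0-9A-Fa-f-]{36})\}\s*$"
)
FMT = "%d-%m-%Y %H:%M:%S"

def parse_connections(text):
    """Return one dict per non-empty line; unparsable lines keep the raw text and an 'error' key."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        m = LINE_RE.match(line)
        if not m:
            records.append({"raw": line, "error": "unparsed"})
            continue
        start = datetime.strptime(m["start"], FMT)
        end = datetime.strptime(m["end"], FMT)
        records.append({
            "remote_id": m["remote_id"],
            "remote_name": (m["remote_name"] or "").strip() or None,
            "start": start,
            "end": end,
            "duration_s": int((end - start).total_seconds()),
            "local_user": m["local_user"],
            "mode": m["mode"],
            "session_id": m["session_id"].upper(),
        })
    return records

if __name__ == "__main__":
    for record in parse_connections(SAMPLE):
        print(record)
```

The extracted fields (remote ID, session duration, session GUID) are the ones a decoder would hand to rules; unparsed lines are returned rather than dropped so a format change shows up instead of silently losing events.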
[ossec-list] Can you explain remoted.recv_counter_flush and remoted.comp_average_printout?
I would be super grateful if someone could explain what the *remoted.recv_counter_flush* and *remoted.comp_average_printout* options signify in the internal_options.conf file. By default they are set to 128 and 1 respectively. How will it affect the system if I raise or lower these values? I appreciate your help!
[ossec-list] Re: Simultaneous Events at 25 EPS, but Missing Alerts
Hey there! I think it's actually due to the *remoted.verify_msg_id* option in internal_options.conf. Once I turned this off, messages were coming in out of order, but all messages were getting received!

On Tuesday, October 4, 2016 at 5:15:25 AM UTC-4, Pedro S wrote:
>
> Hi Jon,
>
> This is an interesting test, I think we can get a lot of useful information from here.
>
> In my experience probably the bottleneck is on remoted socket/buffer or logcollector speed performance to read each log line.
>
> For Remoted, try to enable debug mode at the agent, internal_options.conf file, remoted.debug=2, and agent.debug=2. You will find at ossec.log each line read by logcollector and sent to remoted, this way we can figure out if the problem is related to gathering/sending or lately receiving/processing.
>
> On my tests I can see how everything is being pushed, but just a few events on archives are displayed, I think OSSEC also has some protection for multiple identical messages.
>
>> 2016/10/04 11:07:39 ossec-agent: DEBUG: Sending message to server: 'test55'
>> 2016/10/04 11:07:39 ossec-logcollector: DEBUG: Reading syslog message: 'test55'
>> 2016/10/04 11:07:39 ossec-agent: DEBUG: Attempting to send message to server.
>> 2016/10/04 11:07:39 ossec-agent: DEBUG: Sending message to server: 'test55'
>> 2016/10/04 11:07:39 ossec-logcollector: DEBUG: Reading syslog message: 'test55'
>> 2016/10/04 11:07:39 ossec-agent: DEBUG: Attempting to send message to server.
>> 2016/10/04 11:07:39 ossec-agent: DEBUG: Sending message to server: 'test55'
>> 2016/10/04 11:07:39 ossec-logcollector: DEBUG: Reading syslog message: 'test55'
>> 2016/10/04 11:07:39 ossec-agent: DEBUG: Attempting to send message to server.
>> 2016/10/04 11:07:39 ossec-agent: DEBUG: Sending message to server: 'test55'
>> 2016/10/04 11:07:39 ossec-logcollector: DEBUG: Reading syslog message: 'test55'
>> 2016/10/04 11:07:39 ossec-agent: DEBUG: Attempting to send message to server.
>> 2016/10/04 11:07:39 ossec-agent: DEBUG: Sending message to server: 'test55'
>> 2016/10/04 11:07:39 ossec-agent: DEBUG: Attempting to send message to server.
>> 2016/10/04 11:07:39 ossec-agent: DEBUG: Sending message to server: '--MARK--: '
>> 2016/10/04 11:07:43 ossec-agent: DEBUG: Attempting to send message to server.
>
> On Monday, October 3, 2016 at 8:27:04 PM UTC+2, Jon Goodgion wrote:
>>
>> I've been curious about the performance of OSSEC in a server/agent architecture, so I have been emulating simultaneous events on a single agent by appending log entries to the agent's syslog.
>>
>> Using a shell script for loop on the agent, I append 25 consecutive logs that match the format of a telnet failed password log. I figured 25 EPS should be easily captured by OSSEC.
>>
>> However, on the server (after enabling logall to archives), it doesn't seem like it is processing all the logs.
>> /var/ossec/logs/archives/archives.log shows:
>>
>> 2016 Oct 03 13:53:31 (agent101) 192.168.0.101->/var/log/syslog Oct 1 14:15:55 queen telnetd[*1*]: refused connect from 81.215.42.24
>> 2016 Oct 03 13:53:31 (agent101) 192.168.0.101->/var/log/syslog Oct 1 14:15:55 queen telnetd[*13*]: refused connect from 81.215.42.158
>> 2016 Oct 03 13:53:31 (agent101) 192.168.0.101->/var/log/syslog Oct 1 14:15:55 queen telnetd[14]: refused connect from 81.215.42.69
>> 2016 Oct 03 13:53:31 (agent101) 192.168.0.101->/var/log/syslog Oct 1 14:15:55 queen telnetd[15]: refused connect from 81.215.42.32
>> 2016 Oct 03 13:53:31 (agent101) 192.168.0.101->/var/log/syslog Oct 1 14:15:55 queen telnetd[16]: refused connect from 81.215.42.41
>> 2016 Oct 03 13:53:31 (agent101) 192.168.0.101->/var/log/syslog Oct 1 14:15:55 queen telnetd[17]: refused connect from 81.215.42.74
>> 2016 Oct 03 13:53:31 (agent101) 192.168.0.101->/var/log/syslog Oct 1 14:15:55 queen telnetd[18]: refused connect from 81.215.42.32
>> 2016 Oct 03 13:53:31 (agent101) 192.168.0.101->/var/log/syslog Oct 1 14:15:55 queen telnetd[19]: refused connect from 81.215.42.222
>> 2016 Oct 03 13:53:31 (agent101) 192.168.0.101->/var/log/syslog Oct 1 14:15:55 queen telnetd[20]: refused connect from 81.215.42.25
>> 2016 Oct 03 13:53:31 (agent101) 192.168.0.101->/var/log/syslog Oct 1 14:15:55 queen telnetd[21]: refused connect from 81.215.42.141
>> 2016 Oct 03 13:53:31 (agent101) 192.168.0.101->/var/log/syslog Oct 1 14:15:55 queen telnetd[22]: refused connect from 81.215.42.248
>> 2016 Oct 03 13:53:31 (agent101) 192.168.0.101->/var/log/syslog Oct 1 14:15:55 queen telnetd[23]: refused connect from 81.215.42.45
>> 2016 Oct 03 13:53:31 (agent101) 192.168.0.101->/var/log/syslog Oct 1 14:15:55 queen telnetd[24]: refused connect from 81.215.42.166
>> 2016 Oct 03 13:53:31 (agent101) 192.168.0.101->/var/log/syslog Oct 1 14:15:55 queen telnetd[25]: refused connect from
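A way to measure what Jon eyeballed in archives.log (which of the 25 generated events reached the server), added here as an example that is not part of the thread or of OSSEC: parse the archives.log prefix (date, agent name, source IP and log location, then the original line), pull the loop index out of `telnetd[N]`, and list the indices that never arrived. The excerpt is constructed to mirror the quoted lines, with one line from a second agent to show the filter.

```python
import re

# Constructed archives.log excerpt in the layout quoted above; the telnetd[N]
# counter was the agent-side loop index, so any N in 1..25 absent here was lost.
ARCHIVES = """\
2016 Oct 03 13:53:31 (agent101) 192.168.0.101->/var/log/syslog Oct 1 14:15:55 queen telnetd[1]: refused connect from 81.215.42.24
2016 Oct 03 13:53:31 (agent101) 192.168.0.101->/var/log/syslog Oct 1 14:15:55 queen telnetd[13]: refused connect from 81.215.42.158
2016 Oct 03 13:53:31 (agent101) 192.168.0.101->/var/log/syslog Oct 1 14:15:55 queen telnetd[14]: refused connect from 81.215.42.69
2016 Oct 03 13:53:31 (agent101) 192.168.0.101->/var/log/syslog Oct 1 14:15:55 queen telnetd[15]: refused connect from 81.215.42.32
2016 Oct 03 13:53:31 (agent102) 192.168.0.102->/var/log/syslog Oct 1 14:15:55 drone telnetd[2]: refused connect from 81.215.42.24
"""

# archives.log prefix: "<date> (<agent>) <ip>-><location> <original line>"
ARCHIVE_RE = re.compile(
    r"^\d{4} \w{3} \d{2} \d{2}:\d{2}:\d{2} \((?P<agent>[^)]+)\) "
    r"(?P<ip>\S+)->(?P<location>\S+) (?P<msg>.*)$"
)
COUNTER_RE = re.compile(r"telnetd\[(\d+)\]:")

def delivered_counters(text, agent):
    """Set of loop indices that reached the server from the given agent."""
    seen = set()
    for line in text.splitlines():
        m = ARCHIVE_RE.match(line)
        if not m or m["agent"] != agent:
            continue
        c = COUNTER_RE.search(m["msg"])
        if c:
            seen.add(int(c.group(1)))
    return seen

def missing_counters(text, agent, expected):
    """Loop indices in 1..expected with no matching line in archives.log."""
    return sorted(set(range(1, expected + 1)) - delivered_counters(text, agent))

def delivery_report(text, agent, expected):
    """Summary a test run can be judged on: how many of the expected events arrived."""
    missing = missing_counters(text, agent, expected)
    return {"expected": expected, "received": expected - len(missing), "missing": missing}

if __name__ == "__main__":
    print(delivery_report(ARCHIVES, "agent101", 25))
```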
[ossec-list] Same old song ERROR: Unable to access queue: '/var/ossec/queue/ossec/queue
Hi guys,
Yes, I've been reading the error on the list, lots of cases and I got it too but I run out of idea.

The log:

2016/10/11 13:04:40 ossec-syscheckd(1210): ERROR: Queue '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
2016/10/11 13:04:40 ossec-rootcheck(1210): ERROR: Queue '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
2016/10/11 13:04:46 ossec-logcollector(1210): ERROR: Queue '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
2016/10/11 13:04:46 ossec-logcollector(1211): ERROR: Unable to access queue: '/var/ossec/queue/ossec/queue'. Giving up..
2016/10/11 13:04:48 ossec-syscheckd(1210): ERROR: Queue '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
2016/10/11 13:04:48 ossec-rootcheck(1210): ERROR: Queue '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
2016/10/11 13:05:01 ossec-syscheckd(1210): ERROR: Queue '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
2016/10/11 13:05:01 ossec-rootcheck(1211): ERROR: Unable to access queue: '/var/ossec/queue/ossec/queue'. Giving up..

The queue
srw-rw. 1 ossec ossec 0 Oct 11 13:04 /var/ossec/queue/ossec/queue

Also read the local_rules may have issues, tested with -t and no errors displayed also with xmllint

xmllint local_rules.xml

--SNIP-

There is a file also under /var/ossec/etc/decoder.xml that seems not good, is that correct?
xmllint decoder.xml
decoder.xml:52: parser error : Extra content at the end of the document

^

And found this:

xmllint ossec.conf
ossec.conf:74: parser error : Comment not terminated

Line 74, what's missing here?

72000

ossec-hids-2.8.3-53.el6.art.x86_64
ossec-hids-server-2.8.3-53.el6.art.x86_64
ossec-wui-0.8-4.el6.art.noarch

Thanks for your time and support
Regards
[ossec-list] Re: Ignore computer account logon and logoff
Hi Jesus!

I discovered the error. It was not the @, it was a space in the field Account Name: host$, sometimes the log comes with an extra space in this field, and therefore it did not fall in the rule. But I put a space in the regex. It looked like this:

Account Name: \S+\$|Account Name: \S+\$

Thanks a lot for the help!

On Tuesday, 11 October 2016 04:22:43 UTC-3, Jesus Linares wrote:
>
> I didn't test it, but it seems OSSEC tries to use "$\S+" as a variable.
>
> You could do something like:
> @domain
> Account Name: \S+\$
>
> Regards.
>
> On Monday, October 10, 2016 at 10:28:37 PM UTC+2, roberto@phoebustecnologia.com.br wrote:
>>
>> hi!
>> I'm using this solution in my ossec. But I have another question.
>> I also wanted to ignore the following entry:
>> host$*@domain*
>>
>> Can anyone help?
>>
>> Already tried:
>>
>> Account Name: \S+\$@\S+
>> Account Name: \S+\$\S+
>> Account Name: \S+\$'@'\S+
>> Account Name: \S+\$\S+
>> Account Name: \S+\$\\S+
>> Account Name: \S+\$\\w
>>
>> Always gives error. For example, when I use the ossec-logtest:
>>
>> *XMLERR: Unknown variable: '\S+'..* error for:
>> Account Name: \S+\$\S+
>>
>> * XMLERR: Unknown variable: '@\S+'..* error for:
>> Account Name: \S+\$@\S+
>>
>>
>> On Tuesday, 17 April 2012 16:08:29 UTC-3, ash kumar wrote:
>>>
>>> This should do it
>>>
>>> User Name: \S+\$|Account Name: \S+\$
>>>
>>> Ash Kumar
>>>
>>> On Monday, April 9, 2012 4:04:16 PM UTC-4, (unknown) wrote:
>>>
>>> Can someone help me with this rule to filter out computer logon and logoff events? Since all computer accounts end with the $ I figured I could just filter on that, for example
>>>
>>> WinEvtLog Rule: 18149 (level 3) -> 'Windows User Logoff.' Src IP: (none) User: *W-ABC-3ND88P1$* WinEvtLog: Security: AUDIT_SUCCESS(4634)
>>>
>>> Here is what I have but it is not working. I have tried several variations of the regex but no luck with anything. Sure it is something simple but I am just not hitting the right combination.
>>>
>>> 18149
>>> User: w+ \$
>>> Ignore machine logoff
>>>
>>> Thanks for the help.
>>> Karl
>>>
>>> The information transmitted is intended only for the person or entity to which it is addressed and may contain confidential and/or privileged material. Any review, retransmission, dissemination or other use of, or taking of any action in reliance upon this information by persons or entities other than the intended recipient is prohibited. If you received this in error, please contact the sender and destroy any copies of this document.
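To see the whitespace problem Roberto ran into, here is an added example (not from the thread and not OSSEC's own engine) that runs the two candidate patterns over constructed 4634-style event fragments. Python's `re` is used as a stand-in: `\S`, `\s`, `+` and `\$` carry the same meaning inside an OSSEC `<regex>`, but OSSEC's `$variable` expansion in the rules XML, which produced the "Unknown variable" errors above, is not reproduced here. The event text and domain are constructed.

```python
import re

# Constructed event fragments in the layout quoted in the thread; the second
# one carries the extra space after "Account Name:" that caused the missed match.
EVENTS = [
    "Account Name: W-ABC-3ND88P1$ Account Domain: CORP Logon ID: 0x3e7",
    "Account Name:  W-ABC-3ND88P1$ Account Domain: CORP Logon ID: 0x3e7",
    "Account Name: W-ABC-3ND88P1$@corp.example Account Domain: CORP",
    "Account Name: alice Account Domain: CORP Logon ID: 0x5f2",
]

# The pattern as first written in the thread: exactly one space is allowed.
ORIGINAL = re.compile(r"Account Name: \S+\$")
# Accepting any run of whitespace covers the extra-space variant. \S+\$ already
# matches "host$@domain": \S+ backtracks to stop just before the "$".
TOLERANT = re.compile(r"Account Name:\s+(?P<account>\S+\$)")

def classify(events, pattern):
    """True for each event the pattern would treat as a machine-account logon/logoff."""
    return [pattern.search(e) is not None for e in events]

def machine_account(event):
    """The account token ending in $ that the tolerant pattern extracts, or None."""
    m = TOLERANT.search(event)
    return m.group("account") if m else None

if __name__ == "__main__":
    for e, a, b in zip(EVENTS, classify(EVENTS, ORIGINAL), classify(EVENTS, TOLERANT)):
        print(f"original={a!s:5} tolerant={b!s:5} account={machine_account(e)!r}  {e}")
```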
[ossec-list] Re: Ignore computer account logon and logoff
I didn't test it, but it seems OSSEC tries to use "$\S+" as a variable.

You could do something like:
@domain
Account Name: \S+\$

Regards.

On Monday, October 10, 2016 at 10:28:37 PM UTC+2, roberto@phoebustecnologia.com.br wrote:
>
> hi!
> I'm using this solution in my ossec. But I have another question.
> I also wanted to ignore the following entry:
> host$*@domain*
>
> Can anyone help?
>
> Already tried:
>
> Account Name: \S+\$@\S+
> Account Name: \S+\$\S+
> Account Name: \S+\$'@'\S+
> Account Name: \S+\$\S+
> Account Name: \S+\$\\S+
> Account Name: \S+\$\\w
>
> Always gives error. For example, when I use the ossec-logtest:
>
> *XMLERR: Unknown variable: '\S+'..* error for:
> Account Name: \S+\$\S+
>
> * XMLERR: Unknown variable: '@\S+'..* error for:
> Account Name: \S+\$@\S+
>
>
> On Tuesday, 17 April 2012 16:08:29 UTC-3, ash kumar wrote:
>>
>> This should do it
>>
>> User Name: \S+\$|Account Name: \S+\$
>>
>> Ash Kumar
>>
>> On Monday, April 9, 2012 4:04:16 PM UTC-4, (unknown) wrote:
>>>
>>> Can someone help me with this rule to filter out computer logon and logoff events? Since all computer accounts end with the $ I figured I could just filter on that, for example
>>>
>>> WinEvtLog Rule: 18149 (level 3) -> 'Windows User Logoff.' Src IP: (none) User: *W-ABC-3ND88P1$* WinEvtLog: Security: AUDIT_SUCCESS(4634)
>>>
>>> Here is what I have but it is not working. I have tried several variations of the regex but no luck with anything. Sure it is something simple but I am just not hitting the right combination.
>>>
>>> 18149
>>> User: w+ \$
>>> Ignore machine logoff
>>>
>>> Thanks for the help.
>>> Karl