I've recently set up my ossec server to output alerts to a json file. I'm
sending it over to logstash and elasticsearch. I'd like to create a kibana
dashboard that defines individual ossec agent hosts.
The issue is that the json doesn't have its own dedicated field for agent
host. Here's an
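Added example, not code from the original post: one way to give each alert a dedicated agent field before it reaches Logstash is to split the alert's `location` string, which for agent alerts carries the agent name and IP in front of the log source. The `(agent) ip->source` and `host->source` layouts, the sample alert lines and the `agent_name`/`agent_ip`/`log_source` key names are assumptions here (the page never shows its JSON), so check the regex against your own alerts.json before relying on it.

```python
import json
import re

# Assumed OSSEC "location" layouts (not shown on the original page):
#   agent alert : "(agentname) 10.0.0.5->/var/log/messages"
#   server-local: "ossec-server->/var/log/auth.log"
AGENT_LOC = re.compile(r"^\((?P<agent>[^)]+)\) (?P<ip>\S+)->(?P<source>.+)$")
LOCAL_LOC = re.compile(r"^(?P<agent>[^>\s]+)->(?P<source>.+)$")


def split_location(location):
    """Return (agent_name, agent_ip, log_source) parsed from an OSSEC location string.

    agent_ip is None for alerts generated on the server itself; an
    unrecognised layout yields (None, None, location) so nothing is silently
    mis-attributed to the wrong host.
    """
    m = AGENT_LOC.match(location)
    if m:
        return m.group("agent"), m.group("ip"), m.group("source")
    m = LOCAL_LOC.match(location)
    if m:
        return m.group("agent"), None, m.group("source")
    return None, None, location


def enrich_alert(raw_line):
    """Parse one JSON alert line and add agent_name / agent_ip / log_source keys."""
    alert = json.loads(raw_line)
    name, ip, source = split_location(alert.get("location", ""))
    alert["agent_name"] = name
    alert["agent_ip"] = ip
    alert["log_source"] = source
    return alert


def agents_seen(raw_lines):
    """Distinct agent names in a batch of alert lines (the facet a per-agent dashboard needs)."""
    names = set()
    for line in raw_lines:
        name = enrich_alert(line)["agent_name"]
        if name:
            names.add(name)
    return sorted(names)


# Constructed sample alerts (hypothetical hosts and addresses, not captured from a real server).
SAMPLE_ALERTS = [
    '{"rule":{"level":5,"comment":"Attempt to login using a non-existent user","sidid":5710},'
    '"location":"(solaris01) 10.10.20.5->/var/log/messages","srcip":"10.188.62.176"}',
    '{"rule":{"level":3,"comment":"Login session opened.","sidid":5501},'
    '"location":"ossec-server->/var/log/auth.log"}',
    '{"rule":{"level":7,"comment":"Integrity checksum changed.","sidid":550},'
    '"location":"(solaris01) 10.10.20.5->syscheck"}',
]

if __name__ == "__main__":
    for line in SAMPLE_ALERTS:
        a = enrich_alert(line)
        print(a["agent_name"], a["agent_ip"], a["log_source"])
    print(agents_seen(SAMPLE_ALERTS))
```

The same split can be done inside Logstash with a grok filter on the `location` field (a pattern along the lines of `^\(%{DATA:agent_name}\) %{IP:agent_ip}->%{GREEDYDATA:log_source}$`), which avoids a pre-processing step; either way, give Kibana a keyword field per agent rather than relying on free-text search over `location`.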
Is it necessary to monitor /var/log/messages to catch the "illegal user" message
so the AR script begins to run?
From: Adiel Navarro [mailto:adiel.nava...@mail.telcel.com]
Sent: Wednesday, October 19, 2016 02:31 p.m.
To: 'ossec-list@googlegroups.com'
Subject: RE:
Here is the whole sequence of events:
Oct 19 09:56:29 sshd[26260]: [ID 800047 auth.info] Illegal user vpn6006 from
10.188.62.176
Oct 19 09:56:29 sshd[26260]: [ID 800047 auth.info] input_userauth_request:
illegal user vpn6006
Oct 19 09:56:29 sshd[26260]: [ID 800047 auth.info] Failed none for
On Oct 19, 2016 1:40 PM, "Adiel Navarro"
wrote:
> I got configured the next rule_id
> 5712
> And checking ssh_rules.sh, I see the rule 5712:
> 5710
> SSHD brute force trying to get access to the system.
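Added example, not code from the original thread or from OSSEC: a small correlator that replays the sequence of sshd events quoted above through the two rules under discussion. Rule 5710 matches "illegal user|invalid user"; rule 5712 fires when enough 5710 matches arrive from the same source IP inside a time window, and only then does the firewall-drop active response run (and, with a timeout, get undone later). The frequency 6 / timeframe 120 / ignore 60 parameters are assumed to match the stock rule in ssh_rules.xml, the 1800-second timeout comes from the config in this thread, and the log lines after the first one are constructed. OSSEC's own counter semantics differ in detail, so treat the threshold as illustrative; the point is that the AR cannot start until the log carrying the "Illegal user" lines is being collected and the source has repeated itself.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sshd lines in the same Solaris syslog shape as the quoted sequence
# (first line is the one from the thread, the rest are made up for the example).
SAMPLE_LINES = [
    "Oct 19 09:56:29 sshd[26260]: [ID 800047 auth.info] Illegal user vpn6006 from 10.188.62.176",
    "Oct 19 09:56:31 sshd[26261]: [ID 800047 auth.info] Illegal user vpn6007 from 10.188.62.176",
    "Oct 19 09:56:33 sshd[26262]: [ID 800047 auth.info] Illegal user vpn6008 from 10.188.62.176",
    "Oct 19 09:56:35 sshd[26263]: [ID 800047 auth.info] Illegal user vpn6009 from 10.188.62.176",
    "Oct 19 09:56:37 sshd[26264]: [ID 800047 auth.info] Illegal user vpn6010 from 10.188.62.176",
    "Oct 19 09:56:39 sshd[26265]: [ID 800047 auth.info] Illegal user vpn6011 from 10.188.62.176",
    "Oct 19 09:56:40 sshd[26266]: [ID 800047 auth.info] Illegal user admin from 10.9.9.9",
    "Oct 19 10:10:00 sshd[26290]: [ID 800047 auth.info] Illegal user vpn7000 from 10.9.9.9",
]

# Timestamp, optional hostname, then the sshd program tag; everything after is the message.
SYSLOG = re.compile(r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) (?:\S+ )?sshd\[\d+\]: (?P<msg>.*)$")
# Rule 5710's match pattern; this example ignores case so "Illegal user" and "illegal user" both hit.
ILLEGAL = re.compile(r"(?i)(?:illegal|invalid) user (?P<user>\S+) from (?P<srcip>\S+)")


class BruteForceCorrelator:
    """Frequency/timeframe/same-source-ip correlation from rule 5710 into 5712, plus the AR it triggers."""

    def __init__(self, frequency=6, timeframe=120, ignore=60, ar_timeout=1800, year=2016):
        self.frequency = frequency                      # assumed stock value of rule 5712
        self.timeframe = timedelta(seconds=timeframe)   # assumed stock value of rule 5712
        self.ignore = timedelta(seconds=ignore)         # suppress re-firing for this long
        self.ar_timeout = timedelta(seconds=ar_timeout) # <timeout> from the thread's config
        self.year = year                                # syslog lines carry no year
        self.hits = defaultdict(deque)   # srcip -> timestamps of recent 5710 matches
        self.last_fire = {}              # srcip -> when 5712 last fired
        self.ar_actions = []             # (when, "add"|"delete", srcip) for firewall-drop

    def feed(self, line):
        """Return 5710, 5712 or None for one log line, recording any AR action scheduled."""
        m = SYSLOG.match(line)
        if not m:
            return None
        hit = ILLEGAL.search(m.group("msg"))
        if not hit:
            return None
        ts = datetime.strptime(f"{self.year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
        ip = hit.group("srcip")
        window = self.hits[ip]
        window.append(ts)
        while window and ts - window[0] > self.timeframe:   # drop hits outside the timeframe
            window.popleft()
        last = self.last_fire.get(ip)
        if len(window) >= self.frequency and (last is None or ts - last > self.ignore):
            self.last_fire[ip] = ts
            window.clear()
            # firewall-drop.sh is invoked with "add" now and "delete" once the timeout expires.
            self.ar_actions.append((ts, "add", ip))
            self.ar_actions.append((ts + self.ar_timeout, "delete", ip))
            return 5712
        return 5710


def run(lines, **kw):
    """Replay lines; return the per-line rule ids and the AR actions scheduled."""
    c = BruteForceCorrelator(**kw)
    return [c.feed(line) for line in lines], c.ar_actions


def ar_schedule(lines, **kw):
    """AR actions as (timestamp string, action, srcip) tuples, convenient for checking."""
    return [(t.strftime("%Y-%m-%d %H:%M:%S"), action, ip) for t, action, ip in run(lines, **kw)[1]]


if __name__ == "__main__":
    rules, actions = run(SAMPLE_LINES)
    for line, rule in zip(SAMPLE_LINES, rules):
        print(rule, line)
    for when, action, ip in actions:
        print(when, "firewall-drop", action, ip)
```

Reading the output against the thread: the sixth "Illegal user" from 10.188.62.176 is the one that turns a level-5 rule 5710 alert into rule 5712 and queues the block, while 10.9.9.9 never crosses the threshold and is left alone; on a real server the corresponding evidence is a line in /var/ossec/logs/active-responses.log naming firewall-drop.sh, the action and the source address.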
On Oct 19, 2016 12:08 PM, "Matt" wrote:
> Thank you both, I appreciate it.
> I added the config to the global file instead of the local file.
> So, I think realtime is behaving now, but not the rest. It's my
understanding the scan frequency for the agent is set on the
I got configured the next rule_id
5712
And checking ssh_rules.sh, I see the rule 5712:
5710
SSHD brute force trying to get access to
the system.
authentication_failures,
5700
illegal user|invalid user
Attempt to login using a
On Wed, Oct 19, 2016 at 1:02 PM, Adiel Navarro
wrote:
> How can I check the active-responses scripts are running?
>
If there are entries in the active-responses.log file, the scripts are running.
If there are not entries in the log, you need to figure out why.
>
How can I check the active-responses scripts are running?
In the agent, I have the next lines inserted in ossec.conf to watch the log
files:
<localfile>
  <log_format>syslog</log_format>
  <location>/var/ossec/logs/active-responses.log</location>
</localfile>
How can I configure the rule?
-Original Message-
From: ossec-list@googlegroups.com
On Wed, Oct 19, 2016 at 11:04 AM, Adiel Navarro
wrote:
> Question, Dan
>
> Active response works in Solaris systems?
>
It should, as long as you configure it I guess. I've never tried it.
>
>
>
> -Original Message-
> From: ossec-list@googlegroups.com
On Wed, Oct 19, 2016 at 12:48 PM, Adiel Navarro
wrote:
> How can I configure ossec to watch the active-responses.log file so it will fire an
> alert?
> Why active-responses.log is not writing?
>
If active-responses.log is empty, it's probably because no active
response
How can I configure ossec to watch the active-responses.log file so it will fire an
alert?
Why active-responses.log is not writing?
In agent:
<localfile>
  <log_format>syslog</log_format>
  <location>/var/ossec/logs/active-responses.log</location>
</localfile>
-bash-3.2# ls -l /var/ossec/logs
total 86
-rw-r--r-- 1 root root
Due to some other obligations I am unable to spend much time on this atm. Thanks
for your efforts. I might have some time tomorrow, if I am able to complete my
current task :-)
Thank you both, I appreciate it.
I added the config to the global file instead of the local file.
So, I think realtime is behaving now, but not the rest. It's my
understanding the scan frequency for the agent is set on the agent, not the
global level. I've set the agent to about an hour, but
Question, Dan
Active response works in Solaris systems?
-Original Message-
From: ossec-list@googlegroups.com [mailto:ossec-list@googlegroups.com] On behalf
of dan (ddp)
Sent: Wednesday, October 19, 2016 07:50 a.m.
To: ossec-list@googlegroups.com
Subject: Re: [ossec-list]
On Wed, Oct 19, 2016 at 8:43 AM, dan (ddp) wrote:
> On Tue, Oct 18, 2016 at 6:54 PM, Aj Navarro wrote:
>> Only I see the next messages in /var/ossec/logs/alerts/alerts.log
>>
>> ** Alert 1476724188.107242: mail - syslog,errors,
>>
>> 2016 Oct 17
On Tue, Oct 18, 2016 at 6:54 PM, Aj Navarro wrote:
> I tried to configure the next active response:
>
> On Ossec Server:
>
> <command>
>   <name>firewall-drop</name>
>   <executable>firewall-drop.sh</executable>
>   <expect>srcip</expect>
>   <timeout_allowed>yes</timeout_allowed>
> </command>
>
> <active-response>
>   <disabled>no</disabled>
>   <command>firewall-drop</command>
>   <location>defined-agent</location>
>   <agent_id>021</agent_id>
>   <rules_id>5712</rules_id>
>   <timeout>1800</timeout>
> </active-response>
>
> On
Hi Liam,
unfortunately Syscheck and Rootcheck features are run in the same process
and can't work together (at the same time). In short, the process works
looping over three steps:
1. Complete Syscheck scan.
2. Rootcheck test.
3. Real-time Syscheck monitoring.
So, every file changed