[ossec-list] ossec alert json missing dedicated agent host location

2016-10-19 Thread ron
I've recently set up my ossec server to output alerts to a json file. I'm sending it over to logstash and elasticsearch. I'd like to create a kibana dashboard that defines individual ossec agent hosts. The issue is that the json doesn't have its own dedicated field for agent host. Here's an

RE: [ossec-list] Active response

2016-10-19 Thread Adiel Navarro
Is it necessary to monitor /var/log/messages to catch the “illegal user” message for the AR script to begin to run? From: Adiel Navarro [mailto:adiel.nava...@mail.telcel.com] Sent: Wednesday, October 19, 2016 02:31 PM To: 'ossec-list@googlegroups.com' Subject: RE:

RE: [ossec-list] Active response

2016-10-19 Thread Adiel Navarro
Here is the whole sequence of events: Oct 19 09:56:29 sshd[26260]: [ID 800047 auth.info] Illegal user vpn6006 from 10.188.62.176 Oct 19 09:56:29 sshd[26260]: [ID 800047 auth.info] input_userauth_request: illegal user vpn6006 Oct 19 09:56:29 sshd[26260]: [ID 800047 auth.info] Failed none for

RE: [ossec-list] Active response

2016-10-19 Thread dan (ddp)
On Oct 19, 2016 1:40 PM, "Adiel Navarro" wrote: > > I have configured the next rule_id > > > > 5712 > > > > And checking ssh_rules.sh, I see the rule 5712: > > > > > > 5710 > > SSHD brute force trying to get access to > > the system. > > > >

Re: [ossec-list] Re: Unexpected FIM behavior

2016-10-19 Thread dan (ddp)
On Oct 19, 2016 12:08 PM, "Matt" wrote: > > Thank you both, I appreciate it. > > I added the config to the global file instead of the local file. > > So, I think realtime is behaving now, but not the rest. It's my understanding the scan frequency for the agent is set on the

RE: [ossec-list] Active response

2016-10-19 Thread Adiel Navarro
I have configured the next rule_id 5712 And checking ssh_rules.sh, I see the rule 5712: 5710 SSHD brute force trying to get access to the system. authentication_failures, 5700 illegal user|invalid user Attempt to login using a

Re: [ossec-list] Active response

2016-10-19 Thread dan (ddp)
On Wed, Oct 19, 2016 at 1:02 PM, Adiel Navarro wrote: > How can I check the active-responses scripts are running? > If there are entries in the active-responses.log file, the scripts are running. If there are not entries in the log, you need to figure out why. >

RE: [ossec-list] Active response

2016-10-19 Thread Adiel Navarro
How can I check the active-responses scripts are running? In the agent, I have the next lines inserted in ossec.conf to watch the log files: syslog /var/ossec/logs/active-responses.log How can I configure the rule? -Original Message- From: ossec-list@googlegroups.com

Re: [ossec-list] Active response

2016-10-19 Thread dan (ddp)
On Wed, Oct 19, 2016 at 11:04 AM, Adiel Navarro wrote: > Question, Dan > > Does active response work on Solaris systems? > It should, as long as you configure it I guess. I've never tried it. > > > > -Original Message- > From: ossec-list@googlegroups.com

Re: [ossec-list] Active response

2016-10-19 Thread dan (ddp)
On Wed, Oct 19, 2016 at 12:48 PM, Adiel Navarro wrote: > How can I configure ossec to watch the active-responses.log file so it will fire an > alert? > Why is active-responses.log not being written? > If active-responses.log is empty, it's probably because no active response

RE: [ossec-list] Active response

2016-10-19 Thread Adiel Navarro
How can I configure ossec to watch the active-responses.log file so it will fire an alert? Why is active-responses.log not being written? In agent: syslog /var/ossec/logs/active-responses.log -bash-3.2# ls -l /var/ossec/logs total 86 -rw-r--r-- 1 root root

Re: [ossec-list] Active response on server not working

2016-10-19 Thread Herman Harperink
Due to some other obligations I am unable to spend much time on this atm. Thanks for your efforts. I might have some time tomorrow, if I am able to complete my current task :-)

[ossec-list] Re: Unexpected FIM behavior

2016-10-19 Thread Matt
Thank you both, I appreciate it. I added the config to the global file instead of the local file. So, I think realtime is behaving now, but not the rest. It's my understanding the scan frequency for the agent is set on the agent, not the global level. I've set the agent to about an hour, but

RE: [ossec-list] Active response

2016-10-19 Thread Adiel Navarro
Question, Dan Does active response work on Solaris systems? -Original Message- From: ossec-list@googlegroups.com [mailto:ossec-list@googlegroups.com] On behalf of dan (ddp) Sent: Wednesday, October 19, 2016 07:50 AM To: ossec-list@googlegroups.com Subject: Re: [ossec-list]

Re: [ossec-list] Active response

2016-10-19 Thread dan (ddp)
On Wed, Oct 19, 2016 at 8:43 AM, dan (ddp) wrote: > On Tue, Oct 18, 2016 at 6:54 PM, Aj Navarro wrote: >> Only I see the next messages in /var/ossec/logs/alers/alerts.log >> >> ** Alert 1476724188.107242: mail - syslog,errors, >> >> 2016 Oct 17

Re: [ossec-list] Active response

2016-10-19 Thread dan (ddp)
On Tue, Oct 18, 2016 at 6:54 PM, Aj Navarro wrote: > I tried to configure the next active response: > > On Ossec Server: > > > > firewall-drop > > firewall-drop.sh > > srcip > > yes > > > > > > no > > firewall-drop > > defined-agent > > 021 > > 5712 > > 1800 > > > > On

[ossec-list] Re: ossec-syscheckd realtime scanning does not detect file integrity changes when rootcheck is enabled

2016-10-19 Thread Victor Fernandez
Hi Liam, unfortunately Syscheck and Rootcheck features are run in the same process and can't work together (at the same time). In short, the process works looping over three steps: 1. Complete Syscheck scan. 2. Rootcheck test. 3. Real-time Syscheck monitoring. So, every file changed