Re: [ossec-list] Loop on opensuse

2020-01-17 Thread Burkhard Schultheis

Hi,

I installed it. In the meantime I solved the problem with help from 
Google: 
https://unix.stackexchange.com/questions/200280/systemd-kills-service-immediately-after-start


Thanks for your help!

Best regards from Germany
Burkhard

On 17.01.2020 at 13:12, dan (ddp) wrote:

[ossec-list] How to check new files added to the file system.

2020-01-17 Thread llehirgen
I recently made a local installation of Ossec on an Ubuntu 18.04 server and 
added a 554 rule in /var/ossec/rules/local_rules.xml as follows, as 
suggested in Ossec documentation for alerting on new files:

<rule id="554" level="7" overwrite="yes">
  <category>ossec</category>
  <decoded_as>syscheck_new_entry</decoded_as>
  <description>File added to the system.</description>
  <group>syscheck,</group>
</rule>

Straight after Ossec started, I received an email by Ossec alerting me that 
new files were added to the file system.
So my rule works.
Now, how can I check if these files were added by a legitimate system 
upgrade?

To view this discussion on the web visit 
https://groups.google.com/d/msgid/ossec-list/5945643a-204e-4ae7-97ab-24c96d29d21f%40googlegroups.com.
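One way to triage such an alert on Ubuntu, as an added example that is not from the poster or the OSSEC project: pull the path out of the alert text and ask dpkg's own install-time md5sums whether an installed package owns the file and whether its content still matches what dpkg recorded. The alert wording, the example package and the file contents are assumed/constructed for the demonstration.

```python
import hashlib
import re
from pathlib import Path

# Constructed sample alert, in the wording ossec-syscheckd uses for new files (assumed).
SAMPLE_ALERT = "New file '/usr/bin/example-tool' added to the file system."
ALERT_RE = re.compile(r"New file '(?P<path>.+?)' added to the file system")


def extract_path(alert_line):
    """Return the file path named in a syscheck new-file alert, or None."""
    m = ALERT_RE.search(alert_line)
    return m.group("path") if m else None


def load_dpkg_md5sums(info_dir):
    """Index the files dpkg recorded at install time: '/rel/path' -> (package, md5).
    On Ubuntu the lists live in /var/lib/dpkg/info/<package>.md5sums, one
    'md5  relative/path' line per file. Conffiles (mostly /etc) are not listed.
    """
    index = {}
    for md5file in Path(info_dir).glob("*.md5sums"):
        package = md5file.name[: -len(".md5sums")]
        for line in md5file.read_text().splitlines():
            parts = line.split(None, 1)
            if len(parts) == 2:
                index["/" + parts[1].strip()] = (package, parts[0])
    return index


def md5_of(path):
    """Hex MD5 of a file (dpkg records MD5, so that is the digest to compare)."""
    h = hashlib.md5()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def classify_new_file(path, index, root="/"):
    """Say whether a newly appeared file is accounted for by an installed package.
    Returns (status, package): 'unpackaged' (no package claims it: investigate),
    'packaged' (claimed, content matches dpkg's record) or 'packaged-modified'.
    The md5sums files sit on the same disk as the binaries, so a root-level
    intruder can rewrite both; treat 'packaged' as a triage filter, not proof,
    and cross-check the install time in /var/log/dpkg.log against the alert.
    """
    if path not in index:
        return "unpackaged", None
    package, recorded = index[path]
    actual = md5_of(Path(root) / path.lstrip("/"))
    return ("packaged" if actual == recorded else "packaged-modified"), package
```

On a real host call `load_dpkg_md5sums("/var/lib/dpkg/info")` once and feed it every path from the new-file alerts; `root` only exists so the check can be run against a mounted image or a test tree.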


Re: [ossec-list] Loop on opensuse

2020-01-17 Thread dan (ddp)
On Mon, Jan 13, 2020 at 9:04 AM Schultheis Burkhard
 wrote:
>
> Some weeks ago I've installed Ossec on on three servers. One is running
> CentOS 6.10, the others Opensuse 15.1. The CentOS installation behaves
> as expected, but the opensuse installations behave very different,
> although the configurations are as close as possible.
>
>  From the CentOS server we get emails as expected, from the opensuse
> servers not (other programs send us emails as expected from all
> servers). The opensuse servers write tons of ossec logs, because it's in
> a start-terminate loop. Excerpt:
>

How did you install OSSEC (package, source, etc)?
You could check the /var/log/audit/audit.log to see if it mentions
anything about it.
I have an OpenSuse VM where it worked fine, but I installed from
source. I haven't powered it up in a while though.

> 2020/01/13 13:45:25 ossec-testrule: INFO: Reading local decoder file.
> 2020/01/13 13:45:25 ossec-testrule: INFO: Started (pid: 28499).
> 2020/01/13 13:45:25 ossec-maild: INFO: Started (pid: 28516).
> 2020/01/13 13:45:25 ossec-execd: INFO: Started (pid: 28520).
> 2020/01/13 13:45:25 ossec-analysisd: INFO: Reading local decoder file.
> 2020/01/13 13:45:25 ossec-analysisd: INFO: Reading rules file:
> 'rules_config.xml'
> 2020/01/13 13:45:25 ossec-analysisd: INFO: Reading rules file:
> 'pam_rules.xml'
> 2020/01/13 13:45:25 ossec-analysisd: INFO: Reading rules file:
> 'sshd_rules.xml'
> 2020/01/13 13:45:25 ossec-analysisd: INFO: Reading rules file:
> 'telnetd_rules.xml'
> 2020/01/13 13:45:25 ossec-analysisd: INFO: Reading rules file:
> 'syslog_rules.xml'
> 2020/01/13 13:45:25 ossec-analysisd: INFO: Reading rules file:
> 'arpwatch_rules.xml'
> 2020/01/13 13:45:25 ossec-analysisd: INFO: Reading rules file:
> 'symantec-av_rules.xml'
> 2020/01/13 13:45:25 ossec-analysisd: INFO: Reading rules file:
> 'symantec-ws_rules.xml'
> 2020/01/13 13:45:25 ossec-analysisd: INFO: Reading rules file:
> 'pix_rules.xml'
> 2020/01/13 13:45:25 ossec-analysisd: INFO: Reading rules file:
> 'named_rules.xml'
> 2020/01/13 13:45:25 ossec-analysisd: INFO: Reading rules file:
> 'smbd_rules.xml'
> 2020/01/13 13:45:25 ossec-analysisd: INFO: Reading rules file:
> 'vsftpd_rules.xml'
> 2020/01/13 13:45:25 ossec-analysisd: INFO: Reading rules file:
> 'pure-ftpd_rules.xml'
> 2020/01/13 13:45:25 ossec-analysisd: INFO: Reading rules file:
> 'proftpd_rules.xml'
> 2020/01/13 13:45:25 ossec-analysisd: INFO: Reading rules file:
> 'ms_ftpd_rules.xml'
> 2020/01/13 13:45:25 ossec-analysisd: INFO: Reading rules file:
> 'ftpd_rules.xml'
> 2020/01/13 13:45:25 ossec-analysisd: INFO: Reading rules file:
> 'hordeimp_rules.xml'
> 2020/01/13 13:45:25 ossec-analysisd: INFO: Reading rules file:
> 'roundcube_rules.xml'
> 2020/01/13 13:45:25 ossec-analysisd: INFO: Reading rules file:
> 'wordpress_rules.xml'
> 2020/01/13 13:45:25 ossec-analysisd: INFO: Reading rules file:
> 'cimserver_rules.xml'
> 2020/01/13 13:45:25 ossec-analysisd: INFO: Reading rules file:
> 'vpopmail_rules.xml'
> 2020/01/13 13:45:25 ossec-analysisd: INFO: Reading rules file:
> 'vmpop3d_rules.xml'
> 2020/01/13 13:45:25 ossec-analysisd: INFO: Reading rules file:
> 'courier_rules.xml'
> 2020/01/13 13:45:25 ossec-analysisd: INFO: Reading rules file:
> 'web_rules.xml'
> 2020/01/13 13:45:25 ossec-analysisd: INFO: Reading rules file:
> 'web_appsec_rules.xml'
> 2020/01/13 13:45:25 ossec-analysisd: INFO: Reading rules file:
> 'apache_rules.xml'
> 2020/01/13 13:45:25 ossec-analysisd: INFO: Reading rules file:
> 'nginx_rules.xml'
> 2020/01/13 13:45:25 ossec-analysisd: INFO: Reading rules file:
> 'php_rules.xml'
> 2020/01/13 13:45:25 ossec-analysisd: INFO: Reading rules file:
> 'mysql_rules.xml'
> 2020/01/13 13:45:25 ossec-analysisd: INFO: Reading rules file:
> 'postgresql_rules.xml'
> 2020/01/13 13:45:25 ossec-analysisd: INFO: Reading rules file:
> 'ids_rules.xml'
> 2020/01/13 13:45:25 ossec-analysisd: INFO: Reading rules file:
> 'squid_rules.xml'
> 2020/01/13 13:45:25 ossec-analysisd: INFO: Reading rules file:
> 'firewall_rules.xml'
> 2020/01/13 13:45:25 ossec-analysisd: INFO: Reading rules file:
> 'apparmor_rules.xml'
> 2020/01/13 13:45:25 ossec-analysisd: INFO: Reading rules file:
> 'cisco-ios_rules.xml'
> 2020/01/13 13:45:25 ossec-analysisd: INFO: Reading rules file:
> 'netscreenfw_rules.xml'
> 2020/01/13 13:45:25 ossec-analysisd: INFO: Reading rules file:
> 'sonicwall_rules.xml'
> 2020/01/13 13:45:25 ossec-analysisd: INFO: Reading rules file:
> 'postfix_rules.xml'
> 2020/01/13 13:45:25 ossec-analysisd: INFO: Reading rules file:
> 'sendmail_rules.xml'
> 2020/01/13 13:45:25 ossec-analysisd: INFO: Reading rules file:
> 'imapd_rules.xml'
> 2020/01/13 13:45:25 ossec-analysisd: INFO: Reading rules file:
> 'mailscanner_rules.xml'
> 2020/01/13 13:45:25 ossec-analysisd: INFO: Reading rules file:
> 'dovecot_rules.xml'
> 2020/01/13 13:45:25 ossec-analysisd: INFO: Reading rules file:
> 'ms-exchange_rules.xml'
> 2020/01/13 13:45:25 ossec-analysisd: INFO: Reading rules file:
>