Re: [ossec-list] Re: Using rules by escaping certain file extensions.

2019-09-16 Thread Diego S
Hello Javier! Thanks a lot for your answer, it was really helpful. I have another question if you don't mind. If I want to specify a previous path before the extension to exclude, like "/var/zimbra/.msg$", should I have to do something special? Or just put it like the example? */var/zimbra/.msg$*

Re: [ossec-list] Re: Using rules by escaping certain file extensions.

2019-09-18 Thread Diego S
But I need to force both conditions at the same time. I need to skip all the .msg files from /var/zimbra. If that is the case, is it ok to express */var/zimbra/.msg$*? Sorry if I didn't express it well enough. But my question is about how to express the directory before the extension and whether it is correct

Re: [ossec-list] Re: Using rules by escaping certain file extensions.

2019-09-18 Thread Diego S
Thanks a lot Javier, that option works perfectly! Regards, Diego On Wed., 18 Sep. 2019 at 11:35, Javier Castro () wrote: > Then you can try with restrict: > > */var/zimbra/* > > The folder you are monitoring will ignore files ending in .msg. You don't > need ignore for that. > Regards, >

Re: [ossec-list] Re: Using rules by escaping certain file extensions.

2019-09-18 Thread Diego S
Hello Javier! I have another problem. If I want to exclude a group of extensions, how would I do it? Because if I use */var/zimbra/ * this is not working. I guess it is because I'm using an OR comparator, or because of the way I'm using the expression. Any idea? Thanks again! Diego. On Wed., 18 Sep. 2019

[ossec-list] Using rules by escaping certain file extensions.

2019-09-13 Thread Diego S
Hello everyone, First of all, sorry for my English. I'm having a problem when I try to use the "Ignore_type" parameter on syscheck to escape the ".msg" file extension. I'm on Wazuh v3.9.3 (CentOS 7). Agent: Ubuntu 18.04.3 LTS. I have a rule set to detect possible credit card numbers in files in a

Re: [ossec-list] Re: Using rules by escaping certain file extensions.

2019-09-19 Thread Diego S
Oh man, you saved my day! It works perfectly for my scenario. I'm understanding how it works now. Thanks a lot Javier, and congrats for the product and the community you all have. On Thu., 19 Sep. 2019 at 15:00, Javier Castro () wrote: > Hi Diego, > the correct syntax would be: *

Re: [ossec-list] Re: Using rules by escaping certain file extensions.

2019-09-27 Thread Diego S
Javier, would you confirm if this rule is working on Wazuh v2.0? Because when I tried to pass the rule from my laboratory (v3.9) to the wanted server (v2.0) it is not working. Thanks! On Thu., 19 Sep. 2019 at 15:55, Javier Castro () wrote: > No problem Diego, glad it is working for you. >

[ossec-list] SIEM is not displaying my alert

2019-10-21 Thread Diego S
Hi everyone! I'm not getting the alerts generated on the server reflected on the SIEM dashboard. I followed these steps to take data from the logs of an agent: https://www.alienvault.com/documentation/usm-appliance/ids-configuration/process-reading-log-file-with-hids-agent-windows.htm I'm getting the alert

[ossec-list] Custom Decoder

2019-10-11 Thread Diego S
Hi everyone! I'm wondering if we already have on OSSEC a custom decoder according to this kind of log, to get the red values. 1022 AUDIT, 2019/07/26-18:02:33 (UYT), [SEC-3020], INFO, SECURITY, diego.gonzales/user/pivonox.prod.pci.elan.red.com.uy/ssh/CLI

Re: [ossec-list] Custom Decoder

2019-10-11 Thread Diego S
I'm using the 2.0 version. I'm not able to find the syntax error. Thanks! On Fri., 11 Oct. 2019 at 14:51, dan (ddp) () wrote: > On Fri, Oct 11, 2019 at 1:41 PM Diego S wrote: > > > > Thank you very much for your response. > > Let me know if I am wrong. The

Re: [ossec-list] Custom Decoder

2019-10-11 Thread Diego S
Thank you very much for your response. Let me know if I am wrong. The decoder will be like this: ^\d+\s\w\w\w\w\w, Brocade-format ^\d\d\d\d/\d\d/\d\d-\d\d:\d\d:\d\d \(\S+\), \[\S+\], \S+, \S+, /S+)/\S+(/\w+/\S+), user,second squid ^\d+ \S+ ^\d+ (\S+) (\w+)/(\d+) \d+ \w+

Re: [ossec-list] Custom Decoder

2019-10-14 Thread Diego S
Sorry, my bad Dan, thanks anyway, I have a starting point now. Regards! On Mon., 14 Oct. 2019 at 10:56, dan (ddp) () wrote: > On Mon, Oct 14, 2019 at 9:54 AM Diego S wrote: > > > > Hi! > > > > I tried with an updated version and I'm still getting the same error

Re: [ossec-list] Custom Decoder

2019-10-14 Thread Diego S
ar expression, which uses the same > interpreter as OSSEC, it is true that the behavior is not the same as > with OSSEC, so I do recommend using the Wazuh mailing list for queries > related to Wazuh. > > Best Regards, > Juan Carlos Tello > > On Monday, October 14, 2019 at

[ossec-list] Regular expressions

2019-12-20 Thread Diego S
Hi all! I was wondering the best way to represent a digit within a range, and whether it is possible to indicate that a digit is going to be repeated a given number of times. For example, a digit between 0 and 3, I mean 0, 1, 2 or 3; that's for the first question. For the second part, for example