Re: [ossec-list] timeline of a file/folder

2018-06-30 Thread Kevin Geil
I've never done it for Linux, but in Windows, if object access auditing is configured, then yes. If not, you'll need to settle for today onward. Kevin On Jun 30, 2018 9:37 AM, "bill890" wrote: Hello Forum Is it possible to monitor every change of a selected file/folder, from the point of

Re: [ossec-list] Error "bad file descriptor" when trying to collect DHCP logs from a windows server

2017-09-19 Thread Kevin Geil
I have had luck with the following config for DHCP logs. %windir%/sysnative/Dhcp/DhcpSrvLog-%a.log syslog On Tue, Sep 19, 2017 at 2:40 PM, wrote: > Hello OSSEC Team, > > I need your help to understand what the following error means. > > So I have added

Re: [ossec-list] image based windows systems

2017-09-18 Thread Kevin Geil
It may be possible to co-opt Alienvault's OSSIM open-source code for this one. If you download and install it, you can find the scripts in /usr/share/ossec-generator. It's also on GitHub here, but there's probably a more recent version in a new copy of OSSIM.

Re: [ossec-list] Re: Windows EventChannel (sysmon): Not getting full line in archives.log

2017-08-08 Thread Kevin Geil
Well, the version makes all the difference. I set up a test system with server version 2.91, and agent version 2.90, and everything works nicely. Now to convince Alienvault to update their product... On Tue, Aug 8, 2017 at 10:05 AM, Kevin Geil <i...@friendandfamilytech.com> wrote: >

Re: [ossec-list] Re: Windows EventChannel (sysmon): Not getting full line in archives.log

2017-08-08 Thread Kevin Geil
Thanks Alberto, I did try using eventchannel, multi-line (with location of microsoft-windows-sysmon/operational, and the path to the evtx file), and eventlog, but I still get multiple line output in alerts.log (or "ERROR: Unable to open file", depending on the configuration). From the reading I

[ossec-list] Re: Windows EventChannel (sysmon): Not getting full line in archives.log

2017-08-03 Thread Kevin Geil
ESTAMP" --> RID: "$RULEID"; RL: "$RULELEVEL"; RG: "$RULEGROUP"; RC: "$RULECOMMENT"; USER: "$DSTUSER"; SRCIP: "$SRCIP"; HOSTNAME: "$HOSTNAME"; LOCATION: "$LOCATION"; EVENT: "[INIT]$FULLLOG[END]"; Than

[ossec-list] Windows EventChannel (sysmon): Not getting full line in archives.log

2017-08-03 Thread Kevin Geil
Hi, I'm trying to get OSSEC to alert on sysmon logs. After installing sysmon, and setting to yes, I do get sysmon events in archives.log, but I don't get anything useful. The lines stop after the event description: For example: 2017 Aug 03 00:00:35 (Win7-1) 0.0.0.0->WinEvtLog 2017 Aug 03