Re: [ossec-list] Re: Deploy OSSEC agent using .deb/.rpm packages in conjunction with preloaded-vars.conf (no terminal prompt configuration).

2020-07-28 Thread Alberto Rodriguez
S Linux and Ubuntu > 18.04). It took me a while to debug it, but after some effort it deploys > ossec flawlessly, so far. > > I can share the SSM template if you want to take a look. > > Thanks all for the help, and best regards. > On 7/27/20 8:55 AM, Alberto Rodriguez wrote:

[ossec-list] Re: Deploy OSSEC agent using .deb/.rpm packages in conjunction with preloaded-vars.conf (no terminal prompt configuration).

2020-07-27 Thread Alberto Rodriguez
Hello I think that is not possible out of the box. You can make a script that downloads the package, installs ossec, makes the changes in ossec.conf with *sed* or *awk*, and restarts the agent. In this repository: https://github.com/wazuh/wazuh-packages a package building tool is provided.

[ossec-list] Re: File integrity: How to check only owner/permission/deletion changes (No checksum)?

2019-01-11 Thread alberto . rodriguez
Hello Julia Sorry for the late response. Did you consider the possibility of configuring Auditd? This module will allow you to determine the owner, permissions, etc. of the desired files, and you can get the logs with Ossec by reading the syslog log file of the OS. Hope it helps. Best

[ossec-list] Re: Oracle Multi-Line logs in XML

2018-05-10 Thread alberto . rodriguez
Hello Jared Did you try to configure Oracle logs in JSON format? I think it's the easier way to ingest the logs due to the automatic JSON decoding of Wazuh. Do you have this option? Best regards, On Saturday, May 5, 2018 at 9:27:38 PM UTC+2, Jared wrote: > > Hello, > > I am looking for

[ossec-list] Re: Pivoting in Windows Server

2018-05-07 Thread alberto . rodriguez
Hello As we discussed here: https://groups.google.com/forum/#!topic/wazuh/vdKsdOQX0QE Sysmon provides the information that you need. Hope it helps. Best regards, Alberto R. On Wednesday, April 25, 2018 at 7:28:01 PM UTC+2, Aj Navarro wrote: > > Hi everybody… > > > > Can the rootchek

[ossec-list] Re: [Windows] Problem with eventchannel

2018-05-07 Thread alberto . rodriguez
Hello Richard You should be able to forward this event channel with an XPATH query like this: USB eventchannel \ \ \*\ \ \ But, unfortunately, Ossec doesn't allow escaping some characters. This is fixed in this commit:

[ossec-list] Re: Using regex to match specific URL

2018-05-05 Thread alberto . rodriguez
Hello Using the following rule: 31101 .jpg?\d+ Ignored extensions on 400 error codes. it works for me, so I think that you need to review the compiled rule if you want to still use it. Hope it helps. Best regards, Alberto R. On Saturday, May 5, 2018 at 12:20:43 PM

[ossec-list] Re: Using regex to match specific URL

2018-05-05 Thread alberto . rodriguez
Hello Did you try to use the regex like that? 31101 .jpg?\d+ is_simple_http_request Ignored extensions on 400 error codes. Documentation: http://ossec-docs.readthedocs.io/en/latest/syntax/regex.html?highlight=\d+ Hope it helps. Best regards, Alberto R On Friday, May

Re: [ossec-list] Syslog Output to SIEM in TCP port

2017-10-27 Thread Alberto Rodriguez
Hello Julia It's not possible to change it. Best regards, On Tue, Oct 17, 2017 at 8:17 AM, Julia Vitoria Cardoso < the.julia.s...@gmail.com> wrote: > Hi guys. I am a newbie with OSSEC, trying to use it primarily for file > integrity checks. > > So, the plan is: Ossec agent on server checks

Re: [ossec-list] Re-ingest old log archives?

2017-10-27 Thread Alberto Rodriguez
Hello Martin If you are referring to including the archive logs (system log files, program log files, etc.), you only need to monitor an empty file with Ossec, and then append all the contents of your file to this file, i.e. cat old_log_file.log >> empty_file.log. Hope it helps. Best regards, On

[ossec-list] Re: Need to whitelist a message from message file

2017-10-27 Thread alberto . rodriguez
Hello Stephen I do not know if I understood well, but if you want to disable this alert, you only need to add the following block to your local_rules.xml file: 5100 Promiscuous mode enabled| device \S+ entered promiscuous mode Interface entered in promiscuous (sniffing) mode.

[ossec-list] Re: How to filter out events before collect

2017-10-26 Thread alberto . rodriguez
Hello Sylvain There is an option in Ossec for that purpose: the label, and it could be used as follows: System eventchannel Event/System[EventID=7040] You can use EventID=7040 in order to match a specific event; you can use operators like <, >, <=, >= or !=. Documentation:

[ossec-list] Re: Error trying to collect DHCP logs from a windows server.

2017-09-21 Thread alberto . rodriguez
Hello Cesar This error sometimes happens when ossec tries to read a file which has a "strange" format. If the file has a "UTF-8" format, for example, there is no problem. But some Microsoft logs are in "UCS2-LE BOM", for example. Please verify this. If the file has a "strange" format consider

[ossec-list] Re: OSSEC Alert rule for powershell

2017-08-09 Thread alberto . rodriguez
Hello Daryl Here you'll find some decoders (in the same repository, the folder rules contains the rules) for Sysmon. Although the decoders are built for Wazuh, it's possible to use them with some modification.

Re: [ossec-list] Re: Windows EventChannel (sysmon): Not getting full line in archives.log

2017-08-09 Thread alberto . rodriguez
Good to know. Thanks for sharing the issue; we will take it into account in the future. Best regards, On Tuesday, August 8, 2017 at 9:04:36 PM UTC+2, Kevin Geil wrote: > > Well, the version makes all the difference. I set up a test system with > server version 2.91, and agent version 2.90, and

[ossec-list] Re: Windows EventChannel (sysmon): Not getting full line in archives.log

2017-08-07 Thread alberto . rodriguez
Hello Kevin Following this document http://ossec-docs.readthedocs.io/en/latest/manual/monitoring/ you'll be able to read the multiple lines of sysmon events. *Allowed:* multi-line: NUMBER Hope it helps, Best regards, Alberto R.

[ossec-list] Re: archives.log under /var/ossec/logs/

2017-07-17 Thread alberto . rodriguez
Yes, here you'll find a guide with all daemons descriptions: https://documentation.wazuh.com/current/user-manual/reference/daemons/index.html Please, let us know if you have any doubt. Best regards, On Monday, July 17, 2017 at 9:19:04 AM UTC+2, Kazim Koybasi wrote: > > Thanks for quick

[ossec-list] Re: archives.log under /var/ossec/logs/

2017-07-17 Thread alberto . rodriguez
Hello Kazim On Monday, July 17, 2017 at 8:53:37 AM UTC+2, Kazim Koybasi wrote: > > Does archives.log under /var/ossec/logs/ contain all logs produced at the agent > host server? I am trying to understand how the OSSEC manager and agent > topology works. > Yes, if you have configured your ossec.conf

[ossec-list] Re: ossec.conf not installed with defaults...

2017-07-11 Thread alberto . rodriguez
Hello pRose I think that if you modify "by hand" a file from a debian package installation (such as ossec.conf, for example), the uninstall process doesn't completely remove the folder. Could you please try to re-do your uninstall process and then verify if the folder "/var/ossec" still

[ossec-list] Re: Logging of informational events on OSSIM

2017-06-15 Thread alberto . rodriguez
Hello Irshad I think I have replied to this on the other thread, haven't I? https://groups.google.com/forum/#!topic/ossec-list/mDueDPTDFTw Best regards, On Thursday, June 15, 2017 at 9:14:32 AM UTC+2, Irshad Rahimbux wrote: > > The logs are being pushed to archives.log and not ossec.log > > On

[ossec-list] Re: OSSEC - windows event

2017-06-15 Thread alberto . rodriguez
Hello Irshad You have configured your manager in order to record all events in archives.log. In this file, you have all the events, and there is the event you want to see on the GUI. But an event may or may not be an alert, and if you want to see it on the GUI it must be an alert. This is the

[ossec-list] Re: Ossec with ELK

2017-05-18 Thread alberto . rodriguez
Hello Akash Munjan In this link: https://documentation.wazuh.com/current/index.html you will find all the information related to Wazuh (an Ossec fork) and ELK integration. Let us know if you have any questions. Best regards, On Thursday, May 18, 2017 at 5:22:39 PM UTC+2, Akash Munjal