[ossec-list] last -10

2016-10-04 Thread Aj Navarro
I want to monitor the last connections on a server. I am configuring the last -10 command in an ossec.conf client full_command last 10 60 I need the output of this command to be sent to the ossec server, but I am not seeing any alert on the ossec wui. can i need to configure

Re: [ossec-list] OpenBSD 6 - Real Monitoring

2016-10-04 Thread dan (ddp)
On Mon, Oct 3, 2016 at 6:07 PM, R0me0 *** wrote:
> Hello dan !
>
> Real monitoring still not working, but it could be regarding my ossec server
> running 2.8.3. After I upgraded agent to 2.9 ( which is that cloned ) it
> stopped to make sums ( md5 sha1 ) so I think is

[ossec-list] Re: Ossec authd, Cant connect

2016-10-04 Thread Jesus Linares
Hi, it looks like a firewall issue. You could run tcpdump in the Manager to see if there is a connection between the manager and the agent. Regards.

On Monday, October 3, 2016 at 10:02:52 AM UTC+2, Ali Khan wrote:
> Hi All,
>
> I am trying to use ossec-authd and agent-authd for auto agent

[ossec-list] Re: Windows SSTP VPN rule.

2016-10-04 Thread Jesus Linares
I'm not familiar with RRAS or Radius. If you share the logs, we can help with decoders and rules for the events that you need.

On Monday, October 3, 2016 at 6:11:37 PM UTC+2, namobud...@gmail.com wrote:
> It looks like I want to monitor for windows event log source entries that
> have keyword

Re: [ossec-list] ossec-authd: Unable to connect

2016-10-04 Thread Pedro S
Hi again, I don't really understand how it works if you don't have any OSSEC listening to 1514, maybe you are mistaking the hosts. In my labs, if I run *netstat -tunlp* the output for OSSEC will be:
> *udp 0 0 0.0.0.0:1514 0.0.0.0:*

[ossec-list] Re: Ossec Naming Conventions

2016-10-04 Thread Jesus Linares
I don't think so. Check out the ossec.log of the agents that don't connect to the Manager. Usually they do not connect due to: firewall, bad key or duplicate counters (rids). The hostname should not be a problem.

On Friday, September 30, 2016 at 2:56:28 PM UTC+2, EvilZ wrote:
> Hi everyone i

[ossec-list] Re: Simultaneous Events at 25 EPS, but Missing Alerts

2016-10-04 Thread Pedro S
Hi Jon, This is an interesting test, I think we can get a lot of useful information from here. In my experience, the bottleneck is probably on the remoted socket/buffer or the logcollector speed performance to read each log line. For Remoted, try to enable debug mode at the agent,

Re: [ossec-list] ossec-authd: Unable to connect

2016-10-04 Thread Dodain Dodo
Hi Pedro, I have already done all these things. Your and my netstat results are the same. 1515 is in listening state and 1514 is also there. Sorry, since it's (1514) a UDP port, so how can it be in listening mode. My bad. udp 0 0 0.0.0.0:1514 0.0.0.0:* 27560/ossec-remoted