Hi all,
I've been using ossec for a while now and I really like it.
I'm now trying to integrate ossec with a monitoring application. I'd like
to have ossec send Alerts to a remote host via syslog.
I have it all working, with one exception. It looks like ossec forwards
ALL events as local0.w
Thanks Dan
On Friday, 13 January 2017 10:44:46 UTC-5, Joel wrote:
>
> Hi all,
>
> I've been using ossec for a while now and I really like it.
>
> I'm now trying to integrate ossec with a monitoring application. I'd like
> to have ossec send Alerts to a remot
6 13:37 .ssh
> drwxr-x--- 5 ossec ossec 61 Oct 6 13:57 stats
> dr-xr-x--T 2 root ossec 6 Oct 6 13:37 tmp
> dr-xr-x--- 3 root root 20 Oct 6 13:37 update
> dr-xr-x--- 3 root ossec 16 Jan 13 19:24 var
do I need to keep it all on the same volume?
thanks!
Joel
Am I able to setup the OSSEC windows agent to report to both a Wazuh and a
OSSIM server at the same time?
I have an ansible-ized install of ossec as a server, using the art rpm's to
install (ossec-hids and ossec-hids-server). I have it working as expected
on a server in our office, however when I run the same setup on a server in
our remote data center I am unable to get remoted to stay running. Bot
On Tuesday, November 25, 2014 6:14:48 AM UTC-8, dan (ddpbsd) wrote:
>
> On Mon, Nov 24, 2014 at 7:52 PM, Joel Parker > wrote:
> > (gdb) set follow-fork-mode child
> > (gdb) run -df
>
> set follow-fork-mode child
> or
> run -df
>
hmm??
> > os
ember 25, 2014 3:51:51 AM UTC-8, Colin Bruce wrote:
>
> Dear Joel,
>
>
>
> What I am about to suggest is probably silly, but have you configured an
> agent at the remote installation? If there are no agents installed then
> remoted stops as it has nothing to do. I see
On Wed, Apr 14, 2010 at 10:11 PM, uifjlh wrote:
> Paul,
>
> I seem to have some piece missing my self ? ... the search part of
> Splunk Works, and I have OSSEC Data there, from my OSSEC clients to
> the OSSEC server, (the same box as the Splunk server) ... but when I
> try the OSSEC plugin... thi
On Thu, Apr 15, 2010 at 12:09 PM, Joel Merrick wrote:
> On Wed, Apr 14, 2010 at 10:11 PM, uifjlh wrote:
>> Paul,
>>
>> I seem to have some piece missing my self ? ... the search part of
>> Splunk Works, and I have OSSEC Data there, from my OSSEC clients to
>> t
Well, it doesn't seem to be displaying anything...
OSSEC log directory is being monitored, however sourcetype="ossec"
produced nothing. Files have been indexed.
Any ideas?
On Thu, Apr 15, 2010 at 1:05 PM, Joel Merrick wrote:
> I have this working now,
>
> I had to man
I have this working now,
I had to manually add an application, then copy the contents of the
tarball... restart.. works!
h.t.h.
On Thu, Apr 15, 2010 at 1:22 PM, Joel Merrick wrote:
> Well, it doesn't seem to be displaying anything...
>
> OSSEC log directory is being monitored, however sourcetype="ossec"
> produced nothing. Files have been indexed.
>
> Any ideas?
Seems as though the string
give it a whirl :)
>
>
> On Thu, Apr 15, 2010 at 8:25 AM, Joel Merrick
> wrote:
>>
>> On Thu, Apr 15, 2010 at 1:22 PM, Joel Merrick
>> wrote:
>> > Well, it doesn't seem to be displaying anything...
>> >
>> > OSSEC log directory is be
Hi guys,
I'm just getting started with ossec. So far, it seems like a great
tool!
I need to deploy this in a centralized management configuration. I'm
reading through the docs and experimenting in a lab.
One thing I'm not clear on is what gets configured on the agents vs.
what gets configured
Hey,
there's an entry in the FAQ about this...
http://www.ossec.net/wiki/Know_How:BinaryInstall
J
On Feb 22, 2:38 pm, Jeremy Lee wrote:
> As luck would have it, the same engineer was assigned to the ticket I
> opened! :D
>
> *sigh*
>
> Guess I'll be trying the binary-install method.
>
> On Tue
Hi gang,
I'm wondering if there's any tricks to getting ossec working when the
server is behind a NAT.
here's the case:
i have some linode servers that i'd like to monitor with ossec.
the ossec server is in the office behind a NATting firewall.
the ossec agent on the linode boxes is configured
hey gang,
sorry for the quick double tap.. I was wondering if there's a way to
dump an agent's config.
since moving all my config into agent.conf on the central server, i
can't tell how a particular agent is configured... I know i can
compare the md5sum of the server and the agent using agent_con
hey gang,
I'm working on my centralized management of ossec and it seems to be
going well.
However, it seems that since i centralized and moved all the
configuration to agent.conf, my active response rules have stopped
working. (last entry in active-response.log is Feb. 21, last SSH
brute force
n agent.conf
>> with active responses working, I'd greatly appreciate it!
>>
>> Thanks!
>>
>> J
>>
>> -Original Message-
>> From: "dan (ddp)"
>> Sender: ossec-list@googlegroups.com
>> Date: Wed, 23 Feb 2011 21:3
hey gang,
OK, on to a new problem with active responses...
I've got active responses working. The one I'm mainly interested in
right now is the SSHD brute force rule/response (rule id=5712).
when this rule is matched, the firewall drop command is executed, but
the active-response.log shows:
Thu F
ed message --
From: dan (ddp)
Date: Thu, Feb 24, 2011 at 3:48 PM
Subject: Re: [ossec-list] active response in central management?
To: Joel Brooks
That's still within the syscheck section.
Can you send your active response configuration (in the manager's ossec.conf)?
Also detail ho
i still haven't got it working.
I've tried moving the definitions and the
sections to the agent.conf, and still no joy.
i just can't get active response to work in central management mode.
I found that executing
bin/agent_control -b 1.2.3.4 -f firewall-drop -u 000
from the manager results in
nd
can be verified by the md5sum).
-
I will try in debug mode, and i will make sure i'm firing a rule that
is level 6 or higher.
thanks for your patience Dan.
J
On Fri, Feb 25, 2011 at 9:02 PM, dan (ddp) wrote:
> Hi Joel,
>
> On Fri, Feb 25, 2011 at 7:59 PM, Joel B
mative.
definitely got to know ossec a bit better these last few days.
cheers,
J
On Fri, Feb 25, 2011 at 9:25 PM, Joel Brooks wrote:
> i can get the active response to fire by passing "-b 1.2.3.4 -f
> firewall-drop600 -u 000"
>
> firewall-drop600 is in the ar.con
where
the agent is aware of that?
Thank you very much for your time. Best Regards,
Joel Oliveira
Hello,
Just bumping this issue. Does anyone know anything about this?
Thanks,
Joel Oliveira
On Wednesday, 21 March 2012 16:58:44 UTC, Joel Oliveira wrote:
>
> Hello Daniel and all,
>
> I am using OSSEC 2.5.1 on different Linux environments for the past year
> and hal
d anywhere other people asking for this.
So I would be very grateful if someone would explain to me why maybe my
request is so strange.
Thank you very much for your time,
Joel Oliveira
On Monday, 9 April 2012 18:52:59 UTC+1, BP9906 wrote:
>
> I think the answer is no. When I u
causing rule 3151 to fire. Since several developers use
this server legitimately for source control, is there a way to exclude their
known IP address from that rule? So far trying things such as the
whitelist and using !. in the rule have been
unsuccessful.
Thanks in advance,
-Joel
Thanks for the quick response! That looks like exactly what we needed.
-Joel
-Original Message-
From: ossec-list@googlegroups.com [mailto:[EMAIL PROTECTED]
On Behalf Of Daniel Cid
Sent: Monday, August 14, 2006 2:30 PM
To: ossec-list@googlegroups.com
Cc: Joel Gray
Subject: [ossec-list
below the way to do this as well?
Ex:
  <active-response>
    <command>firewall-drop</command>
    <location>defined-agent</location>
    <agent_id>001</agent_id>
    <level>10</level>
    <timeout>600</timeout>
  </active-response>
  <active-response>
    <command>host-deny</command>
    <location>defined-agent</location>
    <agent_id>001</agent_id>
    <level>10</level>
    <timeout>600</timeout>
  </active-response>
Thanks in advance
-Joel
-Original Message-
From: ossec-list@googlegroups.com [mailto:[EMAIL PROTECTED]
On Behalf Of Daniel Cid
Sent: Friday, September
ery time someone uses the source
control client. Am I doing something wrong or simply missing a step
somewhere else?
Oh, as a side note, I did modify the agent machine config with the new
path to the logs. It was a simple update since the line was already
there with the old logs. I did restart the windows service (NET STOP
OssecSvc; NET START OssecSvc) after the change.
Thanks in advance!
-Joel
fail due to the file looking
for another rule that had not been loaded yet. While this is not a huge
deal that may be something to think about for the future as well,
loading all of the rules before processing them.
Thank you again for pointing me in the right direction.
-Joel
-Original
d for user
[Administrator]
--END OF NOTIFICATION
- Joel
Daniel,
Excellent, I had a suspicion that it was something like that. Thanks
for the response!
-Joel
-Original Message-
From: ossec-list@googlegroups.com [mailto:[EMAIL PROTECTED]
On Behalf Of Daniel Cid
Sent: Thursday, September 21, 2006 12:08 PM
To: ossec-list@googlegroups.com
I've turned off
enforcement which fixes the WUI error, but I would like to get SELinux
re-enabled.
Best Regards,
-Joel
-Original Message-
From: ossec-list@googlegroups.com [mailto:[EMAIL PROTECTED]
On Behalf Of Jeff Schroeder
Sent: Monday, August 13, 2007 5:33 PM
To: ossec-list
Su
That did it! I'll admit that I'm still learning a bunch about selinux.
I completely missed the --reference option. I'll have to play more with
restrictions later, but for the time being it's working and enabled.
Thanks!
Best Regards,
-Joel
-Original Message--
On Sun, Nov 1, 2009 at 9:14 PM, Michael Starks wrote:
>
> The presentation is currently in Open Document format. Anyone know of a
> way I can add an audio track with the proper timing in an *open* format?
>
Use vncrec to capture a vnc session and record to theora?
On Wed, Dec 23, 2009 at 12:17 PM, Robert Lourenco
wrote:
> Hi
>
>
>
> The link to installing Ossec on Centos does not work. And my installation
> does not work either.
>
Diagnostics would help :)
e running check
(using pgrep) and renices.. that's the way I have done it with other I/O
intensive apps that I wanted to slow down in the past... alternatively a
wrapper script?
If you have a configuration management system, then that would be trivial to
deploy
Ta,
Joel