I recently began using Process Explorer from Sysinternals to monitor
various aspects of a Windows system that happens to also be running
the ossec agent. To my surprise, according to Process Explorer, ossec-agent.exe
is BY FAR the heaviest I/O Reader of any process on the
system, far more than
something obvious?
Thanks, Matt
Thanks for the info Bradley, I hadn't seen that before.
Matt
On May 3, 1:40 am, Bradley Falzon b...@teambrad.net wrote:
select *, inet_ntoa(src_ip) from alert limit 10;
It's an unsigned int type in MySQL (32bit unsigned integer). Basically, the
decimal version of IP Address. This requires 8
for ossec to
change the way predecoders parse these messages. Any ideas? Thanks.
--Matt
SMP Thu May 17 14:00:09 UTC
2007 s390x s390x s390x GNU/Linux
Rather than clutter this list with the log output, I'll send it to you
directly.
Thanks for your help!
--Matt
In local_rules.xml:
<rule id="100339" level="5">
  <decoded_as>sidewinder-audit</decoded_as>
  <description>firewall event</description>
  <group>firewall,</group>
</rule>
I configured this in a hurry, and I'm sure it could use a little
tuning.
--Matt
On Oct 23, 11:48 pm, McIntosh Darren
necessarily want sent to the
address set in the global config -- they are sent to the appropriate
admins via the email_alerts settings. Is there any way to *not* alert
the address in the global config while still sending alerts?
Thanks
--Matt
Hello All,
I am starting to work with the agentless monitoring, and the first
host I'm working with is a non-Cisco switch. I've modified ossec.conf
like so:
<agentless>
  <type>ssh_generic_diff</type>
  <frequency>120</frequency> <!-- set to 120, just for testing -->
Hi Daniel,
Expect is (and was) installed, so I assume that is not the issue.. any
help with running manually would be appreciated.
On Mar 5, 11:36 am, Daniel Cid daniel@gmail.com wrote:
Hi Matt,
It is supposed to give you more information about the error, like we
show in the manual[1
  <type>ssh_foundry_enable_diff</type>
  <frequency>7200</frequency>
  <host>ossecu...@foundry-example.sample.com</host>
  <state>periodic_diff</state>
  <arguments>sh run</arguments> <!-- show what's running -->
</agentless>
Again, this works for me but as always, YMMV.
--Matt
On Mar 25
Has this issue been worked around or resolved? I'm trying to get
ossec agents upgraded to 2.3 on HP-UX as well, and both PA-RISC and
ia64 architectures seem to be having this problem. They worked fine
with 1.6 -- would it be advisable to revert to the older build?
--Matt
On Friday, October 14, 2016 at 11:06:53 AM UTC-7, Matt wrote:
> Hello,
>
> I just installed OSSEC in the Azure space, HIDS seems ok but FIM isn't
> behaving consistently.
>
> First realtime monitoring simply isn't working. FIM only seem to work when
> the scan runs, which I have set to 10 minute
I've changed the scan frequency to 40 minutes, and realtime isn't working.
I've edited files 2 times, nothing. Hopefully it at least fires off when
the next scan happens.
remove from agent.
16200
yes
no
On Wednesday, October 19, 2016 at 12:11:20 PM UTC-7, dan (ddpbsd) wrote:
> On Oct 19, 2016 12:08 PM, "Matt" <sttw...@gmail.com > wrote:
> >
> > Thank you both, I appreciate it.
> >
> > I
, October 25, 2016 at 8:15:53 AM UTC-7, dan (ddpbsd) wrote:
> On Tue, Oct 25, 2016 at 11:03 AM, Matt <sttw...@gmail.com >
> wrote:
> > I can definitely confirm that the FIM scan ISN'T paying attention to the
> > ossec.conf file on the Windows agent. Instead it is running base
I posted the agent ossec.conf on the windows server in my first posting,
here is how it's presently configured.
16200
yes
no
no
--
---
You received this message because you are subscribed to the Google Groups
"ossec-list" group.
To unsubscribe from this
Thank you both, I appreciate it.
I added the config to the global file instead of the local file.
So, I think realtime is behaving now, but not the rest. It's my
understanding the scan frequency for the agent is set on the agent, not the
global level. I've set the agent to about an hour, but
R%/win.ini
%WINDIR%/system.ini
Thanks,
Matt
/ossec-list/2006-August/msg00122.html
The proposed solution in that two-year-old thread has apparently been
applied to the mainline source, and yet I am still experiencing the
problem. Any thoughts?
--Matt
Thank you in advance for anyone that could offer an opinion on whether this
should be regarded as a valid threat.
Matt
- Thanks!
Matt
On Tuesday, September 22, 2015 at 7:16:33 PM UTC-7, dan (ddpbsd) wrote:
>
> On Tue, Sep 22, 2015 at 4:56 AM, Matt Hickie <mhi...@gmail.com
> > wrote:
> > Running into an issue with ossec-remoted not running. Setup had been
> > working for over a couple of
Running into an issue with ossec-remoted not running. Setup had been
working for over a couple of months and now the remoted process just seems
to die. This is running on AWS linux
Enabled debug with gdb.
/var/ossec/bin/ossec-control enable debug
/var/ossec/bin/ossec-control restart
ran