Has there been any further thought on this issue?  I am in the same boat.

On Wednesday, September 14, 2016 at 12:43:56 AM UTC-5, Vilius wrote:
>
> Jesus,
>
> when the question is whether to send an alert into the void or into an 
> archive, there are cases when archiving is a better option.
>
> Vilius
>
> On Tue, Sep 13, 2016 at 8:54 PM, Jesus Linares <je...@wazuh.com> wrote:
>
>> Vilius, OSSEC is designed to receive alerts from the present and not old 
>> logs. If you send old logs to OSSEC, the alert timestamp will be the 
>> timestamp when the alert was triggered (and not the timestamp when the log 
>> was generated). I was talking about a related issue here 
>> <https://groups.google.com/forum/#!topic/wazuh/eSqkmBfSSIk>.
>>
>> Nick, usually it is not a good idea to make your Manager accessible from 
>> the public Internet. If your server has a security breach, anyone could 
>> access confidential information of your agents. It could even control 
>> them if they have active response enabled. If you are sure, follow some 
>> security hardening guide for your host and configure your firewall 
>> properly. I would not recommend making an OSSEC Manager public.
>>
>> Regards.
>>
>>
>> On Tuesday, September 13, 2016 at 6:47:14 PM UTC+2, Nick Giannoulis wrote:
>>>
>>> Didn't know you can use "ANY", that's great, thanks a lot. If my ossec 
>>> server is accessible externally, any alerts from the agents should still 
>>> reach my server, right? (if the agents are connected to the net and 
>>> nothing blocking)
>>>
>>> On Tuesday, 13 September 2016 10:51:37 UTC+1, Jesus Linares wrote:
>>>>
>>>> Hi,
>>>>
>>>> As Eero said, you can register your agents with ANY instead of the IP.
>>>>
>>>> Anyway, remember that the agents send the alerts in real time. *Alerts are 
>>>> not stored to be sent later*. So, you are not going to receive the 
>>>> alerts generated in your agents when they were not connected to the 
>>>> Manager network.
>>>>
>>>> Regards.
>>>>
>>>> On Tuesday, September 13, 2016 at 11:23:56 AM UTC+2, Eero Volotinen wrote:
>>>>>
>>>>> You can use ip address any while creating agent keys for roaming 
>>>>> devices.
>>>>>
>>>>> Eero
>>>>>
>>>>> 2016-09-13 10:58 GMT+03:00 Nick Giannoulis <ni...@nea-idea.com>:
>>>>>
>>>>>> Hi all
>>>>>> I have an OSSEC server running perfectly monitoring all my servers. 
>>>>>> I want to expand it to start monitoring my 'normal' clients (win7-10 
>>>>>> laptops and workstations). Some of these laptops will be outside of 
>>>>>> the network most of the time. Considering that ossec agents shouldn't 
>>>>>> have the same IP, is there any workaround for my situation? I imagine 
>>>>>> at some point or another a few laptops will have the same IP while 
>>>>>> they are connected to various other networks.
>>>>>>
>>>>>>
>>>>>> -- 
>>>>>>
>>>>>> --- 
>>>>>> You received this message because you are subscribed to the Google 
>>>>>> Groups "ossec-list" group.
>>>>>> To unsubscribe from this group and stop receiving emails from it, 
>>>>>> send an email to ossec-list+...@googlegroups.com.
>>>>>> For more options, visit https://groups.google.com/d/optout.
>>>>>>
>>>>>
>
>
>
> -- 
> /Vilius
>
