Hi Fernando,

Thanks for looking into a solution. I guess you mean deleting the files 
inside ./ossec/queue/rids on the agent and the corresponding ones on the 
server. If so, that didn't work in my case. The solution provided by Jose 
was able to deal with my problem.

Regards
Prakash

On Wednesday, June 7, 2017 at 4:57:15 AM UTC-7, Fernando Morata wrote:
>
> Hi, this disables the RIDS counter check (the message-ID verification), so 
> I think a better option is to remove the RIDS counter on the server and 
> the agent.
>
> El miércoles, 7 de junio de 2017, 0:31:25 (UTC+2), jose escribió:
>>
>> Hi Prakash
>>
>> Try setting the option *remoted.verify_msg_id* to 0 (it should currently 
>> be 1) in /var/ossec/etc/internal_options.conf on both the manager and the 
>> agent, then restart both.
>>
>> *remoted.verify_msg_id=0*
>>
>> I hope it helps.
>>
>> Regards
>> -----------------------
>> Jose Luis Ruiz
>> Wazuh Inc.
>> jo...@wazuh.com
>>
>> On June 6, 2017 at 6:25:19 PM, prakash ranjan (prakashr...@gmail.com) 
>> wrote:
>>
>> Hi,
>>
>> Please help.
>>
>> I am getting following error:-
>>
>> 2017/06/06 11:20:29 ossec-remoted(1407): ERROR: Duplicated counter for '
>> notify1-nightly.networkfleet.com'.
>>
>> 2017/06/06 11:20:35 ossec-remoted(1407): ERROR: Duplicated counter for '
>> notify1-nightly.networkfleet.com'.
>>
>>
>> I have followed the steps under the heading "Fixing Duplicate Errors" 
>> <https://ossec.github.io/docs/faq/unexpected.html#id10> on the page 
>> https://ossec.github.io/docs/faq/unexpected.html, 
>> but that didn't fix the issue.
>>
>> *Details about environment:-*
>>
>> *OS = OEL Linux 6.8*
>>
>> */var/ossec/bin/ossec-analysisd -V*
>>
>>  
>>
>> OSSEC HIDS v2.8 - Trend Micro Inc.
>>
>>
>> *cat /etc/ossec-init.conf*
>>
>>
>> DIRECTORY="/var/ossec/"
>>
>> VERSION="v2.8"
>>
>> DATE="Tue Jan 26 08:34:27 PST 2016"
>>
>> TYPE="server"
>>
>>
>> *cat /var/ossec/etc/ossec.conf* (Removed ip addresses)
>>
>>
>> <ossec_config>
>>
>>   <global>
>>
>>     <email_notification>yes</email_notification>
>>
>>     <email_to></email_to>
>>
>>     <smtp_server>localhost</smtp_server>
>>
>>     <email_from></email_from>
>>
>>     <email_maxperhour>25</email_maxperhour> 
>>
>>   </global>
>>
>>
>>   <syslog_output>
>>
>>     <server>xx.xx.xx.xx</server>
>>
>>   </syslog_output>
>>
>>
>>   <rules>
>>
>>     <include>rules_config.xml</include>
>>
>>     <include>pam_rules.xml</include>
>>
>>     <include>sshd_rules.xml</include>
>>
>>     <include>telnetd_rules.xml</include>
>>
>>     <include>syslog_rules.xml</include>
>>
>>     <include>arpwatch_rules.xml</include>
>>
>>     <include>symantec-av_rules.xml</include>
>>
>>     <include>symantec-ws_rules.xml</include>
>>
>>     <include>pix_rules.xml</include>
>>
>>     <include>named_rules.xml</include>
>>
>>     <include>smbd_rules.xml</include>
>>
>>     <include>vsftpd_rules.xml</include>
>>
>>     <include>pure-ftpd_rules.xml</include>
>>
>>     <include>proftpd_rules.xml</include>
>>
>>     <include>ms_ftpd_rules.xml</include>
>>
>>     <include>ftpd_rules.xml</include>
>>
>>     <include>hordeimp_rules.xml</include>
>>
>>     <include>roundcube_rules.xml</include>
>>
>>     <include>wordpress_rules.xml</include>
>>
>>     <include>cimserver_rules.xml</include>
>>
>>     <include>vpopmail_rules.xml</include>
>>
>>     <include>vmpop3d_rules.xml</include>
>>
>>     <include>courier_rules.xml</include>
>>
>>     <include>web_rules.xml</include>
>>
>>     <include>web_appsec_rules.xml</include>
>>
>>     <include>apache_rules.xml</include>
>>
>>     <include>nginx_rules.xml</include>
>>
>>     <include>php_rules.xml</include>
>>
>>     <include>mysql_rules.xml</include>
>>
>>     <include>postgresql_rules.xml</include>
>>
>>     <include>ids_rules.xml</include>
>>
>>     <include>squid_rules.xml</include>
>>
>>     <include>firewall_rules.xml</include>
>>
>>     <include>cisco-ios_rules.xml</include>
>>
>>     <include>netscreenfw_rules.xml</include>
>>
>>     <include>sonicwall_rules.xml</include>
>>
>>     <include>postfix_rules.xml</include>
>>
>>     <include>sendmail_rules.xml</include>
>>
>>     <include>imapd_rules.xml</include>
>>
>>     <include>mailscanner_rules.xml</include>
>>
>>     <include>dovecot_rules.xml</include>
>>
>>     <include>ms-exchange_rules.xml</include>
>>
>>     <include>racoon_rules.xml</include>
>>
>>     <include>vpn_concentrator_rules.xml</include>
>>
>>     <include>spamd_rules.xml</include>
>>
>>     <include>msauth_rules.xml</include>
>>
>>     <include>mcafee_av_rules.xml</include>
>>
>>     <include>trend-osce_rules.xml</include>
>>
>>     <include>ms-se_rules.xml</include>
>>
>>     <!-- <include>policy_rules.xml</include> -->
>>
>>     <include>zeus_rules.xml</include>
>>
>>     <include>solaris_bsm_rules.xml</include>
>>
>>     <include>vmware_rules.xml</include>
>>
>>     <include>ms_dhcp_rules.xml</include>
>>
>>     <include>asterisk_rules.xml</include>
>>
>>     <include>ossec_rules.xml</include>
>>
>>     <include>attack_rules.xml</include>
>>
>>     <include>openbsd_rules.xml</include>
>>
>>     <include>clam_av_rules.xml</include>
>>
>>     <include>dropbear_rules.xml</include>
>>
>>     <include>local_rules.xml</include>
>>
>>   </rules>  
>>
>>
>>
>>   <rootcheck>
>>
>>     <rootkit_files>/var/ossec/etc/shared/rootkit_files.txt</rootkit_files>
>>
>>     
>> <rootkit_trojans>/var/ossec/etc/shared/rootkit_trojans.txt</rootkit_trojans>
>>
>>     
>> <system_audit>/var/ossec/etc/shared/system_audit_rcl.txt</system_audit>
>>
>>     
>> <system_audit>/var/ossec/etc/shared/cis_debian_linux_rcl.txt</system_audit>
>>
>>     
>> <system_audit>/var/ossec/etc/shared/cis_rhel_linux_rcl.txt</system_audit>
>>
>>     
>> <system_audit>/var/ossec/etc/shared/cis_rhel5_linux_rcl.txt</system_audit>
>>
>>   </rootcheck>
>>
>>
>>   <global>
>>
>>     <white_list>xx.xx.xx.xx</white_list>
>>
>>     <white_list>^localhost.localdomain$</white_list>
>>
>>     <white_list>xx.xx.xx.xx</white_list>
>>
>>     <white_list>xx.xx.xx.xx</white_list>
>>
>>   </global>
>>
>>
>>   <remote>
>>
>>     <connection>syslog</connection>
>>
>>   </remote>
>>
>>
>>   <remote>
>>
>>     <connection>secure</connection>
>>
>>   </remote>
>>
>>
>>   <alerts>
>>
>>     <log_alert_level>1</log_alert_level>
>>
>>     <email_alert_level>10</email_alert_level>
>>
>>   </alerts>
>>
>>
>>   <command>
>>
>>     <name>host-deny</name>
>>
>>     <executable>host-deny.sh</executable>
>>
>>     <expect>srcip</expect>
>>
>>     <timeout_allowed>yes</timeout_allowed>
>>
>>   </command>  
>>
>>
>>   <command>
>>
>>     <name>firewall-drop</name>
>>
>>     <executable>firewall-drop.sh</executable>
>>
>>     <expect>srcip</expect>
>>
>>     <timeout_allowed>yes</timeout_allowed>
>>
>>   </command>  
>>
>>
>>   <command>
>>
>>     <name>disable-account</name>
>>
>>     <executable>disable-account.sh</executable>
>>
>>     <expect>user</expect>
>>
>>     <timeout_allowed>yes</timeout_allowed>
>>
>>   </command>  
>>
>>
>>   <command>
>>
>>     <name>restart-ossec</name>
>>
>>     <executable>restart-ossec.sh</executable>
>>
>>     <expect></expect>
>>
>>   </command>
>>
>>                   
>>
>>
>>   <command>
>>
>>     <name>route-null</name>
>>
>>     <executable>route-null.sh</executable>
>>
>>     <expect>srcip</expect>
>>
>>     <timeout_allowed>yes</timeout_allowed>
>>
>>   </command>
>>
>>
>>   <!-- Files to monitor (localfiles) -->
>>
>>
>>   <localfile>
>>
>>     <log_format>syslog</log_format>
>>
>>     <location>/var/log/messages</location>
>>
>>   </localfile>
>>
>>
>>   <localfile>
>>
>>     <log_format>syslog</log_format>
>>
>>     <location>/var/log/secure</location>
>>
>>   </localfile>
>>
>>
>>   <localfile>
>>
>>     <log_format>apache</log_format>
>>
>>     <location>/var/log/httpd/*log</location>
>>
>>   </localfile>
>>
>>
>>   <localfile>
>>
>>     <log_format>syslog</log_format>
>>
>>     <location>/var/log/maillog</location>
>>
>>   </localfile>
>>
>>
>>   <localfile>
>>
>>     <log_format>command</log_format>
>>
>>     <command>df -h</command>
>>
>>   </localfile>
>>
>>
>>   <localfile>
>>
>>     <log_format>full_command</log_format>
>>
>>     <command>netstat -tan |grep LISTEN |grep -v xx.xx.xx.xx | 
>> sort</command>
>>
>>   </localfile>
>>
>>
>>   <localfile>
>>
>>     <log_format>full_command</log_format>
>>
>>     <command>last -n 5</command>
>>
>>   </localfile>
>>
>>
>> </ossec_config>
>>
>>
>>
>>
>> Regards
>>
>> Prakash
