Re: [ossec-list] Re: Couple of agents unable to connect to server
Usually there are warning or error messages in the ossec.log file (check those both on the agent and on the manager).

On Mon, Jan 4, 2016 at 11:06 AM, Cal wrote:
> Found a solution, thinking it might be a key issue. On one server, I had to chmod the keys file, which allowed the agent to connect. I tried re-adding the existing key to the other agents and configuring the permissions without anything working. Finally, I re-issued the keys for the disconnected clients, and all connected after restart. Not sure what the issue was.
>
> On Monday, January 4, 2016 at 12:35:44 PM UTC-5, Cal wrote:
>> Also, from agent:
>>
>> # netstat -panu | grep 1520
>> udp        0      0 AGENT_IP:43737      SERVER_IP:1520      ESTABLISHED 30669/ossec-agentd
>>
>> On Monday, January 4, 2016 at 12:25:02 PM UTC-5, Cal wrote:
>>> I have about 20 OSSEC agents connected to my OSSEC server without issue. There are approximately 6 however that cannot connect. I'm using a non-default port of 1520. Note: All IPs replaced here for OPSEC.
>>>
>>> Logs:
>>>
>>> - Agent:
>>>   2016/01/04 11:12:23 ossec-agentd: INFO: Using IPv4 for: SERVER_IP .
>>>   2016/01/04 11:12:44 ossec-agentd(4101): WARN: Waiting for server reply (not started). Tried: 'SERVER_IP'.
>>> - Server:
>>>   Nothing outside the standard output, even with debug enabled
>>>
>>> What I've done so far:
>>>
>>> - Added rules into iptables to allow communication on both agent/server
>>> - TCPdump confirming on agent that it is sending packet
>>> - TCPdump confirming on server that it is receiving agent packet
>>> - Netcat on both server/agent:
>>>   netcat -uv SERVER_IP 1520
>>>   Connection to SERVER_IP 1520 port [udp/*] succeeded!
>>>   netcat -uv AGENT_IP 1520
>>>   Connection to AGENT_IP 1520 port [udp/*] succeeded!
>>>
>>> ossec.conf:
>>>
>>> - <client>
>>>     <server-ip>SERVER_IP</server-ip>
>>>     <port>1520</port>
>>>   </client>
>>> - <remote>
>>>     <connection>secure</connection>
>>>     <protocol>tcp</protocol>
>>>     <port>1520</port>
>>>   </remote>

--

---
You received this message because you are subscribed to the Google Groups "ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to ossec-list+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
Re: [ossec-list] Using Regular Expressions in an OSSEC rule
How about using Comp-\S+? I would also recommend using a variable like this (taken from the syslog rules): core_dumped|failure|error|attack|bad |illegal |denied|refused|unauthorized|fatal|failed|Segmentation Fault|Corrupted

On Mon, Dec 28, 2015 at 10:22 AM, wrote:
> Hello all and Happy Holidays,
>
> I set up a rule to look for logins after hours as follows:
>
>   authentication
>   6 pm - 9 am
>   Login after hours
>
>   50
>   USERNAME
>   Ignore USERNAME
>
> The first rule tries to pick up all logins after hours, and the subordinate rule tries to strip out non-human accounts such as service accounts and machine accounts.
>
> The issue I am having is this rule picks EVERY login including (service accounts and machine accounts) which I have tried to enter in between brackets like COMP-01|COMP-02 | SERVICE ACCOUNT-1 | and so on. I was wondering, if I have a whole bunch of computer/service accounts (i.e. COMP-01, COMP-02), how to use a regular expression to enter a single filter which covers all the machine names (i.e. COMP*.* in DOS-ese).
>
> Thanks,
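A worked version of the two-rule layout asked about above, added here as an example; it is not part of the original post or of the OSSEC rule set. `\S+` is OSSEC `<regex>` syntax (OS_Regex, applied to the whole log line); the `<user>` field takes the simpler sregex, where `^` anchors at the start of the decoded user name and `|` separates alternatives, so one child rule with a prefix list covers every COMP-xx or SERVICE-ACCOUNT-x account without listing each one (a Windows machine account's trailing `$` still matches a prefix). The rule IDs 100100/100101, the prefix list and the parent's `<if_group>` are assumptions for the example; `local_rules.xml` and the 100000+ ID range are where OSSEC expects custom rules.

```xml
<!-- /var/ossec/rules/local_rules.xml (added example, not from the thread) -->
<group name="local,authentication,">

  <!-- Parent: any decoded successful login between 18:00 and 09:00 -->
  <rule id="100100" level="7">
    <if_group>authentication_success</if_group>
    <time>6 pm - 9 am</time>
    <description>Login after hours</description>
  </rule>

  <!-- Child: silences the parent when the user name starts with a machine or
       service-account prefix. <user> is an sregex: ^ anchors the start and
       | separates alternatives, so no wildcard is needed after the prefix.
       The three prefixes are assumed; replace them with your own naming scheme. -->
  <rule id="100101" level="0">
    <if_sid>100100</if_sid>
    <user>^COMP-|^SERVICE-ACCOUNT-|^SVC_</user>
    <description>After-hours login by a machine or service account, ignored</description>
  </rule>

</group>
```

Level 0 on the child is what keeps these logins out of the alert stream; the parent still fires for every other user after hours. To check a candidate before restarting, paste a real login line into /var/ossec/bin/ossec-logtest and confirm that a COMP-01 event ends at rule 100101 while a human account ends at 100100.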
Re: [ossec-list] for what time ossec save logs?
Maxim,

I would recommend you use a separate log management system, as I would not say OSSEC covers everything a system like that does. For example you can use Splunk or the ELK Stack (my preferred choice as it is also free Open Source), or SIEM systems (AlienVault, ArcSight, ...).

I hope that helps,
Santiago.

On Mon, Dec 28, 2015 at 5:01 AM, dan (ddp) wrote:
> On Mon, Dec 28, 2015 at 7:00 AM, Maxim Surdu wrote:
>> Hi everyone,
>>
>> Who can tell me how long OSSEC keeps my logs? Do I need to configure it, or how does it work? I need OSSEC to keep my logs for a minimum of 2 years.
>>
>> Any help would be greatly appreciated
>
> OSSEC does not currently delete logs.
>
>> Thanks,
>> Maxim
[ossec-list] Re: Couple of agents unable to connect to server
Found a solution, thinking it might be a key issue. On one server, I had to chmod the keys file, which allowed the agent to connect. I tried re-adding the existing key to the other agents and configuring the permissions without anything working. Finally, I re-issued the keys for the disconnected clients, and all connected after restart. Not sure what the issue was.

On Monday, January 4, 2016 at 12:35:44 PM UTC-5, Cal wrote:
> Also, from agent:
>
> # netstat -panu | grep 1520
> udp        0      0 AGENT_IP:43737      SERVER_IP:1520      ESTABLISHED 30669/ossec-agentd
>
> On Monday, January 4, 2016 at 12:25:02 PM UTC-5, Cal wrote:
>> I have about 20 OSSEC agents connected to my OSSEC server without issue. There are approximately 6 however that cannot connect. I'm using a non-default port of 1520. Note: All IPs replaced here for OPSEC.
>>
>> Logs:
>>
>> - Agent:
>>   2016/01/04 11:12:23 ossec-agentd: INFO: Using IPv4 for: SERVER_IP .
>>   2016/01/04 11:12:44 ossec-agentd(4101): WARN: Waiting for server reply (not started). Tried: 'SERVER_IP'.
>> - Server:
>>   Nothing outside the standard output, even with debug enabled
>>
>> What I've done so far:
>>
>> - Added rules into iptables to allow communication on both agent/server
>> - TCPdump confirming on agent that it is sending packet
>> - TCPdump confirming on server that it is receiving agent packet
>> - Netcat on both server/agent:
>>   netcat -uv SERVER_IP 1520
>>   Connection to SERVER_IP 1520 port [udp/*] succeeded!
>>   netcat -uv AGENT_IP 1520
>>   Connection to AGENT_IP 1520 port [udp/*] succeeded!
>>
>> ossec.conf:
>>
>> - <client>
>>     <server-ip>SERVER_IP</server-ip>
>>     <port>1520</port>
>>   </client>
>> - <remote>
>>     <connection>secure</connection>
>>     <protocol>tcp</protocol>
>>     <port>1520</port>
>>   </remote>
[ossec-list] Re: Couple of agents unable to connect to server
Also, from agent:

# netstat -panu | grep 1520
udp        0      0 AGENT_IP:43737      SERVER_IP:1520      ESTABLISHED 30669/ossec-agentd

On Monday, January 4, 2016 at 12:25:02 PM UTC-5, Cal wrote:
> I have about 20 OSSEC agents connected to my OSSEC server without issue. There are approximately 6 however that cannot connect. I'm using a non-default port of 1520. Note: All IPs replaced here for OPSEC.
>
> Logs:
>
> - Agent:
>   2016/01/04 11:12:23 ossec-agentd: INFO: Using IPv4 for: SERVER_IP .
>   2016/01/04 11:12:44 ossec-agentd(4101): WARN: Waiting for server reply (not started). Tried: 'SERVER_IP'.
> - Server:
>   Nothing outside the standard output, even with debug enabled
>
> What I've done so far:
>
> - Added rules into iptables to allow communication on both agent/server
> - TCPdump confirming on agent that it is sending packet
> - TCPdump confirming on server that it is receiving agent packet
> - Netcat on both server/agent:
>   netcat -uv SERVER_IP 1520
>   Connection to SERVER_IP 1520 port [udp/*] succeeded!
>   netcat -uv AGENT_IP 1520
>   Connection to AGENT_IP 1520 port [udp/*] succeeded!
>
> ossec.conf:
>
> - <client>
>     <server-ip>SERVER_IP</server-ip>
>     <port>1520</port>
>   </client>
> - <remote>
>     <connection>secure</connection>
>     <protocol>tcp</protocol>
>     <port>1520</port>
>   </remote>
[ossec-list] Couple of agents unable to connect to server
I have about 20 OSSEC agents connected to my OSSEC server without issue. There are approximately 6 however that cannot connect. I'm using a non-default port of 1520. Note: All IPs replaced here for OPSEC.

Logs:

- Agent:
  2016/01/04 11:12:23 ossec-agentd: INFO: Using IPv4 for: SERVER_IP .
  2016/01/04 11:12:44 ossec-agentd(4101): WARN: Waiting for server reply (not started). Tried: 'SERVER_IP'.
- Server:
  Nothing outside the standard output, even with debug enabled

What I've done so far:

- Added rules into iptables to allow communication on both agent/server
- TCPdump confirming on agent that it is sending packet
- TCPdump confirming on server that it is receiving agent packet
- Netcat on both server/agent:
  netcat -uv SERVER_IP 1520
  Connection to SERVER_IP 1520 port [udp/*] succeeded!
  netcat -uv AGENT_IP 1520
  Connection to AGENT_IP 1520 port [udp/*] succeeded!

ossec.conf:

- <client>
    <server-ip>SERVER_IP</server-ip>
    <port>1520</port>
  </client>
- <remote>
    <connection>secure</connection>
    <protocol>tcp</protocol>
    <port>1520</port>
  </remote>
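A configuration pair for the non-default port used in this thread, added as an example; it is not Cal's posted config or anything from the OSSEC project. OSSEC reads `<protocol>` in the manager's `<remote>` block and in the agent's `<client>` block and defaults each side to udp when the element is absent, so agent and manager only exchange messages when both the port and the protocol agree. The manager fragment above selects tcp while the agent fragment sets no protocol and the agent's netstat shows a UDP socket, so that pairing is worth confirming alongside the key-file permissions and re-issued keys Cal ended up fixing. SERVER_IP is kept as the thread's placeholder; that the agent side accepts `<protocol>` in the same release whose manager accepts it in `<remote>` is an assumption for this example.

```xml
<!-- Agent ossec.conf, as posted: no <protocol>, so ossec-agentd sends UDP to SERVER_IP:1520 -->
<ossec_config>
  <client>
    <server-ip>SERVER_IP</server-ip>
    <port>1520</port>
  </client>
</ossec_config>

<!-- Agent ossec.conf, aligned with a manager whose secure remote listens on tcp/1520.
     The <protocol> element in <client> is assumed to be supported by the same release. -->
<ossec_config>
  <client>
    <server-ip>SERVER_IP</server-ip>
    <port>1520</port>
    <protocol>tcp</protocol>
  </client>
</ossec_config>

<!-- Manager ossec.conf: the secure remote from the thread. If the agents must stay on UDP,
     change this side to <protocol>udp</protocol> instead of adding tcp to every agent. -->
<ossec_config>
  <remote>
    <connection>secure</connection>
    <protocol>tcp</protocol>
    <port>1520</port>
  </remote>
</ossec_config>
```

Both sides also read /var/ossec/etc/client.keys, and the line for an agent (id, name, IP, key) must be identical on agent and manager; on a stock install the file is owned root:ossec with mode 440, which is an assumption about your layout to confirm with `ls -l` rather than a guarantee. Keys are issued, exported and imported with /var/ossec/bin/manage_agents. After any change to keys or to these blocks, restart both sides and watch /var/ossec/logs/ossec.log: ossec-agentd keeps logging "Waiting for server reply" until the first acknowledged message, and ossec-remoted on the manager logs messages it rejects (unknown source address, key that does not decrypt) in the same file.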
Re: [ossec-list] Send my own logs to Ossec server
On Mon, Jan 4, 2016 at 8:46 AM, Joao T. wrote:
> Can I feed the ossec server with log files, or is it only possible to feed the agents?

If those logfiles exist on the server, the OSSEC processes there should be able to read them.

> On Thursday, December 31, 2015 at 11:56:10 AM UTC+1, Alberto Mijares wrote:
>> You can use syslog. Tell syslogd to write a specific file and the ossec agent to read that file.
>>
>> Read about the syslog format and protocol, and the man page of the syslog server in your OS.
>>
>> Regards
>>
>> Alberto Mijares
>>
>> On Thu, Dec 31, 2015 at 5:34 AM, Joao T. wrote:
>>> Hello,
>>>
>>> I would like to know if it is possible to send to the Ossec server some logs created by my own script running on the same host as the Ossec server? To which port should I communicate and what about the message? Can it be plain text?
>>>
>>> Thank you and happy new year
>>> Joao
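An ossec.conf fragment for the setup Alberto and dan describe, added as an example rather than taken from the thread or from the OSSEC project. Two routes are shown: the script logs through syslog (for instance `logger -t myscript "backup finished rc=0"`) and OSSEC tails the file syslogd writes, or the script appends one plain-text line per event to its own file and OSSEC tails that file directly. Both work on the manager itself, because the manager's own ossec-logcollector reads `<localfile>` entries exactly as an agent's does, so no network port is involved for files on the same host. The `syslog` log format is the right choice for any text file with one event per line, not only for lines with a syslog header. The paths /var/log/messages and /var/log/myscript.log, the tag `myscript`, the `myscript:` line prefix and the rule IDs 100200/100201 are assumptions for the example.

```xml
<!-- /var/ossec/etc/ossec.conf on the manager (added example, not from the thread) -->
<ossec_config>

  <!-- Route 1: the script calls  logger -t myscript "..."  and OSSEC reads the file
       syslogd writes. The path is assumed; use whatever your syslog config names. -->
  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/messages</location>
  </localfile>

  <!-- Route 2: the script appends plain lines such as "myscript: backup finished rc=0"
       to its own file. One event per line is all the syslog format requires; lines
       without a syslog header still reach the rules, just with no program_name decoded. -->
  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/myscript.log</location>
  </localfile>

</ossec_config>

<!-- /var/ossec/rules/local_rules.xml: a line only becomes an alert when a rule matches it -->
<group name="local,myscript,">
  <!-- Route 1: logger -t sets the syslog program name, which the pre-decoder extracts -->
  <rule id="100200" level="5">
    <program_name>myscript</program_name>
    <description>Event from myscript via syslog</description>
  </rule>
  <!-- Route 2: no header to decode, so match the prefix the script writes itself -->
  <rule id="100201" level="5">
    <match>^myscript:</match>
    <description>Event from myscript's own log file</description>
  </rule>
</group>
```

Before restarting with /var/ossec/bin/ossec-control, paste one sample line from each route into /var/ossec/bin/ossec-logtest to confirm that the first decodes program_name `myscript` and hits rule 100200 and the second hits 100201. Lines that match no rule are discarded unless `<logall>yes</logall>` is set under `<global>`, which archives every received line under /var/ossec/logs/archives regardless of rules.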
Re: [ossec-list] Send my own logs to Ossec server
Can I feed the ossec server with log files, or is it only possible to feed the agents?

On Thursday, December 31, 2015 at 11:56:10 AM UTC+1, Alberto Mijares wrote:
> You can use syslog. Tell syslogd to write a specific file and the ossec agent to read that file.
>
> Read about the syslog format and protocol, and the man page of the syslog server in your OS.
>
> Regards
>
> Alberto Mijares
>
> On Thu, Dec 31, 2015 at 5:34 AM, Joao T. wrote:
>> Hello,
>>
>> I would like to know if it is possible to send to the Ossec server some logs created by my own script running on the same host as the Ossec server? To which port should I communicate and what about the message? Can it be plain text?
>>
>> Thank you and happy new year
>> Joao