Re: [ossec-list] Re: Very strange - syscheck not alerting at all -- not to log file or to email

2016-06-14 Thread Jeff Blaine
On Tuesday, June 14, 2016 at 2:02:55 PM UTC-4, dan (ddpbsd) wrote: > On Tue, Jun 14, 2016 at 1:56 PM, Jeff Blaine <cjbl...@gmail.com> wrote: > > On Tuesday, June 14, 2016 at 1:00:14 PM UTC-4, dan (ddpbsd) wrote:

Re: [ossec-list] Re: Very strange - syscheck not alerting at all -- not to log file or to email

2016-06-14 Thread Jeff Blaine
On Tuesday, June 14, 2016 at 1:00:14 PM UTC-4, dan (ddpbsd) wrote: > On Tue, Jun 14, 2016 at 12:47 PM, Jeff Blaine <cjbl...@gmail.com> wrote: > > I'll also add that /var/ossec/queue/syscheck contains these 2 files, the larger of the 2 was last modifie

[ossec-list] Re: Very strange - syscheck not alerting at all -- not to log file or to email

2016-06-14 Thread Jeff Blaine
I'll also add that /var/ossec/queue/syscheck contains these 2 files, the larger of the 2 was last modified ~4 days ago. I don't know if that's useful info or not: -rw-r- 1 ossec ossec 3 May 21 10:29 .syscheck.cpt -rw-r- 1 ossec ossec 494689 Jun 9 10:48 syscheck

[ossec-list] Very strange - syscheck not alerting at all -- not to log file or to email

2016-06-14 Thread Jeff Blaine
We're using OSSEC 2.8.3 in standalone mode and failing to get syscheck to be useful. We *are* getting other alerts via both the log file and email. We're stumped. Any insight would be appreciated. The ossec.conf configuration that is relevant. There is no fine-grained "email-alerts" section

[ossec-list] file, argument 7 passed to AR command?

2015-07-01 Thread Jeff Blaine
Field 7 passed to an AR command is supposed to be file. Triggering off of rule 550 (syscheck file integrity changed) and logging arguments 1 through 7, I would expect argument 7 to show the file that changed. Instead I see this: add - - 1435510407.21426431 550 (foo.our.com)

Re: [ossec-list] AR command executing when it should not be

2015-06-30 Thread Jeff Blaine
blocked each seconds. - Original message - From: Jeff Blaine cjbl...@gmail.com To: ossec...@googlegroups.com Sent: Friday 26 June 2015 18:22:46 Subject: [ossec-list] AR command executing when it should not be When rule 550 or 554 is hit with ANY agent

[ossec-list] AR command executing when it should not be

2015-06-26 Thread Jeff Blaine
When rule 550 or 554 is hit with ANY agent as the source, the command below is executing on agent 19. As I understand AR, the command should only be executing on agent 19 when rule 550 or 554 is hit *with agent 19 as the origin*. Is this a bug or a misunderstanding on my part somewhere? Config

Re: [ossec-list] OSSEC Agentless script not passing commands

2015-03-17 Thread Jeff Blaine
Check your agentless directory permissions and ownership too. Should be 0550, root, ossec. On Tuesday, March 17, 2015 at 11:39:31 AM UTC-4, Gaetan Noel wrote: That's what I was afraid of, that's what I have, root/root. Would you guys have an idea on where I can look for? If I test running

[ossec-list] agent.conf alert_new_files not working - help?

2015-03-09 Thread Jeff Blaine
Hi all, I'm failing to get alert_new_files working in agent.conf with OSSEC 2.8.1. Below you'll see my agent.conf and that its md5 sum matches the one on the agent. Changing the contents of *existing* files in /var/www *does* trigger alerts as expected. *PROBLEM*: Creating *new* files in

[ossec-list] Re: agent.conf alert_new_files not working - help?

2015-03-09 Thread Jeff Blaine
Ah crap. It's the rule 554 level issue in the FAQ. Sorry for the noise. Isn't there a better solution to this than a FAQ entry? The directive has the WORD alert in the string alert_new_files. I'd think at this point the default should be level=7 and those few who *don't* want the behavior

Re: [ossec-list] agent.conf alert_new_files not working - help?

2015-03-09 Thread Jeff Blaine
alert_new_files is for local and server installations only; it does nothing on agent installations. http://ossec-docs.readthedocs.org/en/latest/syntax/head_ossec_config.syscheck.html?highlight=alert_new_files

Re: [ossec-list] agent.conf alert_new_files not working - help?

2015-03-09 Thread Jeff Blaine
Ohhh. I get it now. Thanks Dan. On Monday, March 9, 2015 at 2:11:59 PM UTC-4, dan (ddpbsd) wrote: On Mon, Mar 9, 2015 at 2:07 PM, Jeff Blaine cjbl...@gmail.com wrote: alert_new_files is for local and server installations only; it does nothing on agent installations

Re: [ossec-list] Where does agentless data go? No alerts on hash changes.

2015-02-24 Thread Jeff Blaine
I use agents for systems that can run them, so I don't know. Try turning on the logall option to see if the output ends up in archives.log. Nothing there with <logall>yes</logall>. Bummer. -- --- You received this message because you are subscribed to the Google Groups ossec-list group.

[ossec-list] Where does agentless data go? No alerts on hash changes.

2015-02-23 Thread Jeff Blaine
I'm confused. I have a working agentless setup for my 1 test node, but I am not seeing any data in logs/alerts/alerts.log indicating that an alert was triggered when I modify files that are being integrity checked. The stanza in the manager's ossec.conf (then I restarted ossec of course):

Re: [ossec-list] agentless via remote sudo instead root-only ssh?

2015-02-20 Thread Jeff Blaine
On Friday, February 20, 2015 at 12:49:29 PM UTC-5, dan (ddpbsd) wrote: On Fri, Feb 20, 2015 at 12:43 PM, Jeff Blaine cjbl...@gmail.com wrote: Is it possible to configure agentless OSSEC to use sudo on the remote node? The documentation doesn't show that it is possible, so I

[ossec-list] agentless via remote sudo instead root-only ssh?

2015-02-20 Thread Jeff Blaine
Is it possible to configure agentless OSSEC to use sudo on the remote node? The documentation doesn't show that it is possible, so I assume it is not, but thought I'd ask.