On Tuesday, June 14, 2016 at 2:02:55 PM UTC-4, dan (ddpbsd) wrote:
> On Tue, Jun 14, 2016 at 1:56 PM, Jeff Blaine <cjbl...@gmail.com> wrote:
> > On Tuesday, June 14, 2016 at 1:00:14 PM UTC-4, dan (ddpbsd) wrote:
> > > On Tue, Jun 14, 2016 at 12:47 PM, Jeff Blaine <cjbl...@gmail.com> wrote:
I'll also add that /var/ossec/queue/syscheck contains these 2 files, the
larger of the 2 was last modified ~4 days ago. I don't know if that's
useful info or not:
-rw-r- 1 ossec ossec 3 May 21 10:29 .syscheck.cpt
-rw-r- 1 ossec ossec 494689 Jun 9 10:48 syscheck
We're using OSSEC 2.8.3 in standalone mode and failing to get syscheck to
be useful. We *are* getting other alerts via both the log file and email.
We're stumped. Any insight would be appreciated.
The ossec.conf configuration that is relevant. There is no fine-grained
"email-alerts" section
Field 7 passed to an AR command is supposed to be file.
Triggering off of rule 550 (syscheck file integrity changed) and logging
arguments 1 through 7, I would expect argument 7 to show the file that changed.
Instead I see this:
add - - 1435510407.21426431 550 (foo.our.com)
blocked each seconds.
- Original Message -
From: Jeff Blaine <cjbl...@gmail.com>
To: ossec...@googlegroups.com
Sent: Friday, 26 June 2015 18:22:46
Subject: [ossec-list] AR command executing when it should not be
When rule 550 or 554 is hit with ANY agent as the source, the command below is
executing on agent 19.
As I understand AR, the command should only be executing on agent 19 when rule
550 or 554 is hit *with agent 19 as the origin*
Is this a bug or a misunderstanding on my part somewhere?
Config
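For the behaviour described in this post, an added illustration (not Jeff's configuration, which is not shown here, and not a stock OSSEC file): with <location>defined-agent</location> plus <agent_id>, OSSEC runs the command on that one agent for every matching alert no matter which agent raised it, while with <location>local</location> it runs on the agent that produced the alert. The command name, the script name and the agent id 019 are assumptions for the example.

```xml
<!-- Added example, not the poster's config and not a stock OSSEC file.
     Command name, script name, timeout setting and agent id 019 are assumed. -->
<ossec_config>
  <command>
    <name>log-syscheck-change</name>
    <!-- assumed script under /var/ossec/active-response/bin/ on the target agent -->
    <executable>log-syscheck-change.sh</executable>
    <!-- syscheck alerts carry no source IP or user, so nothing is expected -->
    <expect></expect>
    <timeout_allowed>no</timeout_allowed>
  </command>

  <!-- Stanza 1: fires on agent 019 for EVERY rule 550/554 alert,
       whichever agent generated it. This matches the behaviour
       the post describes. -->
  <active-response>
    <command>log-syscheck-change</command>
    <location>defined-agent</location>
    <agent_id>019</agent_id>
    <rules_id>550,554</rules_id>
  </active-response>

  <!-- Stanza 2: fires only on the agent whose syscheck raised the alert.
       This is the behaviour the post expects. -->
  <active-response>
    <command>log-syscheck-change</command>
    <location>local</location>
    <rules_id>550,554</rules_id>
  </active-response>
</ossec_config>
```

Only one of the two <active-response> stanzas would normally be present; they are shown side by side so the difference in <location> is visible. Whichever agent the command runs on, it must have the script installed locally, since the manager only sends the command name and arguments.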
Check your agentless directory permissions and ownership too.
Should be 0550, root, ossec.
On Tuesday, March 17, 2015 at 11:39:31 AM UTC-4, Gaetan Noel wrote:
That's what I was afraid of, that's what I have, root/root.
Would you guys have an idea on where I can look for? If I test running
Hi all,
I'm failing to get alert_new_files working in agent.conf with OSSEC 2.8.1.
Below you'll see my agent.conf and that its md5 sum matches the one on the
agent.
Changing the contents of *existing* files in /var/www *does* trigger alerts as
expected. *PROBLEM*: Creating *new* files in
Ah crap. It's the rule 554 level issue in the FAQ. Sorry for the noise.
Isn't there a better solution to this than a FAQ entry?
The directive has the WORD alert in the string alert_new_files
I'd think at this point the default should be level=7 and those few who
*don't* want the behavior
alert_new_files is for local and server installations only, it does
nothing on agent installations.
http://ossec-docs.readthedocs.org/en/latest/syntax/head_ossec_config.syscheck.html?highlight=alert_new_files
Ohhh. I get it now. Thanks Dan.
On Monday, March 9, 2015 at 2:11:59 PM UTC-4, dan (ddpbsd) wrote:
> On Mon, Mar 9, 2015 at 2:07 PM, Jeff Blaine <cjbl...@gmail.com> wrote:
> alert_new_files is for local and server installations only, it does
> nothing on agent installations
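The two points in this exchange, alert_new_files only taking effect in a server or local install's ossec.conf, and the stock rule 554 ("File added to the system") being level 0 so a new file never alerts until that rule is overridden, as an added example that is not from the thread and not a stock OSSEC file. The watched directory, the scan frequency and the file paths are assumptions; the rule body mirrors the stock rule so that the override changes only the level.

```xml
<!-- Added example, not from the thread. Both fragments live on the OSSEC
     server (or a standalone "local" install); alert_new_files is ignored
     in agent.conf and in an agent's own ossec.conf. -->

<!-- Fragment 1: /var/ossec/etc/ossec.conf on the server or local install.
     Directory, frequency and the realtime attribute are assumptions. -->
<ossec_config>
  <syscheck>
    <frequency>7200</frequency>
    <alert_new_files>yes</alert_new_files>
    <directories check_all="yes" realtime="yes">/var/www</directories>
  </syscheck>
</ossec_config>

<!-- Fragment 2: /var/ossec/etc/rules/local_rules.xml. The stock rule 554
     has level="0", so the new-file event is discarded even when
     alert_new_files is on. Re-declare it with overwrite="yes" and a level
     that alerts; 7 also reaches the default email_alert_level of 7. -->
<group name="local,syscheck,">
  <rule id="554" level="7" overwrite="yes">
    <category>ossec</category>
    <decoded_as>syscheck_new_entry</decoded_as>
    <description>File added to the system.</description>
    <group>syscheck,</group>
  </rule>
</group>
```

After changing either file, restart OSSEC on the server; a new file under the watched directory should then appear in logs/alerts/alerts.log as rule 554 at level 7, and by email if email alerting is enabled.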
I use agents for systems that can run them, so I don't know. Try
turning on the logall option to see if the output ends up in
archives.log.
Nothing there with <logall>yes</logall>. Bummer.
--
---
You received this message because you are subscribed to the Google Groups
ossec-list group.
I'm confused. I have a working agentless setup for my 1 test node, but I am
not seeing any data in logs/alerts/alerts.log indicating that an alert was
triggered when I modify files that are being integrity checked.
The stanza in the manager's ossec.conf (then I restarted ossec of course):
On Friday, February 20, 2015 at 12:49:29 PM UTC-5, dan (ddpbsd) wrote:
> On Fri, Feb 20, 2015 at 12:43 PM, Jeff Blaine <cjbl...@gmail.com> wrote:
> > Is it possible to configure agentless OSSEC to use sudo on the remote
> > node?
> > The documentation doesn't show that it is possible, so I
Is it possible to configure agentless OSSEC to use sudo on the remote node?
The documentation doesn't show that it is possible, so I assume it is not,
but thought I'd ask.