Still seeing high CPU usage for authd. Hmmm...
On Tuesday, March 12, 2013 1:06:18 PM UTC-7, Kat wrote:
>
> Been seeing that a lot too -- going to try the repo update and see how
> that works.
>
> Perhaps it is time for a 2.7.1 release - I think we have enough general
> f
Are you checking the right logs and do you have the ARs set for the right
place? Sometimes people forget the log entries will be in agents' log files,
not the SERVER.
On Wednesday, March 13, 2013 10:56:34 AM UTC-7, BP9906 wrote:
>
> Hello,
> I recently upgraded my ossec server to 2.7 and everyth
I have compiled OSSEC all the way through AIX 6.1 and JB is right. gcc has issues,
the native C compiler always works. I did get it to work with gcc but only after
fighting it. I will go back through my notes and see what I can find. If you
happen to have IBM's C, it should work fine however.
Ok, I am thinking "off the cuff" here -- but was starting to wonder how
OSSEC could scale more easily to large infrastructures. One of the primary
issues is analysisd being single threaded. BUT -- since analysisd does not
trap the port - 1514 for anything - that is left up to remoted - then why
I know some people have asked about the "listen ports changed" command that
they offered as a default/example in OSSEC install..
I too find it useful, but got tired of a lot of alerts for ports over 1024.
This still handles IPv4 and v6 ports:
netstat -tan | awk '$NF != "LISTEN" || $4 ~ /^127
How many folders/files are you monitoring for changes?
On Friday, May 10, 2013 1:32:33 AM UTC-7, Winni Neessen wrote:
>
> Hi,
>
> I am running OSSEC 2.7 on FreeBSD 8.4. Recently I received a kernel
> warning, that maxfiles was exceeded.
> I was wondering how this could be, as kern.maxfiles was c
I have seen many issues with CentOS 7 becoming unresponsive. Kernel issues.
Try removing OSSEC, but my guess, it will still hang. Are you current on
all patches?
-K
On Thursday, July 2, 2015 at 6:47:53 PM UTC-7, Caleb P wrote:
>
> If I start OSSEC, my Centos 7 AWS instance becomes unresponsive
Just a silly question I don't see in this thread -- do you have ANY
clients defined on the server itself??
What is currently in /var/ossec/etc/clients.keys?
-Kat
--
---
You received this message because you are subscribed to the Google Groups
"ossec-list" group.
To unsubs
extremely reliable and I have had no issues. I do run with as high as
20,000 agents in some cases with no issues.
Cheers
Kat
On Thursday, February 18, 2016 at 7:36:10 AM UTC-8, James Dough wrote:
>
> Looking at the hybrid install type; it installs two versions of ossec,
> that have been red
The Windows systems do not have the same commands for looking at users.
Your commands for looking at both logged in and last will only work on
*nix platforms.
Kat
On Wednesday, April 6, 2016 at 2:38:26 AM UTC-5, Maxim Surdu wrote:
>
> Hi dear community,
>
> i install and config
of the problems observed.
Kat
On Tuesday, April 5, 2016 at 8:21:18 AM UTC-5, Alexandre LAQUERRE wrote:
>
> Hi,
>
>
>
> I have been using Ossec for quite a while and we decided to upgrade the
> version (2.7.1) to 2.8.3 and that was relatively successful except for the
>
You should disable RIDS:
remoted.verify_msg_id=0
The errors should go away. The problem is, RIDS must be removed on both
agent and server; that may be causing issues.
Kat
On Tuesday, April 5, 2016 at 8:21:18 AM UTC-5, Alexandre LAQUERRE wrote:
>
> Hi,
>
>
>
> I have be
. Without
knowing everything about your setup, I would say you could probably safely
ignore these for now, then focus on the rest of the alerts to try to get a
clear understanding of what "normal" is.
Cheers
Kat
On Friday, July 8, 2016 at 2:34:20 PM UTC-5, Brad Carey wrote:
>
>
d and
remove that file. Then you are free to re-use agent IDs all the time.
Cheers
Kat
On Thursday, July 28, 2016 at 2:03:34 PM UTC-5, Chanti Naani wrote:
>
> Hi,
> We have a pretty decent implementation of the ossec with max clients set
> to 3000.
> So far we have generated
happens though)
Cheers
Kat
(PS - Hi Graeme!)
On Thursday, July 28, 2016 at 11:43:32 AM UTC-5, Graeme Stewart wrote:
>
> Seeing a lot of errors in the logfiles like this:
>
> 2016/07/28 16:41:48 ossec-remoted: ERROR: Unable to send file 'merged.mg'
> to agent.
> 201
ackage. You don't need to add the
client as well, since the server will do just fine on its own. So install
ossec-hids and ossec-hids-server.
That should get you going just fine.
Cheers
Kat
On Monday, August 22, 2016 at 12:59:28 PM UTC-5, Shawn Wiley wrote:
>
> I have a pair of Red H
Hi all --
Just wondering on the status of 2.9 RC2? Been several weeks now. Any
updates on the final release?
Thanks
Kat
Wouldn't it be easier rather than to modify the rule - simply add these to
the ignores with -
/dev/oracleasm
??
Just a thought.
Kat
On Tuesday, August 30, 2016 at 9:12:33 AM UTC-5, Stephen LuShing wrote:
>
> I have been getting this notification which I am trying to fix. This is a
erent branches and make my brain stop
contorting please :-) I want to get all the best parts of all the
enhancements from all the teams, but I am not quite sure there is one
branch that incorporates them all? Then again, I could be completely wrong?
Kat
WCONFIG
fi
# add this block to check for and add a preset profile name for the
agent (from preloaded-vars.conf)
if [ "X${USER_AGENT_CONFIG_PROFILE}" != "X" ]; then
PROFILE=${USER_AGENT_CONFIG_PROFILE}
echo "$PROFILE" >> $NEWCONFI
minor typo on this line:
echo "$PROFILE" >> $NEWCONFIG
that should read
echo "$PROFILE" >> $NEWCONFIG
On Thursday, January 22, 2015 at 4:09:42 AM UTC-6, Slobodan Aleksić wrote:
>
> Hello list,
>
> I am having trouble setting up agent's ossec.conf by the install.sh
> script correct
I already did. :-)
#1027
On Thursday, January 19, 2017 at 12:15:14 PM UTC-6, dan (ddpbsd) wrote:
>
> On Tue, Jan 17, 2017 at 3:06 PM, Kat >
> wrote:
> > The problem is simple - the install.sh is where this is taken care of,
> but
> > no one ever bothered to add t
The Wazuh fork is actually newer, but regardless there should never be a
conflict from 2.x to 2.x with agent and server. When you say "conflict" -
can you be more specific on the error you are seeing?
Kat
On Friday, January 20, 2017 at 5:14:09 PM UTC-6, Alejandro M wrote:
>
> H
In case anyone is curious - with proper server sizing, I have run OSSEC
Managers with 20-30,000 agents connected.
:-)
Kat
On Thursday, August 18, 2011 at 4:49:26 AM UTC-5, PJG wrote:
>
> Dear All,
>
> We are planning on ramping up our OSSEC deployment.
>
> There's a w
erformance hit is negligible.
Obviously if you tried to do a trigger on each insert for the entire
database, that would kill it, but you can do a lot of creative things
with OSSEC.
Cheers
Kat
On Sunday, January 8, 2017 at 7:19:34 AM UTC-6, Mike Hammett wrote:
>
> My current cen
jail.
Cheers
Kat
On Friday, January 13, 2017 at 1:28:42 PM UTC-6, Joel wrote:
>
> hi all,
>
> man, not having a good day.
>
> I was starting to run out of space on my / volume as a result of ossec
> logs piling up. i need to keep the logs, so i added a new drive (to the
>
it all up -- perhaps I will do a quick userguide doc that can
be added to OSSEC. I specifically use this method with sshfs to mount a
larger file store on the backend of my OSSEC managers.
Kat
On Friday, January 13, 2017 at 1:28:42 PM UTC-6, Joel wrote:
>
> hi all,
>
> man, not ha
I'll write something up and submit it.
Kat
On Friday, January 13, 2017 at 1:28:42 PM UTC-6, Joel wrote:
>
> hi all,
>
> man, not having a good day.
>
> I was starting to run out of space on my / volume as a result of ossec
> logs piling up. i need to keep the logs,
Hi all,
It seems to me that 2.9.0 is released - at least no more RC# after the last
one. My question is, is this the case, and if so, could the website be
updated to reflect it? According to GitHub the release was 25 days ago,
but the website still indicates 2.8.3?
Thanks
Kat
arting OSSEC and you do not
have alerting on new files setup, then you may not see the alerts either.
I use this feature for monitoring in realtime if users put SSH private keys
on a public server, rather than their laptop. I have AR setup to remove any
private keys immediately upon alert gen
on exit. For example, after you edit the sshd_rules.xml,
enter
:wq!
That will overwrite the file. However, any changes to the built-in files
will be overwritten next time you upgrade, so Victor's comment about using
local_rules.xml is actually more correct.
Kat
On Monday, March 20, 2017 at 1:56
You could set the appropriate folders, assuming a *nix system, such as
/bin,/usr/bin,/sbin,/usr/sbin for realtime monitoring and new file alerts.
Then if a package is installed, regardless of whether by YUM or dpkg/apt, or
even by just copying it into place, you would still get an alert.
Kat
On
Hi,
Could you post the log entries? Also, an ssh -vvv output would help to see
what is going on. It is clearly a connection problem, but hard to diagnose
based on what you have posted.
Kat
On Friday, March 17, 2017 at 10:20:58 PM UTC-5, Marcin Gołębiowski wrote:
>
> I can't seem
I actually monitor
/home/*.ssh,/root/.ssh
And have AR set that if a new directory appears in /home, it restarts the
agent so it adds it to the wildcard.
On Monday, March 20, 2017 at 10:47:13 PM UTC-5, jingxu...@bettercloud.com
wrote:
>
> Recently, we are trying to use OSSEC to monitor ~/.ssh/
It really sounds like you are missing a step -- perhaps post the steps you
do for the install, adding an agent etc, showing the commands and results.
We need something more to help you.
Kat
On Thursday, April 13, 2017 at 5:24:32 PM UTC-5, Руслан Аминджанов wrote:
>
> Hello!
> I