[ossec-list] Multiple instances of OSSEC running on a single system
I'm wondering if it's possible to have multiple instances of server or client running on the same host? Systems are x86 Intel running x86 Solaris, no Windows systems involved.

We have two different groups of people using OSSEC for different issues. One group is the system admins, who just want to see the basic system alerts and errors that are logged through syslog; the other group is the application admins, who want to see the error messages from their applications, which also log to syslog. The problem is that the number of application messages making it into syslog, and therefore to OSSEC, makes it very difficult to pick out the relevant alerts the system admins would like to see. We thought if we could set up two instances of server and client we could separate the differing requirements.

Anyone know if this is possible?

Sherman Butler
[ossec-list] Re: Multiple instances of OSSEC running on a single system
Did something similar using the smaller version of Splunk (500 meg) - stuck with a single server, but created dashboards inside Splunk to split the appropriate alerts. Something to think about.

On Oct 19, 9:27 am, Sherman Butler sbut...@cequint.com wrote:
[ossec-list] Centralized config, syscheck frequency not working
I have a client setup with an OSSEC manager (v2.6) and 10 OSSEC agents (v2.6) using centralized configuration (agent.conf). My agent.conf looks like this (server names and directories sanitized for public forum):

    <agent_config>
      <syscheck>
        <alert_new_files>yes</alert_new_files>
        <frequency>3600</frequency>
        <disabled>no</disabled>
      </syscheck>
    </agent_config>

    <agent_config name="enter_server_name">
      <syscheck>
        <directories check_all="yes">enter_custom_directory</directories>

        <!-- Default files to be monitored - system32 only. -->
        <directories check_all="yes">%WINDIR%/win.ini</directories>
        <directories check_all="yes">%WINDIR%/system.ini</directories>
        <directories check_all="yes">C:\autoexec.bat</directories>
        <directories check_all="yes">C:\config.sys</directories>
        <directories check_all="yes">C:\boot.ini</directories>
        <directories check_all="yes">%WINDIR%/System32/CONFIG.NT</directories>
        <directories check_all="yes">%WINDIR%/System32/AUTOEXEC.NT</directories>
        <directories check_all="yes">%WINDIR%/System32/at.exe</directories>
        <directories check_all="yes">%WINDIR%/System32/attrib.exe</directories>
        <directories check_all="yes">%WINDIR%/System32/cacls.exe</directories>
        <directories check_all="yes">%WINDIR%/System32/debug.exe</directories>
        <directories check_all="yes">%WINDIR%/System32/drwatson.exe</directories>

        <!-- Windows registry entries to monitor. -->
        <windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\batfile</windows_registry>
        <windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\cmdfile</windows_registry>
      </syscheck>
    </agent_config>

The agent's ossec.conf looks like this:

    <ossec_config>
      <client>
        <server-ip>999.999.999.999</server-ip>
      </client>
    </ossec_config>

Everything is working as it should. The agents alert for registry changes, new files, etc. However, the frequency is not working. For some agents, when queried in agent_control, they show syscheck as last completed 22 hours ago... for others it's less than an hour ago. As I understand it, the agent_config blocks should be cumulative.

I've checked the syscheck directory and all of the db files have .cpt files showing they completed at least once. Additionally, I checked the md5 sum of the server agent.conf and it matches the md5 of the agent.conf on the agents. Furthermore, the agent_control timestamps show that syscheck completed within 10 minutes... with a frequency of an hour, I don't think that should be an issue.

Is there any reason the frequency specified (3600) is not working as it should? Any troubleshooting steps I can perform to find out the cause of syscheck frequency not working?

I sincerely appreciate your response!
Re: [ossec-list] Re: Multiple instances of OSSEC running on a single system
Thanks Kat. We had suggested Splunk as being a better tool for scraping the logs for their application stuff, but the boss has already seen what OSSEC can do and likes the output and hasn't been receptive to trying anything else. I'll keep pushing it and hope for a better resolution to come our way at some point.

Sherman Butler

On 10/19/11 7:49 AM, Kat uncommon...@gmail.com wrote:
[ossec-list] Stop particular alert
All,

It's a bit embarrassing that I can't figure out how to stop this particular alert, but I don't know how. Here's the situation: I have Sophos anti-virus installed on some of my Linux boxes. I keep getting OSSEC alerts like the following:

    2011 Oct 19 11:21:59
    Rule Id: 1002 level: 2
    Location: (plymouth) 192.168.1.2->/var/log/messages
    Unknown problem somewhere in the system.
    Oct 19 11:21:59 plymouth savd: savscan.log: On-demand scan details: master boot records scanned: 0, boot records scanned: 0, files scanned: 3, scan errors: 0, viruses detected: 0, infected files detected: 0

Obviously, I don't want this event to alert. What do I have to do in OSSEC to prevent this specific alert?

Many thanks.

Dimitri

--
This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean.
RE: [ossec-list] Re: Multiple instances of OSSEC running on a single system
How about virtualisation using VMware? Run as many instances of OSSEC as you want - within reason.

Andy

-----Original Message-----
From: ossec-list@googlegroups.com [mailto:ossec-list@googlegroups.com] On Behalf Of Sherman Butler
Sent: Thursday, 20 October 2011 7:25 a.m.
To: ossec-list@googlegroups.com
Subject: Re: [ossec-list] Re: Multiple instances of OSSEC running on a single system
Re: [ossec-list] Stop particular alert
Write a rule.

    <rule id="SET_AN_ID" level="O">
      <if_sid>1002</if_sid>
      <match>scan errors: 0, viruses detected: 0, infected files detected: 0</match>
      <description>All is well.</description>
    </rule>

This one has fatal flaws, but if fixed it works.

On Wed, Oct 19, 2011 at 2:34 PM, Dimitri Yioulos dyiou...@onpointfc.com wrote:
Re: [ossec-list] Multiple instances of OSSEC running on a single system
Yes, it's possible. Just try not to let them step on each other's toes.

http://www.immutablesecurity.com/index.php/2010/10/22/2woo-day-6-running-multiple-instances-on-one-box/ (first link in Google)

On Wed, Oct 19, 2011 at 10:27 AM, Sherman Butler sbut...@cequint.com wrote:
Re: [ossec-list] Centralized config, syscheck frequency not working
On Wed, Oct 19, 2011 at 2:12 PM, brighamr glennbrobe...@gmail.com wrote:
> I have a client setup with an OSSEC manager (v2.6) and 10 OSSEC agents (v2.6) using centralized configuration (agent.conf). My agent.conf looks like this (server names and directories sanitized for public forum):
>
>     <agent_config>
>       <syscheck>
>         <alert_new_files>yes</alert_new_files>

This isn't necessary on agents. This is only useful on the manager.

>         <frequency>3600</frequency>
>         <disabled>no</disabled>
>       </syscheck>
>     </agent_config>
>
>     <agent_config name="enter_server_name">

That should be enter_agent_name, right?

>       <syscheck>
>         <directories check_all="yes">enter_custom_directory</directories>
>
>         <!-- Default files to be monitored - system32 only. -->
>         <directories check_all="yes">%WINDIR%/win.ini</directories>
>         <directories check_all="yes">%WINDIR%/system.ini</directories>
>         <directories check_all="yes">C:\autoexec.bat</directories>
>         <directories check_all="yes">C:\config.sys</directories>
>         <directories check_all="yes">C:\boot.ini</directories>
>         <directories check_all="yes">%WINDIR%/System32/CONFIG.NT</directories>
>         <directories check_all="yes">%WINDIR%/System32/AUTOEXEC.NT</directories>
>         <directories check_all="yes">%WINDIR%/System32/at.exe</directories>
>         <directories check_all="yes">%WINDIR%/System32/attrib.exe</directories>
>         <directories check_all="yes">%WINDIR%/System32/cacls.exe</directories>
>         <directories check_all="yes">%WINDIR%/System32/debug.exe</directories>
>         <directories check_all="yes">%WINDIR%/System32/drwatson.exe</directories>
>
>         <!-- Windows registry entries to monitor. -->
>         <windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\batfile</windows_registry>
>         <windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\cmdfile</windows_registry>
>       </syscheck>
>     </agent_config>
>
> The agent's ossec.conf looks like this:
>
>     <ossec_config>
>       <client>
>         <server-ip>999.999.999.999</server-ip>
>       </client>
>     </ossec_config>
>
> Everything is working as it should. The agents alert for registry changes, new files, etc. However, the frequency is not working. For some agents, when queried in agent_control, they show syscheck as last completed 22 hours ago... for others it's less than an hour ago. As I understand it, the agent_config blocks should be cumulative.
>
> I've checked the syscheck directory and all of the db files have .cpt files showing they completed at least once. Additionally, I checked the md5 sum of the server agent.conf and it matches the md5 of the agent.conf on the agents. Furthermore, the agent_control timestamps show that syscheck completed within 10 minutes... with a frequency of an hour, I don't think that should be an issue.
>
> Is there any reason the frequency specified (3600) is not working as it should? Any troubleshooting steps I can perform to find out the cause of syscheck frequency not working?
>
> I sincerely appreciate your response!

Did you restart the OSSEC processes on the agent after it received the agent.conf?
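The thread turns on two questions: what the cumulative agent.conf blocks actually give a particular agent, and which agents are not honouring the configured frequency. The script below is an added example (not OSSEC's own code and not the poster's file): it merges a constructed agent.conf for a named agent the way the thread describes the blocks accumulating (unnamed blocks for everyone, named blocks for one agent, later values winning for scalars and lists growing), and then flags agents whose last completed syscheck, as read from agent_control, is far older than the frequency. The merge semantics are an approximation, the agent names and ages are constructed, and the 2x slack factor is an assumption.

```python
import xml.etree.ElementTree as ET

# Constructed agent.conf modeled on the one in this thread (not the poster's file).
# OSSEC's agent.conf has several top-level <agent_config> elements, so it is
# wrapped in a dummy root before parsing.
AGENT_CONF = r"""
<agent_config>
  <syscheck>
    <frequency>3600</frequency>
    <disabled>no</disabled>
  </syscheck>
</agent_config>

<agent_config name="win-app-01">
  <syscheck>
    <directories check_all="yes">C:\Apps\custom</directories>
    <directories check_all="yes">%WINDIR%/win.ini</directories>
    <windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\batfile</windows_registry>
  </syscheck>
</agent_config>
"""

# syscheck settings that may appear more than once and therefore accumulate
LIST_SETTINGS = ("directories", "windows_registry")


def effective_syscheck(agent_conf, agent_name):
    """Approximation (assumption) of how OSSEC merges agent.conf blocks for one
    agent: blocks without a name attribute apply to every agent, blocks with a
    name attribute apply only to that agent, and blocks are applied in file
    order. List settings accumulate; scalars such as frequency keep the last
    value seen."""
    root = ET.fromstring("<root>" + agent_conf + "</root>")
    merged = {key: [] for key in LIST_SETTINGS}
    for block in root.findall("agent_config"):
        name = block.get("name")
        if name is not None and name != agent_name:
            continue
        syscheck = block.find("syscheck")
        if syscheck is None:
            continue
        for child in syscheck:
            value = (child.text or "").strip()
            if child.tag in LIST_SETTINGS:
                merged[child.tag].append(value)
            else:
                merged[child.tag] = value
    return merged


def stale_agents(last_completed_age, frequency, slack=2.0):
    """Return the agents whose last completed syscheck (age in seconds, as shown
    by agent_control) is older than the configured frequency times a slack
    factor that allows for scan duration. These are the agents that are not
    honouring the frequency and deserve a look (and, per the reply above, a
    restart after they pulled the new agent.conf)."""
    limit = frequency * slack
    return sorted(name for name, age in last_completed_age.items() if age > limit)


if __name__ == "__main__":
    print(effective_syscheck(AGENT_CONF, "win-app-01"))
    # Ages constructed from the thread: one agent at 22 hours, another under an hour.
    print(stale_agents({"win-app-01": 22 * 3600, "win-app-02": 600}, 3600))
```

Running it prints the merged settings for win-app-01 (both directories, the registry key, frequency 3600) and names win-app-01 as the agent whose 22-hour-old scan contradicts the hourly frequency; an agent not named in any block gets only the global frequency and an empty directory list.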
Re: [ossec-list] Re: Multiple instances of OSSEC running on a single system
That works great for the server side, and honestly I didn't consider the server to be a huge issue since we could always run it on a different host. The real issue in my mind is how to get the client to report to both servers at the same time looking at different log files. But now that I think more about that, we can send everything to both servers and just use ignore rules in the rules file for the one reporting just system alerts. A bit more configuration work, but doable I think. I'll have to figure out how to get the client keys off the first server and onto the second, but I don't think that's an issue. It's just a file in etc. I'll look into that a little deeper.

Thanks Andy

Sherman

On 10/19/11 11:35 AM, Andy Cockroft (andic) an...@andic.co.nz wrote:
Re: [ossec-list] Stop particular alert
Dan,

I fixed the fatal flaws, and it does work. Many thanks!

Dimitri

On Wednesday 19 October 2011 2:46:24 pm dan (ddp) wrote:
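To show what the finished rule from this thread looks like and to check it against real log lines before it goes into local_rules.xml, here is an added example (not the poster's final rule and not OSSEC code). It embeds a completed version of the rule, with the level written as the digit 0 and a placeholder id in the local-rule range, and runs a simplified model of OSSEC's decision: rule 1002 has already matched the line, a child rule tied to it by if_sid whose match text occurs in the line overrides it, and level 0 means no alert. The model and the rule id 100100 are assumptions; the first sample line is the one from the alert in the thread, the second is constructed to show that a scan that found something still alerts at level 2.

```python
import xml.etree.ElementTree as ET

# Completed version of the suppression rule discussed in this thread (added
# example). Rule id 100100 is a placeholder in OSSEC's local-rule range; the
# level must be the digit 0, not the letter O, and if_sid ties it to rule 1002.
LOCAL_RULES = """
<group name="local,sophos,">
  <rule id="100100" level="0">
    <if_sid>1002</if_sid>
    <match>scan errors: 0, viruses detected: 0, infected files detected: 0</match>
    <description>Sophos on-demand scan completed with nothing found.</description>
  </rule>
</group>
"""

# The parent rule as reported in the alert in this thread.
PARENT_RULE = {"id": "1002", "level": 2,
               "description": "Unknown problem somewhere in the system."}

# Sample lines: the first is the line from the alert in the thread, the second
# is constructed so that the counts are non-zero.
CLEAN_LINE = ("Oct 19 11:21:59 plymouth savd: savscan.log: On-demand scan details: "
              "master boot records scanned: 0, boot records scanned: 0, files scanned: 3, "
              "scan errors: 0, viruses detected: 0, infected files detected: 0")
INFECTED_LINE = ("Oct 19 12:05:11 plymouth savd: savscan.log: On-demand scan details: "
                 "master boot records scanned: 0, boot records scanned: 0, files scanned: 3, "
                 "scan errors: 0, viruses detected: 1, infected files detected: 1")


def load_child_rules(xml_text, parent_id):
    """Collect the rules in a local_rules.xml fragment whose <if_sid> names parent_id.
    int() on the level attribute rejects a letter O, the flaw left in the original."""
    root = ET.fromstring(xml_text)
    rules = []
    for rule in root.iter("rule"):
        if (rule.findtext("if_sid") or "").strip() != parent_id:
            continue
        rules.append({
            "id": rule.get("id"),
            "level": int(rule.get("level")),
            "match": (rule.findtext("match") or "").strip(),
            "description": (rule.findtext("description") or "").strip(),
        })
    return rules


def evaluate(log_line, child_rules):
    """Simplified model (assumption) of OSSEC's decision for a line that rule
    1002 already matched: the first child rule whose <match> text occurs in
    the line overrides the parent, and a level-0 rule produces no alert. The
    match text here has no OSSEC pattern metacharacters, so a substring test
    stands in for OSSEC's matcher."""
    for rule in child_rules:
        if rule["match"] and rule["match"] in log_line:
            return {"rule": rule["id"], "level": rule["level"], "alert": rule["level"] > 0}
    return {"rule": PARENT_RULE["id"], "level": PARENT_RULE["level"], "alert": True}


if __name__ == "__main__":
    rules = load_child_rules(LOCAL_RULES, "1002")
    for line in (CLEAN_LINE, INFECTED_LINE):
        print(evaluate(line, rules))
```

The clean summary line is absorbed by rule 100100 at level 0 and produces nothing; the line with viruses detected: 1 matches no child rule, so the level-2 alert from 1002 is still raised. Matching on the exact zero counts, rather than on "On-demand scan details", is what keeps that second case visible.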
[ossec-list] Re: re-create queue folders..
It sucked up over 2G and was still running!

On Oct 19, 8:49 pm, dan (ddp) ddp...@gmail.com wrote:
>     # ls -l /var/ossec/queue
>     total 36
>     drwxr-xr-x   2 ossecr ossec   512 Oct 18 18:56 agent-info
>     drwxr-xr-x   2 ossec  ossec   512 Feb 14  2011 agentless
>     drwxrwx---   2 ossec  ossec   512 Oct 17 10:22 alerts
>     drwxr-x---  10 ossec  ossec   512 Oct 11 09:53 diff
>     drwxr-x---   2 ossec  ossec   512 Feb 14  2011 fts
>     drwxrwx---   2 ossec  ossec   512 Oct 17 10:22 ossec
>     drwxr-xr-x   2 ossecr ossec   512 Oct 18 18:55 rids
>     drwxr-x---   2 ossec  ossec   512 Oct 18 18:57 rootcheck
>     drwxr-x---   2 ossec  ossec  1024 Oct 19 17:07 syscheck
>
> I'm not sure why a large syscheck would have necessitated destroying the entire directory. An in-place upgrade (rerun install.sh and let it upgrade the system) might also work.
[ossec-list] Re: re-create queue folders..
Oh, and re-install with Update does not fix it - it won't re-create the folders, it only copies what it needs to - i.e. UPDATE. And of course if you tell it NOT to update, you lose your client keys.. *sigh*
Re: [ossec-list] Re: re-create queue folders..
Is that a lot? I buy in bulk.

And I figured some of /var/ossec/queue would be ok to save. Maybe just get rid of the big files.

On Oct 19, 2011 10:12 PM, Kat uncommon...@gmail.com wrote:
Re: [ossec-list] Re: re-create queue folders..
Luckily I gave you most of the info you needed so you didn't have to go through that.

On Oct 19, 2011 10:13 PM, Kat uncommon...@gmail.com wrote:
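Since the update path does not re-create the queue folders, the listing dan posted is the reference for rebuilding them by hand. The script below is an added example (not part of OSSEC's installer): it carries the owner, group and mode of each subdirectory from that listing, creates them under a given base with an explicit chmod (the mode passed to makedirs is masked by the umask), applies ownership only when running as root, and reports any directory whose permission bits do not match. The demo() helper rebuilds the tree in a scratch directory without chown so it can run unprivileged; on a real manager the base would be /var/ossec/queue, run as root with OSSEC stopped.

```python
import os
import stat
import pwd
import grp
import tempfile

# Owner, group and mode of each /var/ossec/queue subdirectory, taken from the
# `ls -l /var/ossec/queue` listing quoted in this thread (OSSEC 2.x manager).
QUEUE_LAYOUT = {
    "agent-info": ("ossecr", "ossec", 0o755),
    "agentless":  ("ossec",  "ossec", 0o755),
    "alerts":     ("ossec",  "ossec", 0o770),
    "diff":       ("ossec",  "ossec", 0o750),
    "fts":        ("ossec",  "ossec", 0o750),
    "ossec":      ("ossec",  "ossec", 0o770),
    "rids":       ("ossecr", "ossec", 0o755),
    "rootcheck":  ("ossec",  "ossec", 0o750),
    "syscheck":   ("ossec",  "ossec", 0o750),
}


def recreate_queue(base, layout=QUEUE_LAYOUT, apply_owner=None):
    """Create the queue subdirectories under base with the expected modes.
    Ownership is applied only when running as root (or when apply_owner=True),
    because chown needs privileges and the ossec/ossecr accounts must exist."""
    if apply_owner is None:
        apply_owner = os.geteuid() == 0
    created = []
    for name, (user, group, mode) in layout.items():
        path = os.path.join(base, name)
        os.makedirs(path, exist_ok=True)
        os.chmod(path, mode)  # explicit chmod: makedirs' mode is masked by umask
        if apply_owner:
            os.chown(path, pwd.getpwnam(user).pw_uid, grp.getgrnam(group).gr_gid)
        created.append(name)
    return created


def wrong_modes(base, layout=QUEUE_LAYOUT):
    """Return the subdirectories that are missing or whose permission bits
    differ from the layout; an empty list means the tree matches."""
    bad = []
    for name, (_, _, mode) in layout.items():
        path = os.path.join(base, name)
        if not os.path.isdir(path) or stat.S_IMODE(os.stat(path).st_mode) != mode:
            bad.append(name)
    return bad


def demo():
    """Rebuild the layout in a scratch directory (no chown) and verify it."""
    base = tempfile.mkdtemp(prefix="ossec-queue-")
    created = recreate_queue(base, apply_owner=False)
    return created, wrong_modes(base)


if __name__ == "__main__":
    created, bad = demo()
    print("created:", created)
    print("mode mismatches:", bad)
```

wrong_modes() is also useful on its own after an in-place upgrade, to confirm that whatever the installer left behind still has the modes from the listing; the rids and agent-info directories are the ones owned by ossecr rather than ossec, which is easy to get wrong when recreating them by hand.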