[ossec-list] ossec-agentlessd: ERROR: ssh_generic_diff: ossec@x.x.x.x: ssh_integrity_check
Dear all (cc to Daniel, founder of OSSEC),

I have installed OSSEC. It is good for monitoring syslog, but I have a problem and I don't know what I have to do. Can anyone with hands-on experience help with this issue? Sorry, my English is not good. :D

2011/12/09 11:10:37 ossec-agentlessd: ERROR: ssh_generic_diff: ossec@10.10.150.4: ssh_integrity_check
2011/12/09 11:10:38 ossec-agentlessd: ERROR: ssh_generic_diff: ossec@10.10.150.3: ssh_integrity_check
2011/12/09 11:10:40 ossec-agentlessd: ERROR: ssh_generic_diff: admin@10.10.150.2: ssh_integrity_check
2011/12/09 11:11:03 ossec-agentlessd: ERROR: ssh_integrity_check_linux: ossec@10.10.150.4: Timeout while connecting to host: ossec@10.10.150.4

Thx,
Harsono
Re: [ossec-list] Rule 553 syscheck_deleted failing
It was not working for me on Ubuntu 11.04 with realtime enabled in a local install. I did manage to get it to work though, but I'm not sure if this was the intended process:

File is added to the syscheck db.
File is modified (alert)
File is deleted (alert)

Without that first modification a deleted alert did not happen.

On Thu, Dec 8, 2011 at 1:11 PM, Nick Green wrote:
> I have run a test on one of my ubuntu 10.10 systems ... no 553 errors.
> Other rules fire off OK but not when I delete the file and rerun syscheck
>
> Example working alert ...
>
> ** Alert 1323365954.6512: mail - ossec,syscheck,
> 2011 Dec 08 17:39:14 ->syscheck
> Rule: 550 (level 7) -> 'Integrity checksum changed.'
> Integrity checksum changed for: '/tmp/test/fileone'
> Size changed from '0' to '43'
> Old md5sum was: 'd41d8cd98f00b204e9800998ecf8427e'
> New md5sum is : 'b483e5505194ddacc762aeb3785220f6'
> Old sha1sum was: 'da39a3ee5e6b4b0d3255bfef95601890afd80709'
> New sha1sum is : 'b01f401df4e3423fd8fd91cbfb787adf0f9f85b7'
>
> /nick
>
> On Thu, Dec 8, 2011 at 2:54 PM, dan (ddp) wrote:
>> On Thu, Dec 8, 2011 at 7:16 AM, Nick Green wrote:
>> > If you want I can supply a strace dump of syscheckd and analysisd?
>> >
>> > I'll continue to plod through the code and see what's not matching up ...
>> >
>> > /nick
>>
>> That might help someone figure it out. Dunno.
>>
>> It might also help to find out what commonalities there are among the setups that are not working properly. I checked my OpenBSD manager and found 553 alerts from this week.
>>
>> I have not checked my CentOS 5 or Ubuntu systems yet, but I will today.
>>
>> > On Thu, Dec 8, 2011 at 11:33 AM, Nick Green wrote:
>> >> I have not enabled INOTIFY. Real-time is not a requirement for me.
>> >> I have not got any realtime option in my conf
>> >>
>> >> /nick
>> >>
>> >> On Wed, Dec 7, 2011 at 10:48 PM, Andreas Piesk wrote:
>> >>> On 07.12.2011 21:41, Nick Green wrote:
>> >>> > Is anyone having trouble with getting alerts to fire on deletion of a file?
>> >>>
>> >>> same problem here but i haven't found a solution yet. it's supposed to be working and for at least one list member (danddp) it does.
>> >>>
>> >>> i'm using RHEL5/Centos5 too, OSSEC w/ INOTIFY. the tests with OSSEC w/o INOTIFY are still on my todo list. do you use INOTIFY too?
>> >>>
>> >>> regards,
>> >>> -ap
Re: [ossec-list] Re: No diff shown in the alert email
On Thu, Dec 8, 2011 at 8:57 PM, Macus wrote:
> Yes, there are no files in the /var/ossec/queue/diff, but there are files in the $HOME/abc-v123. Therefore, why is there no file in the /var/ossec/queue/diff??
>
> I add the monitor dir like below.
> /home/abc

Does it work if you add the report_changes option?

/home/abc

> On Dec 8, 11:08 PM, "dan (ddp)" wrote:
>> On Thu, Dec 8, 2011 at 1:37 AM, Macus wrote:
>> > I am using OSSEC 2.6 to monitor a symbolic link (i.e. $HOME/abc) to a phy dir (i.e. $HOME/abc-v123). The syscheck alert works, but in the alert email, there is no diff shown for the txt file change. Moreover, I found there is no image of the files stored in /var/ossec/queue/diff.
>> > What's the problem? Is it because the path is a symbolic link rather than a phy dir? Thanks
>>
>> Possibly. Are there no files in /var/ossec/queue/diff or just no files from $HOME/abc-v123?
[ossec-list] Re: No diff shown in the alert email
Yes, there are no files in the /var/ossec/queue/diff, but there are files in the $HOME/abc-v123. Therefore, why is there no file in the /var/ossec/queue/diff??

I add the monitor dir like below.
/home/abc

On Dec 8, 11:08 PM, "dan (ddp)" wrote:
> On Thu, Dec 8, 2011 at 1:37 AM, Macus wrote:
> > I am using OSSEC 2.6 to monitor a symbolic link (i.e. $HOME/abc) to a phy dir (i.e. $HOME/abc-v123). The syscheck alert works, but in the alert email, there is no diff shown for the txt file change. Moreover, I found there is no image of the files stored in /var/ossec/queue/diff.
> > What's the problem? Is it because the path is a symbolic link rather than a phy dir? Thanks
>
> Possibly. Are there no files in /var/ossec/queue/diff or just no files from $HOME/abc-v123?
Re: [ossec-list] Rule 553 syscheck_deleted failing
I have run a test on one of my ubuntu 10.10 systems ... no 553 errors.
Other rules fire off OK but not when I delete the file and rerun syscheck

Example working alert ...

** Alert 1323365954.6512: mail - ossec,syscheck,
2011 Dec 08 17:39:14 ->syscheck
Rule: 550 (level 7) -> 'Integrity checksum changed.'
Integrity checksum changed for: '/tmp/test/fileone'
Size changed from '0' to '43'
Old md5sum was: 'd41d8cd98f00b204e9800998ecf8427e'
New md5sum is : 'b483e5505194ddacc762aeb3785220f6'
Old sha1sum was: 'da39a3ee5e6b4b0d3255bfef95601890afd80709'
New sha1sum is : 'b01f401df4e3423fd8fd91cbfb787adf0f9f85b7'

/nick

On Thu, Dec 8, 2011 at 2:54 PM, dan (ddp) wrote:
> On Thu, Dec 8, 2011 at 7:16 AM, Nick Green wrote:
> > If you want I can supply a strace dump of syscheckd and analysisd?
> >
> > I'll continue to plod through the code and see what's not matching up ...
> >
> > /nick
>
> That might help someone figure it out. Dunno.
>
> It might also help to find out what commonalities there are among the setups that are not working properly. I checked my OpenBSD manager and found 553 alerts from this week.
>
> I have not checked my CentOS 5 or Ubuntu systems yet, but I will today.
>
> > On Thu, Dec 8, 2011 at 11:33 AM, Nick Green wrote:
> >> I have not enabled INOTIFY. Real-time is not a requirement for me.
> >> I have not got any realtime option in my conf
> >>
> >> /nick
> >>
> >> On Wed, Dec 7, 2011 at 10:48 PM, Andreas Piesk wrote:
> >>> On 07.12.2011 21:41, Nick Green wrote:
> >>> > Is anyone having trouble with getting alerts to fire on deletion of a file?
> >>>
> >>> same problem here but i haven't found a solution yet. it's supposed to be working and for at least one list member (danddp) it does.
> >>>
> >>> i'm using RHEL5/Centos5 too, OSSEC w/ INOTIFY. the tests with OSSEC w/o INOTIFY are still on my todo list. do you use INOTIFY too?
> >>>
> >>> regards,
> >>> -ap
Re: [ossec-list] Re: Latest ossec builds not building
On 08.12.2011 15:12, Peter M Abraham wrote:
> 2. How do I install inotify?

on Centos5 the header files are in package kernel-headers:

# yum provides /usr/include/linux/inotify.h
kernel-headers-2.6.18-274.12.1.el5.x86_64 : Header files for the Linux kernel for use by glibc
Repo: installed
Matched from:
Other : Provides-match: /usr/include/linux/inotify.h

regards,
-ap
[ossec-list] Re: Multiple cores?
Yep -- sending 1800 agents to a single server so it has a lot to analyze. I am finding that this causes many of the agents to show "disconnected" because they can't get to the server while it is processing very busy nodes. So rather than throw additional servers at it, I have all the cores, but I am maxing out a single core and the others just sit there. :-(

On Dec 8, 9:09 am, "dan (ddp)" wrote:
> OSSEC isn't really built for multiple cores. Are you pushing enough data through it to consume a whole core? How many eps?
Re: [ossec-list] Error 1203
No problem. I was able to start the agent after recreating the user and group.

Thanks!

Victor Pineiro

On Dec 8, 2011, at 10:07 AM, "dan (ddp)" wrote:
> On Thu, Dec 8, 2011 at 10:04 AM, PS wrote:
>> So it looks like the user ossec and group ossec were deleted. I can see in syslog where it says that userdel was used to delete user 'ossec'
>>
>> I am not sure what did it. It had to be some script. Is there a way for me to find out what did it?
>>
>> I am the only person who manages this server.
>>
>> The syslog entry looks like this:
>> Dec 4 23:48:53 system userdel[2558]: delete user 'ossec'
>>
>> I'm not sure how to tie that event to a process or script that may have done it.
>
> You can look through the logs to see what was going on, and I guess check through the scripts on your system for something that would delete users.
>
>> Thanks!
>>
>> Victor Pineiro
>> Sent from my iPad
>>
>> On Dec 8, 2011, at 6:28 AM, "dan (ddp)" wrote:
>>
>> What happened to your ossec group?
>>
>> On Dec 8, 2011 6:02 AM, "PS" wrote:
>>> Hello list,
>>>
>>> I am seeing error 1203 when attempting to run any of the scripts from the "/var/ossec/bin" folder.
>>>
>>> I have looked around for a fix and have not been able to find one. I have seen that a couple of other people have had the same issue. When I first installed it, I was able to start the agent and it was sending events to the server. I just happened to look at the server and noticed that the agent was disconnected. Nothing has changed since installation. Any clues?
>>>
>>> [root@system bin]# ./ossec-control start
>>> Starting OSSEC HIDS v2.6 (by Trend Micro Inc.)...
>>> 2011/12/08 07:51:49 ossec-execd(1203): ERROR: Invalid user '' or group 'ossec' given.
>>>
>>> [root@system bin]# ./manage_agents -l
>>> 2011/12/08 07:51:51 manage_agents(1203): ERROR: Invalid user '' or group 'ossec' given.
>>>
>>> -r-xr-x--- 1 root 500 222857 Dec 4 08:32 agent-auth
>>> -r-xr-x--- 1 root 500 297452 Dec 4 08:32 manage_agents
>>> -r-xr-x--- 1 root 500 550237 Dec 4 08:32 ossec-agentd
>>> -r-xr-x--- 1 root 500 4647 Jul 11 21:36 ossec-control
>>> -r-xr-x--- 1 root 500 103724 Dec 4 08:32 ossec-execd
>>> -r-xr-x--- 1 root 500 380464 Dec 4 08:32 ossec-logcollector
>>> -r-xr-x--- 1 root 500 506300 Dec 4 08:32 ossec-syscheckd
Re: [ossec-list] Re: Unable to send file 'merged.mg' to agent.
I guess you could try shutting down the ossec processes, deleting the merged.mg file, and finally starting the ossec processes.

On Mon, Dec 5, 2011 at 3:55 PM, Peter M Abraham wrote:
> Hi Dan:
>
> CentOS 5.7 (latest), 64-bit.
>
> Thank you.
Re: [ossec-list] OSSEC Agent and huge diff folders
Other than the secret option, yes.

On Tue, Dec 6, 2011 at 2:16 AM, mikes wrote:
> it's the only way?

You really think I'd say to modify the source if I knew of an easier way?
Re: [ossec-list] Re: "Never connected"
On Tue, Dec 6, 2011 at 11:56 AM, Bruno Vernay wrote:
> It is working now.
>
> I installed an agent on another machine, a 2.5.1 agent. It worked.
>
> I de-installed 2.6 and reinstalled 2.5.1 instead.
> I got a "duplicated error", I stopped the services, removed the queues rids, removed the agent ...
> I added a new agent ID and it worked.
> I even re-installed the 2.6 agent, and it seems to work.
>
> It is really not clear to me why it didn't work.
> But a quick test would have been to
> 1/ remove the agent (on the server); remove the agent on the client (de-install)
> 2/ Restart the service
> 3/ add the agent again.
>
> Bruno

You should consider upgrading to 2.6 on the manager and agents. It's much nicer.
Re: [ossec-list] "Never connected"
On Tue, Dec 6, 2011 at 4:33 AM, Bruno Vernay wrote:
>> Are packets making it to the manager on port 1514/udp?
>>
>> If so, are the replies making it to the agent?
>
> I don't know how to be sure, but there are no firewalls between the two at least.
>
>> Is this your only agent? Are other agents working?
>
> No other agent configured.
>
>> Does the agent have multiple IP addresses? Is the correct one being used?
>
> It has only 10.1.5.50. I even disabled IPv6 on the windows client.
>
> Just to be sure: my client is v2.6 and the AlienVault uses a v2.5.1 server, could it be a problem?

It could be. Newer agents with older managers is definitely an "unsupported" configuration.
Re: [ossec-list] Error 1203
On Thu, Dec 8, 2011 at 10:04 AM, PS wrote:
> So it looks like the user ossec and group ossec were deleted. I can see in syslog where it says that userdel was used to delete user 'ossec'
>
> I am not sure what did it. It had to be some script. Is there a way for me to find out what did it?
>
> I am the only person who manages this server.
>
> The syslog entry looks like this:
> Dec 4 23:48:53 system userdel[2558]: delete user 'ossec'
>
> I'm not sure how to tie that event to a process or script that may have done it.

You can look through the logs to see what was going on, and I guess check through the scripts on your system for something that would delete users.

> Thanks!
>
> Victor Pineiro
> Sent from my iPad
>
> On Dec 8, 2011, at 6:28 AM, "dan (ddp)" wrote:
>
> What happened to your ossec group?
>
> On Dec 8, 2011 6:02 AM, "PS" wrote:
>> Hello list,
>>
>> I am seeing error 1203 when attempting to run any of the scripts from the "/var/ossec/bin" folder.
>>
>> I have looked around for a fix and have not been able to find one. I have seen that a couple of other people have had the same issue. When I first installed it, I was able to start the agent and it was sending events to the server. I just happened to look at the server and noticed that the agent was disconnected. Nothing has changed since installation. Any clues?
>>
>> [root@system bin]# ./ossec-control start
>> Starting OSSEC HIDS v2.6 (by Trend Micro Inc.)...
>> 2011/12/08 07:51:49 ossec-execd(1203): ERROR: Invalid user '' or group 'ossec' given.
>>
>> [root@system bin]# ./manage_agents -l
>> 2011/12/08 07:51:51 manage_agents(1203): ERROR: Invalid user '' or group 'ossec' given.
>>
>> -r-xr-x--- 1 root 500 222857 Dec 4 08:32 agent-auth
>> -r-xr-x--- 1 root 500 297452 Dec 4 08:32 manage_agents
>> -r-xr-x--- 1 root 500 550237 Dec 4 08:32 ossec-agentd
>> -r-xr-x--- 1 root 500 4647 Jul 11 21:36 ossec-control
>> -r-xr-x--- 1 root 500 103724 Dec 4 08:32 ossec-execd
>> -r-xr-x--- 1 root 500 380464 Dec 4 08:32 ossec-logcollector
>> -r-xr-x--- 1 root 500 506300 Dec 4 08:32 ossec-syscheckd
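One way to act on the "look through the logs" suggestion, as an added example that is not from the thread or from OSSEC: a small Python scanner that flags userdel/groupdel events for the OSSEC service accounts (the accounts every binary in /var/ossec/bin switches to, hence error 1203 when they are gone) and pulls the sudo/cron/su entries logged shortly before each one, so the deletion can be tied to whatever ran it. The syslog sample is constructed (the userdel line mirrors the one quoted above); the account list, the program list and the one-minute window are assumptions.

```python
import re
from datetime import datetime

# Constructed sample syslog; the userdel line mirrors the entry quoted in the
# thread, the sudo line is a made-up candidate cause to correlate against.
SAMPLE_SYSLOG = """\
Dec  4 23:48:10 system sudo:   alice : TTY=pts/0 ; PWD=/root ; USER=root ; COMMAND=/usr/local/sbin/cleanup.sh
Dec  4 23:48:53 system userdel[2558]: delete user 'ossec'
Dec  4 23:48:53 system userdel[2558]: delete `ossec' from group `ossec'
Dec  4 23:48:54 system groupdel[2559]: remove group 'ossec'
Dec  5 08:12:10 system useradd[3001]: new user: name=deploy, UID=1005, GID=1005, home=/home/deploy, shell=/bin/bash
Dec  5 09:00:00 system userdel[3100]: delete user 'tmpuser'
"""

# Accounts the OSSEC daemons drop privileges to (assumed default-install set);
# if they vanish, ossec-control and manage_agents fail with error 1203.
PROTECTED_ACCOUNTS = {"ossec", "ossecm", "ossecr"}

# Classic BSD-syslog layout: timestamp, host, program[pid]: message.
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<prog>[^\[:\s]+)(?:\[(?P<pid>\d+)\])?: ?(?P<msg>.*)$"
)
# shadow-utils wording for the two events that matter here.
REMOVAL_RE = re.compile(r"^(?:delete user|remove group) ['`](?P<name>[^'`]+)['`]$")


def parse_line(line, year=2011):
    """Split one syslog line into fields; returns None for lines that do not match."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    # BSD syslog omits the year, so the caller supplies it.
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "host": m["host"], "prog": m["prog"],
            "pid": m["pid"], "msg": m["msg"], "raw": line}


def find_account_removals(text, protected=PROTECTED_ACCOUNTS):
    """Return userdel/groupdel events that removed one of the protected accounts."""
    hits = []
    for raw in text.splitlines():
        ev = parse_line(raw)
        if ev is None or ev["prog"] not in ("userdel", "groupdel"):
            continue
        m = REMOVAL_RE.match(ev["msg"])
        if m and m["name"] in protected:
            ev["name"] = m["name"]
            ev["kind"] = "user" if ev["prog"] == "userdel" else "group"
            hits.append(ev)
    return hits


def preceding_context(text, event, window_seconds=60, progs=("sudo", "CRON", "su")):
    """Lines from privilege-related programs logged within the window before `event`."""
    out = []
    for raw in text.splitlines():
        ev = parse_line(raw)
        if ev is None:
            continue
        delta = (event["ts"] - ev["ts"]).total_seconds()
        if 0 <= delta <= window_seconds and ev["prog"] in progs:
            out.append(raw)
    return out


if __name__ == "__main__":
    for hit in find_account_removals(SAMPLE_SYSLOG):
        print(f"{hit['ts']} {hit['prog']}[{hit['pid']}] removed {hit['kind']} '{hit['name']}'")
        for line in preceding_context(SAMPLE_SYSLOG, hit):
            print("    possible cause:", line)
```

The PID in brackets belongs to userdel itself and is gone by the time anyone looks, which is why the script correlates on time against the programs that could have launched it rather than on the PID.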
Re: [ossec-list] Multiple cores?
OSSEC isn't really built for multiple cores. Are you pushing enough data through it to consume a whole core? How many eps?

On Wed, Dec 7, 2011 at 9:25 AM, Kat wrote:
> Just wondering if there is any trick either at build time or runtime to convince ossec-analysisd to use more than a single core in a large CPU rich system. I have 8 cores and no matter what it just doesn't want to use more than one. I guess I could look at the code, not sure if it is able to use more than one.
>
> thanks
> ~k
Re: [ossec-list] How to exclude a host from active responses
There isn't really a good way. You could build the logic into the AR scripts on the agent, or turn off AR on the agent I guess.

On Thu, Dec 8, 2011 at 9:54 AM, Florian Roscher wrote:
> Hello!
>
> I do want to define several active responses, which should be executed on the agent who generated the alert which triggered that event (using local).
>
> Is there a way to exclude special hosts/agents from that active-response-definition?
> Or to exclude an agent, i.e. the ossec server, from all active responses?
>
> Any help appreciated, thanks
> Florian Roscher
>
> --
> Florian Roscher private: m...@florian-roscher.de
> Debian: f...@debian.org
> PGP Key / ID: 1024D/B4071A65
> Fingerprint : F9AB 00C1 3E3A 8125 DD3F DF1C DF79 A374 B407 1A65
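One way to build that logic into the AR scripts, as an added example that is not OSSEC's own code: a POSIX sh gate called at the top of an active-response script on each agent, so hosts on an exclusion list (constructed here: the manager and a backup host) skip the response and log the skip. The argument order (action, user, source IP, alert id, rule id) is assumed from the stock AR scripts.

```shell
#!/bin/sh
# Added example, not part of OSSEC: exclusion gate for an active-response script.
# Source or paste this at the top of e.g. host-deny.sh on every agent.

# Constructed exclusion list: hostnames that must never run this response.
AR_EXCLUDED_HOSTS="ossec-manager backup01"

# Return 0 when hostname $1 is on the exclusion list, 1 otherwise.
ar_host_is_excluded() {
    h="$1"
    for x in $AR_EXCLUDED_HOSTS; do
        [ "$x" = "$h" ] && return 0
    done
    return 1
}

# Decide whether the response should run on host $1, given the AR arguments
# that follow ($2 = action, $3 = user, $4 = srcip, $5 = alert id, $6 = rule id;
# assumed order). Returns 0 to proceed and 1 to skip; skips are logged to
# stderr so they show up in the agent's AR log and can be audited.
ar_should_run() {
    host="$1"
    action="$2"
    srcip="$4"
    rule="$6"
    # Refuse anything other than the two actions ossec-execd sends.
    case "$action" in
        add|delete) ;;
        *) echo "ar: unknown action '$action', skipping" >&2; return 1 ;;
    esac
    if ar_host_is_excluded "$host"; then
        echo "ar: host $host is excluded, skipping $action for $srcip (rule $rule)" >&2
        return 1
    fi
    return 0
}

# Typical use at the top of the real script, exiting quietly so the manager
# sees a normal run:
#   ar_should_run "$(hostname)" "$@" || exit 0
```

Because the list lives on the agent, the manager's active-response definition stays unchanged and the server can be listed in its own copy of the script to exclude itself from every response.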
Re: [ossec-list] No diff shown in the alert email
On Thu, Dec 8, 2011 at 1:37 AM, Macus wrote:
> I am using OSSEC 2.6 to monitor a symbolic link (i.e. $HOME/abc) to a phy dir (i.e. $HOME/abc-v123). The syscheck alert works, but in the alert email, there is no diff shown for the txt file change. Moreover, I found there is no image of the files stored in /var/ossec/queue/diff.
> What's the problem? Is it because the path is a symbolic link rather than a phy dir? Thanks

Possibly. Are there no files in /var/ossec/queue/diff or just no files from $HOME/abc-v123?
Re: [ossec-list] Error 1203
So it looks like the user ossec and group ossec were deleted. I can see in syslog where it says that userdel was used to delete user 'ossec'

I am not sure what did it. It had to be some script. Is there a way for me to find out what did it?

I am the only person who manages this server.

The syslog entry looks like this:
Dec 4 23:48:53 system userdel[2558]: delete user 'ossec'

I'm not sure how to tie that event to a process or script that may have done it.

Thanks!

Victor Pineiro
Sent from my iPad

On Dec 8, 2011, at 6:28 AM, "dan (ddp)" wrote:
> What happened to your ossec group?
>
> On Dec 8, 2011 6:02 AM, "PS" wrote:
> Hello list,
>
> I am seeing error 1203 when attempting to run any of the scripts from the "/var/ossec/bin" folder.
>
> I have looked around for a fix and have not been able to find one. I have seen that a couple of other people have had the same issue. When I first installed it, I was able to start the agent and it was sending events to the server. I just happened to look at the server and noticed that the agent was disconnected. Nothing has changed since installation. Any clues?
>
> [root@system bin]# ./ossec-control start
> Starting OSSEC HIDS v2.6 (by Trend Micro Inc.)...
> 2011/12/08 07:51:49 ossec-execd(1203): ERROR: Invalid user '' or group 'ossec' given.
>
> [root@system bin]# ./manage_agents -l
> 2011/12/08 07:51:51 manage_agents(1203): ERROR: Invalid user '' or group 'ossec' given.
>
> -r-xr-x--- 1 root 500 222857 Dec 4 08:32 agent-auth
> -r-xr-x--- 1 root 500 297452 Dec 4 08:32 manage_agents
> -r-xr-x--- 1 root 500 550237 Dec 4 08:32 ossec-agentd
> -r-xr-x--- 1 root 500 4647 Jul 11 21:36 ossec-control
> -r-xr-x--- 1 root 500 103724 Dec 4 08:32 ossec-execd
> -r-xr-x--- 1 root 500 380464 Dec 4 08:32 ossec-logcollector
> -r-xr-x--- 1 root 500 506300 Dec 4 08:32 ossec-syscheckd
Re: [ossec-list] Re: ERROR: Error sending message to queue
On Wed, Dec 7, 2011 at 11:01 PM, Macus wrote:
> The logs are below.
>
> 2011/11/17 18:55:49 ossec-syscheckd: INFO: Started (pid: 6759).
> 2011/11/17 18:55:49 ossec-syscheckd: INFO: Monitoring directory: '/etc'.
> 2011/11/17 18:55:49 ossec-syscheckd: INFO: Monitoring directory: '/usr/bin'.
> 2011/11/17 18:55:49 ossec-syscheckd: INFO: Monitoring directory: '/usr/sbin'.
> 2011/11/17 18:55:49 ossec-syscheckd: INFO: Monitoring directory: '/bin'.
> 2011/11/17 18:55:49 ossec-syscheckd: INFO: Monitoring directory: '/sbin'.
> 2011/11/17 18:56:49 ossec-syscheckd: INFO: Starting syscheck scan.
> 2011/11/17 18:56:49 ossec-syscheckd: socketerr (not available).
> 2011/11/17 18:56:49 ossec-syscheckd(1224): ERROR: Error sending message to queue.
> 2011/11/17 18:56:49 ossec-syscheckd: INFO: (unix_domain) Maximum send buffer set to: '1048576'.

Are all of the processes running?

> On Nov 30, 9:01 PM, "dan (ddp)" wrote:
>> Not sure, are there any errors in the logfile before that one?
>> Are all of the processes running?
>> On Nov 30, 2011 6:13 AM, "Macus" wrote:
>>
>> > What's the cause of the following errors? I can resolve it by cleaning the db in the manager and restarting the manager.
>> >
>> > ossec.log.2:2011/11/18 20:03:25 ossec-syscheckd(1224): ERROR: Error sending message to queue
Re: [ossec-list] Setting up Agentless without root
It should be possible as long as the user has the rights to do what you want. Are you having issues setting this up? Any specific errors you can provide?

On Wed, Dec 7, 2011 at 3:29 PM, Pedro wrote:
> Is it possible to set up agentless monitoring without having to use the root account for using public key authentication? Using root works fine in our environment but we plan on disabling ssh access to root on some systems. Nearly all guides I see use root@hostname in order to configure but would like to set up a different account such as ossecagent@hostname.
>
> Thanks!
Re: [ossec-list] Re: Invalid integrity message in the database
That's a pretty old version of CentOS. You could try a re-install of OSSEC; something strange is going on (and you haven't given me enough information to figure out where the strangeness is happening). I don't think I've had this many syscheck issues since I started using it.

On Wed, Dec 7, 2011 at 11:07 PM, Macus wrote:
> I am running OSSEC 2.6 on Centos 5.3, kernel is 2.6.24.7-146.
>
> On Nov 30, 9:03 PM, "dan (ddp)" wrote:
>> My guess, without being able to investigate, is a corrupted syscheck db entry. What system are you running this on? What version of ossec? You seem to be having a lot of syscheck issues.
>> On Nov 30, 2011 6:15 AM, "Macus" wrote:
>>
>> > The following error was observed in the manager log. Then the agent cannot send hashes to the manager and syscheck does not work any more. What's the cause of this?
>> >
>> > ossec-analysisd: Invalid integrity message in the database.
[ossec-list] How to exclude a host from active responses
Hello!

I do want to define several active responses, which should be executed on the agent who generated the alert which triggered that event (using local).

Is there a way to exclude special hosts/agents from that active-response-definition?
Or to exclude an agent, i.e. the ossec server, from all active responses?

Any help appreciated, thanks
Florian Roscher

--
Florian Roscher private: m...@florian-roscher.de
Debian: f...@debian.org
PGP Key / ID: 1024D/B4071A65
Fingerprint : F9AB 00C1 3E3A 8125 DD3F DF1C DF79 A374 B407 1A65
Re: [ossec-list] Re: Latest ossec builds not building
On Thu, Dec 8, 2011 at 9:12 AM, Peter M Abraham wrote:
> Good day:
>
> 1. I thought the installer was self contained installing what it needs. Am I incorrect?

No, you are not. There are a number of external dependencies that are much too complex for OSSEC to install for you (like gcc and make).

> 2. How do I install inotify?

I asked around and CentOS 4.9 does not appear to support inotify. If it did, you'd find it with yum. It's time to start digging around the ossec install.sh script to figure out why it thought inotify support was available. Testing will be difficult for most people since I don't know anyone that keeps a CentOS that old around.

> Thank you.
Re: [ossec-list] Rule 553 syscheck_deleted failing
On Thu, Dec 8, 2011 at 7:16 AM, Nick Green wrote:
> If you want I can supply a strace dump of syscheckd and analysisd?
>
> I'll continue to plod through the code and see what's not matching up ...
>
> /nick

That might help someone figure it out. Dunno.

It might also help to find out what commonalities there are among the setups that are not working properly. I checked my OpenBSD manager and found 553 alerts from this week.

I have not checked my CentOS 5 or Ubuntu systems yet, but I will today.

> On Thu, Dec 8, 2011 at 11:33 AM, Nick Green wrote:
>> I have not enabled INOTIFY. Real-time is not a requirement for me.
>> I have not got any realtime option in my conf
>>
>> /nick
>>
>> On Wed, Dec 7, 2011 at 10:48 PM, Andreas Piesk wrote:
>>> On 07.12.2011 21:41, Nick Green wrote:
>>> > Is anyone having trouble with getting alerts to fire on deletion of a file?
>>>
>>> same problem here but i haven't found a solution yet. it's supposed to be working and for at least one list member (danddp) it does.
>>>
>>> i'm using RHEL5/Centos5 too, OSSEC w/ INOTIFY. the tests with OSSEC w/o INOTIFY are still on my todo list. do you use INOTIFY too?
>>>
>>> regards,
>>> -ap
[ossec-list] Re: Latest ossec builds not building
Good day:

1. I thought the installer was self contained installing what it needs. Am I incorrect?
2. How do I install inotify?

Thank you.
Re: [ossec-list] Rule 553 syscheck_deleted failing
If you want I can supply a strace dump of syscheckd and analysisd?

I'll continue to plod through the code and see what's not matching up ...

/nick

On Thu, Dec 8, 2011 at 11:33 AM, Nick Green wrote:
> I have not enabled INOTIFY. Real-time is not a requirement for me.
> I have not got any realtime option in my conf
>
> /nick
>
> On Wed, Dec 7, 2011 at 10:48 PM, Andreas Piesk wrote:
>> On 07.12.2011 21:41, Nick Green wrote:
>> > Is anyone having trouble with getting alerts to fire on deletion of a file?
>>
>> same problem here but i haven't found a solution yet. it's supposed to be working and for at least one list member (danddp) it does.
>>
>> i'm using RHEL5/Centos5 too, OSSEC w/ INOTIFY. the tests with OSSEC w/o INOTIFY are still on my todo list. do you use INOTIFY too?
>>
>> regards,
>> -ap
Re: [ossec-list] Rule 553 syscheck_deleted failing
I have not enabled INOTIFY. Real-time is not a requirement for me.
I have not got any realtime option in my conf

/nick

On Wed, Dec 7, 2011 at 10:48 PM, Andreas Piesk wrote:
> On 07.12.2011 21:41, Nick Green wrote:
> > Is anyone having trouble with getting alerts to fire on deletion of a file?
>
> same problem here but i haven't found a solution yet. it's supposed to be working and for at least one list member (danddp) it does.
>
> i'm using RHEL5/Centos5 too, OSSEC w/ INOTIFY. the tests with OSSEC w/o INOTIFY are still on my todo list. do you use INOTIFY too?
>
> regards,
> -ap
Re: [ossec-list] Re: Rule 553 syscheck_deleted failing
Is everyone who is having this issue using the realtime option?

On Dec 8, 2011 6:02 AM, "Macus" wrote:
> I am having the same issue. No alert is triggered on deletion of a file.
>
> On Dec 8, 6:48 AM, Andreas Piesk wrote:
> > On 07.12.2011 21:41, Nick Green wrote:
> > > Is anyone having trouble with getting alerts to fire on deletion of a file?
> >
> > same problem here but i haven't found a solution yet. it's supposed to be working and for at least one list member (danddp) it does.
> >
> > i'm using RHEL5/Centos5 too, OSSEC w/ INOTIFY. the tests with OSSEC w/o INOTIFY are still on my todo list. do you use INOTIFY too?
> >
> > regards,
> > -ap
Re: [ossec-list] Error 1203
What happened to your ossec group?

On Dec 8, 2011 6:02 AM, "PS" wrote:
> Hello list,
>
> I am seeing error 1203 when attempting to run any of the scripts from the "/var/ossec/bin" folder.
>
> I have looked around for a fix and have not been able to find one. I have seen that a couple of other people have had the same issue. When I first installed it, I was able to start the agent and it was sending events to the server. I just happened to look at the server and noticed that the agent was disconnected. Nothing has changed since installation. Any clues?
>
> [root@system bin]# ./ossec-control start
> Starting OSSEC HIDS v2.6 (by Trend Micro Inc.)...
> 2011/12/08 07:51:49 ossec-execd(1203): ERROR: Invalid user '' or group 'ossec' given.
>
> [root@system bin]# ./manage_agents -l
> 2011/12/08 07:51:51 manage_agents(1203): ERROR: Invalid user '' or group 'ossec' given.
>
> -r-xr-x--- 1 root 500 222857 Dec 4 08:32 agent-auth
> -r-xr-x--- 1 root 500 297452 Dec 4 08:32 manage_agents
> -r-xr-x--- 1 root 500 550237 Dec 4 08:32 ossec-agentd
> -r-xr-x--- 1 root 500 4647 Jul 11 21:36 ossec-control
> -r-xr-x--- 1 root 500 103724 Dec 4 08:32 ossec-execd
> -r-xr-x--- 1 root 500 380464 Dec 4 08:32 ossec-logcollector
> -r-xr-x--- 1 root 500 506300 Dec 4 08:32 ossec-syscheckd
[ossec-list] Error 1203
Hello list,

I am seeing error 1203 when attempting to run any of the scripts from the "/var/ossec/bin" folder.

I have looked around for a fix and have not been able to find one. I have seen that a couple of other people have had the same issue. When I first installed it, I was able to start the agent and it was sending events to the server. I just happened to look at the server and noticed that the agent was disconnected. Nothing has changed since installation. Any clues?

[root@system bin]# ./ossec-control start
Starting OSSEC HIDS v2.6 (by Trend Micro Inc.)...
2011/12/08 07:51:49 ossec-execd(1203): ERROR: Invalid user '' or group 'ossec' given.

[root@system bin]# ./manage_agents -l
2011/12/08 07:51:51 manage_agents(1203): ERROR: Invalid user '' or group 'ossec' given.

-r-xr-x--- 1 root 500 222857 Dec 4 08:32 agent-auth
-r-xr-x--- 1 root 500 297452 Dec 4 08:32 manage_agents
-r-xr-x--- 1 root 500 550237 Dec 4 08:32 ossec-agentd
-r-xr-x--- 1 root 500 4647 Jul 11 21:36 ossec-control
-r-xr-x--- 1 root 500 103724 Dec 4 08:32 ossec-execd
-r-xr-x--- 1 root 500 380464 Dec 4 08:32 ossec-logcollector
-r-xr-x--- 1 root 500 506300 Dec 4 08:32 ossec-syscheckd
[ossec-list] Re: Rule 553 syscheck_deleted failing
I am having the same issue. No alert is triggered on deletion of a file.

On Dec 8, 6:48 AM, Andreas Piesk wrote:
> On 07.12.2011 21:41, Nick Green wrote:
> > Is anyone having trouble with getting alerts to fire on deletion of a file?
>
> same problem here but i haven't found a solution yet. it's supposed to be working and for at least one list member (danddp) it does.
>
> i'm using RHEL5/Centos5 too, OSSEC w/ INOTIFY. the tests with OSSEC w/o INOTIFY are still on my todo list. do you use INOTIFY too?
>
> regards,
> -ap
[ossec-list] No diff shown in the alert email
I am using OSSEC 2.6 to monitor a symbolic link (i.e. $HOME/abc) to a phy dir (i.e. $HOME/abc-v123). The syscheck alert works, but in the alert email, there is no diff shown for the txt file change. Moreover, I found there is no image of the files stored in /var/ossec/queue/diff.

What's the problem? Is it because the path is a symbolic link rather than a phy dir? Thanks