Re: [ossec-list] ossec-syscheckd consumes more CPU and makes Apache go down

No, I didn't do any syscheck tuning.

Regards,
Yesodha P

On Thursday, October 4, 2012 6:35:02 PM UTC+5:30, dan (ddpbsd) wrote:
> On Thu, Oct 4, 2012 at 4:13 AM, Yesodha <yes...@easylinkindia.com> wrote:
>> Hi,
>> Whenever my Linux runs the process ossec-syscheckd, this process consumes more CPU and makes httpd go down. In this server ASL 3.0 is installed. Can you please suggest some ideas to fix this issue?
>> Regards,
>> Yesodha Prabhu
>
> Have you done any syscheck tuning?
> http://www.ossec.net/doc/syntax/head_internal_options.analysisd.html#internal-options-conf-syscheck
Re: [ossec-list] where does this number come from
Anyone have any insight on how to change/resolve this auto number issue?

Michael Barrett | Information Security Analyst - Lead | Mortgage Guaranty Insurance Corporation
270 E. Kilbourn Ave. | Milwaukee, WI 53202 USA | 1.414.347.6271 | 1.888.601.4440 | michael_barr...@mgic.com
This message is intended for use only by the person(s) addressed above and may contain privileged and confidential information. Disclosure or use of this message by any other person is strictly prohibited. If this message is received in error, please notify the sender immediately and delete this message.

From: Scott Klauminzer <sklaumin...@gmail.com>
To: ossec-list@googlegroups.com
Date: 10/05/2012 02:26 PM
Subject: Re: [ossec-list] where does this number come from
Sent by: ossec-list@googlegroups.com

> Is it possible you have set setmaxagents to 1024 on make?
>
> Scott
>
> On Oct 5, 2012, at 10:00 AM, Michael Barrett <michael_barr...@mgic.com> wrote:
>> It seems to be messed up. The agent ID used to default to the next number; now it seems to be stuck on 1025.
>> [Mail Attachment.gif]
>> Michael Barrett | Information Security Analyst - Lead | Mortgage Guaranty Insurance Corporation
Re: [ossec-list] OSSEC and the Web interface
I modified my ossec-rules.xml to ignore the event:

  <!-- Specify here a list of rules to ignore. -->
  <!--
  <rule id="100030" level="0">
    <if_sid>12345, 23456, xyz, abc</if_sid>
    <description>List of rules to be ignored.</description>
  </rule>
  -->
  <rule id="101013" level="7" frequency="4" timeframe="1600">
    <if_matched_sid>18154</if_matched_sid>
    <match>WinEvtLog: System: ERROR(10009): DCOM:</match>
    <description>turn down the noise on this event</description>
  </rule>

Michael Barrett | Information Security Analyst - Lead | Mortgage Guaranty Insurance Corporation

From: Drayton Graham <notyard1...@gmail.com>
To: ossec-list@googlegroups.com
Date: 10/08/2012 05:13 PM
Subject: [ossec-list] OSSEC and the Web interface
Sent by: ossec-list@googlegroups.com

> I tried to do my due diligence, but I could not find anything within this forum. But below is my question.
>
> I have someone that is looking at the web interface of OSSEC. When they look at the stats, they see quite a number of hits for Rule 18102. After doing some investigation, I found that all this is, is some sort of Windows authentication warning that actually is not being logged to the OSSEC box because it is a Level 0 alert. Where do I go, and what do I need to change so that this rule does not show up in the stats?
>
> -Drayton
Re: [ossec-list] where does this number come from
On Wed, Oct 10, 2012 at 8:59 AM, Michael Barrett <michael_barr...@mgic.com> wrote:
> Anyone have any insight on how to change/resolve this auto number issue?

I've seen it, but it never bothered me enough to look into. I'd start in src/addagent.

> Michael Barrett | Information Security Analyst - Lead | Mortgage Guaranty Insurance Corporation
>
> From: Scott Klauminzer <sklaumin...@gmail.com>
> To: ossec-list@googlegroups.com
> Date: 10/05/2012 02:26 PM
> Subject: Re: [ossec-list] where does this number come from
>
>> Is it possible you have set setmaxagents to 1024 on make?
>>
>> Scott
>>
>> On Oct 5, 2012, at 10:00 AM, Michael Barrett <michael_barr...@mgic.com> wrote:
>>> It seems to be messed up. The agent ID used to default to the next number; now it seems to be stuck on 1025.
>>> [Mail Attachment.gif]
Re: [ossec-list] rule info location
On Tue, Oct 9, 2012 at 5:38 PM, Adam <a...@grandcare.com> wrote:
> I'm using ossec webui and when I click on a rule id it takes me to http://www.ossec.net/wiki/index.php/Rule:5501 which of course is gone. Where would the new location be for rule info?? Anyone know of the repo for ossec web ui? I would like to send in this and other patches.

No one has kept up with it. You might find something useful here:
http://www.ossec.net/doc/rules/rules/index.html

If anyone is interested in documenting the rules, let me know. We can create a template for it in the documentation.
Re: [ossec-list] add logfile to ossec
If you're using vi, just :w! to force a write. Then :q to quit.

On Oct 10, 2012 5:36 PM, Adam <a...@grandcare.com> wrote:
> I set up rsyslog to get messages from a remote network device and put the messages in /var/log/IP/syslog.log
>
> How do I add that file to ossec so it parses it and stuff? I attempted to edit ossec.conf but it's read only. Do I need to change the perms on that, make my changes, change the perms back, then restart ossec?
>
> Thank you.
[ossec-list] Re: add logfile to ossec
When you exit vi/vim, just do :wq! - if you are root while editing, it will overwrite it and you don't have to change perms.

On Wednesday, October 10, 2012 2:36:41 PM UTC-7, Adam wrote:
> I set up rsyslog to get messages from a remote network device and put the messages in /var/log/IP/syslog.log
>
> How do I add that file to ossec so it parses it and stuff? I attempted to edit ossec.conf but it's read only. Do I need to change the perms on that, make my changes, change the perms back, then restart ossec?
>
> Thank you.
Re: [ossec-list] add logfile to ossec
OK, thanks guys, I just thought there was some way to do it via the ossec server.

On Wed, Oct 10, 2012 at 5:04 PM, dan (ddp) <ddp...@gmail.com> wrote:
> If you're using vi, just :w! to force a write. Then :q to quit.
>
> On Oct 10, 2012 5:36 PM, Adam <a...@grandcare.com> wrote:
>> I set up rsyslog to get messages from a remote network device and put the messages in /var/log/IP/syslog.log
>>
>> How do I add that file to ossec so it parses it and stuff? I attempted to edit ossec.conf but it's read only. Do I need to change the perms on that, make my changes, change the perms back, then restart ossec?
>>
>> Thank you.
Re: [ossec-list] where does this number come from
Do you already have 1024 entries in the client.keys file? If yes, it is the hard-coded limit for 'manage_agents'. See src/validate.c OS_AddNewAgent(). IDs higher than 1024 are reserved for 'ossec-authd' to use.

If you have not reached 1024 entries, do you have a lot of gaps in agent IDs? 'manage_agents' does not fill in the gaps automatically when picking an agent ID; you will need to enter them manually.

On Wednesday, October 10, 2012 6:03:07 AM UTC-7, Michael Barrett wrote:
> Anyone have any insight on how to change/resolve this auto number issue?
>
> Michael Barrett | Information Security Analyst - Lead | Mortgage Guaranty Insurance Corporation (http://www.mgic.com/)
>
> From: Scott Klauminzer <sklau...@gmail.com>
> To: ossec...@googlegroups.com
> Date: 10/05/2012 02:26 PM
> Subject: Re: [ossec-list] where does this number come from
>
>> Is it possible you have set setmaxagents to 1024 on make?
>>
>> Scott
>>
>> On Oct 5, 2012, at 10:00 AM, Michael Barrett <michael_barr...@mgic.com> wrote:
>>> It seems to be messed up. The agent ID used to default to the next number; now it seems to be stuck on 1025.
>>> [Mail Attachment.gif]
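As an added example (not from the thread and not OSSEC's own code), a small Python check over client.keys that counts entries in the manage_agents range and lists the gaps the tool will not fill on its own, so an admin can tell whether a 1025 default means the range is full or just has holes. The sample file content is constructed, and treating a name prefixed with '!' as a removed agent is an assumption.

```python
# Added example (not OSSEC code): inspect client.keys against the 1024-ID
# manage_agents limit described in the thread (src/validate.c OS_AddNewAgent).
from typing import Dict, List, Tuple

MANAGE_AGENTS_MAX_ID = 1024  # IDs above this are left for ossec-authd

# Constructed sample client.keys content. Format per line: ID NAME IP KEY.
# Keys are fake placeholders; entry 007 has been removed via manage_agents.
SAMPLE_CLIENT_KEYS = """\
001 web01 192.168.10.11 0000000000000000000000000000000000000000000000000000000000000001
002 web02 192.168.10.12 0000000000000000000000000000000000000000000000000000000000000002
004 db01 192.168.10.20 0000000000000000000000000000000000000000000000000000000000000004
007 !old-host 192.168.10.30 0000000000000000000000000000000000000000000000000000000000000007
1025 authd-host 10.0.0.5 0000000000000000000000000000000000000000000000000000000000001025
"""


def parse_client_keys(text: str) -> List[Tuple[int, str, str]]:
    """Return (id, name, ip) for every active entry.
    Assumption: a NAME starting with '!' is manage_agents' removed-agent marker;
    blank lines and '#' comment lines are skipped."""
    entries = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) < 4 or not parts[0].isdigit() or parts[1].startswith("!"):
            continue
        entries.append((int(parts[0]), parts[1], parts[2]))
    return entries


def manage_agents_free_ids(entries, limit: int = MANAGE_AGENTS_MAX_ID) -> List[int]:
    """IDs in 1..limit not in use: the gaps manage_agents will not fill by itself."""
    used = {agent_id for agent_id, _, _ in entries if agent_id <= limit}
    return [i for i in range(1, limit + 1) if i not in used]


def summarize(text: str) -> Dict[str, object]:
    """Counts an admin needs before deciding whether a 1025 default is expected."""
    entries = parse_client_keys(text)
    free = manage_agents_free_ids(entries)
    return {
        "active": len(entries),
        "in_manage_agents_range": sum(1 for e in entries if e[0] <= MANAGE_AGENTS_MAX_ID),
        "authd_range": sum(1 for e in entries if e[0] > MANAGE_AGENTS_MAX_ID),
        "next_gap": free[0] if free else None,  # lowest ID to enter manually
        "range_exhausted": not free,  # True -> only authd-range IDs remain
    }
```

Run it against a real /var/ossec/etc/client.keys by passing the file's contents to summarize(); a non-empty gap list with "range_exhausted" False means manage_agents skipped IDs you can still assign by hand.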