Re: [ossec-list] ossec with nagios

2014-03-13 Thread Darin Perusich
Why not do a process check for remoted?
On Mar 13, 2014 4:41 PM, "Gaurav Rajput"  wrote:

> Hi,
>
> I have an ossec-server along with a nagios-server. All I want is to
> monitor ossec-remoted from nagios. But the main problem is that
> "ossec-remoted" uses the UDP protocol, so it never echoes back. So how would I
> ensure that my ossec-server is up and running (with or without using
> nagios)?
>
> Also, I tried the nagios-plugin "check_udp", but, while tackling the UDP, we
> must pass the "send string" and "expect string" as parameters to this
> command. I couldn't find any way to do this. I tried "netcat" too but it's
> not giving me the desired result (as it was echoing the same thing for all
> UDP ports [0-65535]). So is there any specific string that I can send and
> receive some expected string? (I don't have enough time to open the code
> right now.)
>
> Thanks.
>
>

-- 

--- 
You received this message because you are subscribed to the Google Groups 
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to ossec-list+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
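Darin's process check, written out as an added example (my own code, not part of the thread and not shipped with OSSEC): a Nagios-style plugin that reports OK only when an ossec-remoted process exists and a UDP socket is bound on the manager port (1514/udp by default). It has to run on the OSSEC server itself, for instance under NRPE, because remoted silently drops anything it cannot decrypt with a registered agent key; no probe from the Nagios host will ever get a reply, which is why check_udp's send/expect pair cannot work here. The ps and /proc/net/udp text below is constructed sample input.

```python
#!/usr/bin/env python3
"""Added example: Nagios-style check that ossec-remoted is up on the OSSEC manager.

Two local observations are combined: a process named ossec-remoted exists, and a
UDP socket is bound on the manager port (1514/udp by default).
"""
import subprocess
import sys

# Nagios plugin exit codes.
OK, WARNING, CRITICAL, UNKNOWN = 0, 1, 2, 3
OSSEC_REMOTED_PORT = 1514  # default port of ossec-remoted's secure (agent) connection

# Constructed sample inputs, in the shape of `ps -eo comm=` and /proc/net/udp.
SAMPLE_PS_UP = "systemd\nossec-execd\nossec-remoted\nossec-analysisd\n"
SAMPLE_PS_DOWN = "systemd\nossec-execd\nossec-analysisd\n"
SAMPLE_PROC_NET_UDP = (
    "  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode ref pointer drops\n"
    "   0: 00000000:05EA 00000000:0000 07 00000000:00000000 00:00000000 00000000     0        0 12345 2 0000000000000000 0\n"
    "   1: 00000000:0202 00000000:0000 07 00000000:00000000 00:00000000 00000000     0        0 12346 2 0000000000000000 0\n"
)
# Same table without the 0x05EA (= 1514) socket: remoted alive but not listening.
SAMPLE_PROC_NET_UDP_NO_1514 = "\n".join(
    line for line in SAMPLE_PROC_NET_UDP.splitlines() if ":05EA " not in line
) + "\n"


def remoted_running(ps_comm_output):
    """True if a process whose command name is ossec-remoted appears in `ps -eo comm=` output."""
    return "ossec-remoted" in {line.strip() for line in ps_comm_output.splitlines()}


def parse_udp_listeners(proc_net_udp_text):
    """Set of local ports with a bound UDP socket, parsed from /proc/net/udp.

    The local_address column is hex "ADDR:PORT"; only the port matters here.
    """
    ports = set()
    for line in proc_net_udp_text.splitlines()[1:]:  # first line is the header
        fields = line.split()
        if len(fields) < 2:
            continue
        ports.add(int(fields[1].rsplit(":", 1)[1], 16))
    return ports


def check(ps_comm_output, proc_net_udp_text, port=OSSEC_REMOTED_PORT):
    """Combine both observations into a (nagios_exit_code, status_line) pair."""
    proc_ok = remoted_running(ps_comm_output)
    sock_ok = port in parse_udp_listeners(proc_net_udp_text)
    if proc_ok and sock_ok:
        return OK, f"OK - ossec-remoted running and bound to udp/{port}"
    if proc_ok:
        return CRITICAL, f"CRITICAL - ossec-remoted running but udp/{port} is not bound"
    return CRITICAL, "CRITICAL - no ossec-remoted process"


def main():
    ps = subprocess.run(["ps", "-eo", "comm="], capture_output=True, text=True).stdout
    try:
        with open("/proc/net/udp") as fh:
            udp = fh.read()
    except OSError as exc:
        print(f"UNKNOWN - cannot read /proc/net/udp: {exc}")
        sys.exit(UNKNOWN)
    code, message = check(ps, udp)
    print(message)
    sys.exit(code)


if __name__ == "__main__":
    main()
```

Wire it up as a local NRPE command on the manager. The socket table read is Linux-specific; on another OS feed `check()` the output of the local socket-listing tool instead of /proc/net/udp.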


Re: [ossec-list] Install Agent on OSSEC Server?

2014-03-13 Thread Mike Wisniewski

Thanks all for the help.  I had another machine laying around, so I 
installed an 'agent' to the second machine.  Once I did that and had it 
report to the server, everything started working fine and it inserts the 
blocks in my hosts.deny.

I don't know if it's a bug per se, but I believe that the active responses 
shouldn't make you install an agent if you just have a server running.  
Then again, if you are just using one machine, you should probably install 
'local' anyways.


Thanks for the responses and help!



On Thursday, March 13, 2014 2:54:43 PM UTC-5, Mike Wisniewski wrote:
>
> Please see below for the answers...
>
> On Thursday, March 13, 2014 1:30:37 PM UTC-5, dan (ddpbsd) wrote:
>>
>> On Thu, Mar 13, 2014 at 2:24 PM, Mike Wisniewski  
>> wrote: 
>> > Thanks for the quick response.  Please see inline for answers. 
>> > 
>> > On Thursday, March 13, 2014 12:57:34 PM UTC-5, dan (ddpbsd) wrote: 
>> >> 
>> >> On Thu, Mar 13, 2014 at 1:53 PM, Mike Wisniewski  
>> wrote: 
>> >> [...] 
>> >> 
>> >> 
>> >> Are you using active response? 
>> > 
>> > 
>> > Yes, I am trying to use active response.  I'm trying to get it to dump 
>> IP's 
>> > in /etc/hosts.deny.  I am reading logs from another device in a 
>> directory 
>> > that doesn't support ossec.  It's actually dumping the apache logs and 
>> I'm 
>> > trying to get it to add it to the hosts.deny on the server. 
>> > 
>>
>> Make sure AR isn't disabled. Make sure ossec-execd is running. Make 
>> sure AR is configured for the server and not just the agents. 
>>
>>
> I believe I enabled AR for the 'host-deny' command.  Attached is my config 
> file.
>
> http://pastebin.com/PY8C10Uc
>
> ossec-execd is running as well.  The alert shows up in the 'alerts.log' 
> file as well, but doesn't add it to /etc/hosts.deny or the 
> activeresponse.log.  Here's a snip of an alert of me doing a vulnerability 
> scan against that box.
>
> ** Alert 1394732302.250449: - apache,invalid_request,
> 2014 Mar 13 12:38:22 snoopy->/data/device-Logs/Apache/sys-error.log
> Rule: 30115 (level 5) -> 'Invalid URI (bad client request).'
> Src IP: 10.0.1.9
> [Thu Mar 13 12:38:22 2014] [error] [client 10.0.1.9] Invalid URI in 
> request GET /%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd 
> HTTP/1.1
>
>
> Thanks for your response and help.
>
>



[ossec-list] ossec with nagios

2014-03-13 Thread Gaurav Rajput
Hi,

I have an ossec-server along with a nagios-server. All I want is to 
monitor ossec-remoted from nagios. But the main problem is that 
"ossec-remoted" uses the UDP protocol, so it never echoes back. So how would I 
ensure that my ossec-server is up and running (with or without using 
nagios)?

Also, I tried the nagios-plugin "check_udp", but, while tackling the UDP, we 
must pass the "send string" and "expect string" as parameters to this 
command. I couldn't find any way to do this. I tried "netcat" too but it's 
not giving me the desired result (as it was echoing the same thing for all 
UDP ports [0-65535]). So is there any specific string that I can send and 
receive some expected string? (I don't have enough time to open the code 
right now.)

Thanks.



Re: [ossec-list] Install Agent on OSSEC Server?

2014-03-13 Thread Mike Wisniewski
Please see below for the answers...

On Thursday, March 13, 2014 1:30:37 PM UTC-5, dan (ddpbsd) wrote:
>
> On Thu, Mar 13, 2014 at 2:24 PM, Mike Wisniewski 
> > 
> wrote: 
> > Thanks for the quick response.  Please see inline for answers. 
> > 
> > On Thursday, March 13, 2014 12:57:34 PM UTC-5, dan (ddpbsd) wrote: 
> >> 
> >> On Thu, Mar 13, 2014 at 1:53 PM, Mike Wisniewski  
> wrote: 
> >> [...] 
> >> 
> >> 
> >> Are you using active response? 
> > 
> > 
> > Yes, I am trying to use active response.  I'm trying to get it to dump 
> IP's 
> > in /etc/hosts.deny.  I am reading logs from another device in a 
> directory 
> > that doesn't support ossec.  It's actually dumping the apache logs and 
> I'm 
> > trying to get it to add it to the hosts.deny on the server. 
> > 
>
> Make sure AR isn't disabled. Make sure ossec-execd is running. Make 
> sure AR is configured for the server and not just the agents. 
>
>
I believe I enabled AR for the 'host-deny' command.  Attached is my config 
file.

http://pastebin.com/PY8C10Uc

ossec-execd is running as well.  The alert shows up in the 'alerts.log' 
file as well, but doesn't add it to /etc/hosts.deny or the 
activeresponse.log.  Here's a snip of an alert of me doing a vulnerability 
scan against that box.

** Alert 1394732302.250449: - apache,invalid_request,
2014 Mar 13 12:38:22 snoopy->/data/device-Logs/Apache/sys-error.log
Rule: 30115 (level 5) -> 'Invalid URI (bad client request).'
Src IP: 10.0.1.9
[Thu Mar 13 12:38:22 2014] [error] [client 10.0.1.9] Invalid URI in request 
GET /%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd HTTP/1.1


Thanks for your response and help.



Re: [ossec-list] Install Agent on OSSEC Server?

2014-03-13 Thread dan (ddp)
On Thu, Mar 13, 2014 at 2:24 PM, Mike Wisniewski  wrote:
> Thanks for the quick response.  Please see inline for answers.
>
> On Thursday, March 13, 2014 12:57:34 PM UTC-5, dan (ddpbsd) wrote:
>>
>> On Thu, Mar 13, 2014 at 1:53 PM, Mike Wisniewski  wrote:
>> [...]
>>
>>
>> Are you using active response?
>
>
> Yes, I am trying to use active response.  I'm trying to get it to dump IP's
> in /etc/hosts.deny.  I am reading logs from another device in a directory
> that doesn't support ossec.  It's actually dumping the apache logs and I'm
> trying to get it to add it to the hosts.deny on the server.
>

Make sure AR isn't disabled. Make sure ossec-execd is running. Make
sure AR is configured for the server and not just the agents.

>>
>>
>> > and the FAQ says to install the agent, but it's a server that's
>> > already
>> > being monitored by OSSEC by default.
>> >
>>
>> I'll have to check that out, because it makes no sense.
>
>
> I know one thing is to check to see if 'ossec-analysis' is running, which it
> is.
>

Yeah, I checked out the FAQ and explained it in a second email.

>
> Thanks all for the help.
>

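The checks dan lists, turned into an added example (my own code, not OSSEC's and not the poster's configuration): it parses the `<command>` and `<active-response>` blocks of an ossec.conf fragment, honours the global `<disabled>` switch, and evaluates the alert Mike pasted to say which executables would run on the manager. The configuration fragment is constructed to resemble the thread's host-deny setup; the poster's real file is only on pastebin, so the level threshold of 5 and the 600 s timeout are assumptions. The alert text is the one from the thread with the traversal URL shortened. Whether ossec-execd is actually running is a plain process check and is not repeated here.

```python
#!/usr/bin/env python3
"""Added example: which active responses would an alert trigger on the manager?"""
import re
import xml.etree.ElementTree as ET

# Constructed ossec.conf fragment modelled on the thread's host-deny setup; the
# poster's real file is not on this page, so level 5 and timeout 600 are assumptions.
MANAGER_CONF = """
<ossec_config>
  <command>
    <name>host-deny</name>
    <executable>host-deny.sh</executable>
    <expect>srcip</expect>
    <timeout_allowed>yes</timeout_allowed>
  </command>
  <active-response>
    <command>host-deny</command>
    <location>server</location>
    <level>5</level>
    <timeout>600</timeout>
  </active-response>
</ossec_config>
"""
# Same fragment with the global kill switch set: nothing may fire.
DISABLED_CONF = MANAGER_CONF.replace(
    "<ossec_config>",
    "<ossec_config>\n  <active-response><disabled>yes</disabled></active-response>", 1)

# The alert from the thread (alerts.log format), traversal URL shortened.
SAMPLE_ALERT = """** Alert 1394732302.250449: - apache,invalid_request,
2014 Mar 13 12:38:22 snoopy->/data/device-Logs/Apache/sys-error.log
Rule: 30115 (level 5) -> 'Invalid URI (bad client request).'
Src IP: 10.0.1.9
[Thu Mar 13 12:38:22 2014] [error] [client 10.0.1.9] Invalid URI in request GET /%2e%2e/%2e%2e/etc/passwd HTTP/1.1
"""

ALERT_HEADER = re.compile(r"^\*\* Alert [\d.]+:(?: mail)? - (\S*)", re.M)
ALERT_RULE = re.compile(r"^Rule: (\d+) \(level (\d+)\)", re.M)
ALERT_SRCIP = re.compile(r"^Src IP: (\S+)", re.M)


def parse_alert(text):
    """Extract groups, rule id, level and source IP from one alerts.log entry."""
    header, rule, srcip = ALERT_HEADER.search(text), ALERT_RULE.search(text), ALERT_SRCIP.search(text)
    if not (header and rule):
        raise ValueError("not an OSSEC alert")
    return {"groups": [g for g in header.group(1).split(",") if g],
            "rule_id": int(rule.group(1)), "level": int(rule.group(2)),
            "srcip": srcip.group(1) if srcip else None}


def _csv_set(text):
    return {item.strip() for item in (text or "").split(",") if item.strip()}


def parse_ar_config(conf_text):
    """Return (globally_disabled, responses) from ossec.conf text.

    ossec.conf may hold several top-level <ossec_config> elements, so the text
    is wrapped in a synthetic root before parsing.
    """
    root = ET.fromstring("<root>" + conf_text + "</root>")
    # Real <command> blocks carry a <name>; the <command> inside <active-response> is a reference.
    commands = {c.findtext("name"): c for c in root.iter("command") if c.find("name") is not None}
    disabled, responses = False, []
    for ar in root.iter("active-response"):
        if (ar.findtext("disabled") or "").strip().lower() == "yes":
            disabled = True
        name = ar.findtext("command")
        if name is None:
            continue  # bare <active-response><disabled>..</disabled> block
        cmd = commands.get(name)
        responses.append({
            "executable": cmd.findtext("executable") if cmd is not None else None,
            "location": (ar.findtext("location") or "local").strip(),
            "level": int(ar.findtext("level") or 0),
            "rules_id": _csv_set(ar.findtext("rules_id")),
            "rules_group": _csv_set(ar.findtext("rules_group")),
        })
    return disabled, responses


def responses_on_manager(conf_text, alert, event_from_manager=True):
    """(executable, srcip) pairs that should run on the manager for this alert.

    server/all run on the manager; local runs where the event was read, which is
    the manager when it reads the log itself (as in the thread); defined-agent never.
    """
    disabled, responses = parse_ar_config(conf_text)
    if disabled:
        return []
    fired = []
    for r in responses:
        if r["executable"] is None or alert["level"] < r["level"]:
            continue  # undefined <command>, or alert below the threshold
        if r["rules_id"] and str(alert["rule_id"]) not in r["rules_id"]:
            continue
        if r["rules_group"] and not (r["rules_group"] & set(alert["groups"])):
            continue
        if r["location"] in ("server", "all") or (r["location"] == "local" and event_from_manager):
            fired.append((r["executable"], alert["srcip"]))
    return fired


if __name__ == "__main__":
    alert = parse_alert(SAMPLE_ALERT)
    print("enabled: ", responses_on_manager(MANAGER_CONF, alert))
    print("disabled:", responses_on_manager(DISABLED_CONF, alert))
```

Against a live manager, feed it the contents of /var/ossec/etc/ossec.conf and one entry at a time from /var/ossec/logs/alerts/alerts.log (entries are separated by blank lines); an alert that shows up in alerts.log but yields an empty list here is the configuration-side half of dan's diagnosis.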


Re: [ossec-list] Install Agent on OSSEC Server?

2014-03-13 Thread Mike Wisniewski
Thanks for the quick response.  Please see inline for answers.

On Thursday, March 13, 2014 12:57:34 PM UTC-5, dan (ddpbsd) wrote:
>
> On Thu, Mar 13, 2014 at 1:53 PM, Mike Wisniewski 
> > 
> wrote: 
> [...]
>

> Are you using active response? 
>

Yes, I am trying to use active response.  I'm trying to get it to dump IP's 
in /etc/hosts.deny.  I am reading logs from another device in a directory 
that doesn't support ossec.  It's actually dumping the apache logs and I'm 
trying to get it to add it to the hosts.deny on the server.  
 

>
> > and the FAQ says to install the agent, but it's a server that's 
> already 
> > being monitored by OSSEC by default. 
> > 
>
> I'll have to check that out, because it makes no sense. 
>

I know one thing is to check to see if 'ossec-analysis' is running, which 
it is. 


Thanks all for the help.



Re: [ossec-list] Install Agent on OSSEC Server?

2014-03-13 Thread dan (ddp)
On Thu, Mar 13, 2014 at 1:57 PM, dan (ddp)  wrote:
> On Thu, Mar 13, 2014 at 1:53 PM, Mike Wisniewski  wrote:
>> Simple question...  Do I have to install an OSSEC agent on the Server?  If
>> so, should I specify a different default directory?
>>
>
> No, you do not need to install an OSSEC agent on the OSSEC manager.
> The server installation performs those functions for that system
> already.
>
>> Something makes me think I don't think so because the server already
>> monitors files, but I'm seeing this message...
>>
>> 2014/03/13 12:42:17 ossec-analysisd(1210): ERROR: Queue '/queue/alerts/ar'
>> not accessible: 'Connection refused'.
>> 2014/03/13 12:42:17 ossec-analysisd(1301): ERROR: Unable to connect to
>> active response queue.
>> 2014/03/13 12:42:17 ossec-analysisd: INFO: Connected to
>> '/queue/alerts/execq' (exec queue)
>>
>
> Are you using active response?
>
>> and the FAQ says to install the agent, but it's a server that's already
>> being monitored by OSSEC by default.
>>
>
> I'll have to check that out, because it makes no sense.
>

Ok, the FAQ 
(http://ossec-docs.readthedocs.org/en/latest/faq/unexpected.html#check-queue-alerts-ar)
actually says to add an agent with manage_agents, not to perform an
agent installation on the OSSEC manager.

>> Thanks in advance.
>>
>>



Re: [ossec-list] Install Agent on OSSEC Server?

2014-03-13 Thread dan (ddp)
On Thu, Mar 13, 2014 at 1:53 PM, Mike Wisniewski  wrote:
> Simple question...  Do I have to install an OSSEC agent on the Server?  If
> so, should I specify a different default directory?
>

No, you do not need to install an OSSEC agent on the OSSEC manager.
The server installation performs those functions for that system
already.

> Something makes me think I don't think so because the server already
> monitors files, but I'm seeing this message...
>
> 2014/03/13 12:42:17 ossec-analysisd(1210): ERROR: Queue '/queue/alerts/ar'
> not accessible: 'Connection refused'.
> 2014/03/13 12:42:17 ossec-analysisd(1301): ERROR: Unable to connect to
> active response queue.
> 2014/03/13 12:42:17 ossec-analysisd: INFO: Connected to
> '/queue/alerts/execq' (exec queue)
>

Are you using active response?

> and the FAQ says to install the agent, but it's a server that's already
> being monitored by OSSEC by default.
>

I'll have to check that out, because it makes no sense.

> Thanks in advance.
>
>



[ossec-list] Install Agent on OSSEC Server?

2014-03-13 Thread Mike Wisniewski
Simple question...  Do I have to install an OSSEC agent on the Server?  If 
so, should I specify a different default directory?

Something makes me think I don't think so because the server already 
monitors files, but I'm seeing this message...

2014/03/13 12:42:17 ossec-analysisd(1210): ERROR: Queue '/queue/alerts/ar' not 
accessible: 'Connection refused'.
2014/03/13 12:42:17 ossec-analysisd(1301): ERROR: Unable to connect to active 
response queue.
2014/03/13 12:42:17 ossec-analysisd: INFO: Connected to '/queue/alerts/execq' 
(exec queue)

and the FAQ says to install the agent, but it's a server that's already being 
monitored by OSSEC by default.

Thanks in advance.




Re: [ossec-list] strange error message from ossec-keepalive

2014-03-13 Thread Joshua Garnett
All,

I'm getting this alert also in 2.7.1.  I tried writing a rule to filter
them, but it caused remoted to not want to work properly.  I'd welcome a
hack at this point, if not a proper fix.

--Josh


On Thu, Mar 13, 2014 at 4:37 AM, Bib Kam  wrote:

> Hello,
>
> I'm using OSSEC 2.7 but I still get this alert!!
> Please, how to resolve this issue ?
>
> Thank you in advance
>
> On Friday, December 3, 2010 1:21:23 AM UTC+1, Daniel Cid wrote:
>>
>> Yes, a bug in OSSEC. These messages are randomly generated and should not
>> reach
>> analysisd.
>>
>> Been fixed on the latest snapshot: http:/www.ossec.net/files/snapshots/
>>
>> thanks,
>>
>> On Thu, Dec 2, 2010 at 6:32 PM, dan (ddp)  wrote:
>> > On Thu, Dec 2, 2010 at 4:52 PM, loyd.darby  wrote:
>> >> That leaves only a memory / buffer overflow kind of error .  If it only
>> >> happened once I would not sweat it.
>> >> It is also "possible" that the log data got corrupted in transit (look
>> at
>> >> netstat -s for host and client interfaces)
>> >> If it repeats, then I would relook at the logs, possibly with a
>> different
>> >> tool.
>> >> Binary data in a log file can hide from editors so cat, grep and
>> strings are
>> >> better tools.
>> >> I think it is unlikely that OSSEC bug can cause this but you could
>> >> re-install as a last resort.
>> >>
>> >>
>> >
>> > Or it could be part of the keep alive messages in OSSEC:
>> > (from src/logcollector/logcollector.c)
>> > char *rand_keepalive_str(char *dst, int size)
>> > {
>> >     static const char text[] = "abcdefghijklmnopqrstuvwxyz"
>> >                                "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
>> >                                "0123456789"
>> >                                "!@#$%^&*()_+-=;'[],./?";
>> >     int i, len = rand() % (size - 10);
>> >     strncpy(dst, "--MARK--: ", 12);
>> >     for ( i = 10; i < len; ++i )
>> >     {
>> >         dst[i] = text[rand() % (sizeof text - 1)];
>> >     }
>> >     dst[i] = '\0';
>> >     return dst;
>> > }
>> >
>> >
>> >> On 12/02/2010 04:06 PM, Andre Pawlowski wrote:
>> >>>
>> >>> I don't find this log entry in any of my logs. That means that there
>> was
>> >>> no syslog message with this text. Smart didn't detect anything strange
>> >>> either.
>> >>>
>> >>> Andre Pawlowski
>> >>>
>> >>> ---
>> >>>
>> >>> Poor is the pupil who does not surpass his master.
>> >>>-Leonardo da Vinci
>> >>>
>> >>> On 12/02/2010 07:54 PM, loyd.darby wrote:
>> >>>
>> 
>>  It means that a syslog message had one of these words in it:
>>  core_dumped|failure|error|attack|bad |illegal
>>  |denied|refused|unauthorized|fatal|failed|Segmentation
>> Fault|Corrupted
>>  MARK and the string of characters is actually part of the message
>> and it
>>  is likely a disk error.
>>  It definitely should be looked at.
>> 
>>  On 12/02/2010 12:10 PM, dan (ddp) wrote:
>> 
>> >
>> > On Thu, Dec 2, 2010 at 11:27 AM, Andre Pawlowski
>> > wrote:
>> >
>> >
>> >>
>> >> Hi list,
>> >>
>> >> I've got a strange error message from my ossec server that I don't
>> >> understand:
>> >>
>> >> OSSEC HIDS Notification.
>> >> 2010 Dec 02 09:48:40
>> >>
>> >> Received From: kokyt0s->ossec-keepalive
>> >> Rule: 1002 fired (level 2) ->   "Unknown problem somewhere in the
>> >> system."
>> >> Portion of the log(s):
>> >>
>> >> --MARK--:
>> >>
>> >> &pQSW__BPa5S?%tyDTJ3-iCG2lz2dU))r(F%6tjp8wqpf=]
>> IKFT%ND2kP]ua/W)3-6'eHduX$;$Axqq7Vr.dVZ1SUDSaH)
>> 4xTXCIieaEKv47LD-bU)SXMnXO/jPGKn3.!NGBR_5]jD2UoSV9)h%z8G%
>> 7.xhI;s)267.rV214O@t2#w)Z(k'UQp9]MyDERrOrG[-,e?iS@B3Rg/
>> kGiR[g6mc0K)/]S]0'+?+'/.[r$fqBR^7iAjoPv4j6SWjeRsLGr%$3#p+
>> buf&u_RC3i/mE3vS3*jp&B1qSJM431TmEg,YJ][ge;6-dJI69?-
>> TB?!BI4?Uza63V3vMY3ake6ahj-%A-m_5lgab!OVR,!pR+;L]eLgilU
>> >>
>> >>
>> >>
>> >>
>> >>   --END OF NOTIFICATION
>> >>
>> >>
>> >> Has anyone an idea what this means?
>> >>
>> >> Regards
>> >>
>> >> --
>> >>
>> >> Andre Pawlowski
>> >>
>> >> 
>> ---
>> >>
>> >> Wenn eine Idee nicht zuerst absurd erscheint, taugt sie nichts.
>> >> -Albert Einstein
>> >>
>> >>
>> >>
>> >
>> > I think it's "normal" (although I didn't think these messages were
>> > going to be logged). It's definitely nothing to worry about. I think
>> > the random text in the message is just padding to make the keep
>> alives
>> > indistinguishable from other messages based on packet size.
>> >
>> >
>> 
>> 
>> >>
>> >> --
>> >> R. Loyd Darby, OSSIM-OCSE
>> >> Project Manager DOC/NOAA/NMFS
>> >> Infrastructure coordinator
>> >> Southeast Fisheries Science Center
>> >> 305-361-4297
>> >>
>> >>
>> >
>>

Re: [ossec-list] strange error message from ossec-keepalive

2014-03-13 Thread Bib Kam
Hello,

I'm using OSSEC 2.7 but I still get this alert!!
Please, how to resolve this issue ?

Thank you in advance

On Friday, December 3, 2010 1:21:23 AM UTC+1, Daniel Cid wrote:
>
> Yes, a bug in OSSEC. These messages are randomly generated and should not 
> reach
> analysisd.
>
> Been fixed on the latest snapshot: http:/www.ossec.net/files/snapshots/
>
> thanks,
>
> On Thu, Dec 2, 2010 at 6:32 PM, dan (ddp) > 
> wrote:
> > On Thu, Dec 2, 2010 at 4:52 PM, loyd.darby > 
> wrote:
> >> That leaves only a memory / buffer overflow kind of error .  If it only
> >> happened once I would not sweat it.
> >> It is also "possible" that the log data got corrupted in transit (look 
> at
> >> netstat -s for host and client interfaces)
> >> If it repeats, then I would relook at the logs, possibly with a 
> different
> >> tool.
> >> Binary data in a log file can hide from editors so cat, grep and 
> strings are
> >> better tools.
> >> I think it is unlikely that OSSEC bug can cause this but you could
> >> re-install as a last resort.
> >>
> >>
> >
> > Or it could be part of the keep alive messages in OSSEC:
> > (from src/logcollector/logcollector.c)
> > char *rand_keepalive_str(char *dst, int size)
> > {
> >     static const char text[] = "abcdefghijklmnopqrstuvwxyz"
> >                                "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
> >                                "0123456789"
> >                                "!@#$%^&*()_+-=;'[],./?";
> >     int i, len = rand() % (size - 10);
> >     strncpy(dst, "--MARK--: ", 12);
> >     for ( i = 10; i < len; ++i )
> >     {
> >         dst[i] = text[rand() % (sizeof text - 1)];
> >     }
> >     dst[i] = '\0';
> >     return dst;
> > }
> >
> >
> >> On 12/02/2010 04:06 PM, Andre Pawlowski wrote:
> >>>
> >>> I don't find this log entry in any of my logs. That means that there 
> was
> >>> no syslog message with this text. Smart didn't detect anything strange
> >>> either.
> >>>
> >>> Andre Pawlowski
> >>>
> >>> ---
> >>>
> >>> Poor is the pupil who does not surpass his master.
> >>>-Leonardo da Vinci
> >>>
> >>> On 12/02/2010 07:54 PM, loyd.darby wrote:
> >>>
> 
>  It means that a syslog message had one of these words in it:
>  core_dumped|failure|error|attack|bad |illegal
>  |denied|refused|unauthorized|fatal|failed|Segmentation Fault|Corrupted
>  MARK and the string of characters is actually part of the message and 
> it
>  is likely a disk error.
>  It definitely should be looked at.
> 
>  On 12/02/2010 12:10 PM, dan (ddp) wrote:
> 
> >
> > On Thu, Dec 2, 2010 at 11:27 AM, Andre 
> > Pawlowski
> >
> > wrote:
> >
> >
> >>
> >> Hi list,
> >>
> >> I've got a strange error message from my ossec server that I don't
> >> understand:
> >>
> >> OSSEC HIDS Notification.
> >> 2010 Dec 02 09:48:40
> >>
> >> Received From: kokyt0s->ossec-keepalive
> >> Rule: 1002 fired (level 2) ->   "Unknown problem somewhere in the
> >> system."
> >> Portion of the log(s):
> >>
> >> --MARK--:
> >>
> >> 
> &pQSW__BPa5S?%tyDTJ3-iCG2lz2dU))r(F%6tjp8wqpf=]IKFT%ND2kP]ua/W)3-6'eHduX$;$Axqq7Vr.dVZ1SUDSaH)4xTXCIieaEKv47LD-bU)SXMnXO/jPGKn3.!NGBR_5]jD2UoSV9)h%z8G%7.xhI;s)267.rV214O@t2#w)Z(k'UQp9]MyDERrOrG[-,e?iS@B3Rg/kGiR[g6mc0K)/]S]0'+?+'/.[r$fqBR^7iAjoPv4j6SWjeRsLGr%$3#p+buf&u_RC3i/mE3vS3*jp&B1qSJM431TmEg,YJ][ge;6-dJI69?-TB?!BI4?Uza63V3vMY3ake6ahj-%A-m_5lgab!OVR,!pR+;L]eLgilU
> >>
> >>
> >>
> >>
> >>   --END OF NOTIFICATION
> >>
> >>
> >> Has anyone an idea what this means?
> >>
> >> Regards
> >>
> >> --
> >>
> >> Andre Pawlowski
> >>
> >> ---
> >>
> >> Wenn eine Idee nicht zuerst absurd erscheint, taugt sie nichts.
> >> -Albert Einstein
> >>
> >>
> >>
> >
> > I think it's "normal" (although I didn't think these messages were
> > going to be logged). It's definitely nothing to worry about. I think
> > the random text in the message is just padding to make the keep 
> alives
> > indistinguishable from other messages based on packet size.
> >
> >
> 
> 
> >>
> >> --
> >> R. Loyd Darby, OSSIM-OCSE
> >> Project Manager DOC/NOAA/NMFS
> >> Infrastructure coordinator
> >> Southeast Fisheries Science Center
> >> 305-361-4297
> >>
> >>
> >
>
>



[ossec-list] ossec-maild tags

2014-03-13 Thread Gaurav Rajput
Hi,

I have 3 different infrastructures (Development, Production and Testing), 
running the same configuration (with same ip-address and subnet) and nodes. 
I have 3 ossec-servers running. Each ossec-server is sending the mails to a 
central gmail account.

All I want is, to categorize the mails from each infrastructure. In other 
words I want to tag the emails with Dev, Prod or Test. Is there any way to 
do this? I searched a lot in the configuration file.

Thanks.
