[ossec-list] OSSEC with OSSIM

2014-11-12 Thread Teddy Jayasaputra
Dear all,

Have any of you got an OSSEC server working that talks to the OSSEC in OSSIM?

I send OSSEC alerts (by alert level) via syslog to rsyslog on OSSIM, but it is not working
because OSSIM uses a custom log format with the tag AV in front of each log, so alerts from
the OSSEC server are not recognized by OSSIM.

I heard about OSSEC in hybrid mode.
Can someone describe it? Or point me to the manual for it? Can hybrid mode
solve deploying OSSEC to the OSSEC in OSSIM?

Thanks.

Best Regards,

-Teddy-

-- 

--- 
You received this message because you are subscribed to the Google Groups 
ossec-list group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to ossec-list+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.


Re: [ossec-list] OSSEC with OSSIM

2014-11-12 Thread dan (ddp)
On Wed, Nov 12, 2014 at 5:47 AM, Teddy Jayasaputra
teddy.jayasapu...@gmail.com wrote:
 Dear all,

 Have any of you got an OSSEC server working that talks to the OSSEC in OSSIM?

 I send OSSEC alerts (by alert level) via syslog to rsyslog on OSSIM, but it is not working
 because OSSIM uses a custom log format with the tag AV in front of each log, so alerts from
 the OSSEC server are not recognized by OSSIM.

 I heard about OSSEC in hybrid mode.
 Can someone describe it? Or point me to the manual for it? Can hybrid mode
 solve deploying OSSEC to the OSSEC in OSSIM?


Hybrid mode allows an OSSEC manager to report alerts to another OSSEC manager.

 Thanks.

 Best Regards,

 -Teddy-




Re: [ossec-list] pgp signatures for releases

2014-11-12 Thread dan (ddp)
On Sat, Nov 8, 2014 at 5:12 AM, Eero Volotinen eero.voloti...@iki.fi wrote:
 Hi List,

 I'm looking for GPG signatures for OSSEC releases. Where can I download them?


It doesn't look like they're currently offered.

 --
 Eero




Re: [ossec-list] Hybrid issues - stops forwarding logs

2014-11-12 Thread dan (ddp)
On Mon, Nov 10, 2014 at 4:02 AM, Chris H chris.hemb...@gmail.com wrote:
 The only calls in the strace to alerts.log are these:

 sendto(4, 1:ossec-keepalive:--MARK--: no[;..., 673, 0, NULL, 0) = 673


Are you sure 4 is a log file, and not the connection to the
ossec-remoted on the other end? I don't think there's enough of the
logs to really get an idea of what's going on (maybe the developers
would have more of a clue).

I did set up a hybrid system on CentOS 7 with the latest OSSEC sources,
but I'm not seeing the same issues you are.

 It's definitely reading it though, as it forwards the logs for a bit.

 On Friday, November 7, 2014 1:00:31 PM UTC, dan (ddpbsd) wrote:

 On Thu, Nov 6, 2014 at 9:40 AM, Chris H chris@gmail.com wrote:
  Hi.
 
  I'm running on CentOS 6.6.
 
  I enabled debug in internal_options.conf - nothing new in the logs.
  strace
  gives this at the time that it stops reading the file.  It means nothing
  to
  me, though.
 
  stat(/logs/ossec/ossec-agent/queue/ossec/.wait, 0x7fffe60bf900) = -1
  ENOENT (No such file or directory)
  sendto(4, 1:/logs/ossec/logs/alerts/alerts..., 641, 0, NULL, 0) = 641
  select(0, NULL, NULL, NULL, {2, 0}) = 0 (Timeout)
  stat(/logs/ossec/ossec-agent/queue/ossec/.wait, 0x7fffe60bf900) = -1
  ENOENT (No such file or directory)
  sendto(4, 1:/logs/ossec/logs/alerts/alerts..., 639, 0, NULL, 0) = 639
  select(0, NULL, NULL, NULL, {2, 0}) = 0 (Timeout)
  stat(/logs/ossec/ossec-agent/queue/ossec/.wait, 0x7fffe60bf900) = -1
  ENOENT (No such file or directory)
  sendto(4, 1:/logs/ossec/logs/alerts/alerts..., 634, 0, NULL, 0) = 634
  stat(/logs/ossec/ossec-agent/queue/ossec/.wait, 0x7fffe60c0390) = -1
  ENOENT (No such file or directory)
  sendto(4, 1:ossec-keepalive:--MARK--: no[;..., 673, 0, NULL, 0) = 673
  stat(/logs/ossec/logs/alerts/alerts.log, {st_mode=S_IFREG|0640,
  st_size=2608807647, ...}) = 0
  stat(/etc/localtime, {st_mode=S_IFREG|0644, st_size=3661, ...}) = 0
  open(/logs/ossec/ossec-agent/logs/ossec.log,
  O_WRONLY|O_CREAT|O_APPEND,
  0666) = 6
  fstat(6, {st_mode=S_IFREG|0770, st_size=6467, ...}) = 0
  mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0)
  =
  0x7f718bba4000
  fstat(6, {st_mode=S_IFREG|0770, st_size=6467, ...}) = 0
  lseek(6, 6467, SEEK_SET)= 6467
  write(6, 2014/11/06 14:28:30 ossec-logcol..., 123) = 123
  close(6)= 0
  munmap(0x7f718bba4000, 4096)= 0
  close(5)= 0
  munmap(0x7f718bba5000, 4096)= 0
  select(0, NULL, NULL, NULL, {2, 0}) = 0 (Timeout)
  select(0, NULL, NULL, NULL, {2, 0}) = 0 (Timeout)
  select(0, NULL, NULL, NULL, {2, 0}) = 0 (Timeout)
  select(0, NULL, NULL, NULL, {2, 0}^C unfinished ...
 

 I don't actually see an open of the alerts.log, or any failures (or
 I'm missing them).

 
  It seems to fail after the keepalive every time.
 
  On Thursday, November 6, 2014 12:53:32 PM UTC, dan (ddpbsd) wrote:
 
  On Thu, Nov 6, 2014 at 6:44 AM, Chris H chris@gmail.com wrote:
   Has anyone got Hybrid working?
  
 
  I have agents that work and I have managers that work. So basically
  yes.
  What distro/version are you using?
  Can you try strace to see if that gives you more information on what's
  going on?
  Looking at the code, I think better information should be logged,
  maybe try turning on debug?
 
   according to lsof, nothing else seems to be accessing the files at
   the
   time
   that the agent stops processing them.
  
   I've figured out why it's looking at additional files/directories,
   it's
   pulled in the shared agent config; I'd forgotten I'd configured that
   :)
  
  
  
   On Tuesday, November 4, 2014 3:43:43 PM UTC, Chris H wrote:
  
   Hi. I've set selinux to Permissive, no difference.  It sends some
   logs
   out, in the 2 minutes before it stops processing the file.
  
   Thanks.
  
   On Tuesday, November 4, 2014 12:56:49 PM UTC, dan (ddpbsd) wrote:
  
   On Mon, Nov 3, 2014 at 12:39 PM, Chris H chris@gmail.com
   wrote:
Hi.  I'm trying to get a hybrid server working, and seeing some
odd
behaviour.  I'm running 2.8.1.
   
When the agent component starts, the logs state:
   
2014/11/03 17:00:24 ossec-agentd: INFO: Started (pid: 26197).
2014/11/03 17:00:24 ossec-agentd: INFO: Server IP Address:
192.168.1.1
2014/11/03 17:00:24 ossec-agentd: INFO: Trying to connect to
server
(192.168.1.1:1514).
2014/11/03 17:00:24 ossec-agentd: INFO: Using IPv4 for:
192.168.1.1
.
2014/11/03 17:00:24 ossec-rootcheck: Rootcheck disabled. Exiting.
2014/11/03 17:00:24 ossec-syscheckd: WARN: Rootcheck module
disabled.
2014/11/03 17:00:28 ossec-syscheckd: INFO: Started (pid: 26205).
2014/11/03 17:00:28 ossec-syscheckd: INFO: Monitoring directory:
'/etc'.
2014/11/03 17:00:28 ossec-syscheckd: INFO: Monitoring directory:
'/usr/bin'.
2014/11/03 17:00:28 ossec-syscheckd: INFO: 

Re: [ossec-list] pgp signatures for releases

2014-11-12 Thread Eero Volotinen
2014-11-12 16:08 GMT+02:00 dan (ddp) ddp...@gmail.com:

 On Sat, Nov 8, 2014 at 5:12 AM, Eero Volotinen eero.voloti...@iki.fi
 wrote:
  Hi List,
 
  I'm looking for GPG signatures for OSSEC releases. Where can I download them?
 

 It doesn't look like they're currently offered.


So, is there any way to verify that the source distribution has not been tampered with?
A SHA checksum from the same server is not a reliable way to do this.

--
Eero



Re: [ossec-list] pgp signatures for releases

2014-11-12 Thread dan (ddp)
On Wed, Nov 12, 2014 at 12:48 PM, Eero Volotinen eero.voloti...@iki.fi wrote:


 2014-11-12 16:08 GMT+02:00 dan (ddp) ddp...@gmail.com:

 On Sat, Nov 8, 2014 at 5:12 AM, Eero Volotinen eero.voloti...@iki.fi
 wrote:
  Hi List,
 
  I'm looking for GPG signatures for OSSEC releases. Where can I download
  them?
 

 It doesn't look like they're currently offered.


 So, is there any way to verify that the source distribution has not been tampered with? A SHA
 checksum from the same server is not a reliable way to do this.


Download the source from github? Call up one of the Trend guys and ask
them to read you the code?
No clue.

 --
 Eero




Re: [ossec-list] Hybrid issues - stops forwarding logs

2014-11-12 Thread dan (ddp)
On Wed, Nov 12, 2014 at 11:49 AM, dan (ddp) ddp...@gmail.com wrote:
 On Mon, Nov 10, 2014 at 4:02 AM, Chris H chris.hemb...@gmail.com wrote:
 The only calls in the strace to alerts.log are these:

 sendto(4, 1:ossec-keepalive:--MARK--: no[;..., 673, 0, NULL, 0) = 673


 Are you sure 4 is a log file, and not the connection to the
 ossec-remoted on the other end? I don't think there's enough of the
 logs to really get an idea of what's going on (maybe the developers
 would have more of a clue).

 I did set up a hybrid system on CentOS 7 with the latest OSSEC sources,
 but I'm not seeing the same issues you are.


Spoke too soon, just saw it happen after about an hour of running.

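To answer the "is fd 4 a log file or a socket?" question from the strace alone, the descriptor has to be traced back to the open()/socket()/connect() call that created it. The following Python is an added example, not code from the thread or from OSSEC: it walks an strace excerpt, maps each descriptor to its origin and decodes the OSSEC queue framing of the sendto() payloads. The socket()/connect() lines in the sample (a unix datagram socket to the agent's queue/ossec/queue path) and the meaning of queue id 1 are assumptions that are not in the posted trace.

```python
import re
from typing import Dict, List, Tuple

# Constructed strace excerpt. The stat/sendto/open/write lines mirror the ones
# posted in the thread; the socket()/connect() lines were not in the posted
# excerpt and are assumed, to show how fd 4 is resolved once its creation is
# in the trace (strace truncates string arguments, hence the "..." payloads).
SAMPLE_STRACE = """\
socket(PF_LOCAL, SOCK_DGRAM, 0) = 4
connect(4, {sa_family=AF_LOCAL, sun_path="/logs/ossec/ossec-agent/queue/ossec/queue"}, 110) = 0
stat("/logs/ossec/ossec-agent/queue/ossec/.wait", 0x7fffe60bf900) = -1 ENOENT (No such file or directory)
sendto(4, "1:/logs/ossec/logs/alerts/alerts"..., 641, 0, NULL, 0) = 641
sendto(4, "1:ossec-keepalive:--MARK--: no[;"..., 673, 0, NULL, 0) = 673
open("/logs/ossec/ossec-agent/logs/ossec.log", O_WRONLY|O_CREAT|O_APPEND, 0666) = 6
write(6, "2014/11/06 14:28:30 ossec-logcol"..., 123) = 123
close(6) = 0
"""

RE_OPEN = re.compile(r'^open(?:at)?\((?:AT_FDCWD, )?"([^"]*)".*\) = (\d+)$')
RE_SOCKET = re.compile(r'^socket\(([^)]*)\) = (\d+)$')
RE_CONNECT = re.compile(r'^connect\((\d+), \{(.*)\}, \d+\) = 0$')
RE_CLOSE = re.compile(r'^close\((\d+)\)')
RE_SEND = re.compile(r'^(sendto|send|write)\((\d+), "((?:[^"\\]|\\.)*)"')

# OSSEC frames queue messages as "<queue id>:<location>:<log>"; id '1' is the
# localfile queue ossec-logcollector writes to (assumed from the OSSEC source,
# not something the thread states).
QUEUE_IDS = {"1": "localfile"}


def describe_payload(payload: str) -> str:
    """Decode the OSSEC queue framing if the (possibly truncated) payload has it."""
    parts = payload.split(":", 2)
    if len(parts) >= 2 and parts[0] in QUEUE_IDS:
        return f"{QUEUE_IDS[parts[0]]} queue, location={parts[1]!r}"
    return "not an OSSEC queue message"


def resolve_sends(trace: str) -> List[Tuple[str, int, str, str]]:
    """Return (syscall, fd, origin of fd, decoded payload) for each send/write."""
    fds: Dict[int, str] = {}
    out: List[Tuple[str, int, str, str]] = []
    for line in trace.splitlines():
        if m := RE_OPEN.match(line):
            fds[int(m.group(2))] = f"file {m.group(1)}"
        elif m := RE_SOCKET.match(line):
            fds[int(m.group(2))] = f"socket({m.group(1)})"
        elif m := RE_CONNECT.match(line):
            fd = int(m.group(1))
            fds[fd] = fds.get(fd, "socket") + f" -> {m.group(2)}"
        elif m := RE_CLOSE.match(line):
            fds.pop(int(m.group(1)), None)
        elif m := RE_SEND.match(line):
            fd = int(m.group(2))
            origin = fds.get(fd, "unknown (opened before the trace started)")
            out.append((m.group(1), fd, origin, describe_payload(m.group(3))))
    return out


if __name__ == "__main__":
    for call, fd, origin, what in resolve_sends(SAMPLE_STRACE):
        print(f"{call}(fd={fd}) -> {origin}: {what}")
```

If the real trace was started after the process had already opened its descriptors (as in the excerpt posted), the origin comes back as unknown; restarting the process under strace, or using strace -p with -y, gets the creation calls into the trace.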

[ossec-list] Agentless timeouts for linux and MAC systems

2014-11-12 Thread Jim Nofsinger
Hello Guys/Gals,

I have a new system up and running with OSSEC. I'm trying to get an agentless 
deployment working and it is timing out right after a successful login. I 
have tried the expect script with commands such as pwd and it always 
times out. This happens for a few Linux hosts and a Mac host... on the 
same subnet, no firewalls on.  

Anyone have suggestions on what to try next? I do get a login prompt, so I 
get to the box... frustrating :)

2014/11/12 14:31:22 ossec-agentlessd: DEBUG: buffer: spawn ssh 
juser@192.168.1.1

2014/11/12 14:31:22 ossec-agentlessd: DEBUG: buffer: juser@192.168.1.1s 
password:

2014/11/12 14:31:22 ossec-agentlessd: DEBUG: buffer: Last login: Wed Nov 12 
14:29:10 2014 from ossec.local

2014/11/12 14:31:26 ossec-syscheckd: INFO: Starting syscheck scan 
(forwarding database).

2014/11/12 14:31:26 ossec-syscheckd: INFO: Starting syscheck database 
(pre-scan).

2014/11/12 14:31:42 ossec-agentlessd: DEBUG: buffer: juser@system1:^[
[1;4;31;40mPRODUCTION^[[0m:~

2014/11/12 14:31:42 ossec-agentlessd: ERROR: ssh_integrity_check_linux: 
juser@192.168.1.1: Timeout while running on host: juser@192.168.1.1 .

2014/11/12 14:40:42 ossec-syscheckd: INFO: Finished creating syscheck 
database (pre-scan completed).

2014/11/12 14:40:54 ossec-syscheckd: INFO: Ending syscheck scan (forwarding 
database).

2014/11/12 14:41:14 ossec-rootcheck: INFO: Starting rootcheck scan.

2014/11/12 14:41:14 ossec-rootcheck: DEBUG: Starting on check_rc_files

2014/11/12 14:41:14 ossec-rootcheck: DEBUG: Starting on check_rc_trojans

2014/11/12 14:41:17 ossec-rootcheck: DEBUG: Starting on check_rc_unixaudit

-- 

--- 
You received this message because you are subscribed to the Google Groups 
ossec-list group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to ossec-list+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.


Re: [ossec-list] Agentless timeouts for linux and MAC systems

2014-11-12 Thread dan (ddp)
On Wed, Nov 12, 2014 at 3:02 PM, Jim Nofsinger jnofsin...@gmail.com wrote:
 Hello Guys/Gals,

 I have a new system up and running with OSSEC. I'm trying to get an agentless
 deployment working and it is timing out right after a successful login. I
 have tried the expect script with commands such as pwd and it always times
 out. This happens for a few Linux hosts and a Mac host... on the same
 subnet, no firewalls on.

 Anyone have suggestions on what to try next? I do get a login prompt, so I
 get to the box... frustrating :)


Try running the script manually. I'm guessing the script is expecting
to see something it isn't seeing.

 2014/11/12 14:31:22 ossec-agentlessd: DEBUG: buffer: spawn ssh
 juser@192.168.1.1

 2014/11/12 14:31:22 ossec-agentlessd: DEBUG: buffer: juser@192.168.1.1s
 password:

 2014/11/12 14:31:22 ossec-agentlessd: DEBUG: buffer: Last login: Wed Nov 12
 14:29:10 2014 from ossec.local

 2014/11/12 14:31:26 ossec-syscheckd: INFO: Starting syscheck scan
 (forwarding database).

 2014/11/12 14:31:26 ossec-syscheckd: INFO: Starting syscheck database
 (pre-scan).

 2014/11/12 14:31:42 ossec-agentlessd: DEBUG: buffer:
 juser@system1:^[[1;4;31;40mPRODUCTION^[[0m:~

 2014/11/12 14:31:42 ossec-agentlessd: ERROR: ssh_integrity_check_linux:
 juser@192.168.1.1: Timeout while running on host: juser@192.168.1.1 .

 2014/11/12 14:40:42 ossec-syscheckd: INFO: Finished creating syscheck
 database (pre-scan completed).

 2014/11/12 14:40:54 ossec-syscheckd: INFO: Ending syscheck scan (forwarding
 database).

 2014/11/12 14:41:14 ossec-rootcheck: INFO: Starting rootcheck scan.

 2014/11/12 14:41:14 ossec-rootcheck: DEBUG: Starting on check_rc_files

 2014/11/12 14:41:14 ossec-rootcheck: DEBUG: Starting on check_rc_trojans

 2014/11/12 14:41:17 ossec-rootcheck: DEBUG: Starting on check_rc_unixaudit


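One way to see what the expect script may be tripping over in the DEBUG buffers above: the last buffer before the timeout carries terminal colour escapes (^[[1;4;31;40m ... ^[[0m) inside the remote prompt. The following Python is an added example, not part of the thread or of OSSEC's agentless scripts; it extracts each buffer, strips CSI escape sequences and reports whether a conventional prompt terminator is present. The prompt pattern is an assumed stand-in for whatever the real script waits for, and the plain-prompt host line in the sample is constructed.

```python
import re
from typing import Dict, List

# Constructed log lines in the shape of the ossec-agentlessd DEBUG output
# quoted above; ESC appears as the caret sequence ^[ exactly as in the log.
# The last line (a host with a plain prompt) is added for contrast.
SAMPLE_LOG = """\
2014/11/12 14:31:22 ossec-agentlessd: DEBUG: buffer: spawn ssh juser@192.168.1.1
2014/11/12 14:31:22 ossec-agentlessd: DEBUG: buffer: Last login: Wed Nov 12 14:29:10 2014 from ossec.local
2014/11/12 14:31:42 ossec-agentlessd: DEBUG: buffer: juser@system1:^[[1;4;31;40mPRODUCTION^[[0m:~
2014/11/12 14:31:42 ossec-agentlessd: DEBUG: buffer: juser@plainhost:~$
"""

BUFFER_RE = re.compile(r"ossec-agentlessd: DEBUG: buffer: (.*)$")
# CSI escape sequences, either as a raw ESC byte or as the ^[ caret notation.
ANSI_RE = re.compile(r"(?:\x1b|\^\[)\[[0-9;?]*[ -/]*[@-~]")
# Assumed stand-in for the pattern the expect script waits for: a
# conventional shell prompt terminator at the end of the captured buffer.
PROMPT_RE = re.compile(r"[$#>] ?$")


def parse_buffers(log: str) -> List[str]:
    """Pull the captured remote output out of each 'DEBUG: buffer:' line."""
    return [m.group(1) for m in map(BUFFER_RE.search, log.splitlines()) if m]


def check_buffer(buf: str) -> Dict[str, object]:
    """Report whether a buffer ends in a prompt, before and after removing
    terminal escape sequences, and whether any escapes were present."""
    clean = ANSI_RE.sub("", buf)
    return {
        "raw": buf,
        "clean": clean,
        "has_escapes": clean != buf,
        "prompt_raw": bool(PROMPT_RE.search(buf)),
        "prompt_clean": bool(PROMPT_RE.search(clean)),
    }


def diagnose(log: str) -> List[Dict[str, object]]:
    """One report per captured buffer; the suspicious ones are those with
    escapes, or with no recognisable prompt terminator even after cleaning."""
    return [check_buffer(b) for b in parse_buffers(log)]


if __name__ == "__main__":
    for r in diagnose(SAMPLE_LOG):
        flag = "ESCAPES " if r["has_escapes"] else ""
        verdict = "prompt ok" if r["prompt_clean"] else "no prompt match"
        print(f"{flag}{verdict}: {r['clean']!r}")
```

Running it against the real ossec.log (with agentless debug on) shows directly whether the prompt the host sends matches anything a literal "$ " or "# " pattern could ever see; a coloured PS1 is the usual culprit and is easiest fixed on the target account used by the agentless login.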