Re: [ossec-list] Agent Install on fresh install of Fedora 16 fails

2015-11-02 Thread dan (ddp)
On Wed, Oct 21, 2015 at 8:50 AM, Guilherme Boing wrote:
> Hello,
>
> I have just installed Fedora 16 on a VM and the ossec agent install fails.
>
> 2015/10/20 15:30:05 ossec-config(1230): ERROR: Invalid element in the
> configuration: 'client'.
> 2015/10/20 15:30:05 ossec-config(1202): ERROR: Configuration error at
> '/var/ossec/etc/ossec.conf'. Exiting.
> 2015/10/20 15:30:05 ossec-agentd(1215): ERROR: No client configured.
> Exiting.
>
> What I have noticed is that the server-ip parameter is empty, however, I
> have supplied it correctly during the agent installation.
>
> 
>   
>   
>
> The way to fix it is just add the server-ip parameter inside the
> .
>
> Anyway, I just would like to report this issue.
> Thanks.
>

Did you install an RPM or from source? I think the RPMs come with a
script to help configure everything. The source installation should
gather that information during installation.

> --
>
> ---
> You received this message because you are subscribed to the Google Groups
> "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to ossec-list+unsubscr...@googlegroups.com.
> For more options, visit https://groups.google.com/d/optout.

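The symptom in this thread is an agent whose ossec.conf carries an empty server-ip. The following added check script (not OSSEC's own code) parses an agent's ossec.conf and reports whether a client block with a non-empty server-ip is present; it assumes the usual `<ossec_config><client><server-ip>` layout and that the file has no XML declaration.

```python
"""Check that an OSSEC agent's ossec.conf has a non-empty <client><server-ip>.

Added example, not OSSEC's own code. Assumes the standard agent layout
<ossec_config><client><server-ip>IP</server-ip></client></ossec_config>.
"""
import xml.etree.ElementTree as ET


def parse_ossec_conf(text):
    # ossec.conf may hold several top-level <ossec_config> blocks, which is not
    # well-formed XML on its own, so wrap the file in a synthetic root first.
    return ET.fromstring("<root>" + text + "</root>")


def find_server_ips(text):
    """Return every <server-ip> value found under any <client> block."""
    root = parse_ossec_conf(text)
    values = []
    for client in root.iter("client"):
        for ip in client.findall("server-ip"):
            values.append((ip.text or "").strip())
    return values


def check_agent_config(text):
    """Return (ok, message) for the two failure modes seen in the thread:
    no <client> block at all, or a <client> whose <server-ip> is empty."""
    ips = find_server_ips(text)
    if not ips:
        return False, "no <client><server-ip> element: no manager configured"
    if any(ip == "" for ip in ips):
        return False, "<server-ip> is empty: add the manager address"
    return True, "manager address: " + ", ".join(ips)


# Constructed sample configs, one broken as in the thread and one corrected.
BROKEN_CONF = """<ossec_config>
  <client>
    <server-ip></server-ip>
  </client>
</ossec_config>
"""
FIXED_CONF = """<ossec_config>
  <client>
    <server-ip>192.0.2.10</server-ip>
  </client>
</ossec_config>
<ossec_config>
  <syscheck><frequency>1800</frequency></syscheck>
</ossec_config>
"""

if __name__ == "__main__":
    for name, conf in (("broken", BROKEN_CONF), ("fixed", FIXED_CONF)):
        ok, msg = check_agent_config(conf)
        print(name, "OK" if ok else "FAIL", msg)
```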


Re: [ossec-list] Not receiving alert when file is set back to original state

2015-11-02 Thread dan (ddp)
On Thu, Oct 22, 2015 at 6:56 PM, DerekC wrote:
> I am running OSSEC with monitoring set on /etc with syscheck running every
> 30 minutes.
>
> I will make a change to a file and I receive an alert that the file has
> changed the next time syscheck runs.
> I then change the file back to its original state, but I do not receive an
> alert that the file has been changed.
>
> If I make a different change to the file, I receive an alert. It's ONLY when
> the file changes back to its original state that I do not receive an alert.
>
> Is this a configuration issue that I am missing?
>
> Please let me know if this makes sense.
>

That's an interesting issue. Try creating a new file and letting it be
picked up by syscheck. Then modify the file. Let the change be alerted
via syscheck. Stop the OSSEC processes on the manager (or that system
if it is a local installation). Open the syscheck db file for that
system in a text editor (/var/ossec/queue/syscheck), and remove the
old entry for that file. Start the OSSEC processes again, revert the
file, and see if an alert is created.

> Thanks!
>
>
> Below is the ossec.conf file on the agent:
>
> 
>
> 
>   
> 10.0.1.10
>   
>
>   
> 
> 1800
> yes
>
> 
> /etc
>  check_all="yes">/bin,/sbin,/usr/bin,/usr/sbin,/usr/local/bin,/usr/local/sbin
>
> 
> /etc/mtab
> /etc/hosts.deny
> /etc/mail/statistics
> /etc/random-seed
> /etc/adjtime
> /etc/httpd/logs
> /etc/lvm/archive
> /etc/lvm/backup
> /etc/lvm/cache
> /etc/service/
>   
>
>   
> /var/ossec/etc/shared/rootkit_files.txt
>
> /var/ossec/etc/shared/rootkit_trojans.txt
>   
>
>   
> full_command
> netstat -tan |grep LISTEN |grep -v 127.0.0.1 | sort
>   
> 
>

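The reply above removes the file's old entry from the per-agent syscheck db by hand. The following added script (not OSSEC's own tooling) does that edit programmatically; it assumes the db line layout `<marker><checksum> !<mtime> <path>`, with `+++` marking a live entry and `#` a superseded one, which is an assumption about the 2.x db format rather than something the thread confirms. As the reply says, run it only with the OSSEC processes stopped.

```python
"""Drop every syscheck-db entry for one path so the next scan records the file
afresh. Added example, not OSSEC's own tooling."""
import re
import shutil

# Assumed db line layout (an assumption, not confirmed by the thread):
# "<marker><checksum> !<mtime> <path>", marker "+++" = live, "#" = superseded.
# The path is everything after the mtime, since paths may contain spaces.
ENTRY_RE = re.compile(r"^(?P<marker>\+\+\+|#)(?P<sum>\S+) !(?P<mtime>\d+) (?P<path>.+)$")


def entry_path(line):
    """Path recorded on a db line, or None if the line is not an entry."""
    m = ENTRY_RE.match(line.rstrip("\n"))
    return m.group("path") if m else None


def drop_entries(lines, target):
    """Return (kept_lines, removed_count) with every entry for `target` gone,
    superseded "#" lines included, so no history of the file remains."""
    kept, removed = [], 0
    for line in lines:
        if entry_path(line) == target:
            removed += 1
        else:
            kept.append(line)
    return kept, removed


def prune_db_file(db_path, target):
    """Back up the per-agent db file, then rewrite it without `target`."""
    shutil.copy2(db_path, db_path + ".bak")
    with open(db_path) as fh:
        kept, removed = drop_entries(fh.readlines(), target)
    with open(db_path, "w") as fh:
        fh.writelines(kept)
    return removed


# Constructed sample db: "/etc/test file" was recorded, then modified, so its
# first entry was superseded ("#") and a fresh "+++" entry appended.
SAMPLE_DB = [
    "+++1024:33188:0:0:aaaa:bbbb !1445500000 /etc/passwd\n",
    "#2048:33188:0:0:cccc:dddd !1445500000 /etc/test file\n",
    "+++2050:33188:0:0:eeee:ffff !1445501800 /etc/test file\n",
    "+++512:33188:0:0:1111:2222 !1445500000 /etc/hosts\n",
]

if __name__ == "__main__":
    kept, n = drop_entries(SAMPLE_DB, "/etc/test file")
    print("removed %d entries, %d remain" % (n, len(kept)))
```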


Re: [ossec-list] archives / log - Ossec-manager writes wrong time on archives.log

2015-11-02 Thread dan (ddp)
On Sun, Nov 1, 2015 at 2:30 PM, sfritzke wrote:
> Hi,
>
> you can delete this post. I sent 2 similar posts, because the first post was
> not displaying on the group list. Only a few minutes later.
>

The list is moderated, and sometimes I don't get to the queue right away.

> On Sunday, 1 November 2015 19:35:25 UTC+1, dan (ddpbsd) wrote:
>>
>>
>> On Nov 1, 2015 1:26 PM, "sfritzke" wrote:
>> >
>> > Hi,
>> >
>> > I have configured ossec-server to archive all events sent by the
>> > ossec-client (yes).
>> > This function works fine, but ossec writes the wrong time into
>> > archives.log:
>> >
>> > 2015 Nov 01 09:13:12 ossec->df -h ossec: output: 'df -h':
>> > /dev/mapper/vg_ossec-lv_root
>> > 2015 Nov 01 09:13:12 ossec->df -h ossec: output: 'df -h':
>> > 16G  7.8G  7.4G  52% /
>> > 2015 Nov 01 09:13:12 ossec->df -h ossec: output: 'df -h': tmpfs
>> > 1.9G  280K  1.9G   1% /de
>> >
>> > The systime on the ossec-manager and ossec-agent are correct.
>> >
>> > How can I solve this problem?
>> >
>>
>> What time should those entries be for? Perhaps the timezone is wrong?
>>
>> > Best regards,
>> >
>> > Suzan.
>> >
>



Re: [ossec-list] Re: how to set alert for authentication failure attempt in windows

2015-11-02 Thread dan (ddp)
On Mon, Nov 2, 2015 at 4:21 AM, Hak Bun wrote:
> Dear All,
>
> Could anyone advise on this?
>

Turn on the log all option on the manager.
Restart the OSSEC processes on the manager.
Fail to login to a Windows agent.
Check the /var/ossec/logs/archives/archives.log file for the failed
authentication attempt.
Please provide us with the log message in the archives.log file. (You
can replace usernames with USERNAME, and IP addresses with something
like 10.10.10.X (replacing X with a different number for each
different IP seen in the log))

> Thanks in advance.
> Hak
>
> On Fri, Oct 23, 2015 at 10:48 AM, Hak Bun wrote:
>>
>> Dear All,
>>
>> How can I set an alert for authentication failure attempts in Windows?
>>
>> Thanks in advance for your comment.
>> Hak
>
>

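The reply above asks for the archives.log lines with usernames replaced by USERNAME and each distinct IP replaced by 10.10.10.X, a different X per address. The following added script (not OSSEC's own code) applies exactly that masking consistently across a batch of lines; the usernames to mask are passed in explicitly, since a log line does not mark which token is an account name, and the sample lines are constructed, not real event text.

```python
"""Mask usernames and IPs in archives.log lines before posting them.
Added example, not OSSEC's own code."""
import re

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


class Sanitiser:
    """Masks usernames and IPs consistently across a batch of log lines."""

    def __init__(self, usernames):
        # Longest names first, so "admin2" is not left half-masked by "admin".
        self.usernames = sorted(usernames, key=len, reverse=True)
        self.ip_map = {}  # real address -> 10.10.10.X, stable across lines

    def placeholder(self, ip):
        """Hand out 10.10.10.1, 10.10.10.2, ... in order of first appearance."""
        if ip not in self.ip_map:
            self.ip_map[ip] = "10.10.10.%d" % (len(self.ip_map) + 1)
        return self.ip_map[ip]

    def sanitise(self, line):
        line = IPV4_RE.sub(lambda m: self.placeholder(m.group(0)), line)
        for name in self.usernames:
            # Whole-token match only, so user "bob" does not clobber "bobcat".
            pattern = r"(?<![\w.-])%s(?![\w.-])" % re.escape(name)
            line = re.sub(pattern, "USERNAME", line)
        return line

    def sanitise_all(self, lines):
        return [self.sanitise(line) for line in lines]


# Constructed sample in the archives.log style
# ("<date> (<agent>) <agent-ip>-><location> <event>"); the event text is
# invented for illustration, not a real Windows event record.
SAMPLE = [
    "2015 Nov 02 10:15:01 (winhost) 192.168.56.20->WinEvtLog WinEvtLog: Security: "
    "AUDIT_FAILURE(4625): User: jdoe Source Network Address: 192.168.56.101",
    "2015 Nov 02 10:15:07 (winhost) 192.168.56.20->WinEvtLog WinEvtLog: Security: "
    "AUDIT_FAILURE(4625): User: jdoe Source Network Address: 192.168.56.102",
]

if __name__ == "__main__":
    for line in Sanitiser(["jdoe"]).sanitise_all(SAMPLE):
        print(line)
```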


Re: [ossec-list] Level: 6 - Attempt to use mail server as relay (client host rejected).

2015-11-02 Thread dan (ddp)
On Mon, Nov 2, 2015 at 4:37 AM, Hak Bun wrote:
> Dear All,
>
> I have just installed Postfix, Dovecot, and Squirrelmail.
> When I test sending out through the web mail, my yahoo can receive the
> email.
>
> But I get an error "Recipient address rejected: Access denied" when telnet
> smtp to outside or local mail:
>
> telnet localhost smtp
> Trying 127.0.0.1...
> Connected to localhost.
> Escape character is '^]'.
> 220 ossec.myossec.com ESMTP Postfix
> ehlo localhost
> 250-ossec.myossec.com
> 250-PIPELINING
> 250-SIZE 1024
> 250-VRFY
> 250-ETRN
> 250-STARTTLS
> 250-AUTH LOGIN PLAIN
> 250-AUTH=LOGIN PLAIN
> 250-ENHANCEDSTATUSCODES
> 250-8BITMIME
> 250 DSN
> mail from: hak
> 250 2.1.0 Ok
> rcpt to: hak_...@yahoo.com
> 554 5.7.1 : Recipient address rejected: Access denied
> rcpt to: long
> 554 5.7.1 : Recipient address rejected: Access denied
>
>
> And also get an error with configuration in OSSEC
>
>
> Error
> "
> Level:
> 6 - Attempt to use mail server as relay (client host rejected).
> Rule Id:
> 3301
> Location:
> localhost->/var/log/maillog
> Src IP:
> 192.168.56.101
> Nov 2 16:05:06 localhost postfix/smtpd[7815]: NOQUEUE: reject: RCPT from
> myossec.local[192.168.56.101]: 554 5.7.1 : Recipient
> address rejected: Access denied; from=
> to= proto=SMTP helo=
>
> "
>

Postfix is denying the email. Perhaps it requires authentication
(which OSSEC does not support)?

> Please help if you know
> Thanks
> Hak
>



Re: [ossec-list] Realtime monitoring on windows agent / ERROR: Unable to create directory

2015-11-02 Thread sfritzke


You're right!

OSSEC supports *report_changes* only for Linux and Unix systems 
(http://ossec-docs.readthedocs.org/en/latest/manual/syscheck/).

The reason why I didn't get alerts for further file changes was the 
default configuration from ossec, which ignores changes made more than 3 
times.

On Sunday, 1 November 2015 20:42:37 UTC+1, dan (ddpbsd) wrote:
>
>
> On Nov 1, 2015 2:27 PM, "sfritzke" wrote:
> >
> > Hi,
> >
> > I have configured my windows-agent to monitor changes for the 
> abc-Directory in real time:
> >
> >  realtime="yes">c:\abc
> >
> > When I change the file abc.txt in this directory, ossec generates an 
> alert correctly, but also writes an error into ossec.log on the agent. 
> >
> > 2015/11/01 18:50:57 ossec-agent(1107): ERROR: Unable to create 
> directory: '/var/ossec/queue/diff/local/:\abc'
> > 2015/11/01 18:50:57 ossec-agent(1124): ERROR: Unable to rename file: 
> 'c:\abc/abc.txt'.
> >
> > How can I solve this?
> >
>
> Does the win agent support report changes? 
>



Re: [ossec-list] Level: 6 - Attempt to use mail server as relay (client host rejected).

2015-11-02 Thread Eero Volotinen
Your postfix is incorrectly configured. This is not related to ossec in
any way.

Eero
On 2.11.2015 11.37 AM, "Hak Bun" wrote:

> Dear All,
>
> I have just installed Postfix, Dovecot, and Squirrelmail.
> When I test sending out through the web mail, my yahoo can receive the
> email.
>
> But I get an error "Recipient address rejected: Access denied" when telnet
> smtp to outside or local mail:
>
> telnet localhost smtp
> Trying 127.0.0.1...
> Connected to localhost.
> Escape character is '^]'.
> 220 ossec.myossec.com ESMTP Postfix
> ehlo localhost
> 250-ossec.myossec.com
> 250-PIPELINING
> 250-SIZE 1024
> 250-VRFY
> 250-ETRN
> 250-STARTTLS
> 250-AUTH LOGIN PLAIN
> 250-AUTH=LOGIN PLAIN
> 250-ENHANCEDSTATUSCODES
> 250-8BITMIME
> 250 DSN
> mail from: hak
> 250 2.1.0 Ok
> rcpt to: hak_...@yahoo.com
> 554 5.7.1 : Recipient address rejected: Access denied
> rcpt to: long
> 554 5.7.1 : Recipient address rejected: Access denied
>
>
> And also get an error with configuration in OSSEC
>
>
> Error
> "
> Level:
> 6 - Attempt to use mail server as relay (client host rejected).
> Rule Id:
> 3301
> Location:
> localhost->/var/log/maillog
> Src IP:
> 192.168.56.101
> Nov 2 16:05:06 localhost postfix/smtpd[7815]: NOQUEUE: reject: RCPT from
> myossec.local[192.168.56.101]: 554 5.7.1 : Recipient address rejected:
> Access denied; from= to= proto=SMTP helo=
>
> "
>
> Please help if you know
> Thanks
> Hak
>
>



[ossec-list] Level: 6 - Attempt to use mail server as relay (client host rejected).

2015-11-02 Thread Hak Bun
Dear All,

I have just installed Postfix, Dovecot, and Squirrelmail.
When I test sending out through the web mail, my yahoo can receive the
email.

But I get an error "Recipient address rejected: Access denied" when telnet
smtp to outside or local mail:

telnet localhost smtp
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
220 ossec.myossec.com ESMTP Postfix
ehlo localhost
250-ossec.myossec.com
250-PIPELINING
250-SIZE 1024
250-VRFY
250-ETRN
250-STARTTLS
250-AUTH LOGIN PLAIN
250-AUTH=LOGIN PLAIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
mail from: hak
250 2.1.0 Ok
rcpt to: hak_...@yahoo.com
554 5.7.1 : Recipient address rejected: Access denied
rcpt to: long
554 5.7.1 : Recipient address rejected: Access denied


And also get an error with configuration in OSSEC


Error
"
Level:
6 - Attempt to use mail server as relay (client host rejected).
Rule Id:
3301
Location:
localhost->/var/log/maillog
Src IP:
192.168.56.101
Nov 2 16:05:06 localhost postfix/smtpd[7815]: NOQUEUE: reject: RCPT from
myossec.local[192.168.56.101]: 554 5.7.1 : Recipient address rejected:
Access denied; from= to= proto=SMTP helo=

"

Please help if you know
Thanks
Hak



[ossec-list] Re: how to set alert for authentication failure attempt in windows

2015-11-02 Thread Hak Bun
Dear All,

Could anyone advise on this?

Thanks in advance.
Hak

On Fri, Oct 23, 2015 at 10:48 AM, Hak Bun wrote:

> Dear All,
>
> How can I set an alert for authentication failure attempts in Windows?
>
> Thanks in advance for your comment.
> Hak
>
