[ossec-list] User who change files

2015-12-23 Thread Maxim Surdu
Hi everyone,

I am new to OSSEC. I configured the ossec-server and the ossec-agent, and all is
working formidably!
I can see logs when a file is changed, but not who did it and what changed.
Can someone help me set up OSSEC to get more info?

Any help would be greatly appreciated
 
Thanks,
Maxim

-- 

--- 
You received this message because you are subscribed to the Google Groups 
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to ossec-list+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.


Re: [ossec-list] multiple errors during rootcheck

2015-12-23 Thread Santiago Bassett
The first error is caused because some rootcheck rules use the $web_dirs
variable, as defined in the system_audit_rcl.txt file:

system_audit_rcl.txt:
$web_dirs=/var/www,/var/htdocs,/home/httpd,/usr/local/apache,/usr/local/apache2,/usr/local/www;

Theresa, if you don't use those files you can tune that variable.

On the other hand, I don't think that should actually be considered an
"Error" but rather a "Warning", as none of the capabilities that OSSEC
provides are broken because of it.

I would say the second error is caused because you have realtime monitoring
enabled for directories that do not exist.

I hope that helps,

Santiago.

On Wed, Dec 23, 2015 at 5:33 AM, dan (ddp)  wrote:

> On Wed, Dec 23, 2015 at 8:21 AM, theresa mic-snare wrote:
> > Hi Dan,
> >
> > thanks for the pull request.
> > When upgrading to 2.9, would I need to uninstall my current OSSEC
> > installation, or is there an upgrade scenario?
> > Would this mean I would lose my current data (e.g. alerts, logs, etc.)?
> > Because if so, I will wait till February to install OSSEC 2.9, after my
> > thesis project has been accepted and finalized.
> >
>
> I understand waiting (and I wouldn't blame you at all), but there is
> an upgrade option.
>
> > you were right, the two errors were unrelated.
> > I ran out of inodes previously, I couldn't even run a tail of the ossec.log
> > anymore. I had it set to 8192 and then increased it to 16384.
> > The syscheck errors disappeared then...
> >
> > On Wednesday, 23 December 2015 13:46:25 UTC+1, dan (ddpbsd) wrote:
> >>
> >> On Wed, Dec 23, 2015 at 7:15 AM, theresa mic-snare wrote:
> >> > hi everyone,
> >> >
> >> > I'm receiving multiple errors during rootcheck... I think we discussed
> >> > this a couple of months ago... and from what I remember it would be fixed
> >> > in the next release?
> >> > 2015/12/23 12:01:25 ERROR: statfs('/usr/local/apache') produced error: No such file or directory
> >> > 2015/12/23 12:01:25 ERROR: statfs('/usr/local/apache2') produced error: No such file or directory
> >> > 2015/12/23 12:01:25 ERROR: statfs('/usr/local/www') produced error: No such file or directory
> >> > 2015/12/23 12:01:25 ERROR: statfs('/var/htdocs') produced error: No such file or directory
> >> > 2015/12/23 12:01:25 ERROR: statfs('/home/httpd') produced error: No such file or directory
> >> > 2015/12/23 12:01:25 ERROR: statfs('/usr/local/apache') produced error: No such file or directory
> >> > 2015/12/23 12:01:25 ERROR: statfs('/usr/local/apache2') produced error: No such file or directory
> >> > 2015/12/23 12:01:25 ERROR: statfs('/usr/local/www') produced error: No such file or directory
> >> >
> >> > I'm still using the old stable version 2.8 (no idea which minor version,
> >> > because in ossec-init.conf it only says 2.8)
> >> > Has this been fixed in 2.9?
> >> >
> >>
> >> Download the beta and see:
> >>
> >> https://bintray.com/ossec/ossec-hids/ossec-hids/2.9.0_beta_20151211/view
> >> But no, I don't think it was. The PR I submitted for this was never
> >> accepted, and it looks like I deleted the branch several months after
> >> submitting it. So here's a new pull request:
> >> https://github.com/ossec/ossec-hids/pull/720
> >>
> >> > and where do these statfs errors come from anyway? I don't think I have
> >> > this in the ossec.conf so it must come from a .c file
> >> >
> >> > and I've also got this error recently:
> >> > 2015/12/23 13:09:20 ossec-syscheckd: ERROR: Unable to add directory to real time monitoring: '/var/www/html/dokuwiki/lib/plugins/config/lang/eu'. -1 28
> >> > 2015/12/23 13:09:20 ossec-syscheckd: ERROR: Unable to add directory to real time monitoring: '/var/www/html/dokuwiki/lib/plugins/config/lang/ru'. -1 28
> >> > 2015/12/23 13:09:20 ossec-syscheckd: ERROR: Unable to add directory to real time monitoring: '/var/www/html/dokuwiki/lib/plugins/config/lang/ca-valencia'. -1 28
> >> > 2015/12/23 13:09:22 ossec-syscheckd: ERROR: Unable to add directory to real time monitoring: '/var/www/html/dokuwiki/lib/plugins/config/lang/mr'. -1 28
> >> > 2015/12/23 13:09:22 ossec-syscheckd: ERROR: Unable to add directory to real time monitoring: '/var/www/html/dokuwiki/lib/plugins/config/lang/de'. -1 28
> >> > 2015/12/23 13:09:22 ossec-syscheckd: ERROR: Unable to add directory to real time monitoring: '/var/www/html/dokuwiki/lib/plugins/config/lang/id-ni'. -1 28
> >> > 2015/12/23 13:09:22 ossec-syscheckd: ERROR: Unable to add directory to real time monitoring: '/var/www/html/dokuwiki/lib/plugins/config/lang/ja'. -1 28
> >> > 2015/12/23 13:09:22 ossec-syscheckd: ERROR: Unable to add directory to real time monitoring: '/var/www/html/dokuwiki/lib/plugins/config/lang/fr'. -1 28
> >> > 2015/1
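The tuning Santiago suggests works on the `$web_dirs` variable line in system_audit_rcl.txt. The script below is an added example, not part of the thread and not OSSEC's own code: it parses the `$name=value,...;` variable lines of an rcl file, lists the directories that are absent on the host (each of which rootcheck reports with a statfs() error like the ones above), and rewrites the variable to keep only the existing ones. The rcl excerpt embedded in it is constructed for the example ($php_ini is a made-up second variable), and the `exists` parameter is injectable so the check can be run against a fake filesystem view.

```python
import os
import re

# Constructed excerpt in the layout of system_audit_rcl.txt.  The $web_dirs
# line is the one quoted in the thread; $php_ini is a made-up second variable.
SAMPLE_RCL = """\
# Variables used by the audit checks below (constructed excerpt)
$web_dirs=/var/www,/var/htdocs,/home/httpd,/usr/local/apache,/usr/local/apache2,/usr/local/www;
$php_ini=/etc/php.ini,/var/www/conf/php.ini;
"""

# An rcl variable line looks like:  $name=value1,value2,...;
VAR_RE = re.compile(r"^\$(\w+)=(.*?);\s*$")


def parse_rcl_variables(text):
    """Return {name: [values]} for every $name=...; line in an rcl file."""
    variables = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = VAR_RE.match(line)
        if m:
            variables[m.group(1)] = [v.strip() for v in m.group(2).split(",") if v.strip()]
    return variables


def missing_dirs(text, var="web_dirs", exists=os.path.isdir):
    """Directories listed in `var` that are absent on this host.  Each one is a
    rootcheck 'statfs(...) produced error: No such file or directory' waiting
    to happen.  `exists` is injectable so the check can be unit-tested."""
    return [d for d in parse_rcl_variables(text).get(var, []) if not exists(d)]


def tuned_rcl(text, var="web_dirs", exists=os.path.isdir):
    """Return the rcl text with `var` rewritten to list only the existing
    directories, which is the tuning suggested in the thread."""
    keep = [d for d in parse_rcl_variables(text).get(var, []) if exists(d)]
    new_line = "$%s=%s;" % (var, ",".join(keep))
    return re.sub(r"^\$%s=.*?;\s*$" % re.escape(var), new_line, text, flags=re.M)


if __name__ == "__main__":
    for d in missing_dirs(SAMPLE_RCL):
        print("not on this host:", d)
    print(tuned_rcl(SAMPLE_RCL))
```

Run it on a copy of the real file (`tuned_rcl(open(path).read())`) and diff the result against the original before putting it in place; an empty `$web_dirs=;` means none of the listed web roots exist on that host.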

Re: [ossec-list] eventchannel Applications and Services Logs monitoring

2015-12-23 Thread Santiago Bassett
Hi,

The Windows informational event rule has level "0", meaning that an alert won't
be generated unless you take down the alert level threshold
(log_alert_level, set to "1" by default).

My advice is to create a new rule instead, just for events with ID "2005", in
order to trigger an alert. I guess something like this would work:

<!-- rule id and level were lost from the archived message; 100100 and 5 are placeholders -->
<rule id="100100" level="5">
  <if_sid>18101</if_sid>
  <id>^2005$</id>
  <description>Windows Firewall enabled\disabled</description>
</rule>

Remember to include it in local_rules.xml inside a group section (you can
use group="windows,").

On the other hand, try enabling the logall option and check whether events are
written to archives.log.

I hope that helps,

Santiago.

On Wed, Dec 23, 2015 at 3:07 AM,  wrote:

> Hi.
> I would like to monitor the channel called "Microsoft-Windows-Windows
> Firewall With Advanced Security/Firewall".
> For this I added the following lines into the shared/agent.conf file, inside
> the Windows agent tag:
>
> <localfile>
>   <location>Microsoft-Windows-Windows Firewall With Advanced Security/Firewall</location>
>   <log_format>eventchannel</log_format>
> </localfile>
>
> After that I restarted my OSSEC agent and generated some events in the
> Firewall (enabling/disabling a firewall rule; events with ID 2005 appeared in
> the Event Viewer). There is no reaction from the OSSEC server; I was waiting
> for the default rule ID 18101 ("Windows informational event"), but there are
> no events.
> In the ossec log:
> 2015/12/23 12:37:11 ossec-logcollector(1951): INFO: Analyzing event log: 'Application'.
> 2015/12/23 12:37:11 ossec-logcollector(1951): INFO: Analyzing event log: 'Security'.
> 2015/12/23 12:37:11 ossec-logcollector(1951): INFO: Analyzing event log: 'System'.
> 2015/12/23 12:37:11 ossec-logcollector(1951): INFO: Analyzing event log: 'Microsoft-Windows-Windows Firewall With Advanced Security/Firewall'.
> 2015/12/23 12:37:11 ossec-logcollector: INFO: Started (pid: 28848).
>
> Could you please tell me what I am doing wrong? Can I use eventchannel to
> monitor logs from Applications and Services Logs?
> OSSEC agent host: Windows 2012, OSSEC agent 2.8.3, server 2.8.3

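Santiago's reply above carries two traps for a hand-written rule: it has to sit inside a `<group>` in local_rules.xml, and the `<id>` pattern needs its `^` and `$` anchors so that 2005 does not also match 20051. The script below is an added example, not code from the thread or from OSSEC: it loads a rules fragment with the standard-library XML parser, checks those two points together with the range OSSEC documents for user rule ids (100000 to 119999), and shows how the anchored pattern behaves. The embedded rules fragment is constructed; rule id 100100 and level 5 are placeholders, and the pattern check uses Python's re as an approximation of OSSEC's own regex engine.

```python
import re
import xml.etree.ElementTree as ET

# OSSEC documents this range for user-defined rules.
LOCAL_ID_RANGE = (100000, 119999)

# Constructed sample: the rule suggested in the thread, inside a group as
# the reply says it must be.  Rule id 100100 and level 5 are placeholders.
SAMPLE_LOCAL_RULES = """
<group name="local,windows,">
  <rule id="100100" level="5">
    <if_sid>18101</if_sid>
    <id>^2005$</id>
    <description>Windows Firewall enabled\\disabled</description>
  </rule>
</group>
"""


def _wrap(text):
    # A rules file is several top-level <group> elements with no single root,
    # so it is not well-formed XML by itself; give ElementTree a root.
    return ET.fromstring("<root>" + text + "</root>")


def id_pattern_matches(pattern, event_id):
    """Approximate how an OSSEC <id> pattern is applied to the decoded event
    ID.  OSSEC uses its own regex engine; for a simple anchored pattern such
    as ^2005$ Python's re.search gives the same answer."""
    return re.search(pattern, event_id) is not None


def check_local_rules(text, known_ids=frozenset()):
    """Return a list of problems; an empty list means the fragment looks sane.
    `known_ids` are rule ids the loaded rule set already defines, so that an
    <if_sid> pointing at a typo can be caught."""
    problems = []
    root = _wrap(text)
    # A <rule> outside any <group> is the mistake the reply warns about.
    for rule in root.findall("rule"):
        problems.append("rule %s is not inside a <group>" % rule.get("id"))
    lo, hi = LOCAL_ID_RANGE
    for group in root.findall("group"):
        for rule in group.findall("rule"):
            rid = int(rule.get("id", "0"))
            if not lo <= rid <= hi:
                problems.append("rule %d: id outside local range %d-%d" % (rid, lo, hi))
            level = rule.get("level")
            if level is None:
                problems.append("rule %d: missing level" % rid)
            elif level == "0":
                problems.append("rule %d: level 0 never produces an alert" % rid)
            if rule.find("description") is None:
                problems.append("rule %d: missing <description>" % rid)
            parent = rule.findtext("if_sid")
            if parent and known_ids and int(parent) not in known_ids:
                problems.append("rule %d: if_sid %s is not a known rule" % (rid, parent))
            pattern = rule.findtext("id")
            if pattern and not (pattern.startswith("^") and pattern.endswith("$")):
                problems.append("rule %d: <id>%s</id> is unanchored and also matches longer IDs" % (rid, pattern))
    return problems


if __name__ == "__main__":
    for line in check_local_rules(SAMPLE_LOCAL_RULES, known_ids={18101}) or ["no problems found"]:
        print(line)
    print("^2005$ vs 20051:", id_pattern_matches("^2005$", "20051"))
```

Pass the ids of the stock rules you build on (here 18101) as `known_ids`; the check stays silent about `<if_sid>` when that set is empty, since it cannot know the full rule set by itself.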


Re: [ossec-list] Re: mail for a specific rule

2015-12-23 Thread Maxim Surdu
Yes, sorry for my bad English.

On Wednesday, 23 December 2015, 17:44:37 UTC+2, dan (ddpbsd) wrote:
>
> On Wed, Dec 23, 2015 at 10:43 AM, Maxim Surdu wrote:
> > OSSEC shows me logs and the rule is working for /var/log/maillog
> > and /var/log/secure
> >
> > but OSSEC sends me mail just from /var/log/maillog
> > 
>
> I don't understand what you mean. The only emails you get are related 
> to entries in /var/log/maillog? 
>
> > 
> > On Wednesday, 23 December 2015, 17:26:51 UTC+2, Maxim Surdu wrote:
> >>
> >> Yes, the rule is working
> >>
> >>
> >> Alert 1450884351.34521849: mail  - policy_violation,login_time,
> >> 2015 Dec 23 15:25:51 localhost->/var/log/secure
> >> Rule: 17101 (level 9) -> 'Successful login during non-business hours.'
> >> Dec 23 17:25:50 localhost sshd[9212]: pam_unix(sshd:session): session opened for user msurdu by (uid=0)
> >> 
> >> 
> >> On Wednesday, 23 December 2015, 17:14:34 UTC+2, dan (ddpbsd) wrote:
> >>>
> >>> On Wed, Dec 23, 2015 at 10:10 AM, Maxim Surdu wrote:
> >>> > Yes, I changed it and all rules are loaded when OSSEC is started
> >>> > 
> >>> 
> >>> Is the rule firing (can you see entries for it in the 
> >>> /var/ossec/logs/alerts/alerts.log)? 
> >>> 
> >>> > On Wednesday, 23 December 2015, 16:58:18 UTC+2, dan (ddpbsd) wrote:
> >>> >>
> >>> >> On Wed, Dec 23, 2015 at 9:49 AM, Maxim Surdu wrote:
> >>> >> > This rule is located in /var/ossec/rules/policy_rules.xml
> >>> >> > 
> >>> >> 
> >>> >> Is policy_rules.xml loaded in your ossec.conf? Generally that entry 
> is 
> >>> >> commented out in a default installation. 
> >>> >> 
> >>> >> > 
> >>> >> > On Wednesday, 23 December 2015, 16:39:18 UTC+2, Maxim Surdu wrote:
> >>> >> >>
> >>> >> >> Yes, I want it for a specific mail, but I do not receive mail from this alert
> >>> >> >>
> >>> >> >> On Wednesday, 23 December 2015, 15:39:52 UTC+2, Maxim Surdu wrote:
> >>> >> >>>
> >>> >> >>> Hi everyone,
> >>> >> >>>
> >>> >> >>> I am new to OSSEC; I installed the OSSEC Virtual Appliance and all is
> >>> >> >>> working fine. Can I make OSSEC mail me for a specific rule?
> >>> >> >>> For example for this rule:
> >>> >> >>>
> >>> >> >>> <rule id="17101" level="9">
> >>> >> >>>   <if_group>authentication_success</if_group>
> >>> >> >>>   <time>06:00 pm - 09:00 am</time>
> >>> >> >>>   <description>Successful login during non-business hours.</description>
> >>> >> >>>   <group>login_time,</group>
> >>> >> >>> </rule>
> >>> >> >>>
> >>> >> >>> Any help would be greatly appreciated
> >>> >> >>>
> >>> >> >>> Thanks,
> >>> >> >>> Maxim
> >>> >> > 



Re: [ossec-list] Re: mail for a specific rule

2015-12-23 Thread dan (ddp)
On Wed, Dec 23, 2015 at 10:43 AM, Maxim Surdu wrote:
> OSSEC shows me logs and the rule is working for /var/log/maillog
> and /var/log/secure
>
> but OSSEC sends me mail just from /var/log/maillog
>

I don't understand what you mean. The only emails you get are related
to entries in /var/log/maillog?

>
> On Wednesday, 23 December 2015, 17:26:51 UTC+2, Maxim Surdu wrote:
>>
>> Yes, the rule is working
>>
>>
>> Alert 1450884351.34521849: mail  - policy_violation,login_time,
>> 2015 Dec 23 15:25:51 localhost->/var/log/secure
>> Rule: 17101 (level 9) -> 'Successful login during non-business hours.'
>> Dec 23 17:25:50 localhost sshd[9212]: pam_unix(sshd:session): session opened for user msurdu by (uid=0)
>>
>>
>> On Wednesday, 23 December 2015, 17:14:34 UTC+2, dan (ddpbsd) wrote:
>>>
>>> On Wed, Dec 23, 2015 at 10:10 AM, Maxim Surdu wrote:
>>> > Yes, I changed it and all rules are loaded when OSSEC is started
>>> >
>>>
>>> Is the rule firing (can you see entries for it in the
>>> /var/ossec/logs/alerts/alerts.log)?
>>>
>>> > On Wednesday, 23 December 2015, 16:58:18 UTC+2, dan (ddpbsd) wrote:
>>> >>
>>> >> On Wed, Dec 23, 2015 at 9:49 AM, Maxim Surdu wrote:
>>> >> > This rule is located in /var/ossec/rules/policy_rules.xml
>>> >> >
>>> >>
>>> >> Is policy_rules.xml loaded in your ossec.conf? Generally that entry is
>>> >> commented out in a default installation.
>>> >>
>>> >> >
>>> >> > On Wednesday, 23 December 2015, 16:39:18 UTC+2, Maxim Surdu wrote:
>>> >> >>
>>> >> >> Yes, I want it for a specific mail, but I do not receive mail from this alert
>>> >> >>
>>> >> >> On Wednesday, 23 December 2015, 15:39:52 UTC+2, Maxim Surdu wrote:
>>> >> >>>
>>> >> >>> Hi everyone,
>>> >> >>>
>>> >> >>> I am new to OSSEC; I installed the OSSEC Virtual Appliance and all is
>>> >> >>> working fine. Can I make OSSEC mail me for a specific rule?
>>> >> >>> For example for this rule:
>>> >> >>>
>>> >> >>> <rule id="17101" level="9">
>>> >> >>>   <if_group>authentication_success</if_group>
>>> >> >>>   <time>06:00 pm - 09:00 am</time>
>>> >> >>>   <description>Successful login during non-business hours.</description>
>>> >> >>>   <group>login_time,</group>
>>> >> >>> </rule>
>>> >> >>>
>>> >> >>> Any help would be greatly appreciated
>>> >> >>>
>>> >> >>> Thanks,
>>> >> >>> Maxim
>>> >> >



Re: [ossec-list] Re: mail for a specific rule

2015-12-23 Thread Maxim Surdu
OSSEC shows me logs and the rule is working for /var/log/maillog
and /var/log/secure

but OSSEC sends me mail just from /var/log/maillog


On Wednesday, 23 December 2015, 17:26:51 UTC+2, Maxim Surdu wrote:
>
> Yes, the rule is working
>
>
> Alert 1450884351.34521849: mail  - policy_violation,login_time,
> 2015 Dec 23 15:25:51 localhost->/var/log/secure
> Rule: 17101 (level 9) -> 'Successful login during non-business hours.'
> Dec 23 17:25:50 localhost sshd[9212]: pam_unix(sshd:session): session opened for user msurdu by (uid=0)
>
>
> On Wednesday, 23 December 2015, 17:14:34 UTC+2, dan (ddpbsd) wrote:
>>
>> On Wed, Dec 23, 2015 at 10:10 AM, Maxim Surdu wrote:
>> > Yes, I changed it and all rules are loaded when OSSEC is started
>> > 
>>
>> Is the rule firing (can you see entries for it in the 
>> /var/ossec/logs/alerts/alerts.log)? 
>>
>> > On Wednesday, 23 December 2015, 16:58:18 UTC+2, dan (ddpbsd) wrote:
>> >>
>> >> On Wed, Dec 23, 2015 at 9:49 AM, Maxim Surdu wrote:
>> >> > This rule is located in /var/ossec/rules/policy_rules.xml
>> >> > 
>> >> 
>> >> Is policy_rules.xml loaded in your ossec.conf? Generally that entry is 
>> >> commented out in a default installation. 
>> >> 
>> >> > 
>> >> > On Wednesday, 23 December 2015, 16:39:18 UTC+2, Maxim Surdu wrote:
>> >> >>
>> >> >> Yes, I want it for a specific mail, but I do not receive mail from this alert
>> >> >>
>> >> >> On Wednesday, 23 December 2015, 15:39:52 UTC+2, Maxim Surdu wrote:
>> >> >>>
>> >> >>> Hi everyone,
>> >> >>>
>> >> >>> I am new to OSSEC; I installed the OSSEC Virtual Appliance and all is
>> >> >>> working fine. Can I make OSSEC mail me for a specific rule?
>> >> >>> For example for this rule:
>> >> >>>
>> >> >>> <rule id="17101" level="9">
>> >> >>>   <if_group>authentication_success</if_group>
>> >> >>>   <time>06:00 pm - 09:00 am</time>
>> >> >>>   <description>Successful login during non-business hours.</description>
>> >> >>>   <group>login_time,</group>
>> >> >>> </rule>
>> >> >>>
>> >> >>> Any help would be greatly appreciated
>> >> >>>
>> >> >>> Thanks,
>> >> >>> Maxim
>> >> > 



Re: [ossec-list] Re: mail for a specific rule

2015-12-23 Thread dan (ddp)
On Wed, Dec 23, 2015 at 10:26 AM, Maxim Surdu wrote:
> Yes, the rule is working
>
>
> Alert 1450884351.34521849: mail  - policy_violation,login_time,
> 2015 Dec 23 15:25:51 localhost->/var/log/secure
> Rule: 17101 (level 9) -> 'Successful login during non-business hours.'
> Dec 23 17:25:50 localhost sshd[9212]: pam_unix(sshd:session): session opened for user msurdu by (uid=0)
>

By default OSSEC will group alerts together in emails. So double check
your emails to make sure it wasn't included with other alerts.
This behavior can be changed in /var/ossec/etc/internal_options.conf
(I think copying it to local_internal_options.conf and modifying that
new file should work).

>
> On Wednesday, 23 December 2015, 17:14:34 UTC+2, dan (ddpbsd) wrote:
>>
>> On Wed, Dec 23, 2015 at 10:10 AM, Maxim Surdu wrote:
>> > Yes, I changed it and all rules are loaded when OSSEC is started
>> >
>>
>> Is the rule firing (can you see entries for it in the
>> /var/ossec/logs/alerts/alerts.log)?
>>
>> > On Wednesday, 23 December 2015, 16:58:18 UTC+2, dan (ddpbsd) wrote:
>> >>
>> >> On Wed, Dec 23, 2015 at 9:49 AM, Maxim Surdu wrote:
>> >> > This rule is located in /var/ossec/rules/policy_rules.xml
>> >> >
>> >>
>> >> Is policy_rules.xml loaded in your ossec.conf? Generally that entry is
>> >> commented out in a default installation.
>> >>
>> >> >
>> >> > On Wednesday, 23 December 2015, 16:39:18 UTC+2, Maxim Surdu wrote:
>> >> >>
>> >> >> Yes, I want it for a specific mail, but I do not receive mail from this alert
>> >> >>
>> >> >> On Wednesday, 23 December 2015, 15:39:52 UTC+2, Maxim Surdu wrote:
>> >> >>>
>> >> >>> Hi everyone,
>> >> >>>
>> >> >>> I am new to OSSEC; I installed the OSSEC Virtual Appliance and all is
>> >> >>> working fine. Can I make OSSEC mail me for a specific rule?
>> >> >>> For example for this rule:
>> >> >>>
>> >> >>> <rule id="17101" level="9">
>> >> >>>   <if_group>authentication_success</if_group>
>> >> >>>   <time>06:00 pm - 09:00 am</time>
>> >> >>>   <description>Successful login during non-business hours.</description>
>> >> >>>   <group>login_time,</group>
>> >> >>> </rule>
>> >> >>>
>> >> >>> Any help would be greatly appreciated
>> >> >>>
>> >> >>> Thanks,
>> >> >>> Maxim
>> >> >



Re: [ossec-list] Re: mail for a specific rule

2015-12-23 Thread Maxim Surdu
Yes, the rule is working.


Alert 1450884351.34521849: mail  - policy_violation,login_time,
2015 Dec 23 15:25:51 localhost->/var/log/secure
Rule: 17101 (level 9) -> 'Successful login during non-business hours.'
Dec 23 17:25:50 localhost sshd[9212]: pam_unix(sshd:session): session opened for user msurdu by (uid=0)


On Wednesday, 23 December 2015, 17:14:34 UTC+2, dan (ddpbsd) wrote:
>
> On Wed, Dec 23, 2015 at 10:10 AM, Maxim Surdu wrote:
> > Yes, I changed it and all rules are loaded when OSSEC is started
> > 
>
> Is the rule firing (can you see entries for it in the 
> /var/ossec/logs/alerts/alerts.log)? 
>
> > On Wednesday, 23 December 2015, 16:58:18 UTC+2, dan (ddpbsd) wrote:
> >>
> >> On Wed, Dec 23, 2015 at 9:49 AM, Maxim Surdu wrote:
> >> > This rule is located in /var/ossec/rules/policy_rules.xml
> >> > 
> >> 
> >> Is policy_rules.xml loaded in your ossec.conf? Generally that entry is 
> >> commented out in a default installation. 
> >> 
> >> > 
> >> > On Wednesday, 23 December 2015, 16:39:18 UTC+2, Maxim Surdu wrote:
> >> >>
> >> >> Yes, I want it for a specific mail, but I do not receive mail from this alert
> >> >>
> >> >> On Wednesday, 23 December 2015, 15:39:52 UTC+2, Maxim Surdu wrote:
> >> >>>
> >> >>> Hi everyone,
> >> >>>
> >> >>> I am new to OSSEC; I installed the OSSEC Virtual Appliance and all is
> >> >>> working fine. Can I make OSSEC mail me for a specific rule?
> >> >>> For example for this rule:
> >> >>>
> >> >>> <rule id="17101" level="9">
> >> >>>   <if_group>authentication_success</if_group>
> >> >>>   <time>06:00 pm - 09:00 am</time>
> >> >>>   <description>Successful login during non-business hours.</description>
> >> >>>   <group>login_time,</group>
> >> >>> </rule>
> >> >>>
> >> >>> Any help would be greatly appreciated
> >> >>>
> >> >>> Thanks,
> >> >>> Maxim
> >> > 



Re: [ossec-list] Re: mail for a specific rule

2015-12-23 Thread dan (ddp)
On Wed, Dec 23, 2015 at 10:15 AM, Maxim Surdu wrote:
> I receive mail with alert level 2 and higher, but I do not receive mail from this
> rule. I simulated/tested the alert; it is working and is showing in Kibana and the
> OSSEC WUI, but I do not receive mail :(
>

I'll assume that means these alerts show up in the alerts.log.

Are you sure the alert wasn't included in an email with other alerts?
I'm not really sure how to troubleshoot 1 email not showing up when
others are working just fine.

>
> On Wednesday, 23 December 2015, 17:10:37 UTC+2, Maxim Surdu wrote:
>>
>> Yes, I changed it and all rules are loaded when OSSEC is started
>>
>> On Wednesday, 23 December 2015, 16:58:18 UTC+2, dan (ddpbsd) wrote:
>>>
>>> On Wed, Dec 23, 2015 at 9:49 AM, Maxim Surdu wrote:
>>> > This rule is located in /var/ossec/rules/policy_rules.xml
>>> >
>>>
>>> Is policy_rules.xml loaded in your ossec.conf? Generally that entry is
>>> commented out in a default installation.
>>>
>>> >
>>> > On Wednesday, 23 December 2015, 16:39:18 UTC+2, Maxim Surdu wrote:
>>> >>
>>> >> Yes, I want it for a specific mail, but I do not receive mail from this alert
>>> >>
>>> >> On Wednesday, 23 December 2015, 15:39:52 UTC+2, Maxim Surdu wrote:
>>> >>>
>>> >>> Hi everyone,
>>> >>>
>>> >>> I am new to OSSEC; I installed the OSSEC Virtual Appliance and all is
>>> >>> working fine. Can I make OSSEC mail me for a specific rule?
>>> >>> For example for this rule:
>>> >>>
>>> >>> <rule id="17101" level="9">
>>> >>>   <if_group>authentication_success</if_group>
>>> >>>   <time>06:00 pm - 09:00 am</time>
>>> >>>   <description>Successful login during non-business hours.</description>
>>> >>>   <group>login_time,</group>
>>> >>> </rule>
>>> >>>
>>> >>> Any help would be greatly appreciated
>>> >>>
>>> >>> Thanks,
>>> >>> Maxim
>>> >



Re: [ossec-list] Re: mail for a specific rule

2015-12-23 Thread Maxim Surdu
I receive mail with alert level 2 and higher, but I do not receive mail from
this rule. I simulated/tested the alert; it is working and is showing in Kibana and
the OSSEC WUI, but I do not receive mail :(

On Wednesday, 23 December 2015, 17:10:37 UTC+2, Maxim Surdu wrote:
>
> Yes, I changed it and all rules are loaded when OSSEC is started
>
> On Wednesday, 23 December 2015, 16:58:18 UTC+2, dan (ddpbsd) wrote:
>>
>> On Wed, Dec 23, 2015 at 9:49 AM, Maxim Surdu wrote:
>> > This rule is located in /var/ossec/rules/policy_rules.xml
>> > 
>>
>> Is policy_rules.xml loaded in your ossec.conf? Generally that entry is 
>> commented out in a default installation. 
>>
>> > 
>> > On Wednesday, 23 December 2015, 16:39:18 UTC+2, Maxim Surdu wrote:
>> >>
>> >> Yes, I want it for a specific mail, but I do not receive mail from this alert
>> >>
>> >> On Wednesday, 23 December 2015, 15:39:52 UTC+2, Maxim Surdu wrote:
>> >>>
>> >>> Hi everyone,
>> >>>
>> >>> I am new to OSSEC; I installed the OSSEC Virtual Appliance and all is
>> >>> working fine. Can I make OSSEC mail me for a specific rule?
>> >>> For example for this rule:
>> >>>
>> >>> <rule id="17101" level="9">
>> >>>   <if_group>authentication_success</if_group>
>> >>>   <time>06:00 pm - 09:00 am</time>
>> >>>   <description>Successful login during non-business hours.</description>
>> >>>   <group>login_time,</group>
>> >>> </rule>
>> >>>
>> >>> Any help would be greatly appreciated
>> >>>
>> >>> Thanks,
>> >>> Maxim
>> > 



Re: [ossec-list] Re: mail for a specific rule

2015-12-23 Thread dan (ddp)
On Wed, Dec 23, 2015 at 10:10 AM, Maxim Surdu wrote:
> Yes, I changed it and all rules are loaded when OSSEC is started
>

Is the rule firing (can you see entries for it in the
/var/ossec/logs/alerts/alerts.log)?

> On Wednesday, 23 December 2015, 16:58:18 UTC+2, dan (ddpbsd) wrote:
>>
>> On Wed, Dec 23, 2015 at 9:49 AM, Maxim Surdu wrote:
>> > This rule is located in /var/ossec/rules/policy_rules.xml
>> >
>>
>> Is policy_rules.xml loaded in your ossec.conf? Generally that entry is
>> commented out in a default installation.
>>
>> >
>> > On Wednesday, 23 December 2015, 16:39:18 UTC+2, Maxim Surdu wrote:
>> >>
>> >> Yes, I want it for a specific mail, but I do not receive mail from this alert
>> >>
>> >> On Wednesday, 23 December 2015, 15:39:52 UTC+2, Maxim Surdu wrote:
>> >>>
>> >>> Hi everyone,
>> >>>
>> >>> I am new to OSSEC; I installed the OSSEC Virtual Appliance and all is
>> >>> working fine. Can I make OSSEC mail me for a specific rule?
>> >>> For example for this rule:
>> >>>
>> >>> <rule id="17101" level="9">
>> >>>   <if_group>authentication_success</if_group>
>> >>>   <time>06:00 pm - 09:00 am</time>
>> >>>   <description>Successful login during non-business hours.</description>
>> >>>   <group>login_time,</group>
>> >>> </rule>
>> >>>
>> >>> Any help would be greatly appreciated
>> >>>
>> >>> Thanks,
>> >>> Maxim
>> >

-- 

--- 
You received this message because you are subscribed to the Google Groups 
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to ossec-list+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
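The replies in this thread amount to a three-step check: confirm that policy_rules.xml is really included under <rules> in ossec.conf (the default file ships that include commented out), confirm that the rule's level 9 is at or above email_alert_level (or that a granular <email_alerts> block, an OSSEC option the thread does not mention, names the rule id), and confirm in alerts.log that the rule fires and is flagged "mail". The script below is an added example, not part of the thread and not OSSEC code; it runs those checks over a constructed ossec.conf and a constructed alerts.log excerpt. The rule id 17101, the hostnames and the addresses in the samples are assumptions, since the thread never states the id of the after-hours login rule.

```python
"""Check why a specific OSSEC rule produces no e-mail.

Added example for this thread, not OSSEC code. Three checks over constructed
data: is the rule file included in ossec.conf, is the rule's level at or above
<email_alert_level> (or named in a granular <email_alerts> block), and does
alerts.log show the rule firing with the 'mail' flag. Rule id 17101 is an
assumption: read the real id from <rule id=...> in policy_rules.xml.
"""
import re
import xml.etree.ElementTree as ET

# Constructed ossec.conf: the policy_rules.xml include is still commented out
# (as shipped) and the e-mail threshold is above the rule's level 9.
SAMPLE_CONF = """
<ossec_config>
  <alerts>
    <email_alert_level>10</email_alert_level>
  </alerts>
  <rules>
    <include>rules_config.xml</include>
    <!-- <include>policy_rules.xml</include> -->
  </rules>
</ossec_config>
"""

# Same file with the include enabled, the threshold back at the default 7,
# and a granular block that also mails this one rule to a second address.
FIXED_CONF = SAMPLE_CONF.replace(
    "<!-- <include>policy_rules.xml</include> -->",
    "<include>policy_rules.xml</include>",
).replace("<email_alert_level>10", "<email_alert_level>7") + """
<ossec_config>
  <email_alerts>
    <email_to>night-logins@example.com</email_to>
    <rule_id>17101</rule_id>
  </email_alerts>
</ossec_config>
"""

# Constructed alerts.log excerpt: a level-3 alert below the threshold (no
# 'mail' flag in the header) and the after-hours login alert, which was flagged.
SAMPLE_ALERTS = """\
** Alert 1450891200.1001: - syslog,sshd,authentication_success,
2015 Dec 23 19:00:00 (web01) 10.0.0.5->/var/log/auth.log
Rule: 5715 (level 3) -> 'SSHD authentication success.'

** Alert 1450891201.1042: mail  - syslog,sshd,authentication_success,policy_violation,login_time,
2015 Dec 23 19:00:01 (web01) 10.0.0.5->/var/log/auth.log
Rule: 17101 (level 9) -> 'Successful login during non-business hours.'
"""

ALERT_HEADER = re.compile(r"^\*\* Alert \d+\.\d+:(?P<flags>.*?)- ")
RULE_LINE = re.compile(r"^Rule: (?P<id>\d+) \(level (?P<level>\d+)\) -> '")


def parse_conf(conf_text):
    # ossec.conf may hold several top-level <ossec_config> blocks, which is not
    # one well-formed document: wrap them in a dummy root before parsing.
    return ET.fromstring("<root>" + conf_text + "</root>")


def included_rule_files(conf_text):
    """Rule files really loaded; a commented-out <include> is invisible here."""
    return [inc.text.strip() for inc in parse_conf(conf_text).iter("include")]


def email_alert_level(conf_text):
    node = parse_conf(conf_text).find("./ossec_config/alerts/email_alert_level")
    return int(node.text) if node is not None else None


def granular_email_rules(conf_text):
    """Rule id -> recipients from <email_alerts> blocks (rule_id is a comma list)."""
    out = {}
    for block in parse_conf(conf_text).iter("email_alerts"):
        for rid in block.findall("rule_id"):
            for one in rid.text.split(","):
                out.setdefault(one.strip(), []).append(block.findtext("email_to"))
    return out


def alerts_for_rule(alerts_text, rule_id):
    """(times fired, times flagged 'mail') for rule_id in alerts.log text."""
    fired = mailed = 0
    flags = ""
    for line in alerts_text.splitlines():
        m = ALERT_HEADER.match(line)
        if m:
            flags = m.group("flags")   # 'mail' here means analysisd queued an e-mail
            continue
        m = RULE_LINE.match(line)
        if m and m.group("id") == str(rule_id):
            fired += 1
            mailed += "mail" in flags
    return fired, mailed


def diagnose(conf_text, alerts_text, rule_file, rule_id, rule_level):
    """Reasons the rule would not be mailed; an empty list means it looks fine."""
    problems = []
    if rule_file not in included_rule_files(conf_text):
        problems.append(f"{rule_file} is not included under <rules>")
    threshold = email_alert_level(conf_text)
    if (threshold is None or rule_level < threshold) \
            and str(rule_id) not in granular_email_rules(conf_text):
        problems.append(f"level {rule_level} < email_alert_level {threshold} "
                        f"and no <email_alerts> block names rule {rule_id}")
    fired, mailed = alerts_for_rule(alerts_text, rule_id)
    if fired == 0:
        problems.append(f"rule {rule_id} never fired (feed a sample line to ossec-logtest)")
    elif mailed == 0:
        problems.append(f"rule {rule_id} fired {fired}x but was never flagged 'mail'")
    return problems
```

To run it against a real manager, pass the contents of /var/ossec/etc/ossec.conf and /var/ossec/logs/alerts/alerts.log to diagnose(); after editing ossec.conf, restart with /var/ossec/bin/ossec-control restart, and keep in mind that nothing is mailed at all unless <email_notification> is yes in <global>.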


Re: [ossec-list] Re: mail for a specific rule

2015-12-23 Thread Maxim Surdu
yes, I changed it and all rules are loaded when OSSEC is started

miercuri, 23 decembrie 2015, 16:58:18 UTC+2, dan (ddpbsd) a scris:
>
> On Wed, Dec 23, 2015 at 9:49 AM, Maxim Surdu  > wrote: 
> > This rule is located in /var/ossec/rules/policy_rules.xml 
> > 
>
> Is policy_rules.xml loaded in your ossec.conf? Generally that entry is 
> commented out in a default installation. 
>
> > 
> > miercuri, 23 decembrie 2015, 16:39:18 UTC+2, Maxim Surdu a scris: 
> >> 
> >> yes, I want it for a specific mail, but I do not receive mail from this alert 
> >> 
> >> miercuri, 23 decembrie 2015, 15:39:52 UTC+2, Maxim Surdu a scris: 
> >>> 
> >>> Hi everyone, 
> >>> 
> >>> I am new to OSSEC. I installed the OSSEC Virtual Appliance and all is 
> >>> working fine. Can I make OSSEC mail me for a specific rule? 
> >>> For example, for this rule: 
> >>> 
> >>> 
> >>>  
> >>>
> >>> <rule id="..." level="9"> 
> >>>   <if_group>authentication_success</if_group> 
> >>>   <time>06:00 pm - 09:00 am</time> 
> >>>   <description>Successful login during non-business hours.</description> 
> >>>   <group>login_time,</group> 
> >>> </rule> 
> >>> 
> >>> 
> >>> 
> >>> Any help would be greatly appreciated 
> >>> 
> >>> Thanks, 
> >>> Maxim 


Re: [ossec-list] Re: mail for a specific rule

2015-12-23 Thread dan (ddp)
On Wed, Dec 23, 2015 at 9:49 AM, Maxim Surdu  wrote:
> This rule is located in /var/ossec/rules/policy_rules.xml
>

Is policy_rules.xml loaded in your ossec.conf? Generally that entry is
commented out in a default installation.

>
> miercuri, 23 decembrie 2015, 16:39:18 UTC+2, Maxim Surdu a scris:
>>
>> yes, I want it for a specific mail, but I do not receive mail from this alert
>>
>> miercuri, 23 decembrie 2015, 15:39:52 UTC+2, Maxim Surdu a scris:
>>>
>>> Hi everyone,
>>>
>>> I am new to OSSEC. I installed the OSSEC Virtual Appliance and all is working
>>> fine. Can I make OSSEC mail me for a specific rule?
>>> For example, for this rule:
>>>
>>>
>>> 
>>>   
>>> <rule id="..." level="9">
>>>   <if_group>authentication_success</if_group>
>>>   <time>06:00 pm - 09:00 am</time>
>>>   <description>Successful login during non-business hours.</description>
>>>   <group>login_time,</group>
>>> </rule>
>>>
>>>
>>>
>>> Any help would be greatly appreciated
>>>
>>> Thanks,
>>> Maxim


[ossec-list] Re: mail for a specific rule

2015-12-23 Thread Maxim Surdu
This rule is located in /var/ossec/rules/policy_rules.xml

miercuri, 23 decembrie 2015, 16:39:18 UTC+2, Maxim Surdu a scris:
>
> yes, I want it for a specific mail, but I do not receive mail from this alert
>
> miercuri, 23 decembrie 2015, 15:39:52 UTC+2, Maxim Surdu a scris:
>>
>> Hi everyone,
>>
>> I am new to OSSEC. I installed the OSSEC Virtual Appliance and all is 
>> working fine. Can I make OSSEC mail me for a specific rule?
>> For example, for this rule:
>>
>>
>> 
>>   
>> <rule id="..." level="9">
>>   <if_group>authentication_success</if_group>
>>   <time>06:00 pm - 09:00 am</time>
>>   <description>Successful login during non-business hours.</description>
>>   <group>login_time,</group>
>> </rule>
>>
>>
>>
>> Any help would be greatly appreciated
>>  
>> Thanks,
>> Maxim


[ossec-list] Re: mail for a specific rule

2015-12-23 Thread Maxim Surdu
yes, I want it for a specific mail, but I do not receive mail from this alert

miercuri, 23 decembrie 2015, 15:39:52 UTC+2, Maxim Surdu a scris:
>
> Hi everyone,
>
> I am new to OSSEC. I installed the OSSEC Virtual Appliance and all is working 
> fine. Can I make OSSEC mail me for a specific rule?
> For example, for this rule:
>
>
> 
>   
> <rule id="..." level="9">
>   <if_group>authentication_success</if_group>
>   <time>06:00 pm - 09:00 am</time>
>   <description>Successful login during non-business hours.</description>
>   <group>login_time,</group>
> </rule>
>
>
>
> Any help would be greatly appreciated
>  
> Thanks,
> Maxim


Re: [ossec-list] mail for a specific rule

2015-12-23 Thread dan (ddp)
On Wed, Dec 23, 2015 at 8:39 AM, Maxim Surdu  wrote:
> Hi everyone,
>
> I am new to OSSEC. I installed the OSSEC Virtual Appliance and all is working
> fine. Can I make OSSEC mail me for a specific rule?
> For example, for this rule:
>
>
> 
>   
> <rule id="..." level="9">
>   <if_group>authentication_success</if_group>
>   <time>06:00 pm - 09:00 am</time>
>   <description>Successful login during non-business hours.</description>
>   <group>login_time,</group>
> </rule>
>
>
>
> Any help would be greatly appreciated
>

Do you want those emails to go to a specific email address different
from the normal address? If your settings allow alert level 9 emails,
this should be sent already.

> Thanks,
> Maxim


[ossec-list] mail for a specific rule

2015-12-23 Thread Maxim Surdu
Hi everyone,

I am new to OSSEC. I installed the OSSEC Virtual Appliance and all is working 
fine. Can I make OSSEC mail me for a specific rule?
For example, for this rule:



  
<rule id="..." level="9">
  <if_group>authentication_success</if_group>
  <time>06:00 pm - 09:00 am</time>
  <description>Successful login during non-business hours.</description>
  <group>login_time,</group>
</rule>



Any help would be greatly appreciated
 
Thanks,
Maxim



Re: [ossec-list] multiple errors during rootcheck

2015-12-23 Thread dan (ddp)
On Wed, Dec 23, 2015 at 8:21 AM, theresa mic-snare
 wrote:
> Hi Dan,
>
> thanks for the pull request.
> When upgrading to 2.9, would I need to uninstall my current OSSEC
> installation, or is there an upgrade scenario?
> Would this mean I would lose my current data (e.g. alerts, logs, etc.)?
> Because if so, I will wait till February to install OSSEC 2.9, after my
> thesis project has been accepted and finalized.
>

I understand waiting (and I wouldn't blame you at all), but there is
an upgrade option.

> you were right, the two errors were unrelated.
> I ran out of inodes previously; I couldn't even run a tail of the ossec.log
> anymore. I had it set to 8192 and then increased it to 16384.
> The syscheck errors disappeared then...
>
> Am Mittwoch, 23. Dezember 2015 13:46:25 UTC+1 schrieb dan (ddpbsd):
>>
>> On Wed, Dec 23, 2015 at 7:15 AM, theresa mic-snare
>>  wrote:
>> > hi everyone,
>> >
>> > I'm receiving multiple errors during rootcheck... I think we discussed
>> > this
>> > a couple of months ago...and from what I remember it would be fixed in
>> > the
>> > next release?
>> > 2015/12/23 12:01:25 ERROR: statfs('/usr/local/apache') produced error:
>> > No
>> > such file or directory
>> > 2015/12/23 12:01:25 ERROR: statfs('/usr/local/apache2') produced error:
>> > No
>> > such file or directory
>> > 2015/12/23 12:01:25 ERROR: statfs('/usr/local/www') produced error: No
>> > such
>> > file or directory
>> > 2015/12/23 12:01:25 ERROR: statfs('/var/htdocs') produced error: No such
>> > file or directory
>> > 2015/12/23 12:01:25 ERROR: statfs('/home/httpd') produced error: No such
>> > file or directory
>> > 2015/12/23 12:01:25 ERROR: statfs('/usr/local/apache') produced error:
>> > No
>> > such file or directory
>> > 2015/12/23 12:01:25 ERROR: statfs('/usr/local/apache2') produced error:
>> > No
>> > such file or directory
>> > 2015/12/23 12:01:25 ERROR: statfs('/usr/local/www') produced error: No
>> > such
>> > file or directory
>> >
>> > I'm still using the old stable version 2.8 (no idea which minor version,
>> > because in ossec-init.conf it only says 2.8)
>> > Has this been fixed in 2.9 ?
>> >
>>
>> Download the beta and see:
>> https://bintray.com/ossec/ossec-hids/ossec-hids/2.9.0_beta_20151211/view
>> But no, I don't think it was. The PR I submitted for this was never
>> accepted, and it looks like I deleted the branch several months after
>> submitting it. So here's a new pull request:
>> https://github.com/ossec/ossec-hids/pull/720
>>
>> > and where do these statfs errors come from anyway? I don't think I have
>> > this
>> > in the ossec.conf so it must come from a .c file
>> >
>> > and I've also got this error recently:
>> > 2015/12/23 13:09:20 ossec-syscheckd: ERROR: Unable to add directory to
>> > real
>> > time monitoring: '/var/www/html/dokuwiki/lib/plugins/config/lang/eu'. -1
>> > 28
>> > 2015/12/23 13:09:20 ossec-syscheckd: ERROR: Unable to add directory to
>> > real
>> > time monitoring: '/var/www/html/dokuwiki/lib/plugins/config/lang/ru'. -1
>> > 28
>> > 2015/12/23 13:09:20 ossec-syscheckd: ERROR: Unable to add directory to
>> > real
>> > time monitoring:
>> > '/var/www/html/dokuwiki/lib/plugins/config/lang/ca-valencia'. -1 28
>> > 2015/12/23 13:09:22 ossec-syscheckd: ERROR: Unable to add directory to
>> > real
>> > time monitoring: '/var/www/html/dokuwiki/lib/plugins/config/lang/mr'. -1
>> > 28
>> > 2015/12/23 13:09:22 ossec-syscheckd: ERROR: Unable to add directory to
>> > real
>> > time monitoring: '/var/www/html/dokuwiki/lib/plugins/config/lang/de'. -1
>> > 28
>> > 2015/12/23 13:09:22 ossec-syscheckd: ERROR: Unable to add directory to
>> > real
>> > time monitoring: '/var/www/html/dokuwiki/lib/plugins/config/lang/id-ni'.
>> > -1
>> > 28
>> > 2015/12/23 13:09:22 ossec-syscheckd: ERROR: Unable to add directory to
>> > real
>> > time monitoring: '/var/www/html/dokuwiki/lib/plugins/config/lang/ja'. -1
>> > 28
>> > 2015/12/23 13:09:22 ossec-syscheckd: ERROR: Unable to add directory to
>> > real
>> > time monitoring: '/var/www/html/dokuwiki/lib/plugins/config/lang/fr'. -1
>> > 28
>> > 2015/12/23 13:09:22 ossec-syscheckd: ERROR: Unable to add directory to
>> > real
>> > time monitoring: '/var/www/html/dokuwiki/lib/plugins/config/lang/sl'. -1
>> > 28
>> > 2015/12/23 13:09:22 ossec-syscheckd: ERROR: Unable to add directory to
>> > real
>> > time monitoring: '/var/www/html/dokuwiki/lib/plugins/config/lang/zh'. -1
>> > 28
>> >
>> > no idea why this cannot be added to real time monitoring.
>> > any ideas?
>> >
>>
>> I don't think these issues are related. Have you run out of space? Run
>> out of inodes? Have some special permission or SELinux policy blocking
>> the operation?
>>
>> > sorry, if this has been asked before!
>> >
>> > best,
>> > theresa
>> >
>> > --
>> >
>> > ---
>> > You received this message because you are subscribed to the Google
>> > Groups
>> > "ossec-list" group.
>> > To unsubscribe from this group and stop receiving emails from it, send
>> > an
>> > email to ossec-list+...@googlegrou

Re: [ossec-list] multiple errors during rootcheck

2015-12-23 Thread theresa mic-snare
Hi Dan,

thanks for the pull request.
When upgrading to 2.9, would I need to uninstall my current OSSEC 
installation, or is there an upgrade scenario?
Would this mean I would lose my current data (e.g. alerts, logs, etc.)?
Because if so, I will wait till February to install OSSEC 2.9, after my 
thesis project has been accepted and finalized.

you were right, the two errors were unrelated.
I ran out of inodes previously; I couldn't even run a tail of the ossec.log 
anymore. I had it set to 8192 and then increased it to 16384.
The syscheck errors disappeared then...

Am Mittwoch, 23. Dezember 2015 13:46:25 UTC+1 schrieb dan (ddpbsd):
>
> On Wed, Dec 23, 2015 at 7:15 AM, theresa mic-snare 
> > wrote: 
> > hi everyone, 
> > 
> > I'm receiving multiple errors during rootcheck... I think we discussed 
> this 
> > a couple of months ago...and from what I remember it would be fixed in 
> the 
> > next release? 
> > 2015/12/23 12:01:25 ERROR: statfs('/usr/local/apache') produced error: 
> No 
> > such file or directory 
> > 2015/12/23 12:01:25 ERROR: statfs('/usr/local/apache2') produced error: 
> No 
> > such file or directory 
> > 2015/12/23 12:01:25 ERROR: statfs('/usr/local/www') produced error: No 
> such 
> > file or directory 
> > 2015/12/23 12:01:25 ERROR: statfs('/var/htdocs') produced error: No such 
> > file or directory 
> > 2015/12/23 12:01:25 ERROR: statfs('/home/httpd') produced error: No such 
> > file or directory 
> > 2015/12/23 12:01:25 ERROR: statfs('/usr/local/apache') produced error: 
> No 
> > such file or directory 
> > 2015/12/23 12:01:25 ERROR: statfs('/usr/local/apache2') produced error: 
> No 
> > such file or directory 
> > 2015/12/23 12:01:25 ERROR: statfs('/usr/local/www') produced error: No 
> such 
> > file or directory 
> > 
> > I'm still using the old stable version 2.8 (no idea which minor version, 
> > because in ossec-init.conf it only says 2.8) 
> > Has this been fixed in 2.9 ? 
> > 
>
> Download the beta and see: 
> https://bintray.com/ossec/ossec-hids/ossec-hids/2.9.0_beta_20151211/view 
> But no, I don't think it was. The PR I submitted for this was never 
> accepted, and it looks like I deleted the branch several months after 
> submitting it. So here's a new pull request: 
> https://github.com/ossec/ossec-hids/pull/720 
>
> > and where do these statfs errors come from anyway? I don't think I have 
> this 
> > in the ossec.conf so it must come from a .c file 
> > 
> > and I've also got this error recently: 
> > 2015/12/23 13:09:20 ossec-syscheckd: ERROR: Unable to add directory to 
> real 
> > time monitoring: '/var/www/html/dokuwiki/lib/plugins/config/lang/eu'. -1 
> 28 
> > 2015/12/23 13:09:20 ossec-syscheckd: ERROR: Unable to add directory to 
> real 
> > time monitoring: '/var/www/html/dokuwiki/lib/plugins/config/lang/ru'. -1 
> 28 
> > 2015/12/23 13:09:20 ossec-syscheckd: ERROR: Unable to add directory to 
> real 
> > time monitoring: 
> > '/var/www/html/dokuwiki/lib/plugins/config/lang/ca-valencia'. -1 28 
> > 2015/12/23 13:09:22 ossec-syscheckd: ERROR: Unable to add directory to 
> real 
> > time monitoring: '/var/www/html/dokuwiki/lib/plugins/config/lang/mr'. -1 
> 28 
> > 2015/12/23 13:09:22 ossec-syscheckd: ERROR: Unable to add directory to 
> real 
> > time monitoring: '/var/www/html/dokuwiki/lib/plugins/config/lang/de'. -1 
> 28 
> > 2015/12/23 13:09:22 ossec-syscheckd: ERROR: Unable to add directory to 
> real 
> > time monitoring: '/var/www/html/dokuwiki/lib/plugins/config/lang/id-ni'. 
> -1 
> > 28 
> > 2015/12/23 13:09:22 ossec-syscheckd: ERROR: Unable to add directory to 
> real 
> > time monitoring: '/var/www/html/dokuwiki/lib/plugins/config/lang/ja'. -1 
> 28 
> > 2015/12/23 13:09:22 ossec-syscheckd: ERROR: Unable to add directory to 
> real 
> > time monitoring: '/var/www/html/dokuwiki/lib/plugins/config/lang/fr'. -1 
> 28 
> > 2015/12/23 13:09:22 ossec-syscheckd: ERROR: Unable to add directory to 
> real 
> > time monitoring: '/var/www/html/dokuwiki/lib/plugins/config/lang/sl'. -1 
> 28 
> > 2015/12/23 13:09:22 ossec-syscheckd: ERROR: Unable to add directory to 
> real 
> > time monitoring: '/var/www/html/dokuwiki/lib/plugins/config/lang/zh'. -1 
> 28 
> > 
> > no idea why this cannot be added to real time monitoring. 
> > any ideas? 
> > 
>
> I don't think these issues are related. Have you run out of space? Run 
> out of inodes? Have some special permission or SELinux policy blocking 
> the operation? 
>
> > sorry, if this has been asked before! 
> > 
> > best, 
> > theresa 

Re: [ossec-list] Clients authenticate, but don't connect (Corp env)

2015-12-23 Thread dan (ddp)
On Tue, Dec 22, 2015 at 12:33 PM, Jamey B  wrote:
> Hi Dan,
>
> When we add agents, this is what we run on the agents:
>
> /var/ossec/bin/agent-auth -m  -p 1515

Ok, but I'd still like to know what options you're using with ossec-authd.

> /etc/init.d/ossec/ossec-hids restart
>
> I've confirmed via tcpdump the agents are connecting over 1514.  We also
> tried 'A ' at the end of the first command above, but have the
> same result.
>
>
> Here's what the agents are running:
>
> root@testlabex2 ./ossec-control status
>
> ossec-logcollector is running...
>
> ossec-syscheckd is running...
>
> ossec-agentd is running...
> ossec-execd is running...
>
>
> We are running version 2.8.2-49
>

What errors are in the ossec.log on the agents? What about the
server's ossec.log (possibly with debugging enabled)?


>
> On Tue, Dec 22, 2015 at 8:09 AM, dan (ddp)  wrote:
>>
>> On Mon, Dec 21, 2015 at 9:26 AM, Jamey B  wrote:
>> > Hi Dan,
>> >
>> > When we use manage_agents and export the key to the agent, the agent
>> > works
>> > fine. We've had success this way, but obviously it's tedious for over
>> > 5000
>> > servers. Isn't this similar how authd works? I'm wondering if there's
>> > something we're not executing after the agent gets a key.
>> >
>> > I've regenerated the SSL key on the server (somehow it was missing), so
>> > agents no longer have issues connecting for their key -- this is what
>> > caused
>> > all the agent alerts a few posts ago. We are following the guide below,
>> > but
>> > the agents just don't connect after getting their key:
>> >
>> >
>> > http://dcid.me/blog/2011/01/automatically-creating-and-setting-up-the-agent-keys/
>> >
>>
>>
>> That was just part of the troubleshooting process. We now know that
>> agents CAN connect and work. So we have eliminated one issue. Only a
>> million more to go!
>>
>> I might have missed it in the thread, but what version of OSSEC are you
>> using?
>> When you run ossec-authd, what options are you using?
>>
>
>
>
>
> --
> Sincerely,
>
> James Bearden III
>


Re: [ossec-list] multiple errors during rootcheck

2015-12-23 Thread dan (ddp)
On Wed, Dec 23, 2015 at 7:15 AM, theresa mic-snare
 wrote:
> hi everyone,
>
> I'm receiving multiple errors during rootcheck... I think we discussed this
> a couple of months ago...and from what I remember it would be fixed in the
> next release?
> 2015/12/23 12:01:25 ERROR: statfs('/usr/local/apache') produced error: No
> such file or directory
> 2015/12/23 12:01:25 ERROR: statfs('/usr/local/apache2') produced error: No
> such file or directory
> 2015/12/23 12:01:25 ERROR: statfs('/usr/local/www') produced error: No such
> file or directory
> 2015/12/23 12:01:25 ERROR: statfs('/var/htdocs') produced error: No such
> file or directory
> 2015/12/23 12:01:25 ERROR: statfs('/home/httpd') produced error: No such
> file or directory
> 2015/12/23 12:01:25 ERROR: statfs('/usr/local/apache') produced error: No
> such file or directory
> 2015/12/23 12:01:25 ERROR: statfs('/usr/local/apache2') produced error: No
> such file or directory
> 2015/12/23 12:01:25 ERROR: statfs('/usr/local/www') produced error: No such
> file or directory
>
> I'm still using the old stable version 2.8 (no idea which minor version,
> because in ossec-init.conf it only says 2.8)
> Has this been fixed in 2.9 ?
>

Download the beta and see:
https://bintray.com/ossec/ossec-hids/ossec-hids/2.9.0_beta_20151211/view
But no, I don't think it was. The PR I submitted for this was never
accepted, and it looks like I deleted the branch several months after
submitting it. So here's a new pull request:
https://github.com/ossec/ossec-hids/pull/720

> and where do these statfs errors come from anyway? I don't think I have this
> in the ossec.conf so it must come from a .c file
>
> and I've also got this error recently:
> 2015/12/23 13:09:20 ossec-syscheckd: ERROR: Unable to add directory to real
> time monitoring: '/var/www/html/dokuwiki/lib/plugins/config/lang/eu'. -1 28
> 2015/12/23 13:09:20 ossec-syscheckd: ERROR: Unable to add directory to real
> time monitoring: '/var/www/html/dokuwiki/lib/plugins/config/lang/ru'. -1 28
> 2015/12/23 13:09:20 ossec-syscheckd: ERROR: Unable to add directory to real
> time monitoring:
> '/var/www/html/dokuwiki/lib/plugins/config/lang/ca-valencia'. -1 28
> 2015/12/23 13:09:22 ossec-syscheckd: ERROR: Unable to add directory to real
> time monitoring: '/var/www/html/dokuwiki/lib/plugins/config/lang/mr'. -1 28
> 2015/12/23 13:09:22 ossec-syscheckd: ERROR: Unable to add directory to real
> time monitoring: '/var/www/html/dokuwiki/lib/plugins/config/lang/de'. -1 28
> 2015/12/23 13:09:22 ossec-syscheckd: ERROR: Unable to add directory to real
> time monitoring: '/var/www/html/dokuwiki/lib/plugins/config/lang/id-ni'. -1
> 28
> 2015/12/23 13:09:22 ossec-syscheckd: ERROR: Unable to add directory to real
> time monitoring: '/var/www/html/dokuwiki/lib/plugins/config/lang/ja'. -1 28
> 2015/12/23 13:09:22 ossec-syscheckd: ERROR: Unable to add directory to real
> time monitoring: '/var/www/html/dokuwiki/lib/plugins/config/lang/fr'. -1 28
> 2015/12/23 13:09:22 ossec-syscheckd: ERROR: Unable to add directory to real
> time monitoring: '/var/www/html/dokuwiki/lib/plugins/config/lang/sl'. -1 28
> 2015/12/23 13:09:22 ossec-syscheckd: ERROR: Unable to add directory to real
> time monitoring: '/var/www/html/dokuwiki/lib/plugins/config/lang/zh'. -1 28
>
> no idea why this cannot be added to real time monitoring.
> any ideas?
>

I don't think these issues are related. Have you run out of space? Run
out of inodes? Have some special permission or SELinux policy blocking
the operation?

> sorry, if this has been asked before!
>
> best,
> theresa
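The two error families in the log excerpt above can be told apart from the lines themselves. The script below is an added example, not part of the thread and not OSSEC code. The rootcheck statfs() errors name the default entries of the $web_dirs variable in system_audit_rcl.txt; rootcheck calls statfs() on each directory it audits, so a web root that does not exist on this host just logs ENOENT and nothing is actually broken. The "-1 28" at the end of each ossec-syscheckd line is the inotify_add_watch() return value followed by errno: 28 is ENOSPC, which for inotify means the per-user watch limit fs.inotify.max_user_watches was reached (8192 was the default on older kernels), not that the filesystem is full. The log lines in the sample are copied from the post; the directory tree used by the watch-count demo is constructed.

```python
"""Triage the ossec.log errors from this thread.

Added example, not OSSEC code. Classifies each error line, decodes the errno
that ossec-syscheckd prints after the inotify_add_watch() return value, and
estimates how many inotify watches the realtime directories need so the
number can be compared with fs.inotify.max_user_watches. Log lines below are
copied from the post; the directory tree in demo_watch_count() is constructed.
"""
import errno
import os
import re
import tempfile

STATFS_RE = re.compile(r"ERROR: statfs\('([^']+)'\) produced error: (.+)$")
INOTIFY_RE = re.compile(
    r"ossec-syscheckd: ERROR: Unable to add directory to real time monitoring: "
    r"'([^']+)'\. (-?\d+) (\d+)$")

SAMPLE_LOG = """\
2015/12/23 12:01:25 ERROR: statfs('/usr/local/apache') produced error: No such file or directory
2015/12/23 12:01:25 ERROR: statfs('/var/htdocs') produced error: No such file or directory
2015/12/23 12:01:25 ERROR: statfs('/home/httpd') produced error: No such file or directory
2015/12/23 13:09:20 ossec-syscheckd: ERROR: Unable to add directory to real time monitoring: '/var/www/html/dokuwiki/lib/plugins/config/lang/eu'. -1 28
2015/12/23 13:09:20 ossec-syscheckd: ERROR: Unable to add directory to real time monitoring: '/var/www/html/dokuwiki/lib/plugins/config/lang/ru'. -1 28
2015/12/23 13:09:22 ossec-logcollector: INFO: Started (pid: 28848).
"""


def classify(log_text):
    """One dict per recognised error line; unrelated lines are ignored."""
    findings = []
    for line in log_text.splitlines():
        m = STATFS_RE.search(line)
        if m:
            findings.append({"kind": "rootcheck_statfs", "path": m.group(1),
                             "errno": None, "name": m.group(2).strip()})
            continue
        m = INOTIFY_RE.search(line)
        if m:
            code = int(m.group(3))   # the trailing number is errno, e.g. 28 = ENOSPC
            findings.append({"kind": "syscheck_inotify", "path": m.group(1),
                             "errno": code, "name": errno.errorcode.get(code, "?")})
    return findings


def summarize(findings):
    """(missing $web_dirs paths to prune from the rcl file,
        directories that failed because the inotify watch limit was reached)."""
    missing = sorted({f["path"] for f in findings if f["kind"] == "rootcheck_statfs"})
    at_limit = sum(1 for f in findings
                   if f["kind"] == "syscheck_inotify" and f["errno"] == errno.ENOSPC)
    return missing, at_limit


def watches_needed(directories):
    """inotify costs one watch per directory, recursively, so this is the floor
    for fs.inotify.max_user_watches (the limit is per user, so every other
    inotify consumer running as the same user counts against it too)."""
    return sum(1 for top in directories for _ in os.walk(top))


def current_watch_limit(path="/proc/sys/fs/inotify/max_user_watches"):
    try:
        with open(path) as fh:
            return int(fh.read().strip())
    except (OSError, ValueError):
        return None   # not Linux, or /proc not available


def demo_watch_count():
    """Constructed tree: base, plugins, config, lang, lang/eu, lang/ru = 6 watches."""
    with tempfile.TemporaryDirectory() as base:
        for sub in ("plugins/config/lang/eu", "plugins/config/lang/ru"):
            os.makedirs(os.path.join(base, sub))
        return watches_needed([base])


if __name__ == "__main__":
    missing, at_limit = summarize(classify(SAMPLE_LOG))
    print("missing $web_dirs entries:", missing)
    print("dirs refused by inotify (ENOSPC):", at_limit)
    print("watches for demo tree:", demo_watch_count(), "limit:", current_watch_limit())
```

Raise the limit with sysctl -w fs.inotify.max_user_watches=N (and persist it in /etc/sysctl.conf) so that watches_needed() over every realtime="yes" directory stays below it, and trim $web_dirs in system_audit_rcl.txt to the web roots that exist. Had the errno been 13 (EACCES) instead of 28, the permissions/SELinux hypothesis in the reply would be the one to chase.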


[ossec-list] multiple errors during rootcheck

2015-12-23 Thread theresa mic-snare
hi everyone,

I'm receiving multiple errors during rootcheck... I think we discussed this 
a couple of months ago...and from what I remember it would be fixed in the 
next release?
2015/12/23 12:01:25 ERROR: statfs('/usr/local/apache') produced error: No 
such file or directory
2015/12/23 12:01:25 ERROR: statfs('/usr/local/apache2') produced error: No 
such file or directory
2015/12/23 12:01:25 ERROR: statfs('/usr/local/www') produced error: No such 
file or directory
2015/12/23 12:01:25 ERROR: statfs('/var/htdocs') produced error: No such 
file or directory
2015/12/23 12:01:25 ERROR: statfs('/home/httpd') produced error: No such 
file or directory
2015/12/23 12:01:25 ERROR: statfs('/usr/local/apache') produced error: No 
such file or directory
2015/12/23 12:01:25 ERROR: statfs('/usr/local/apache2') produced error: No 
such file or directory
2015/12/23 12:01:25 ERROR: statfs('/usr/local/www') produced error: No such 
file or directory

I'm still using the old stable version 2.8 (no idea which minor version, 
because in ossec-init.conf it only says 2.8)
Has this been fixed in 2.9 ?

and where do these statfs errors come from anyway? I don't think I have 
this in the ossec.conf so it must come from a .c file

and I've also got this error recently:
2015/12/23 13:09:20 ossec-syscheckd: ERROR: Unable to add directory to real 
time monitoring: '/var/www/html/dokuwiki/lib/plugins/config/lang/eu'. -1 28
2015/12/23 13:09:20 ossec-syscheckd: ERROR: Unable to add directory to real 
time monitoring: '/var/www/html/dokuwiki/lib/plugins/config/lang/ru'. -1 28
2015/12/23 13:09:20 ossec-syscheckd: ERROR: Unable to add directory to real 
time monitoring: 
'/var/www/html/dokuwiki/lib/plugins/config/lang/ca-valencia'. -1 28
2015/12/23 13:09:22 ossec-syscheckd: ERROR: Unable to add directory to real 
time monitoring: '/var/www/html/dokuwiki/lib/plugins/config/lang/mr'. -1 28
2015/12/23 13:09:22 ossec-syscheckd: ERROR: Unable to add directory to real 
time monitoring: '/var/www/html/dokuwiki/lib/plugins/config/lang/de'. -1 28
2015/12/23 13:09:22 ossec-syscheckd: ERROR: Unable to add directory to real 
time monitoring: '/var/www/html/dokuwiki/lib/plugins/config/lang/id-ni'. -1 
28
2015/12/23 13:09:22 ossec-syscheckd: ERROR: Unable to add directory to real 
time monitoring: '/var/www/html/dokuwiki/lib/plugins/config/lang/ja'. -1 28
2015/12/23 13:09:22 ossec-syscheckd: ERROR: Unable to add directory to real 
time monitoring: '/var/www/html/dokuwiki/lib/plugins/config/lang/fr'. -1 28
2015/12/23 13:09:22 ossec-syscheckd: ERROR: Unable to add directory to real 
time monitoring: '/var/www/html/dokuwiki/lib/plugins/config/lang/sl'. -1 28
2015/12/23 13:09:22 ossec-syscheckd: ERROR: Unable to add directory to real 
time monitoring: '/var/www/html/dokuwiki/lib/plugins/config/lang/zh'. -1 28

no idea why this cannot be added to real time monitoring.
any ideas?

sorry, if this has been asked before!

best,
theresa



[ossec-list] eventchannel Applications and Services Logs monitoring

2015-12-23 Thread o . verbniak
Hi.
I would like to monitor the channel called "Microsoft-Windows-Windows Firewall With Advanced Security/Firewall".
For this I added the following lines into the shared/agent.conf file, inside the Windows agent tag:

<localfile>
  <location>Microsoft-Windows-Windows Firewall With Advanced Security/Firewall</location>
  <log_format>eventchannel</log_format>
</localfile>

After that I restarted my OSSEC agent and generated some events in the firewall (enabling/disabling a firewall rule; events with ID 2005 appeared in the Event Viewer). There is no reaction from the OSSEC server; I am waiting for the default rule ID 18101 ("Windows informational event"), but there are no events.
In ossec log:
2015/12/23 12:37:11 ossec-logcollector(1951): INFO: Analyzing event log: 
'Application'.
2015/12/23 12:37:11 ossec-logcollector(1951): INFO: Analyzing event log: 
'Security'.
2015/12/23 12:37:11 ossec-logcollector(1951): INFO: Analyzing event log: 
'System'.
2015/12/23 12:37:11 ossec-logcollector(1951): INFO: Analyzing event log: 
'Microsoft-Windows-Windows Firewall With Advanced Security/Firewall'.
2015/12/23 12:37:11 ossec-logcollector: INFO: Started (pid: 28848).

Could you please tell me what I am doing wrong? Can I use eventchannel to 
monitor logs from Applications and Services Logs?
OSSEC agent host: Windows 2012, OSSEC agent 2.8.3, server 2.8.3


Re: [ossec-list] File Integrity Monitoring through OSSEC

2015-12-23 Thread Nishant Porwal
Thanks Santiago, I will do some tests and let you know the results.

On Wed, Dec 23, 2015 at 9:47 AM, Santiago Bassett <
santiago.bass...@gmail.com> wrote:

> You can probably do that using Rootcheck rules.
>
>
> For example, to alert if "Server: 1.2.3.4" line has been modified, you
> could use a rule like this:
>
>
> [Memory configuration check - Server different than 1.2.3.4] [any]
>
> f:/etc/memory.cfg -> !r:^# && r:^Server && !r::1.2.3.4;
>
>
> You would need to create rules for those lines you want to monitor.
>
>
> I hope that helps,
>
> Santiago.
>
>
>
> On Mon, Dec 21, 2015 at 4:49 AM, dan (ddp)  wrote:
>
>> On Fri, Dec 18, 2015 at 8:36 AM, Nishant Porwal
>>  wrote:
>> > Hi Santiago/Dan,
>> >
>> > Thanks for the inputs, I am able to track the changes.
>> > One more suggestion is needed.
>> >
>> > I want to track the file changes and need to alert only on specific
>> > changes.
>> > Example : -
>> >
>> > File : - memory.cfg
>> >
>> > Content : -
>> >
>> > *
>> >
>> > Server : 1.2.3.4
>> > Port : 8080,80,9090,28443,23
>> > Services : Telnet,SSH, FTPD,
>> > log_alert : Yes
>> > log_memory : Yes
>> > log_system : Yes
>> > log_application : Yes
>> > log_tomcat : Yes
>> >
>> > *
>> >
>> > Requirement is:
>> >
>> > If any changes have been made to the parameters Server, Port, Services or
>> > log_tomcat, notify a certain email; if log_alert, log_memory,
>> > log_application or log_system have been changed, don't notify.
>> >
>>
>> I don't know of a way to watch for changes in certain parts of a file.
>>
>> > On Tue, Dec 8, 2015 at 7:01 AM, Santiago Bassett
>> >  wrote:
>> >>
>> >> More comments:
>> >>
>> >> 1.When file have been changed  ?
>> >> Use realtime option (kernel needs to support inotify, most recent ones
>> do)
>> >>
>> >> 2.Who have changed it ?
>> >> No easy way to do this. I would use Audit tools and parse their output
>> >> with an OSSEC decoder/rules (I think those would need to be created).
>> >>
>> >> 3.What have been changed ?
>> >>
>> >> As Dan mentioned, report_changes. Only works on text files (doesn't
>> make
>> >> sense for binaries).
>> >>
>> >> 4.Notify on certain changes .
>> >>
>> >> What do you mean? Permission changes, ownership changes are reported by
>> >> syscheck too.
>> >>
>> >> On Sun, Dec 6, 2015 at 9:10 AM, dan (ddp)  wrote:
>> >>>
>> >>>
>> >>> On Dec 6, 2015 11:01 AM, "Nishant Porwal" 
>> >>> wrote:
>> >>> >
>> >>> > Hi Guys ,
>> >>> >
>> >>> > I need to monitor approx 50 config and flat files on 20 servers ,
>> means
>> >>> > 1000 files .
>> >>> >
>> >>> > My requirement is below .
>> >>> >
>> >>> > 1.When file have been changed  ?
>> >>> > 2.Who have changed it ?
>> >>>
>> >>> No one has come up with a way to do this through syscheck yet.
>> >>>
>> >>> > 3.What have been changed ?
>> >>> > 4.Notify on certain changes .
>> >>> >
>> >>> > Most important part is "What have been changed "
>> >>> >
>> >>>
>> >>> Report_changes I think is the option you want.
>> >>>
>> >>> > All are linux servers .
>> >>> >
>> >>> > OSSEC can help here ?
>> >>> > I couldn't find anything in documentation specifying about "what
>> have
>> >>> > been changed " .
>> >>> >
>> >>> >
>> >>> > Thanks
>> >>> > Nishant
>> >>> >
>> >>>
>> >>
>> >>
>> >
>> >
>> >
>> >
>> > --
>> > Thanks n Regards
>> > Nishant Porwal
>> > 09527916969
>> >
>>