[ossec-list] for what time ossec save logs?

2015-12-28 Thread Maxim Surdu
Hi everyone,

Who can tell me how long OSSEC saves my logs? Do I need to configure it, or 
how does it work? I need OSSEC to save my logs for a minimum of 2 years.

Any help would be greatly appreciated
 
Thanks,
Maxim

-- 

--- 
You received this message because you are subscribed to the Google Groups 
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to ossec-list+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.


Re: [ossec-list] for what time ossec save logs?

2015-12-28 Thread dan (ddp)
On Mon, Dec 28, 2015 at 7:00 AM, Maxim Surdu  wrote:
> Hi everyone,
>
> Who can tell me how long OSSEC saves my logs? Do I need to configure it, or
> how does it work? I need OSSEC to save my logs for a minimum of 2 years.
>
> Any help would be greatly appreciated
>

OSSEC does not currently delete logs.

> Thanks,
> Maxim
>


Re: [ossec-list] Nothing returned (or search expired)

2015-12-28 Thread theresa mic-snare
Hi Vipin,

OK, does the tmp directory exist inside your OSSEC installation?
This directory should belong to root:apache, or whatever the group for your 
webserver user is called.

I had this problem a while ago too, and I think this was my issue along 
with some missing SELinux permissions...

What do the webserver logs say?

best,
theresa

On Monday, 28 December 2015 04:57:51 UTC+1, Vipin Hooda wrote:
>
> Hi Theresa,
>
> Selinux is in disabled mode.
>
> Regards
>
> Vipin Hooda
>
> From: ossec...@googlegroups.com [mailto:ossec...@googlegroups.com] On Behalf Of theresa mic-snare
> Sent: 27 December 2015 22:13
> To: ossec-list
> Subject: Re: [ossec-list] Nothing returned (or search expired)
>
> Hi Vipin,
>
> out of curiosity, do you have SELinux enabled?
> Do you have it set to enforcing?
>
> best,
> theresa
>
> On Friday, 25 December 2015 13:13:10 UTC+1, Vipin Hooda wrote:
>
> Hi Dan, 
>
> Yes, we have log level 7 alerts in OSSEC-WUI, but I do not know where I 
> can find the PHP error details. So kindly guide. 
>
>
> Regards 
> Vipin Hooda 
>
> -Original Message- 
> From: ossec...@googlegroups.com [mailto:ossec...@googlegroups.com] On 
> Behalf Of dan (ddp) 
> Sent: 24 December 2015 18:44 
> To: ossec...@googlegroups.com 
> Subject: Re: [ossec-list] Nothing returned (or search expired) 
>
> On Thu, Dec 24, 2015 at 4:25 AM,   wrote: 
> > Hi, 
> > 
> > We have installed OSSEC-WUI, but when we search log level 7 we are 
> > getting the error "Total alerts found: 5 Nothing returned (or search 
> > expired)". 
> > Can someone help to fix the issue? 
> > 
>
> Are there any level 7 alerts in alerts.log? 
> Are there any PHP errors that might explain this? 
>
> > Regards 
> > Vipin Hooda 
> > 


Re: [ossec-list] Nothing returned (or search expired)

2015-12-28 Thread dan (ddp)
On Fri, Dec 25, 2015 at 7:12 AM, Vipin Hooda  wrote:
> Hi Dan,
>
> Yes, we have log level 7 alerts in OSSEC-WUI, but I do not know where I 
> can find the PHP error details. So kindly guide.
>

I believe it will be in your webserver's error log.

>
> Regards
> Vipin Hooda
>
> -Original Message-
> From: ossec-list@googlegroups.com [mailto:ossec-list@googlegroups.com] On 
> Behalf Of dan (ddp)
> Sent: 24 December 2015 18:44
> To: ossec-list@googlegroups.com
> Subject: Re: [ossec-list] Nothing returned (or search expired)
>
> On Thu, Dec 24, 2015 at 4:25 AM,   wrote:
>> Hi,
>>
>> We have installed OSSEC-WUI, but when we search log level 7 we are
>> getting the error "Total alerts found: 5 Nothing returned (or search expired)".
>> Can someone help to fix the issue?
>>
>
> Are there any level 7 alerts in alerts.log?
> Are there any PHP errors that might explain this?
>
>> Regards
>> Vipin Hooda
>>


[ossec-list] Using Regular Expressions in an OSSEC rule

2015-12-28 Thread namobuddhaonion
Hello all and Happy Holidays,

I set up a rule to look for logins after hours as follows:


 
authentication 
6 pm - 9 am 
Login after hours 
 

 
  50 
  USERNAME 
  Ignore USERNAME 
 


The first rule tries to pick up all logins after hours, and the subordinate 
rule tries to strip out non-human accounts such as service accounts and 
machine accounts. 


The issue I am having is that this rule picks up EVERY login, including the 
service accounts and machine accounts, which I have tried to enter between 
brackets like COMP-01|COMP-02 | SERVICE ACCOUNT-1 | and so on. I was 
wondering, if I have a whole bunch of computer/service accounts (i.e. 
COMP-01, COMP-02), how to use a regular expression to enter a single filter 
which covers all the machine names (i.e. COMP*.* in DOS-ese).

Thanks,



Re: [ossec-list] Nothing returned (or search expired)

2015-12-28 Thread theresa mic-snare
Yeah, check your webserver logs to see if you see something like this:

Warning: opendir(/var/ossec/etc/ossec.conf) [function.opendir]: failed to open 
dir: Permission denied in /var/www/ossec-wui/lib/os_lib_handle.php on line 94



On Monday, 28 December 2015 16:44:07 UTC+1, dan (ddpbsd) wrote:
>
> On Fri, Dec 25, 2015 at 7:12 AM, Vipin Hooda  
> wrote: 
> > Hi Dan, 
> > 
> > Yes, we have log level 7 alerts in OSSEC-WUI, but I do not know where 
> > I can find the PHP error details. So kindly guide. 
> > 
>
> I believe it will be in your webserver's error log. 
>
> > 
> > Regards 
> > Vipin Hooda 
> > 
> > -Original Message- 
> > From: ossec...@googlegroups.com  [mailto:
> ossec...@googlegroups.com ] On Behalf Of dan (ddp) 
> > Sent: 24 December 2015 18:44 
> > To: ossec...@googlegroups.com  
> > Subject: Re: [ossec-list] Nothing returned (or search expired) 
> > 
> > On Thu, Dec 24, 2015 at 4:25 AM,   wrote: 
> >> Hi, 
> >> 
> >> We have installed OSSEC-WUI, but when we search log level 7 we are 
> >> getting the error "Total alerts found: 5 Nothing returned (or search 
> >> expired)". 
> >> Can someone help to fix the issue? 
> >> 
> > 
> > Are there any level 7 alerts in alerts.log? 
> > Are there any PHP errors that might explain this? 
> > 
> >> Regards 
> >> Vipin Hooda 
> >> 
>
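
As an added example (not theresa's nor the OSSEC project's code) of the two checks she suggests in this thread: a Python helper that pulls PHP "Permission denied" warnings out of a webserver error log and verifies the WUI tmp directory's owner and group. The log sample is constructed around the warning quoted above, and the /var/www/ossec-wui/tmp path and root:apache ownership are assumptions taken from the thread.

```python
import grp
import os
import pwd
import re

# Constructed webserver error-log sample: line 1 wraps the warning quoted above in an
# Apache-style prefix, the rest are made up in the same shape (hypothetical IP/files).
SAMPLE_ERROR_LOG = """\
[Mon Dec 28 10:01:02 2015] [error] [client 10.0.0.5] PHP Warning:  opendir(/var/ossec/etc/ossec.conf) [function.opendir]: failed to open dir: Permission denied in /var/www/ossec-wui/lib/os_lib_handle.php on line 94
[Mon Dec 28 10:01:02 2015] [notice] Apache/2.2 configured -- resuming normal operations
[Mon Dec 28 10:02:15 2015] [error] [client 10.0.0.5] PHP Warning:  fopen(/var/www/ossec-wui/tmp/search.tmp): failed to open stream: Permission denied in /var/www/ossec-wui/lib/os_lib_alerts.php on line 40
"""
# PHP's "Warning: call(path) ...: Permission denied in <file> on line <n>" shape
PERM_DENIED = re.compile(r"Warning:\s+(\w+)\(([^)]*)\).*?Permission denied in (\S+) on line (\d+)")


def wui_permission_errors(log_text):
    """Return (php_call, denied_path, php_file, line) for every permission warning."""
    hits = []
    for line in log_text.splitlines():
        m = PERM_DENIED.search(line)
        if m:
            hits.append((m.group(1), m.group(2), m.group(3), int(m.group(4))))
    return hits


def owner_and_group(path):
    """(owner name, group name) of path; falls back to the numeric id if unknown."""
    st = os.stat(path)
    try:
        owner = pwd.getpwuid(st.st_uid).pw_name
    except KeyError:  # uid without a passwd entry (common in containers)
        owner = str(st.st_uid)
    try:
        group = grp.getgrgid(st.st_gid).gr_name
    except KeyError:
        group = str(st.st_gid)
    return owner, group


def check_wui_tmp(tmp_dir, owner="root", group="apache"):
    """Problems with the WUI tmp directory (empty list = exists and is owner:group).
    root:apache is what the thread suggests; pass your webserver's group if different."""
    if not os.path.isdir(tmp_dir):
        return [f"{tmp_dir} does not exist"]
    have_owner, have_group = owner_and_group(tmp_dir)
    problems = []
    if have_owner != owner:
        problems.append(f"{tmp_dir} is owned by {have_owner}, expected {owner}")
    if have_group != group:
        problems.append(f"{tmp_dir} has group {have_group}, expected {group}")
    return problems


if __name__ == "__main__":
    for call, path, php_file, line in wui_permission_errors(SAMPLE_ERROR_LOG):
        print(f"{call}({path}) denied  <- {php_file}:{line}")
    for p in check_wui_tmp("/var/www/ossec-wui/tmp"):  # assumed WUI install path
        print(p)
```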



Re: [ossec-list] OSSEC regex issues in hostname for custom rule

2015-12-28 Thread dan (ddp)
On Dec 28, 2015 3:17 PM, "Francisco"  wrote:
>
> Hello,
>
> I'm having trouble getting Regex to work in the  field in my
custom OSSEC rule. According to the OSSEC documentation here I should be
able to use a regex in the hostname qualifier.
>

Despite what the documentation might say, I don't think regex works in the
hostname field. Can you give me a link to where it says it works so I can
test and correct the documentation if necessary?

> When I add any regex value to the hostname attribute it seems to be
ignored and never match my rule. I've tried this on 2.8.1 and 2.8.3.
>
> Here is the rule I'm trying to write:
>>
>>
>>   
>> 1002
>> sudo
>> db\w+.blah.net
>> pam_unix(sudo:auth): conversation failed
>> Ignore DB sudo issues for now
>>   
>
>
> I've verified that the regex works as expected using ossec-regex:
>
>> [root@blah ~]# /var/ossec/bin/ossec-regex 'db\w+.blah.net'
>> dbstuff0010.blah.net
>> +OSRegex_Execute: dbstuff0010.blah.net
>> +OS_Regex   : dbstuff0010.blah.net
>
>
>  However, when I run OSSEC-logtest the rule isn't applied:
>
>> [root@blah ~]# /var/ossec/bin/ossec-logtest
>> 2015/12/28 19:50:56 ossec-testrule: INFO: Reading local decoder file.
>> 2015/12/28 19:50:56 ossec-testrule: INFO: Started (pid: 114042).
>> ossec-testrule: Type one log per line.
>>
>> 2015-12-25T06:04:13+00:00 dbstuff0010.blah.net sudo:
pam_unix(sudo:auth): conversation failed
>>
>>
>> **Phase 1: Completed pre-decoding.
>>full event: '2015-12-25T06:04:13+00:00 dbstuff0010.blah.net sudo:
pam_unix(sudo:auth): conversation failed '
>>hostname: 'dbstuff0010.blah.net'
>>program_name: 'sudo'
>>log: 'pam_unix(sudo:auth): conversation failed '
>>
>> **Phase 2: Completed decoding.
>>decoder: 'pam'
>>
>> **Phase 3: Completed filtering (rules).
>>Rule id: '1002'
>>Level: '2'
>>Description: 'Unknown problem somewhere in the system.'
>> **Alert to be generated.
>
>
> Removing the  qualifier from the rule allows the rule to match:
>
>> [root@blah ~]# /var/ossec/bin/ossec-logtest
>> 2015/12/28 19:53:09 ossec-testrule: INFO: Reading local decoder file.
>> 2015/12/28 19:53:09 ossec-testrule: INFO: Started (pid: 115629).
>> ossec-testrule: Type one log per line.
>>
>> 2015-12-25T06:04:13+00:00 dbstuff0010.blah.net sudo:
pam_unix(sudo:auth): conversation failed
>>
>>
>> **Phase 1: Completed pre-decoding.
>>full event: '2015-12-25T06:04:13+00:00 dbstuff0010.blah.net sudo:
pam_unix(sudo:auth): conversation failed '
>>hostname: 'dbstuff0010.blah.net'
>>program_name: 'sudo'
>>log: 'pam_unix(sudo:auth): conversation failed '
>>
>> **Phase 2: Completed decoding.
>>decoder: 'pam'
>>
>> **Phase 3: Completed filtering (rules).
>>Rule id: '100050'
>>Level: '0'
>>Description: 'Ignore DB sudo issues for now'
>
>
> I've tried the following regexes for the  qualifier and nothing
worked in the rule:
>
> db\w+.blah.net
> db(\w+).blah.net
> db(\S+).blah.net
> db(\.*).blah.net
> db\S+.blah.net
> db\.+
> dbstuff0010.blah.ne\w (for testing..)
> \.* (as a test to attempt to match anything)
>
> Any ideas around here? Has anyone had luck getting regex to work in the
hostname qualifier?
>
> Would appreciate any ideas or help people can offer!
>
> - Francisco
>


[ossec-list] OSSEC regex issues in hostname for custom rule

2015-12-28 Thread Francisco
Hello,

I'm having trouble getting Regex to work in the  field in my 
custom OSSEC rule. According to the OSSEC documentation here I should be 
able to use a regex in the hostname qualifier. 

When I add any regex value to the hostname attribute it seems to be ignored 
and never match my rule. I've tried this on 2.8.1 and 2.8.3.

Here is the rule I'm trying to write:


  
1002
sudo
db\w+.blah.net
pam_unix(sudo:auth): conversation failed
Ignore DB sudo issues for now
  


I've verified that the regex works as expected using ossec-regex:

[root@blah ~]# /var/ossec/bin/ossec-regex 'db\w+.blah.net'
dbstuff0010.blah.net
+OSRegex_Execute: dbstuff0010.blah.net
+OS_Regex   : dbstuff0010.blah.net


However, when I run OSSEC-logtest the rule isn't applied:

[root@blah ~]# /var/ossec/bin/ossec-logtest
2015/12/28 19:50:56 ossec-testrule: INFO: Reading local decoder file.
2015/12/28 19:50:56 ossec-testrule: INFO: Started (pid: 114042).
ossec-testrule: Type one log per line.

2015-12-25T06:04:13+00:00 dbstuff0010.blah.net sudo: pam_unix(sudo:auth): 
conversation failed


**Phase 1: Completed pre-decoding.
   full event: '2015-12-25T06:04:13+00:00 dbstuff0010.blah.net sudo: 
pam_unix(sudo:auth): conversation failed '
   hostname: 'dbstuff0010.blah.net'
   program_name: 'sudo'
   log: 'pam_unix(sudo:auth): conversation failed '

**Phase 2: Completed decoding.
   decoder: 'pam'

**Phase 3: Completed filtering (rules).
   Rule id: '1002'
   Level: '2'
   Description: 'Unknown problem somewhere in the system.'
**Alert to be generated.


Removing the  qualifier from the rule allows the rule to match:

[root@blah ~]# /var/ossec/bin/ossec-logtest
2015/12/28 19:53:09 ossec-testrule: INFO: Reading local decoder file.
2015/12/28 19:53:09 ossec-testrule: INFO: Started (pid: 115629).
ossec-testrule: Type one log per line.

2015-12-25T06:04:13+00:00 dbstuff0010.blah.net sudo: pam_unix(sudo:auth): 
conversation failed


**Phase 1: Completed pre-decoding.
   full event: '2015-12-25T06:04:13+00:00 dbstuff0010.blah.net sudo: 
pam_unix(sudo:auth): conversation failed '
   hostname: 'dbstuff0010.blah.net'
   program_name: 'sudo'
   log: 'pam_unix(sudo:auth): conversation failed '

**Phase 2: Completed decoding.
   decoder: 'pam'

**Phase 3: Completed filtering (rules).
   Rule id: '100050'
   Level: '0'
   Description: 'Ignore DB sudo issues for now'


I've tried the following regexes for the  qualifier and nothing 
worked in the rule:


   - db\w+.blah.net
   - db(\w+).blah.net
   - db(\S+).blah.net
   - db(\.*).blah.net
   - db\S+.blah.net
   - db\.+
   - dbstuff0010.blah.ne\w (for testing..)
   - \.* (as a test to attempt to match anything)


Any ideas around here? Has anyone had luck getting regex to work in the 
hostname qualifier?

Would appreciate any ideas or help people can offer!

- Francisco
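
An added example, not from either poster nor from the OSSEC project, serving both the after-hours login question above (one filter for all COMP-nn accounts instead of COMP-01|COMP-02|...) and this hostname thread: a small Python approximation of OSSEC's documented regex dialect, so a pattern can be tried against a list of names before it goes into a rule. The account and host names are constructed, and the translation follows only the documented character classes, so it is an assumption about the real engine; confirm a pattern with /var/ossec/bin/ossec-regex as Francisco did, and note dan's reply that the hostname field may not take a regex at all.

```python
import re

# Character classes of OSSEC's own regex dialect (OS_Regex), per the OSSEC docs:
#   \w = A-Z a-z 0-9 @ - _    \d = 0-9    \s = space    \t = tab
#   \p = ()*+,-.:;<=>?[]!"'#$%&|{}    \W \D \S = the complements of \w \d \s
#   \. = ANY character, while a bare "." is a literal dot (the reverse of PCRE)
_OS_CLASSES = {
    "w": r"[A-Za-z0-9@_\-]",
    "d": r"[0-9]",
    "s": r" ",
    "t": r"\t",
    "p": r"""[()*+,\-.:;<=>?\[\]!"'#$%&|{}]""",
    "W": r"[^A-Za-z0-9@_\-]",
    "D": r"[^0-9]",
    "S": r"[^ ]",
    ".": r".",
}
_OS_META = set("^$|()+*")  # operators that mean the same thing in both dialects


def os_regex_to_python(pattern):
    """Translate an OSSEC-dialect pattern into an equivalent Python regex string."""
    out, i = [], 0
    while i < len(pattern):
        c = pattern[i]
        if c == "\\" and i + 1 < len(pattern):
            nxt = pattern[i + 1]
            # an escape that is not a class (e.g. "\(") is taken as that literal char
            out.append(_OS_CLASSES.get(nxt, re.escape(nxt)))
            i += 2
            continue
        out.append(c if c in _OS_META else re.escape(c))
        i += 1
    return "".join(out)


def os_regex_match(pattern, text):
    """True if the pattern matches anywhere in text, as ossec-regex reports a match."""
    return re.search(os_regex_to_python(pattern), text) is not None


def filter_accounts(pattern, accounts):
    """The accounts a rule using this pattern would catch (e.g. in order to ignore them)."""
    return [a for a in accounts if os_regex_match(pattern, a)]


# Constructed sample data modelled on the two threads; all names are hypothetical.
ACCOUNTS = ["COMP-01", "COMP-02", "SERVICE ACCOUNT-1", "jsmith", "comp-zz"]
HOSTS = ["dbstuff0010.blah.net", "dbstuff0010xblah.net", "web01.blah.net"]

if __name__ == "__main__":
    print(filter_accounts("^COMP-\\d+$", ACCOUNTS))  # one filter for every COMP-nn
    print(filter_accounts("^COMP-\\d+$|^SERVICE\\s", ACCOUNTS))
    for h in HOSTS:  # Francisco's pattern: "." is literal, so only the first host matches
        print(h, os_regex_match("db\\w+.blah.net", h))
```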
