[ossec-list] Re: Can't find resolution for these error messages

2016-03-19 Thread Victor Fernandez
Hi Ben.

The first error is normal, or at least predictable: since an 
agent-less isn't an agent, it can't receive active responses. Active 
responses are generated by the rule analyzer (analysisd), which doesn't 
distinguish between agents and agent-less, so the remote daemon, which 
sends the active-response commands, shows that error because it can't find 
the agent. But it isn't a critical error.

Regarding the second problem, there is a hardcoded limit of 10 attempts 
in agentless/agentless.c:

/* Main monitor loop */

/* (...) */

while(lessdc.entries[i])
{
    if(lessdc.entries[i]->error_flag >= 10)
    {
        if(lessdc.entries[i]->error_flag != 99)
        {
            merror("%s: ERROR: Too many failures for '%s'. Ignoring it.",
                   ARGV0, lessdc.entries[i]->type);
            lessdc.entries[i]->error_flag = 99;
        }

        i++;
        sleep(i);
        continue;
    }

Because of the last 3 lines, after 10 attempts the program continues and no 
longer tries to execute the command. Maybe by deleting them (i++; sleep(i); 
continue;) the program would retry executing the command.

We're testing it in our development environment and we'll include the 
changes in our repository at Wazuh.

Best regards.
Victor.

-- 

--- 
You received this message because you are subscribed to the Google Groups 
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to ossec-list+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
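
Added example, not code from OSSEC, Wazuh or the message above: a small model of the failure accounting in the quoted excerpt, comparing "ignore after 10 failures" with a cool-down-and-probe variant that lets monitoring resume once the target comes back. Only the limit 10 and the sentinel 99 come from the excerpt; the struct, function names, pass-based timing, COOLDOWN value and the way failures are counted are assumptions.

```c
#include <stdio.h>

#define MAX_FAILS 10   /* limit quoted in the message */
#define IGNORED   99   /* sentinel value quoted in the message */
#define COOLDOWN  5    /* assumed: loop passes to wait before probing again */

/* Hypothetical stand-in for one agentless entry; not the OSSEC struct. */
struct entry {
    int error_flag;    /* consecutive failures, or IGNORED */
    int wait;          /* cool-down passes left (cool-down policy only) */
    int runs;          /* how often the command was actually executed */
};

/* Constructed target: unreachable during passes [0, down_until). */
static int command_ok(int pass, int down_until) { return pass >= down_until; }

/* Policy of the quoted excerpt: after MAX_FAILS the entry is skipped forever. */
static void pass_ignore(struct entry *e, int pass, int down_until)
{
    if (e->error_flag >= MAX_FAILS) {
        e->error_flag = IGNORED;   /* reported once, never executed again */
        return;
    }
    e->runs++;
    if (command_ok(pass, down_until))
        e->error_flag = 0;         /* assumed: a success clears the counter */
    else
        e->error_flag++;           /* assumed: a failure increments it */
}

/* Alternative: after MAX_FAILS, pause COOLDOWN passes, then probe once. */
static void pass_cooldown(struct entry *e, int pass, int down_until)
{
    if (e->wait > 0) {             /* still cooling down */
        e->wait--;
        return;
    }
    e->runs++;
    if (command_ok(pass, down_until)) {
        e->error_flag = 0;         /* monitoring resumes at full rate */
        return;
    }
    if (++e->error_flag >= MAX_FAILS) {
        e->error_flag = MAX_FAILS; /* cap: one probe per cool-down period */
        e->wait = COOLDOWN;
    }
}

/* Run `passes` loop iterations; returns 1 if the entry is healthy at the end. */
static int simulate(void (*policy)(struct entry *, int, int),
                    int passes, int down_until, struct entry *out)
{
    struct entry e = {0, 0, 0};
    for (int p = 0; p < passes; p++)
        policy(&e, p, down_until);
    *out = e;
    return e.error_flag == 0;
}

int main(void)
{
    struct entry e;
    /* Constructed scenario: target is down for the first 25 of 40 passes. */
    int ok = simulate(pass_ignore, 40, 25, &e);
    printf("ignore:    healthy=%d runs=%d error_flag=%d\n", ok, e.runs, e.error_flag);
    ok = simulate(pass_cooldown, 40, 25, &e);
    printf("cool-down: healthy=%d runs=%d error_flag=%d\n", ok, e.runs, e.error_flag);
    return 0;
}
```

In this model the first policy leaves the entry unmonitored for the rest of the run even after the target recovers, while the second spends one probe per cool-down period and picks the entry up again.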


[ossec-list] Re: Scaling OSSEC (presentation from OpenNSM project / scripts / rules)

2016-03-19 Thread Brian Kellogg
Very nice, and thank you!


On Friday, March 18, 2016 at 9:37:19 AM UTC-4, Rodrigo Montoro (Sp0oKeR) 
wrote:
>
> Presentation here: https://www.youtube.com/watch?v=TllGa-POslQ
>
> Nice content here  https://github.com/ncsa/ossec-tools
>
> Custom AR scripts
>
>    - active-response/virustotal_lookup.sh/virus_total.py - Look up hash
>      from syscheck alerts in VT database
>    - active-response/cymru_lookup.sh - Look up hash from syscheck alerts
>      in Team Cymru Malware Hash Registry
>    - active-response/puppetdb_lookup.sh - Look up managed files in
>      PuppetDB
>    - active-response/rpm_lookup.sh - Look up files that changed from RPM
>      install (must be present on agents)
>    - active-response/deb_lookup.sh - Look up file that changes from DEB
>      install (must be present on agents)
>    - active-response/time_lookup.sh - Check if system clock is off or
>      time zone differs for analyzed logs
>    - active-response/command_search.sh - Search for malicious commands
>      across logs
>    - active-response/cif.sh - Create intelligence feed from alerts
>    - active-response/bhr.sh - Block hosts at perimeter using Black Hole
>      Router by Justin Azoff
>    - active-response/add_to_cdb.sh - Add entries from alerts to system
>      database e.g. system users
>    - active-response/rule-all.sh - Run many of the above scripts
>    - active-response/syscheck-all.sh - Run many of the syscheck scripts
>
> And more rules and tips there.
>
> Regards,
> -- 
> Rodrigo Montoro (Sp0oKeR)
> http://spookerlabs.blogspot.com
> http://www.twitter.com/spookerlabs
> http://www.linkedin.com/in/spooker
>



Re: [ossec-list] Emails are not going

2016-03-19 Thread dan (ddp)
On Mar 18, 2016 9:33 PM, "sandeep dubey" wrote:
>
> Yes, it attempts but emails are not landing in inbox.
>

Is ossec-maild sending to a local (to the server) mailbox? If so, check the
maillog. If not, use tcpdump to see why it is failing.

> On Fri, Mar 18, 2016 at 8:13 PM, dan (ddp) wrote:
>>
>> On Fri, Mar 18, 2016 at 10:40 AM, sandeep dubey wrote:
>> > Hi,
>> >
>> > I am running OSSEC version 2.8.3-3trusty on 100+ nodes on AWS EC2.
>> > Recently I noticed that alerts are not being sent from ossec, not even
>> > a single one. It was working fine a couple of days earlier. While
>> > digging into this I observed that it is not working for an email group
>> > but is working for individual email ids.
>> >
>> > Can someone help to identify the issue and fix it? The same setup with
>> > the same email group is working at another system. The only difference
>> > between these two setups is that one has 100+ servers, where it has
>> > stopped working, and another has 15-20 nodes, where it is working.
>> >
>> > I tried restarting ossec services; ossec-maild is working, local
>> > sendmail service is also working, test emails are going fine.
>>
>> Does ossec-maild attempt to send anything?
>>
>> >
>> > Current configuration is -
>> >
>> > 
>> > yes
>> > x...@domain.com
>> > a...@domain.com
>> > 1...@domain.com
>> > localhost
>> > oss...@ossec.domain.com
>> >   
>> > -
>> > -
>> > -
>> > -
>> > 
>> > 1
>> > 8
>> >   
>> >
>> >   
>> > cloud-t...@domain.com
>> > 8
>> > 
>> >   
>> >
>> > --
>> > Regards,
>> > Sandeep
>> >
>
> --
> Regards,
> Sandeep
>


Re: [ossec-list] Emails are not going

2016-03-19 Thread Ryan Schulze
There are a couple hops between ossec-maild and your inbox. Since you 
said maild is attempting to send the emails: where do they get stuck, 
does the local MTA have them, what is in the mail daemon's logs?


On 3/18/2016 8:33 PM, sandeep dubey wrote:

Yes, it attempts but emails are not landing in inbox.

On Fri, Mar 18, 2016 at 8:13 PM, dan (ddp) wrote:

On Fri, Mar 18, 2016 at 10:40 AM, sandeep dubey
<sandeep.san...@gmail.com> wrote:
> Hi,
>
> I am running OSSEC version 2.8.3-3trusty on 100+ nodes on AWS EC2.
> Recently I noticed that alerts are not being sent from ossec, not even
> a single one. It was working fine a couple of days earlier. While
> digging into this I observed that it is not working for an email group
> but is working for individual email ids.
>
> Can someone help to identify the issue and fix it? The same setup with
> the same email group is working at another system. The only difference
> between these two setups is that one has 100+ servers, where it has
> stopped working, and another has 15-20 nodes, where it is working.
>
> I tried restarting ossec services; ossec-maild is working, local
> sendmail service is also working, test emails are going fine.
>

Does ossec-maild attempt to send anything?

>
> Current configuration is -
>
> 
>  yes
> x...@domain.com 
> a...@domain.com 
> 1...@domain.com 
>  localhost
> oss...@ossec.domain.com

>   
> -
> -
> -
> -
> 
>  1
>  8
>   
>
>   
> cloud-t...@domain.com

> 8
> 
>   
>
> --
> Regards,
> Sandeep
>

--
Regards,
Sandeep


Re: [ossec-list] Scaling OSSEC (presentation from OpenNSM project / scripts / rules)

2016-03-19 Thread Antonio Querubin
Nice work!

Sent from my iPad

> On Mar 18, 2016, at 03:36, Rodrigo Montoro (Sp0oKeR) wrote:
> 
> Presentation here: https://www.youtube.com/watch?v=TllGa-POslQ
> 
> Nice content here  https://github.com/ncsa/ossec-tools
> 
> Custom AR scripts
> 
> - active-response/virustotal_lookup.sh/virus_total.py - Look up hash from 
>   syscheck alerts in VT database
> - active-response/cymru_lookup.sh - Look up hash from syscheck alerts in Team 
>   Cymru Malware Hash Registry
> - active-response/puppetdb_lookup.sh - Look up managed files in PuppetDB
> - active-response/rpm_lookup.sh - Look up files that changed from RPM install 
>   (must be present on agents)
> - active-response/deb_lookup.sh - Look up file that changes from DEB install 
>   (must be present on agents)
> - active-response/time_lookup.sh - Check if system clock is off or time zone 
>   differs for analyzed logs
> - active-response/command_search.sh - Search for malicious commands across logs
> - active-response/cif.sh - Create intelligence feed from alerts
> - active-response/bhr.sh - Block hosts at perimeter using Black Hole Router by 
>   Justin Azoff
> - active-response/add_to_cdb.sh - Add entries from alerts to system database 
>   e.g. system users
> - active-response/rule-all.sh - Run many of the above scripts
> - active-response/syscheck-all.sh - Run many of the syscheck scripts
> 
> And more rules and tips there.
> 
> Regards,
> -- 
> Rodrigo Montoro (Sp0oKeR)
> http://spookerlabs.blogspot.com
> http://www.twitter.com/spookerlabs
> http://www.linkedin.com/in/spooker


[ossec-list] important questions on CDB lists

2016-03-19 Thread theresa mic-snare
ehlo *,

I have an important question about CDB lists, as I'm just researching for 
my thesis on OSSEC.
yes, i've read the documentation on readthedocs, maybe i'm too daft to 
understand it.

what I have done so far:

I've created a file called "baddomains" in /var/ossec/lists/
content is from zeustracker 
(https://zeustracker.abuse.ch/blocklist.php?download=baddomains)

I've added the list in the  section
lists/baddomains

i've run 
  # bin/ossec-makelists


I'm not quite sure what the purpose of the CDB lists is. Should a rule 
fire as soon as one of those domains (content of baddomains) is attacking 
me?!
I don't think I've yet understood the positive/negative key match of it

can someone please explain it to me with a real-life example?

also what does CDB stand for? I haven't found that in the OSSEC Docs 
either
common database? central database?!

thanks,
theresa



[ossec-list] Custom integrity checking rules question

2016-03-19 Thread thak
Hi, 

We added /var/application directories to our application servers' 
ossec.conf file, but we just rolled an application update (introducing new 
files and absolutely modifying older ones) and didn't get any updates. 

Any ideas on a likely issue here? Do we need to run the command to clear 
the syscheck file integrity database? Is there some requirement that OSSEC 
"rebaseline" the integrity hashes, such that they pick up this new rule's 
target directories? 



[ossec-list] Re: ssh_asa-fwsmconfig_diff

2016-03-19 Thread Brent Morris
Hi Yurii,

Did you use the register_host.sh script as documented at 
http://ossec-docs.readthedocs.org/en/latest/manual/agent/agentless-monitoring.html 
?  If so, there should be a file called .passlist in the 
/var/ossec/agentless folder.  Open that file and ensure the information is 
correct.

You can test your agentless with this method.

Be sure your current working directory is /var/ossec

pwd
/var/ossec

From there..

./agentless/ssh_asa-fwsmconfig_diff user...@192.168.0.1

Check the output and see where the trouble is.

Hope this helps!!!

-Brent





On Wednesday, March 16, 2016 at 8:24:29 AM UTC-7, Yurii Shatylo wrote:
>
> Dear Colleagues,
>
> Could you give me a hand with my issue?
> I've put credentials to the *ssh_asa-fwsmconfig_diff* and as the result 
> I've got (2016/03/16 11:29:13 ossec-agentlessd: INFO: Test passed for 
> 'ssh_asa-fwsmconfig_diff). After that I deleted an ACL on the Cisco ASA but 
> nothing happened. It seems like the script which produces the difference is 
> not working. 
> *There is my general config file:*
>
> 
>   ssh_asa-fwsmconfig_diff
>   300
>   user...@192.168.0.1 
>   periodic_diff
>  
>
> *Thank you in advance.*
> *Yurii*
>



Re: [ossec-list] Emails are not going

2016-03-19 Thread dan (ddp)
On Fri, Mar 18, 2016 at 10:40 AM, sandeep dubey wrote:
> Hi,
>
> I am running OSSEC version 2.8.3-3trusty on 100+ nodes on AWS EC2.
> Recently I noticed that alerts are not being sent from ossec, not even
> a single one. It was working fine a couple of days earlier. While
> digging into this I observed that it is not working for an email group
> but is working for individual email ids.
>
> Can someone help to identify the issue and fix it? The same setup with
> the same email group is working at another system. The only difference
> between these two setups is that one has 100+ servers, where it has
> stopped working, and another has 15-20 nodes, where it is working.
>
> I tried restarting ossec services; ossec-maild is working, local
> sendmail service is also working, test emails are going fine.
>

Does ossec-maild attempt to send anything?

>
> Current configuration is -
>
> 
> yes
> x...@domain.com
> a...@domain.com
> 1...@domain.com
> localhost
> oss...@ossec.domain.com
>   
> -
> -
> -
> -
> 
> 1
> 8
>   
>
>   
> cloud-t...@domain.com
> 8
> 
>   
>
> --
> Regards,
> Sandeep
>


[ossec-list] ssh_asa-fwsmconfig_diff

2016-03-19 Thread Yurii Shatylo
Dear Colleagues,

Could you give me a hand with my issue?
I've put credentials to the *ssh_asa-fwsmconfig_diff* and as the result 
I've got (2016/03/16 11:29:13 ossec-agentlessd: INFO: Test passed for 
'ssh_asa-fwsmconfig_diff). After that I deleted an ACL on the Cisco ASA but 
nothing happened. It seems like the script which produces the difference is 
not working. 
*There is my general config file:*


  ssh_asa-fwsmconfig_diff
  300
  username@192.168.0.1
  periodic_diff
 

*Thank you in advance.*
*Yurii*



Re: [ossec-list] Facing error while installing ossec agent in Centos 7

2016-03-19 Thread Eero Volotinen
You need to install gcc on your system

On 19.3.2016 at 2.33 PM, "ROSHIN SARATH.S" wrote:

> I tried to install the OSSEC agent (OSSEC HIDS v2.8) on CentOS 7 but am
> getting an error in the final stage.
> The error is below:
>
> 5- Installing the system
>  - Running the Makefile
> ./Makeall: line 127: cc: command not found
> ./Makeall: line 128: ./isbigendian: No such file or directory
> INFO: Little endian set.
>
>  *** Making zlib (by Jean-loup Gailly and Mark Adler)  ***
> make[1]: Entering directory `/home/admin/ossec-hids-2.8.1/src/external'
> cd zlib-1.2.8/; ./configure; make libz.a;
> Checking for gcc...
> Compiler error reporting is too harsh for ./configure (perhaps remove
> -Werror).
> ** ./configure aborting.
> make[2]: Entering directory
> `/home/admin/ossec-hids-2.8.1/src/external/zlib-1.2.8'
> make[2]: *** No rule to make target `libz.a'.  Stop.
> make[2]: Leaving directory
> `/home/admin/ossec-hids-2.8.1/src/external/zlib-1.2.8'
> make[1]: *** [libz.a] Error 2
> make[1]: Leaving directory `/home/admin/ossec-hids-2.8.1/src/external'
>
> Error Making zlib
> make: *** [all] Error 1
>
>  Error 0x5.
>  Building error. Unable to finish the installation.
>
>
> please help me on this
>


[ossec-list] Facing error while installing ossec agent in Centos 7

2016-03-19 Thread ROSHIN SARATH.S
I tried to install the OSSEC agent (OSSEC HIDS v2.8) on CentOS 7 but am 
getting an error in the final stage. 
The error is below:

5- Installing the system
 - Running the Makefile
./Makeall: line 127: cc: command not found
./Makeall: line 128: ./isbigendian: No such file or directory
INFO: Little endian set.

 *** Making zlib (by Jean-loup Gailly and Mark Adler)  *** 
make[1]: Entering directory `/home/admin/ossec-hids-2.8.1/src/external'
cd zlib-1.2.8/; ./configure; make libz.a;
Checking for gcc...
Compiler error reporting is too harsh for ./configure (perhaps remove -Werror).
** ./configure aborting.
make[2]: Entering directory `/home/admin/ossec-hids-2.8.1/src/external/zlib-1.2.8'
make[2]: *** No rule to make target `libz.a'.  Stop.
make[2]: Leaving directory `/home/admin/ossec-hids-2.8.1/src/external/zlib-1.2.8'
make[1]: *** [libz.a] Error 2
make[1]: Leaving directory `/home/admin/ossec-hids-2.8.1/src/external'

Error Making zlib
make: *** [all] Error 1

 Error 0x5.
 Building error. Unable to finish the installation.


please help me on this 



Re: [ossec-list] important questions on CDB lists

2016-03-19 Thread theresa mic-snare
Ahh, I think I've now got it :)
also found a very good example that showcases it better.

silly me ;)

On Friday, 18 March 2016 at 20:45:31 UTC+1, Eero Volotinen wrote:
>
> Err. You must be joking? Try googling with 'CDB'.
>
> Eero
> On 18.3.2016 at 9.42 PM, "theresa mic-snare" wrote:
>
>> ehlo *,
>>
>> I have an important question about CDB lists, as I'm just researching for 
>> my thesis on OSSEC.
>> yes, i've read the documentation on readthedocs, maybe i'm too daft to 
>> understand it.
>>
>> what I have done so far:
>>
>> I've created a file called "baddomains" in /var/ossec/lists/
>> content is from zeustracker (
>> https://zeustracker.abuse.ch/blocklist.php?download=baddomains)
>>
>> I've added the list in the  section
>> lists/baddomains
>>
>> i've run 
>>   # bin/ossec-makelists
>>
>>
>> I'm not quite sure what the purpose of the CDB lists is. Should a rule 
>> fire as soon as one of those domains (content of baddomains) is attacking 
>> me?!
>> I don't think I've yet understood the positive/negative key match of it
>>
>> can someone please explain it to me with a real-life example?
>>
>> also what does CDB stand for? I haven't found that in the OSSEC Docs 
>> either
>> common database? central database?!
>>
>> thanks,
>> theresa
>>


[ossec-list] Scaling OSSEC (presentation from OpenNSM project / scripts / rules)

2016-03-19 Thread Rodrigo Montoro(Sp0oKeR)
Presentation here: https://www.youtube.com/watch?v=TllGa-POslQ

Nice content here  https://github.com/ncsa/ossec-tools

Custom AR scripts

   - active-response/virustotal_lookup.sh/virus_total.py - Look up hash
   from syscheck alerts in VT database
   - active-response/cymru_lookup.sh - Look up hash from syscheck alerts in
   Team Cymru Malware Hash Registry
   - active-response/puppetdb_lookup.sh - Look up managed files in PuppetDB
   - active-response/rpm_lookup.sh - Look up files that changed from RPM
   install (must be present on agents)
   - active-response/deb_lookup.sh - Look up file that changes from DEB
   install (must be present on agents)
   - active-response/time_lookup.sh - Check if system clock is off or time
   zone differs for analyzed logs
   - active-response/command_search.sh - Search for malicious commands
   across logs
   - active-response/cif.sh - Create intelligence feed from alerts
   - active-response/bhr.sh - Block hosts at perimeter using Black Hole
   Router by Justin Azoff
   - active-response/add_to_cdb.sh - Add entries from alerts to system
   database e.g. system users
   - active-response/rule-all.sh - Run many of the above scripts
   - active-response/syscheck-all.sh - Run many of the syscheck scripts

And more rules and tips there.

Regards,
-- 
Rodrigo Montoro (Sp0oKeR)
http://spookerlabs.blogspot.com
http://www.twitter.com/spookerlabs
http://www.linkedin.com/in/spooker



Re: [ossec-list] Emails are not going

2016-03-19 Thread sandeep dubey
Yes, it attempts but emails are not landing in inbox.

On Fri, Mar 18, 2016 at 8:13 PM, dan (ddp) wrote:

> On Fri, Mar 18, 2016 at 10:40 AM, sandeep dubey wrote:
> > Hi,
> >
> > I am running OSSEC version 2.8.3-3trusty on 100+ nodes on AWS EC2.
> > Recently I noticed that alerts are not being sent from ossec, not even
> > a single one. It was working fine a couple of days earlier. While
> > digging into this I observed that it is not working for an email group
> > but is working for individual email ids.
> >
> > Can someone help to identify the issue and fix it? The same setup with
> > the same email group is working at another system. The only difference
> > between these two setups is that one has 100+ servers, where it has
> > stopped working, and another has 15-20 nodes, where it is working.
> >
> > I tried restarting ossec services; ossec-maild is working, local
> > sendmail service is also working, test emails are going fine.
> >
>
> Does ossec-maild attempt to send anything?
>
> >
> > Current configuration is -
> >
> > 
> > yes
> > x...@domain.com
> > a...@domain.com
> > 1...@domain.com
> > localhost
> > oss...@ossec.domain.com
> >   
> > -
> > -
> > -
> > -
> > 
> > 1
> > 8
> >   
> >
> >   
> > cloud-t...@domain.com
> > 8
> > 
> >   
> >
> > --
> > Regards,
> > Sandeep
> >

-- 
Regards,
Sandeep
