[ossec-list] Re: USB storage detect & recursive file list
I have a batch script I wrote that could be used in replacement of PowerShell...

    @echo off
    rem Ask WMI for every removable logical disk (drivetype=2) and keep its letter.
    rem /format:value prints "Name=F:"; "tokens=2 delims==" leaves "F:".
    rem wmic ends each line with a stray carriage return, so the inner loop
    rem re-reads the token to drop it; with several drives the last one wins.
    set var=
    for /f "tokens=2 delims==" %%d in ('wmic logicaldisk where "drivetype=2" get name /format:value') do (
        for /f "delims=" %%e in ("%%d") do set var=%%e
    )
    rem List the drive recursively. With no removable drive present %var% is
    rem empty, so "dir /s" lists the directory the script was started from.
    dir /s %var% > C:\temp\test.txt
    type C:\temp\test.txt
    pause

The output is this when USB drives are available:

     Volume in drive F is F
     Volume Serial Number is 2971-7DFC

     Directory of F:\

    08/11/2015  09:21 PM        12,836,794 38 Special - Caught Up In You.mp4
    08/11/2015  09:21 PM        13,973,320 38 Special - Hold On Loosely.mp4
    08/11/2015  09:14 PM        10,296,703 Alanis Morissette - Hand In My Pocket.mp4
    08/11/2015  09:15 PM        19,490,518 Alanis Morissette - Ironic OFFICIAL VIDEO.mp4
    08/11/2015  07:46 PM        10,015,763 All That Remains - Hold On.mp4
    08/11/2015  07:46 PM        14,173,662 All That Remains - What If I Was Nothing.mp4
    08/11/2015  07:20 PM        14,071,850 Andy Grammer - Honey Im Good Official Music Video.mp4

And this when none are inserted (this being run from my user's Desktop directory... I was looking at running this .bat from the ossec agent side bin, or a sub folder of that..):

     Volume in drive C has no label.
     Volume Serial Number is 84F7-A037

     Directory of C:\Program Files\ossec-agent\active-response\bin

    04/20/2016  05:14 PM    <DIR>          .
    04/20/2016  05:14 PM    <DIR>          ..
    04/19/2016  05:30 PM               515 restart-ossec.cmd
    04/19/2016  05:30 PM             1,520 route-null.cmd
    04/20/2016  05:04 PM               215 usb.bat
                   3 File(s)          2,250 bytes

         Total Files Listed:
                   3 File(s)          2,250 bytes
                   2 Dir(s)  860,057,559,040 bytes free

One of my concerns is getting this script's info into the email alerts as well as into OSSEC's host logs, in order to search via a keyword, say "usb", in ELSA... I am still not totally up to speed on how this works..
On Wednesday, April 20, 2016 at 3:23:31 PM UTC-5, Jacob Mcgrath wrote:
> Wonder if I could wrap it into a test.ps1 and execute it through
>
>     powershell.exe -noprofile -executionpolicy bypass -file .\test.ps1
>
> On Tuesday, April 19, 2016 at 2:23:39 PM UTC-5, Jacob Mcgrath wrote:
>> I have a basic Windows agent setting to alert me when a storage device is
>> detected using PowerShell..
>>
>>     <localfile>
>>       <log_format>full_command</log_format>
>>       <command>powershell.exe -command "gwmi win32_diskdrive | select Model,InterfaceType,serialnumber,Size,MediaType,CapabilityDescriptions > C:\temp\usbdetect.txt ; (gc C:\temp\usbdetect.txt | select -Skip 2)"</command>
>>       <frequency>300</frequency>
>>       <alias>USBDevices</alias>
>>     </localfile>
>>
>> with the following rule in local_rules.xml
>>
>>     <rule id="503002" level="7">
>>       <if_sid>530</if_sid>
>>       <match>ossec: output: 'USBDevices'</match>
>>       <description>Mounted Device change detected</description>
>>     </rule>
>>
>> Of course I get this alert which is nice for basic logging..
>>
>>     OSSEC HIDS Notification.
>>     2016 Apr 19 18:35:31
>>
>>     Received From: (mis41) any->USBDevices
>>     Rule: 503002 fired (level 7) -> "Mounted Device change detected"
>>     Portion of the log(s):
>>
>>     ossec: output: 'USBDevices':
>>     Model                  : TOSHIBA DT01ACA100 SCSI Disk Device
>>     InterfaceType          : IDE
>>     serialnumber           : 359ZMW6MS
>>     Size                   : 1000202273280
>>     MediaType              : Fixed hard disk media
>>     CapabilityDescriptions : {Random Access, Supports Writing, SMART Notification}
>>
>>     Model                  : Verbatim STORE N GO USB Device
>>     InterfaceType          : USB
>>     serialnumber           : AA000489
>>     Size                   : 16022845440
>>     MediaType              : Removable Media
>>     CapabilityDescriptions : {Random Access, Supports Writing, Supports Removable Media}
>>
>>     Model                  : Verbatim STORE N GO USB Device
>>     InterfaceType          : USB
>>     serialnumber           : AA000489
>>     Size                   : 16022845440
>>     MediaType              : Removable Media
>>     CapabilityDescriptions : {Random Access, Supports Writing, Supports Removable M
>>
>>     --END OF NOTIFICATION
>>
>> I was playing around with PowerShell and have an optional command to print
>> out USB storage device files recursively...
>>
>>     powershell.exe $USBDrive = Get-WmiObject Win32_Volume -Filter "DriveType='2'" | select -expand driveletter ; Get-Childitem $USBDrive -recurse > C:\temp\test.txt ; (gc C:\temp\test.txt | select -Skip 2)
>>
>> this gives me this output in a tmp.txt if run from a powershell window
>> and or run line.
>>
>>         Directory: F:\
>>
>>     Mode                LastWriteTime     Length Name
>>     ----                -------------     ------ ----
>>     -a---        11/06/2015 12:38 PM       2290 mbam-setup-2.2.0.1024.exe
>>     -a---        12/21/2014  9:27 AM  397798952
[ossec-list] postfix-reject decoder not working with port in log entry
Hi,

Trying to configure OSSEC for our mail server I noticed that our postfix log format is different from what OSSEC expects with the default rules. The postfix-reject decoder reads the source IP and an error id, but in our logs there is also a port present (instead of "[x.x.x.x]: id" we have "[ip]:port: id"). Here is a (shortened) example log entry:

    Apr 18 09:31:42 server postfix/postscreen[13433]: NOQUEUE: reject: RCPT from [x.x.x.x]:9011: 550 5.7.1 Service unavailable; client [ip] blocked using ...

I now tried to overwrite the "postfix-reject" decoder locally (I hesitated to modify it directly because I thought updates would overwrite the decoder file). The problem is that decoders can't have the same name and there is no "overwrite" option as there is for rules. Adding another decoder and overwriting rule 3300 (Grouping of the postfix reject rules.) also showed no effect, probably because the old decoder matches before any decoder in "local-decoders.xml" has a chance to match the log entry.

Is it correct that I should try not to change the shipped decoders/rules but create my own ones? And is there a way to overwrite a decoder (or have I completely missed some different way to solve this problem)?

I hope this is the correct list to ask this question and thank you for any ideas.

Regards,
Tobias Margiani

--
---
You received this message because you are subscribed to the Google Groups "ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to ossec-list+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
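The mismatch described in this post comes down to one optional token between the closing bracket and the status code. As an added illustration that is not part of the post or of OSSEC's shipped decoder set, the Python below runs a pattern modelled on the stock decoder (my approximation; the real decoder is written in OSSEC's own regex dialect) and an extended pattern with an optional, non-captured ":port" group over two constructed log lines, one in each shape. Function names, the sample lines and the documentation-range addresses are mine.

```python
import re

# Constructed log lines (addresses are from the documentation ranges). The first
# has the "[ip]:port: code" shape reported in this thread, the second the
# "name[ip]: code" shape the shipped decoder was written for.
LINES = [
    "Apr 18 09:31:42 server postfix/postscreen[13433]: NOQUEUE: reject: RCPT from "
    "[192.0.2.10]:9011: 550 5.7.1 Service unavailable; client [192.0.2.10] blocked using bl.example.invalid",
    "Apr 18 09:32:01 server postfix/smtpd[13500]: NOQUEUE: reject: RCPT from "
    "unknown[198.51.100.7]: 554 5.7.1 <someone@example.invalid>: Relay access denied",
]

# Modelled on the stock postfix-reject decoder (assumption: the real one is in
# OSSEC's regex dialect, not Python's): bracketed client address, then ": code".
STOCK = re.compile(r"NOQUEUE: reject: RCPT from \S*?\[([^\]]+)\]: (\d+) ")

# Same two capture groups, plus an optional, non-captured ":port" after the "]".
WITH_PORT = re.compile(r"NOQUEUE: reject: RCPT from \S*?\[([^\]]+)\](?::\d+)?: (\d+) ")


def decode(line, pattern=WITH_PORT):
    """Return the fields an <order>srcip, id</order> decoder would fill, or None."""
    m = pattern.search(line)
    if m is None:
        return None
    return {"srcip": m.group(1), "id": m.group(2)}


def decode_all(lines, pattern=WITH_PORT):
    """Decode a batch, keeping None for lines the pattern does not understand."""
    return [decode(line, pattern) for line in lines]


if __name__ == "__main__":
    for line in LINES:
        print("stock    :", decode(line, STOCK))
        print("with port:", decode(line, WITH_PORT))
```

The stock-style pattern returns None for the postscreen line and the extended one decodes both, which is the behaviour a replacement decoder needs. Translating it for OSSEC is not a copy-paste job: OSSEC's regex dialect has no `?` quantifier and no `(?:...)` groups, so the optional port has to be expressed with the constructs it does offer, and the result tested against both line shapes before it goes into production.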
[ossec-list] Re: USB storage detect & recursive file list
Wonder if I could wrap it into a test.ps1 and execute it through

    powershell.exe -noprofile -executionpolicy bypass -file .\test.ps1

On Tuesday, April 19, 2016 at 2:23:39 PM UTC-5, Jacob Mcgrath wrote:
> I have a basic Windows agent setting to alert me when a storage device is
> detected using PowerShell..
>
>     <localfile>
>       <log_format>full_command</log_format>
>       <command>powershell.exe -command "gwmi win32_diskdrive | select Model,InterfaceType,serialnumber,Size,MediaType,CapabilityDescriptions > C:\temp\usbdetect.txt ; (gc C:\temp\usbdetect.txt | select -Skip 2)"</command>
>       <frequency>300</frequency>
>       <alias>USBDevices</alias>
>     </localfile>
>
> with the following rule in local_rules.xml
>
>     <rule id="503002" level="7">
>       <if_sid>530</if_sid>
>       <match>ossec: output: 'USBDevices'</match>
>       <description>Mounted Device change detected</description>
>     </rule>
>
> Of course I get this alert which is nice for basic logging..
>
>     OSSEC HIDS Notification.
>     2016 Apr 19 18:35:31
>
>     Received From: (mis41) any->USBDevices
>     Rule: 503002 fired (level 7) -> "Mounted Device change detected"
>     Portion of the log(s):
>
>     ossec: output: 'USBDevices':
>     Model                  : TOSHIBA DT01ACA100 SCSI Disk Device
>     InterfaceType          : IDE
>     serialnumber           : 359ZMW6MS
>     Size                   : 1000202273280
>     MediaType              : Fixed hard disk media
>     CapabilityDescriptions : {Random Access, Supports Writing, SMART Notification}
>
>     Model                  : Verbatim STORE N GO USB Device
>     InterfaceType          : USB
>     serialnumber           : AA000489
>     Size                   : 16022845440
>     MediaType              : Removable Media
>     CapabilityDescriptions : {Random Access, Supports Writing, Supports Removable Media}
>
>     Model                  : Verbatim STORE N GO USB Device
>     InterfaceType          : USB
>     serialnumber           : AA000489
>     Size                   : 16022845440
>     MediaType              : Removable Media
>     CapabilityDescriptions : {Random Access, Supports Writing, Supports Removable M
>
>     --END OF NOTIFICATION
>
> I was playing around with PowerShell and have an optional command to print
> out USB storage device files recursively...
>
>     powershell.exe $USBDrive = Get-WmiObject Win32_Volume -Filter "DriveType='2'" | select -expand driveletter ; Get-Childitem $USBDrive -recurse > C:\temp\test.txt ; (gc C:\temp\test.txt | select -Skip 2)
>
> this gives me this output in a tmp.txt if run from a powershell window
> and or run line.
>
>         Directory: F:\
>
>     Mode                LastWriteTime     Length Name
>     ----                -------------     ------ ----
>     -a---        11/06/2015 12:38 PM       2290 mbam-setup-2.2.0.1024.exe
>     -a---        12/21/2014  9:27 AM  397798952 sp66051_driver-pack.exe
>
>         Directory: E:\
>
>     Mode                LastWriteTime     Length Name
>     ----                -------------     ------ ----
>     -a---        12/06/2011  9:51 AM     388608 HijackThis.exe
>     -a---        03/04/2016  2:44 PM       2290 mbam-setup-2.2.0.1024.exe
>     -a---        03/04/2016  2:46 PM       9524 hijackthis.log
>
> I have been attempting to get the above USB recursive file lists
> into a USB detection report but have not had any success as of yet using
> the above command instead of the first, like below.
>
>     <localfile>
>       <log_format>full_command</log_format>
>       <command>powershell.exe $USBDrive = Get-WmiObject Win32_Volume -Filter "DriveType='2'" | select -expand driveletter ; Get-Childitem $USBDrive -recurse > C:\temp\test.txt ; (gc C:\temp\test.txt | select -Skip 2)"</command>
>       <frequency>300</frequency>
>       <alias>USBDevices</alias>
>     </localfile>
>
> This gives me an empty C:\temp\test.txt file...
>
> Any suggestions would be appreciated...
Re: [ossec-list] Re: USB storage detect & recursive file list
I think it has a character limitation; try to remove empty spaces or make the test.txt content shorter.

On Wed, Apr 20, 2016 at 12:39 AM, Jacob Mcgrath wrote:
> Will try dropping the | select -Skip 2 from the Get-Content, see if that
> works, or maybe a -Raw output arg
>
> On Tuesday, April 19, 2016 at 2:23:39 PM UTC-5, Jacob Mcgrath wrote:
>> I have a basic Windows agent setting to alert me when a storage device is
>> detected using PowerShell..
>>
>>     <localfile>
>>       <log_format>full_command</log_format>
>>       <command>powershell.exe -command "gwmi win32_diskdrive | select Model,InterfaceType,serialnumber,Size,MediaType,CapabilityDescriptions > C:\temp\usbdetect.txt ; (gc C:\temp\usbdetect.txt | select -Skip 2)"</command>
>>       <frequency>300</frequency>
>>       <alias>USBDevices</alias>
>>     </localfile>
>>
>> with the following rule in local_rules.xml
>>
>>     <rule id="503002" level="7">
>>       <if_sid>530</if_sid>
>>       <match>ossec: output: 'USBDevices'</match>
>>       <description>Mounted Device change detected</description>
>>     </rule>
>>
>> Of course I get this alert which is nice for basic logging..
>>
>>     OSSEC HIDS Notification.
>>     2016 Apr 19 18:35:31
>>
>>     Received From: (mis41) any->USBDevices
>>     Rule: 503002 fired (level 7) -> "Mounted Device change detected"
>>     Portion of the log(s):
>>
>>     ossec: output: 'USBDevices':
>>     Model                  : TOSHIBA DT01ACA100 SCSI Disk Device
>>     InterfaceType          : IDE
>>     serialnumber           : 359ZMW6MS
>>     Size                   : 1000202273280
>>     MediaType              : Fixed hard disk media
>>     CapabilityDescriptions : {Random Access, Supports Writing, SMART Notification}
>>
>>     Model                  : Verbatim STORE N GO USB Device
>>     InterfaceType          : USB
>>     serialnumber           : AA000489
>>     Size                   : 16022845440
>>     MediaType              : Removable Media
>>     CapabilityDescriptions : {Random Access, Supports Writing, Supports Removable Media}
>>
>>     Model                  : Verbatim STORE N GO USB Device
>>     InterfaceType          : USB
>>     serialnumber           : AA000489
>>     Size                   : 16022845440
>>     MediaType              : Removable Media
>>     CapabilityDescriptions : {Random Access, Supports Writing, Supports Removable M
>>
>>     --END OF NOTIFICATION
>>
>> I was playing around with PowerShell and have an optional command to print
>> out USB storage device files recursively...
>>
>>     powershell.exe $USBDrive = Get-WmiObject Win32_Volume -Filter "DriveType='2'" | select -expand driveletter ; Get-Childitem $USBDrive -recurse > C:\temp\test.txt ; (gc C:\temp\test.txt | select -Skip 2)
>>
>> this gives me this output in a tmp.txt if run from a powershell window
>> and or run line.
>>
>>         Directory: F:\
>>
>>     Mode                LastWriteTime     Length Name
>>     ----                -------------     ------ ----
>>     -a---        11/06/2015 12:38 PM       2290 mbam-setup-2.2.0.1024.exe
>>     -a---        12/21/2014  9:27 AM  397798952 sp66051_driver-pack.exe
>>
>>         Directory: E:\
>>
>>     Mode                LastWriteTime     Length Name
>>     ----                -------------     ------ ----
>>     -a---        12/06/2011  9:51 AM     388608 HijackThis.exe
>>     -a---        03/04/2016  2:44 PM       2290 mbam-setup-2.2.0.1024.exe
>>     -a---        03/04/2016  2:46 PM       9524 hijackthis.log
>>
>> I have been attempting to get the above USB recursive file lists
>> into a USB detection report but have not had any success as of yet using
>> the above command instead of the first, like below.
>>
>>     <localfile>
>>       <log_format>full_command</log_format>
>>       <command>powershell.exe $USBDrive = Get-WmiObject Win32_Volume -Filter "DriveType='2'" | select -expand driveletter ; Get-Childitem $USBDrive -recurse > C:\temp\test.txt ; (gc C:\temp\test.txt | select -Skip 2)"</command>
>>       <frequency>300</frequency>
>>       <alias>USBDevices</alias>
>>     </localfile>
>>
>> This gives me an empty C:\temp\test.txt file...
>>
>> Any suggestions would be appreciated...
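The alert body quoted in this thread lists every disk the WMI query returns, fixed IDE disk included, and repeats the same USB stick twice; the reply above suspects a length limit on what the command output can carry. As an added illustration that is not part of any post here (and not OSSEC or PowerShell code), the Python below parses the Format-List style text shown in the alert (a constructed copy, embedded inline), keeps only USB or removable devices, collapses repeats of the same model/serial pair, and reduces each to one short line, which is the shape a full_command output is easiest to match and cheapest to ship. Function and variable names are mine.

```python
import re

# Constructed sample in the Format-List layout quoted in the alert above.
SAMPLE = """\
Model                  : TOSHIBA DT01ACA100 SCSI Disk Device
InterfaceType          : IDE
serialnumber           :359ZMW6MS
Size                   : 1000202273280
MediaType              : Fixed hard disk media
CapabilityDescriptions : {Random Access, Supports Writing, SMART Notification}

Model                  : Verbatim STORE N GO USB Device
InterfaceType          : USB
serialnumber           : AA000489
Size                   : 16022845440
MediaType              : Removable Media
CapabilityDescriptions : {Random Access, Supports Writing, Supports Removable Media}

Model                  : Verbatim STORE N GO USB Device
InterfaceType          : USB
serialnumber           : AA000489
Size                   : 16022845440
MediaType              : Removable Media
CapabilityDescriptions : {Random Access, Supports Writing, Supports Removable Media}
"""

# "Name : value"; the colon may sit directly against the value (see serialnumber).
FIELD = re.compile(r"^\s*(\w+)\s*:\s*(.*?)\s*$")


def parse_devices(text):
    """Split Format-List output into one dict per blank-line-separated block."""
    devices, current = [], {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                devices.append(current)
                current = {}
            continue
        m = FIELD.match(line)
        if m:
            current[m.group(1).lower()] = m.group(2)
    if current:
        devices.append(current)
    return devices


def removable_devices(text):
    """Keep USB / removable devices only, dropping repeats of the same model+serial."""
    seen, kept = set(), []
    for d in parse_devices(text):
        if d.get("interfacetype") != "USB" and "Removable" not in d.get("mediatype", ""):
            continue
        key = (d.get("model"), d.get("serialnumber"))
        if key in seen:
            continue
        seen.add(key)
        kept.append(d)
    return kept


def summarize(text):
    """One compact line per removable device, suitable as the command's whole output."""
    return [
        f"{d['interfacetype']} {d['model']} sn={d['serialnumber']} size={d['size']}"
        for d in removable_devices(text)
    ]


if __name__ == "__main__":
    for line in summarize(SAMPLE):
        print(line)
```

Run against the sample it prints a single line for the Verbatim stick; the fixed disk never reaches the rule, so the alert only fires when something removable is actually present, and the output stays far below any size limit the collector may impose.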
Re: [ossec-list] Re: Rule 1002 continues to fire after creating local overwriting rule
Service restarts did not clear the defunct process. I ended up killing them off and restarting. The server is healthy now and processing rules correctly. Thanks for all the help.

On Wednesday, April 20, 2016 at 8:46:21 AM UTC-4, dan (ddpbsd) wrote:
> On Mon, Apr 18, 2016 at 5:46 PM, James Stallings wrote:
>> I believe root cause here was a bunch of old OSSEC processes that were still
>> holding an older config in memory even after I had cycled the daemons on
>> several occasions. I no longer see the issue. Has anyone seen this sort of
>> behavior before?
>
> It's not common, but it does happen. You can probably find several
> instances of it on the mailing list.
Re: [ossec-list] Re: Rule 1002 continues to fire after creating local overwriting rule
On Mon, Apr 18, 2016 at 5:46 PM, James Stallings wrote:
> I believe root cause here was a bunch of old OSSEC processes that were still
> holding an older config in memory even after I had cycled the daemons on
> several occasions. I no longer see the issue. Has anyone seen this sort of
> behavior before?

It's not common, but it does happen. You can probably find several instances of it on the mailing list.
[ossec-list] Re: ossec service in windows 10
Ok, I reviewed all permissions inside the folder for the SYSTEM account and now all runs ok. Thanks so much for the help.

On Wednesday, April 20, 2016, 10:02:07 (UTC+2), Victor Fernandez wrote:
> I had the Error 5 when the file "ossec-agent.exe" has no permissions for
> "SYSTEM".
>
> Unfortunately, when we change the IP in the UI, the file "ossec.conf" is
> re-created without SYSTEM permissions, so the service starts and exits
> suddenly, but it prints the access error in the "ossec.log".
>
> So, make sure that SYSTEM has permissions for executable files inside
> directory "ossec-agent" and "ossec.conf".
>
> Kind regards.
Re: [ossec-list] Disk usage monitor not working in RHEL5
Sure.

Current rule:

    <rule id="531" level="7">
      <if_sid>530</if_sid>
      <match>ossec: output: 'df -h': /dev/</match>
      <regex>100%</regex>
      <description>Partition usage reached 100% (disk space monitor).</description>
      <group>low_diskspace,</group>
    </rule>

Leave that rule for 100% (so you don't modify the original rules). In local_rules add:

    <!-- rule id and level were not given in the original message; use free local values -->
    <rule id="100531" level="7">
      <if_sid>530</if_sid>
      <match>ossec: output: 'df -h': /dev/</match>
      <regex>9\d%</regex>
      <description>Partition usage over 90% (disk space monitor).</description>
      <group>low_diskspace,</group>
    </rule>

On 20 April 2016 at 10:17, theresa mic-snare wrote:
> cool, would you mind sharing those custom rules with us? the threshold
> (over 90%) one is specifically appealing to me :)
>
> On Wednesday, April 20, 2016 09:12:29 UTC+2, Robert Micallef wrote:
>> I added custom rules to alert if space is over 90%.
>>
>> On 20 April 2016 at 02:16, Santiago Bassett wrote:
>>> Out of curiosity, what is the rule supposed to trigger the alert? The
>>> one I see by default looks for full partitions...
>>>
>>> https://github.com/ossec/ossec-hids/blob/a7ca63d6d074f2f6bdb49f4bc79a054c31dcafc7/etc/rules/ossec_rules.xml#L137
>>>
>>> On Mon, Apr 18, 2016 at 2:07 AM, Robert Micallef wrote:
>>>> I tested it on CentOS 5 and the output of df is as expected (single line).
>>>>
>>>> We don't have a lot of RHEL5 but this happens on every one I tried so far
>>>> (I tried 7).
>>>>
>>>> Here is the output of df -h on RHEL5:
>>>>
>>>>     Filesystem            Size  Used Avail Use% Mounted on
>>>>     /dev/mapper/VolGroup00-LogVol00
>>>>                            23G   16G  5.4G  75% /
>>>>     /dev/hda1              99M   13M   82M  14% /boot
>>>>     tmpfs                 4.9G     0  4.9G   0% /dev/shm
>>>>
>>>> Here is the output of a CentOS 5 machine:
>>>>
>>>>     Filesystem            Size  Used Avail Use% Mounted on
>>>>     /dev/sda3             1.9T  1.7T  104G  95% /
>>>>     /dev/sda1              99M   36M   58M  39% /boot
>>>>     tmpfs                 3.9G     0  3.9G   0% /dev/shm
>>>>
>>>> So the CentOS is a single line and OSSEC picks that log perfectly. But
>>>> RHEL5 it will see 2 logs:
>>>>
>>>>     ossec: output: 'df -h': /dev/mapper/VolGroup00-LogVol00
>>>>     ossec: output: 'df -h':23G 16G 5.4G 75% /
>>>>
>>>> And doesn't work. Tested in RHEL 5.8 and 5.11.
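The exchange above turns on two details: OSSEC feeds each line of the df -h output to the rules as a separate event carrying the ossec: output: 'df -h': prefix, and both rule 531 and the local 9\d% rule only fire on an event that has the /dev/ match and the percentage on the same line. As an added example that is not part of any post in this thread, the Python below replays that match-then-regex evaluation on constructed df output in the two shapes quoted here (the RHEL5 sample is altered to 95%, and a 100% filesystem is added to the CentOS one, so both rules have something to hit), and shows the wrapped line pair being re-joined before matching. The match strings and the 9\d% regex are the ones quoted above; function names, rule descriptions and the sample numbers are mine.

```python
import re

# Every df line reaches the analyser as its own event, prefixed like this.
PREFIX = "ossec: output: 'df -h': "

# <match> is a plain substring test; <regex> is only evaluated once <match> hits.
MATCH = "ossec: output: 'df -h': /dev/"
RULES = [
    ("Partition usage reached 100%", re.compile(r"100%")),   # shipped rule 531
    ("Partition usage over 90%",     re.compile(r"9\d%")),   # local rule from this thread
]

# Constructed df -h output. The CentOS shape keeps one filesystem per line; the
# RHEL5 shape wraps a long device name onto a line of its own.
CENTOS5 = """\
Filesystem            Size  Used Avail Use% Mounted on
/dev/sda3             1.9T  1.7T  104G  95% /
/dev/sda1              99M   36M   58M  39% /boot
/dev/sdb1              50G   50G     0 100% /data
tmpfs                 3.9G     0  3.9G   0% /dev/shm
"""
RHEL5 = """\
Filesystem            Size  Used Avail Use% Mounted on
/dev/mapper/VolGroup00-LogVol00
                       23G   21G  1.2G  95% /
/dev/hda1              99M   13M   82M  14% /boot
tmpfs                 4.9G     0  4.9G   0% /dev/shm
"""


def to_events(df_output):
    """Turn raw df output into the events logcollector would emit, one per line."""
    return [PREFIX + line.strip() for line in df_output.splitlines() if line.strip()]


def alerts(df_output):
    """Replay match-then-regex evaluation; returns (description, device) per hit."""
    hits = []
    for ev in to_events(df_output):
        if MATCH not in ev:            # <match> failed: neither rule is evaluated
            continue
        for description, rx in RULES:
            if rx.search(ev):
                device = ev[len(PREFIX):].split()[0]
                hits.append((description, device))
                break                  # first matching rule wins for this event
    return hits


def join_wrapped(df_output):
    """Glue a device-only line to the continuation line df printed after it."""
    out, pending = [], None
    for line in df_output.splitlines():
        if pending is not None:
            line = pending + " " + line.strip()
            pending = None
        if len(line.split()) == 1:     # a lone token is a device name df wrapped
            pending = line.strip()
            continue
        out.append(line)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    print("CentOS 5        :", alerts(CENTOS5))
    print("RHEL 5          :", alerts(RHEL5))
    print("RHEL 5 re-joined:", alerts(join_wrapped(RHEL5)))
```

On the RHEL5 sample the unmodified replay returns nothing at all, even though the root filesystem sits at 95%: the event with /dev/ has no percentage and the event with the percentage has no /dev/. After join_wrapped the same input yields the over-90% hit for /dev/mapper/VolGroup00-LogVol00. The join is an after-the-fact repair; `df -P` (the POSIX output format) never wraps in the first place, which is the cleaner fix for the command itself.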
Re: [ossec-list] Disk usage monitor not working in RHEL5
cool, would you mind sharing those custom rules with us? the threshold (over 90%) one is specifically appealing to me :)

On Wednesday, April 20, 2016 09:12:29 UTC+2, Robert Micallef wrote:
> I added custom rules to alert if space is over 90%.
>
> On 20 April 2016 at 02:16, Santiago Bassett wrote:
>> Out of curiosity, what is the rule supposed to trigger the alert? The
>> one I see by default looks for full partitions...
>>
>> https://github.com/ossec/ossec-hids/blob/a7ca63d6d074f2f6bdb49f4bc79a054c31dcafc7/etc/rules/ossec_rules.xml#L137
>>
>> On Mon, Apr 18, 2016 at 2:07 AM, Robert Micallef wrote:
>>> I tested it on CentOS 5 and the output of df is as expected (single
>>> line).
>>>
>>> We don't have a lot of RHEL5 but this happens on every one I tried so far
>>> (I tried 7).
>>>
>>> Here is the output of df -h on RHEL5:
>>>
>>>     Filesystem            Size  Used Avail Use% Mounted on
>>>     /dev/mapper/VolGroup00-LogVol00
>>>                            23G   16G  5.4G  75% /
>>>     /dev/hda1              99M   13M   82M  14% /boot
>>>     tmpfs                 4.9G     0  4.9G   0% /dev/shm
>>>
>>> Here is the output of a CentOS 5 machine:
>>>
>>>     Filesystem            Size  Used Avail Use% Mounted on
>>>     /dev/sda3             1.9T  1.7T  104G  95% /
>>>     /dev/sda1              99M   36M   58M  39% /boot
>>>     tmpfs                 3.9G     0  3.9G   0% /dev/shm
>>>
>>> So the CentOS is a single line and OSSEC picks that log perfectly. But
>>> RHEL5 it will see 2 logs:
>>>
>>>     ossec: output: 'df -h': /dev/mapper/VolGroup00-LogVol00
>>>     ossec: output: 'df -h':23G 16G 5.4G 75% /
>>>
>>> And doesn't work. Tested in RHEL 5.8 and 5.11.
[ossec-list] Re: ossec service in windows 10
I had the Error 5 when the file "ossec-agent.exe" has no permissions for "SYSTEM".

Unfortunately, when we change the IP in the UI, the file "ossec.conf" is re-created without SYSTEM permissions, so the service starts and exits suddenly, but it prints the access error in the "ossec.log".

So, make sure that SYSTEM has permissions for executable files inside directory "ossec-agent" and "ossec.conf".

Kind regards.
[ossec-list] Re: ossec service in windows 10
Hi

For installing OSSEC, first I create an Administrators group and add the users to this group (this user belongs to the Administrator local group too), then install it without error in, for example, "d:\ossec\ossec-agent". To configure the agent (OSSEC server and key) I use the GUI and try to start with this, with the error: "Unable to start agent(check config)". If I try to start it with the service the error is "windows cannot start OSSEC HIDS in local computer. Error 5: Access Deny". If I set up the OssecSvc service with the administrator account instead of the local system account all is OK.

The permissions for the folder d:\ossec\ossec-agent are: full control to system, local service, network service, administradores group, usuarios group and Administrators group. When I try to start with the local system account in the services nothing is printed into ossec.log.

I tried to uninstall and install again in another folder and change permissions but nothing.. it only runs when I change the service account to a user, not for the local system account.

Best Regards

On Tuesday, April 19, 2016, 20:41:00 (UTC+2), Victor Fernandez wrote:
> Hi Diego.
>
> How do you start the service, with the UI or from Services?
>
> Does OSSEC print something into the file "ossec.log"?
>
> Best regards.
>
> Victor Fernandez.
>
> On Tuesday, April 19, 2016 at 12:15:49 PM UTC+2, Diego Arranz wrote:
>> Hi all,
>>
>> I'm testing wazuh server on CentOS and ossec 2.8.3 as agent in windows
>> 10 professional (Spanish language). The problem is when I try to start the
>> ossec service as local account, the service doesn't run, with error 5: access
>> denied error; if I set up any administrator account to run the service all is
>> ok.
>>
>> I tried to give full permissions to the network service account and local
>> service account over the folder but the error is the same (error 5: access
>> denied).
>>
>> Does somebody have any idea about this problem??
>>
>> Thanks in advance.
[ossec-list] Re: ossec service in windows 10
P.S.: I detected that sometimes, if I already created the group "Administrators" (for non-English Windows versions), OSSEC grants file permissions only to the group "Administrators". In order to start a service, executable files must have execution permissions for "SYSTEM". So, please make sure that "ossec-agent.exe" and every ".exe" file has permissions for SYSTEM.

I did the following steps:

1. Open properties for directory "C:\Program Files\ossec-agent" (or "C:\Program Files (x86)\ossec-agent").
2. Go to tab "Security". Make sure there are permissions for "SYSTEM".
3. Now click on button "Advanced".
4. On tab "Permissions", you may have to click "Change permissions".
5. Mark box "Replace all child object permission entries with inheritable permission entries from this object". (In Spanish: "Reemplazar todas las entradas de permisos secundarios por entradas de permisos heredables de este objeto".)
6. Click "Accept" and confirm the dialog box that will appear.
7. Try to start the agent.

I hope this will be useful for you.

Best regards.

Victor Fernandez.
[ossec-list] Re: Ossec Agent 2.71 Keeps disconnecting from Ossec server 2.8.3
awesome, thanks for sharing your experience with us Alexandre. I'm sure this could be beneficial to others as well!

On Tuesday, April 19, 2016 21:13:00 UTC+2, Alexandre Laquerre wrote:
> So the final result was as follows. The first step, I exported the agent
> list and updated the list (I basically erased 1000 agents that were no
> longer used (#***)) and then saved it in csv format. Following that I used
> the script manage_agents -f to reimport the whole agent list with new IDs.
> It basically took a good hour. Once done I created a script that would
> uninstall + install the Ossec Agent (2.8.3) and then attribute its key to
> the installation, which basically takes 5 seconds and then it is up and
> running.
>
> So all is now good.
>
> Hopefully this can help anyone that has a similar issue as well.
>
> Cheers,
>
> On Wednesday, April 13, 2016 at 11:23:28 AM UTC-4, Alexandre Laquerre wrote:
>> I have added my ossec.conf and agent.conf. Is it possible to have a
>> look to see if there is something that is off? (I have removed the IP
>> address for the agentless section)
>>
>> Thank you,
>>
>> Alex
>>
>> On Wednesday, April 13, 2016 at 10:40:00 AM UTC-4, Kat wrote:
>>> You should disable RIDS:
>>>
>>>     remoted.verify_msg_id=0
>>>
>>> The errors should go away. The problem is, RIDS must be removed on both
>>> agent and server, that may be causing issues.
>>>
>>> Kat
>>>
>>> On Tuesday, April 5, 2016 at 8:21:18 AM UTC-5, Alexandre LAQUERRE wrote:
>>>> Hi,
>>>>
>>>> I have been using Ossec for quite a while and we decided to upgrade the
>>>> version (2.7.1) to 2.8.3 and that was relatively successful except for the
>>>> fact that it pulled a number on my Ossec.conf by creating indent problems
>>>> and adding open brackets in the wrong area, but anyway it works.
>>>>
>>>> My issue is that for the moment our client will not update the OSSEC
>>>> agents and wishes to keep the 2.7.1. I have not seen any documentation
>>>> that would indicate a compatibility issue; however I noticed that no matter
>>>> what I do, the agents will end up disconnecting. They will start out all
>>>> active and then after 20 minutes or so they will all be disconnected except
>>>> for a small minority.
>>>>
>>>> When I performed the install I set the maximum number of agents to 4096
>>>> because the client has about … I would say close to 3000 agents. Furthermore
>>>> the installation did go well; however I suspect that the agent.conf file in
>>>> the shared folder got messed up due to this update being very significant.
>>>>
>>>> I have been working on this issue for at least three days and I am no
>>>> longer certain where to look. I would like to specify that I have already
>>>> tried to erase the RIDS while Ossec is stopped (server) and when I start it
>>>> back up again the same issue occurs. Now I am hoping the solution will not
>>>> be to erase the rids from the client as it would be a long process for our
>>>> customer.
>>>>
>>>> Thank you,
Re: [ossec-list] Disk usage monitor not working in RHEL5
I added custom rules to alert if space is over 90%.

On 20 April 2016 at 02:16, Santiago Bassett wrote:
> Out of curiosity, what is the rule supposed to trigger the alert? The one
> I see by default looks for full partitions...
>
> https://github.com/ossec/ossec-hids/blob/a7ca63d6d074f2f6bdb49f4bc79a054c31dcafc7/etc/rules/ossec_rules.xml#L137
>
> On Mon, Apr 18, 2016 at 2:07 AM, Robert Micallef wrote:
>> I tested it on CentOS 5 and the output of df is as expected (single line).
>>
>> We don't have a lot of RHEL5 but this happens on every one I tried so far
>> (I tried 7).
>>
>> Here is the output of df -h on RHEL5:
>>
>>     Filesystem            Size  Used Avail Use% Mounted on
>>     /dev/mapper/VolGroup00-LogVol00
>>                            23G   16G  5.4G  75% /
>>     /dev/hda1              99M   13M   82M  14% /boot
>>     tmpfs                 4.9G     0  4.9G   0% /dev/shm
>>
>> Here is the output of a CentOS 5 machine:
>>
>>     Filesystem            Size  Used Avail Use% Mounted on
>>     /dev/sda3             1.9T  1.7T  104G  95% /
>>     /dev/sda1              99M   36M   58M  39% /boot
>>     tmpfs                 3.9G     0  3.9G   0% /dev/shm
>>
>> So the CentOS is a single line and OSSEC picks that log perfectly. But
>> RHEL5 it will see 2 logs:
>>
>>     ossec: output: 'df -h': /dev/mapper/VolGroup00-LogVol00
>>     ossec: output: 'df -h':23G 16G 5.4G 75% /
>>
>> And doesn't work. Tested in RHEL 5.8 and 5.11.