[ossec-list] active-response.log vs active-responses.log

2016-07-05 Thread Barry Kaplan
In one of our clients at /var/ossec/logs we have the following:

root@ops-bastion-1:/var/ossec/logs# ll
total 56
-rw-r-----  1 root  ossec 0 Jul  4 06:23 active-response.log
-rw-r--r--  1 root  ossec 21296 Jul  5 10:33 active-responses.log
-rw-rw-r--  1 ossec ossec 17632 Jul  5 10:16 ossec.log

From what I can tell in all the ossec configs, only the singular 
active-response.log is defined. Where is the plural file coming from?

On this host, in ossec.conf:

ossec.conf:/var/ossec/logs/active-response.log

-- 

--- 
You received this message because you are subscribed to the Google Groups 
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to ossec-list+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.


Re: [ossec-list] active-response.log vs active-responses.log

2016-07-05 Thread dan (ddp)
On Tue, Jul 5, 2016 at 6:49 AM, dan (ddp)  wrote:
> On Tue, Jul 5, 2016 at 6:37 AM, Barry Kaplan  wrote:
>> In one of our clients at /var/ossec/logs we have the following:
>>
>> root@ops-bastion-1:/var/ossec/logs# ll
>> total 56
>> -rw-r-----  1 root  ossec 0 Jul  4 06:23 active-response.log
>> -rw-r--r--  1 root  ossec 21296 Jul  5 10:33 active-responses.log
>> -rw-rw-r--  1 ossec ossec 17632 Jul  5 10:16 ossec.log
>>
>> From what I can tell in all the ossec configs, only the singular
>> active-response.log is defined. Where is the plural file coming from?
>>
>
> Are you using any of these AR scripts?
>
> [ddp@ix] :; pwd
> /home/ddp/src/projects/git/github/ddpbsd/ossec-hids/active-response
> [ddp@ix] :; grep -r 'active-responses.log' *
> disable-account.sh:echo "`date` $0 $1 $2 $3 $4 $5" >>
> ${PWD}/../log/active-responses.log
> firewall-drop.sh:LOG_FILE="${PWD}/../logs/active-responses.log"
> firewalld-drop.sh:LOG_FILE="${PWD}/../logs/active-responses.log"
> firewalls/ipfw.sh:echo "`date` $0 $1 $2 $3 $4 $5" >>
> ${PWD}/../logs/active-responses.log
> firewalls/ipfw_mac.sh:echo "`date` $0 $1 $2 $3 $4 $5" >>
> ${PWD}/../logs/active-responses.log
> firewalls/npf.sh:echo "`date` $0 $1 $2 $3 $4 $5" >>
> ${PWD}/../logs/active-responses.log
> firewalls/pf.sh:echo "`date` $0 $1 $2 $3 $4 $5" >>
> ${PWD}/../logs/active-responses.log
> host-deny.sh:echo "`date` $0 $1 $2 $3 $4 $5" >>
> ${PWD}/../logs/active-responses.log
> host-deny.sh:echo "`date` Invalid ip/hostname entry: ${IP}" >>
> ${PWD}/../logs/active-responses.log
> ip-customblock.sh:echo "`date` $0 $1 $2 $3 $4 $5" >>
> ${PWD}/../logs/active-responses.log
> ossec-slack.sh:echo "`date` $0 $1 $2 $3 $4 $5 $6 $7 $8" >>
> ${PWD}/../logs/active-responses.log
> ossec-slack.sh:wget --keep-session-cookies
> --post-data="${PAYLOAD}" ${SITE}
> 2>>${PWD}/../logs/active-responses.log
> ossec-slack.sh:curl -X POST --data-urlencode "payload=${PAYLOAD}"
> ${SITE} 2>>${PWD}/../logs/active-responses.log
> ossec-slack.sh:echo "`date` $0: Unable to find curl or wget." >>
> ${PWD}/../logs/active-responses.log
> ossec-tweeter.sh:echo "`date` $0 $1 $2 $3 $4 $5 $6 $7 $8" >>
> ${PWD}/../logs/active-responses.log
> ossec-tweeter.sh:wget --keep-session-cookies
> --http-user=$TWITTERUSER --http-password=$TWITTERPASS
> --post-data="source=$SOURCE&$REQUESTUSER$REQUESTMSG" $SITE
> 2>>${PWD}/../logs/active-responses.log
> ossec-tweeter.sh:curl -u "$TWITTERUSER:$TWITTERPASS" -d
> "source=$SOURCE&$REQUESTUSER$REQUESTMSG" $SITE
> 2>>${PWD}/../logs/active-responses.log
> ossec-tweeter.sh:echo "`date` $0: Unable to find curl or wget." >>
> ${PWD}/../logs/active-responses.log
> restart-ossec.sh:echo "`date` $0 $1 $2 $3 $4 $5" >>
> ${PWD}/../logs/active-responses.log
> route-null.sh:echo "`date` $0 $1 $2 $3 $4 $5" >>
> ${PWD}/../logs/active-responses.log
> win/netsh.cmd:ECHO %DATE% %TIME% %0 %1 %2 %3 %4 %5 %6 %7 %8 %9 >>
> active-response/active-responses.log
> win/restart-ossec.cmd:ECHO %DATE% %TIME% %0 %1 %2 %3 %4 %5 %6 %7 %8 %9
>>> active-response/active-responses.log
> win/route-null.cmd:ECHO %DAT%%TIM% %~dp0%0 %1 %2 %3 >>
> "%OSSECPATH%active-response\active-responses.log"
> win/route-null.cmd:ECHO %DAT%%TIM% %~dp0%0 %1 %2 %3 >>
> "%OSSECPATH%active-response\active-responses.log"
> win/route-null.cmd.orig:ECHO %DAT%%TIM% %~dp0%0 %1 - %2 >>
> "%OSSECPATH%active-response\active-responses.log"
> win/route-null.cmd.orig:ECHO %DAT%%TIM% %~dp0%0 %1 - %2 >>
> "%OSSECPATH%active-response\active-responses.log"
>

Interestingly:
[ddp@ix] :; grep -r 'active-response.log' *
[ddp@ix] :;


So it looks like active-responses.log is the proper log location?

>
>
>> On this host, in ossec.conf:
>>
>> ossec.conf:/var/ossec/logs/active-response.log
>>


Re: [ossec-list] active-response.log vs active-responses.log

2016-07-05 Thread dan (ddp)
On Tue, Jul 5, 2016 at 6:37 AM, Barry Kaplan  wrote:
> In one of our clients at /var/ossec/logs we have the following:
>
> root@ops-bastion-1:/var/ossec/logs# ll
> total 56
> -rw-r-----  1 root  ossec 0 Jul  4 06:23 active-response.log
> -rw-r--r--  1 root  ossec 21296 Jul  5 10:33 active-responses.log
> -rw-rw-r--  1 ossec ossec 17632 Jul  5 10:16 ossec.log
>
> From what I can tell in all the ossec configs, only the singular
> active-response.log is defined. Where is the plural file coming from?
>

Are you using any of these AR scripts?

[ddp@ix] :; pwd
/home/ddp/src/projects/git/github/ddpbsd/ossec-hids/active-response
[ddp@ix] :; grep -r 'active-responses.log' *
disable-account.sh:echo "`date` $0 $1 $2 $3 $4 $5" >>
${PWD}/../log/active-responses.log
firewall-drop.sh:LOG_FILE="${PWD}/../logs/active-responses.log"
firewalld-drop.sh:LOG_FILE="${PWD}/../logs/active-responses.log"
firewalls/ipfw.sh:echo "`date` $0 $1 $2 $3 $4 $5" >>
${PWD}/../logs/active-responses.log
firewalls/ipfw_mac.sh:echo "`date` $0 $1 $2 $3 $4 $5" >>
${PWD}/../logs/active-responses.log
firewalls/npf.sh:echo "`date` $0 $1 $2 $3 $4 $5" >>
${PWD}/../logs/active-responses.log
firewalls/pf.sh:echo "`date` $0 $1 $2 $3 $4 $5" >>
${PWD}/../logs/active-responses.log
host-deny.sh:echo "`date` $0 $1 $2 $3 $4 $5" >>
${PWD}/../logs/active-responses.log
host-deny.sh:echo "`date` Invalid ip/hostname entry: ${IP}" >>
${PWD}/../logs/active-responses.log
ip-customblock.sh:echo "`date` $0 $1 $2 $3 $4 $5" >>
${PWD}/../logs/active-responses.log
ossec-slack.sh:echo "`date` $0 $1 $2 $3 $4 $5 $6 $7 $8" >>
${PWD}/../logs/active-responses.log
ossec-slack.sh:wget --keep-session-cookies
--post-data="${PAYLOAD}" ${SITE}
2>>${PWD}/../logs/active-responses.log
ossec-slack.sh:curl -X POST --data-urlencode "payload=${PAYLOAD}"
${SITE} 2>>${PWD}/../logs/active-responses.log
ossec-slack.sh:echo "`date` $0: Unable to find curl or wget." >>
${PWD}/../logs/active-responses.log
ossec-tweeter.sh:echo "`date` $0 $1 $2 $3 $4 $5 $6 $7 $8" >>
${PWD}/../logs/active-responses.log
ossec-tweeter.sh:wget --keep-session-cookies
--http-user=$TWITTERUSER --http-password=$TWITTERPASS
--post-data="source=$SOURCE&$REQUESTUSER$REQUESTMSG" $SITE
2>>${PWD}/../logs/active-responses.log
ossec-tweeter.sh:curl -u "$TWITTERUSER:$TWITTERPASS" -d
"source=$SOURCE&$REQUESTUSER$REQUESTMSG" $SITE
2>>${PWD}/../logs/active-responses.log
ossec-tweeter.sh:echo "`date` $0: Unable to find curl or wget." >>
${PWD}/../logs/active-responses.log
restart-ossec.sh:echo "`date` $0 $1 $2 $3 $4 $5" >>
${PWD}/../logs/active-responses.log
route-null.sh:echo "`date` $0 $1 $2 $3 $4 $5" >>
${PWD}/../logs/active-responses.log
win/netsh.cmd:ECHO %DATE% %TIME% %0 %1 %2 %3 %4 %5 %6 %7 %8 %9 >>
active-response/active-responses.log
win/restart-ossec.cmd:ECHO %DATE% %TIME% %0 %1 %2 %3 %4 %5 %6 %7 %8 %9
>> active-response/active-responses.log
win/route-null.cmd:ECHO %DAT%%TIM% %~dp0%0 %1 %2 %3 >>
"%OSSECPATH%active-response\active-responses.log"
win/route-null.cmd:ECHO %DAT%%TIM% %~dp0%0 %1 %2 %3 >>
"%OSSECPATH%active-response\active-responses.log"
win/route-null.cmd.orig:ECHO %DAT%%TIM% %~dp0%0 %1 - %2 >>
"%OSSECPATH%active-response\active-responses.log"
win/route-null.cmd.orig:ECHO %DAT%%TIM% %~dp0%0 %1 - %2 >>
"%OSSECPATH%active-response\active-responses.log"



> On this host, in ossec.conf:
>
> ossec.conf:/var/ossec/logs/active-response.log
>
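The grep output above shows that every stock active-response script appends to ${PWD}/../logs/active-responses.log (disable-account.sh to ../log/ rather than ../logs/), while the ossec.conf on Barry's host names the singular active-response.log, which stays at 0 bytes. The script below is an added example, not code from this thread or from the OSSEC project. It lists the log path each script under the active-response bin directory appends to, resolves the ${PWD}/../ idiom the stock scripts use, and flags any path named in ossec.conf that no script actually writes to, plus any script writing outside logs/. Assumptions: OSSEC lives under $OSSEC_DIR (default /var/ossec), the scripts sit in $OSSEC_DIR/active-response/bin, and, as firewall-drop.sh does, each script changes directory to $OSSEC_DIR/active-response before expanding ${PWD}. The --demo fixture (two tiny scripts and a one-line config) is constructed, not a real OSSEC tree.

```shell
#!/bin/sh
# Added example, not part of the ossec-list thread or of OSSEC itself.
# Audits which log file each active-response (AR) script appends to and
# compares that with the active-response*.log paths named in ossec.conf.
#
# Assumptions: OSSEC is installed under $OSSEC_DIR (default /var/ossec), the
# AR scripts live in $OSSEC_DIR/active-response/bin, and, as the stock
# firewall-drop.sh does, each script cd's to $OSSEC_DIR/active-response
# before expanding ${PWD}, so "${PWD}/../logs/x" means "$OSSEC_DIR/logs/x".

OSSEC_DIR="${OSSEC_DIR:-/var/ossec}"

# resolve_ar_path RAW BASE: turn the path literal found in a script into the
# absolute path it writes to at run time. Strips a leading ">>" or "2>>" that
# grep -o may have captured, then replaces the "${PWD}/../" prefix with BASE/.
resolve_ar_path() {
    raw="${1#*>>}"
    pfx='${PWD}/../'
    case "$raw" in
        "$pfx"*) printf '%s\n' "$2/${raw#"$pfx"}" ;;
        *)       printf '%s\n' "$raw" ;;
    esac
}

# ar_log_targets BINDIR BASE: print "script<TAB>resolved-log-path" for every
# script under BINDIR that names active-response.log or active-responses.log.
ar_log_targets() {
    bindir="$1"; base="$2"
    grep -rHoE '[^ "`]*active-responses?\.log' "$bindir" | sort -u \
    | while IFS=: read -r script raw; do
        printf '%s\t%s\n' "${script#"$bindir"/}" "$(resolve_ar_path "$raw" "$base")"
      done
}

# conf_log_refs CONF: AR log paths referenced anywhere in ossec.conf.
conf_log_refs() {
    grep -oE '[^ <>"]*active-responses?\.log' "$1" | sort -u
}

# audit_ar_logs BINDIR CONF BASE: one line per finding; returns 1 if any conf
# reference is never written to, or any script writes outside BASE/logs.
audit_ar_logs() {
    bindir="$1"; conf="$2"; base="$3"; rc=0
    targets=$(ar_log_targets "$bindir" "$base" | cut -f2 | sort -u)
    for ref in $(conf_log_refs "$conf"); do
        if printf '%s\n' "$targets" | grep -qxF "$ref"; then
            echo "OK       $ref is written by at least one AR script"
        else
            echo "MISMATCH $ref is named in ossec.conf but no AR script writes to it"
            rc=1
        fi
    done
    for t in $targets; do
        case "$t" in
            "$base"/logs/*) ;;
            *) echo "ODD      an AR script writes to $t, outside $base/logs"; rc=1 ;;
        esac
    done
    return $rc
}

# demo: constructed fixture reproducing the thread's situation (a script using
# ../logs, the disable-account.sh ../log path, and a conf naming the singular
# file). Not a real OSSEC tree.
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/active-response/bin"
    printf 'LOG_FILE="${PWD}/../logs/active-responses.log"\n' \
        > "$tmp/active-response/bin/firewall-drop.sh"
    printf 'echo "`date` $0 $1" >> ${PWD}/../log/active-responses.log\n' \
        > "$tmp/active-response/bin/disable-account.sh"
    printf '%s/logs/active-response.log\n' "$tmp" > "$tmp/ossec.conf"
    audit_ar_logs "$tmp/active-response/bin" "$tmp/ossec.conf" "$tmp"
    rc=$?
    rm -rf "$tmp"
    return $rc
}

case "${1:-}" in
    --demo)  demo; exit $? ;;
    --audit) audit_ar_logs "$OSSEC_DIR/active-response/bin" \
                 "$OSSEC_DIR/etc/ossec.conf" "$OSSEC_DIR"; exit $? ;;
esac
```

Run it with --demo to see the MISMATCH for the singular file and the ODD line for the ../log path; with --audit it reads the real tree under $OSSEC_DIR. On Windows agents the .cmd scripts seen in the grep write to active-response\active-responses.log under the install directory, so the same comparison there has to be done against that path, not logs\.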


[ossec-list] OSSEC syscheck frequency does not honour the config file

2016-07-05 Thread Tahir Hafiz
In the OSSEC configuration file (ossec.conf) we have set syscheck frequency 
for 300 seconds: 

   <frequency>300</frequency>

However it appears that this is not honoured by syscheck and instead it 
does the syscheck every 10 minutes. 

2016/07/05 16:06:31 ossec-syscheckd: INFO: Starting syscheck scan.
2016/07/05 16:07:09 ossec-syscheckd: INFO: Ending syscheck scan.
2016/07/05 16:17:09 ossec-syscheckd: INFO: Starting syscheck scan.
2016/07/05 16:17:48 ossec-syscheckd: INFO: Ending syscheck scan.


Why is this? Sleep has been set to 0 in the internal_options.conf as well. 

Cheers

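No reply to this post appears on the page. What the four log lines do show is that the gap is measured from the end of one scan to the start of the next: 16:07:09 to 16:17:09 is exactly 600 s, while start to start is 638 s. The function below is an added example, not from the post or from OSSEC, that pulls both gaps out of ossec-syscheckd lines so the effective interval can be compared with the configured frequency. The sample input is the four lines quoted in the post; using only the time of day (dates ignored, with a midnight wrap handled by adding 86400 s) is a simplification assumed here.

```shell
#!/bin/sh
# Added example, not part of the ossec-list post or of OSSEC itself.
# Reads ossec.log lines on stdin and prints, for each syscheck scan after the
# first, the gap from the previous scan's end to this start and from the
# previous start to this start, so both can be compared with <frequency>.
# Assumption: only the time of day is used (dates are ignored); a negative
# gap is treated as a midnight wrap and 86400 s is added.

syscheck_gaps() {
    awk '
        function secs(t,   a) { split(t, a, ":"); return a[1]*3600 + a[2]*60 + a[3] }
        /ossec-syscheckd: INFO: Starting syscheck scan/ {
            s = secs($2)
            if (last_end != "" && last_start != "") {
                g  = s - last_end;   if (g  < 0) g  += 86400
                ss = s - last_start; if (ss < 0) ss += 86400
                printf "%s %s end->start %d s, start->start %d s\n", $1, $2, g, ss
            }
            last_start = s
        }
        /ossec-syscheckd: INFO: Ending syscheck scan/ { last_end = secs($2) }
    '
}

# Sample input: the four lines quoted in the post.
SAMPLE_LOG='2016/07/05 16:06:31 ossec-syscheckd: INFO: Starting syscheck scan.
2016/07/05 16:07:09 ossec-syscheckd: INFO: Ending syscheck scan.
2016/07/05 16:17:09 ossec-syscheckd: INFO: Starting syscheck scan.
2016/07/05 16:17:48 ossec-syscheckd: INFO: Ending syscheck scan.'

# sample_gaps: run the parser over the sample lines.
sample_gaps() {
    printf '%s\n' "$SAMPLE_LOG" | syscheck_gaps
}

if [ "${1:-}" = "--sample" ]; then
    sample_gaps
elif [ "${1:-}" = "--file" ] && [ -n "${2:-}" ]; then
    syscheck_gaps < "$2"    # e.g. --file /var/ossec/logs/ossec.log
fi
```

With --sample the output is a single line, "2016/07/05 16:17:09 end->start 600 s, start->start 638 s"; against a real ossec.log a run of identical end->start values tells you which interval the daemon is actually applying, and whether it is the one in ossec.conf.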