[ossec-list] Re: Too much noise in alerts

2016-07-11 Thread Kat 
Hi Brad,

My guess is you have extended auditing enabled. Both of these alerts are 
typical of access requests (file handles) or successful use of privs - in 
both cases, I would be more interested in failed use of privs and/or 
blocked access. However, you have to judge for your environment.  Without 
knowing everything about your setup, I would say you could probably safely 
ignore these for now, then focus on the rest of the alerts to try to get a 
clear understanding of what "normal" is.

Cheers
Kat

On Friday, July 8, 2016 at 2:34:20 PM UTC-5, Brad Carey wrote:
>
> We have deployed OSSEC company wide to probably 60-80 PCs and servers. 
> Problem is our hourly emails are 4-5MB, way too much to wade through. The 
> vast majority of the events are Event ID 4656, with a good number of Event 
> ID 4673 too. How do I determine whether or not I can suppress all of these 
> from the alert emails? I don't mean in the technical sense, but security 
> sense. Might these particular events ever be thrown when there is malicious 
> activity?
>
> Thanks!
>

-- 

--- 
You received this message because you are subscribed to the Google Groups 
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to ossec-list+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Re: [ossec-list] Where does agentless data go? No alerts on hash changes.

2016-07-11 Thread Chris Young 
hi there,

Jeff - I see that you can get

'2015/02/23 15:50:18 ossec-agentlessd: INFO: ssh_integrity_check_linux: 
admin@agentless-test-rh6: use_sudo specified and 'sudo sh;' worked.'

out in the log.

when I try use_sudo I get no reference what so ever.

have you managed to progress this any further? I really want to be able to 
run with out opening root up.

I've tried 2.9RC2 as well - no joy.



On Tuesday, 24 February 2015 22:22:47 UTC, Jeff Blaine wrote:
>
> I use agents for systems that can run them, so I don't know. Try 
>> turning on the logall option to see if the output ends up in 
>> archives.log.
>>
>
> Nothing there with yes. Bummer.
>

-- 

--- 
You received this message because you are subscribed to the Google Groups 
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to ossec-list+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.