Re: [ossec-list] trying to install ossec on solaris 10
Try installing gcc and then point cc to the gcc binary.

Eero

2016-09-06 22:28 GMT+03:00 Stephen LuShing :
> - I am running bash and fixed some places where there was a /bin/sh to
> ./bin/bash.
> - Since Solaris 10 has no cc - I installed Sun Studio 12.2 and pointed the
> path of cc to ./opt/solstudio12.2/bin.
> Ran a sh -x install.sh to see what is going on and here is the problem as
> it tried to compile but something is not right when it used the -Wall option.
>
> I am not much of a programmer (some basic) as I was wondering if anyone has
> seen this or maybe it is a simple fix.
>
> Thanks in advance
>
> Steve Lushing
>
> FOLLOWING IS PART OF THE COMPILE THAT FAILED
>
> + echo 5- Installing the system
> 5- Installing the system
> + echo DIR="/var/ossec"
> + [ X = Xdebug ]
> + echo CEXTRA= -DDEFAULTDIR=\"/var/ossec\" -DCLIENT
> + echo - Running the Makefile
> - Running the Makefile
> + cd ./src
> + [ X = X ]
> + make all
>
> *** Making zlib (by Jean-loup Gailly and Mark Adler) ***
> cp -pr zlib-1.2.8/zlib.h zlib-1.2.8/zconf.h ../headers/
>
> *** Making cJSON (by Dave Gamble) ***
> cc -g -Wall -I../../ -I../../headers -DDEFAULTDIR=\"/var/ossec\" -DCLIENT
> -DUSE_OPENSSL -DSOLARIS -DHIGHFIRST -DARGV0=\"cJSON\" -DOSSECHIDS -c
> cJSON.c
> cc: -W option with unknown program all
> *** Error code 1
> make: Fatal error: Command failed for target `libcJSON.a'
> Current working directory /export/home/netsml/ossec-hids-2.8.3/src/external/cJSON
>
> Error Making cJSON
> *** Error code 1
> The following command caused the error:
> /bin/bash ./Makeall all
> make: Fatal error: Command failed for target `all'
> + [ 1 != 0 ]
> + cd ../
> + catError 0x5-build
> FILE=0x5-build
> FILE_PATH=./etc/templates/en/errors/0x5-build.txt
> + isFile ./etc/templates/en/errors/0x5-build.txt
> FILE=./etc/templates/en/errors/0x5-build.txt
> + ls ./etc/templates/en/errors/0x5-build.txt
> + [ 0 = 0 ]
> + echo true
> + return 0
> + [ true = false ]
> + cat ./etc/templates/en/errors/0x5-build.txt
>
> Error 0x5.
> Building error. Unable to finish the installation.
>
> + exit 1
>
> --
> You received this message because you are subscribed to the Google Groups
> "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to ossec-list+unsubscr...@googlegroups.com.
> For more options, visit https://groups.google.com/d/optout.
[ossec-list] trying to install ossec on solaris 10
- I am running bash and fixed some places where there was a /bin/sh to
  ./bin/bash.
- Since Solaris 10 has no cc - I installed Sun Studio 12.2 and pointed the
  path of cc to ./opt/solstudio12.2/bin.

Ran a sh -x install.sh to see what is going on and here is the problem as
it tried to compile but something is not right when it used the -Wall option.

I am not much of a programmer (some basic) as I was wondering if anyone has
seen this or maybe it is a simple fix.

Thanks in advance

Steve Lushing

FOLLOWING IS PART OF THE COMPILE THAT FAILED

+ echo 5- Installing the system
5- Installing the system
+ echo DIR="/var/ossec"
+ [ X = Xdebug ]
+ echo CEXTRA= -DDEFAULTDIR=\"/var/ossec\" -DCLIENT
+ echo - Running the Makefile
- Running the Makefile
+ cd ./src
+ [ X = X ]
+ make all

*** Making zlib (by Jean-loup Gailly and Mark Adler) ***
cp -pr zlib-1.2.8/zlib.h zlib-1.2.8/zconf.h ../headers/

*** Making cJSON (by Dave Gamble) ***
cc -g -Wall -I../../ -I../../headers -DDEFAULTDIR=\"/var/ossec\" -DCLIENT
-DUSE_OPENSSL -DSOLARIS -DHIGHFIRST -DARGV0=\"cJSON\" -DOSSECHIDS -c
cJSON.c
cc: -W option with unknown program all
*** Error code 1
make: Fatal error: Command failed for target `libcJSON.a'
Current working directory /export/home/netsml/ossec-hids-2.8.3/src/external/cJSON

Error Making cJSON
*** Error code 1
The following command caused the error:
/bin/bash ./Makeall all
make: Fatal error: Command failed for target `all'
+ [ 1 != 0 ]
+ cd ../
+ catError 0x5-build
FILE=0x5-build
FILE_PATH=./etc/templates/en/errors/0x5-build.txt
+ isFile ./etc/templates/en/errors/0x5-build.txt
FILE=./etc/templates/en/errors/0x5-build.txt
+ ls ./etc/templates/en/errors/0x5-build.txt
+ [ 0 = 0 ]
+ echo true
+ return 0
+ [ true = false ]
+ cat ./etc/templates/en/errors/0x5-build.txt

Error 0x5.
Building error. Unable to finish the installation.

+ exit 1
Re: [ossec-list] ossec email notification not working
On Tue, Sep 6, 2016 at 9:51 AM, dan (ddp) wrote:
> On Tue, Sep 6, 2016 at 9:47 AM, Daiyue Weng wrote:
>> what's the ossec version that you tested with, and how did you configure
>> ossec.conf and local.xml?
>>
>

I have just tested this with OSSEC 2.8.3 on Ubuntu 14.whatever LTS. I
believe everything not shown below is at the defaults. I added
/var/test/four and kicked off a scan (restarted the OSSEC processes
because I modified rule 554):

alerts.log:
** Alert 1473171543.1836: mail - ossec,
2016 Sep 06 14:19:03 test2->ossec-monitord
Rule: 502 (level 3) -> 'Ossec server started.'
ossec: Ossec started.

** Alert 1473171599.1990: mail - local,syslog,syscheck,
2016 Sep 06 14:19:59 test2->syscheck
Rule: 554 (level 10) -> 'File added to the system.'
New file '/var/test/four' added to the file system.

#
/var/ossec/queue/syscheck/syscheck:
+++0:33188:0:0:d41d8cd98f00b204e9800998ecf8427e:da39a3ee5e6b4b0d3255bfef95601890afd80709 !1473171599 /var/test/four
#
ossec.conf:
79200
yes
/var/test
#
local_rules.xml:
ossec
syscheck_new_entry
File added to the system.
syscheck,
#
Adding realtime into the mix gives me:
#
ossec.conf:
79200
yes
/var/test
#
alerts.log:
** Alert 1473171866.2189: mail - ossec,
2016 Sep 06 14:24:26 test2->ossec-monitord
Rule: 502 (level 3) -> 'Ossec server started.'
ossec: Ossec started.

** Alert 1473171922.2343: mail - local,syslog,syscheck,
2016 Sep 06 14:25:22 test2->syscheck
Rule: 554 (level 10) -> 'File added to the system.'
New file '/var/test/five' added to the file system.
#
syscheck db:
+++0:33188:0:0:d41d8cd98f00b204e9800998ecf8427e:da39a3ee5e6b4b0d3255bfef95601890afd80709 !1473171922 /var/test/five
#

> All I've tested (in relation to this) is that agent_control did something.
> I have in the past tested alert_new_files and realtime, but I can't
> say I've tested them recently.
>
> I'm working on this as fast as I can.
>
>> I don't know which bit I missed in the configuration.
>>
>> On 6 September 2016 at 14:40, dan (ddp) wrote:
>>>
>>> On Tue, Sep 6, 2016 at 9:29 AM, Daiyue Weng wrote:
>>> > could you show me your ossec.conf and local_rules.xml?
>>> >
>>>
>>> This is for one of my servers. Probably not what I'll be testing with
>>> though.
>>> ossec.conf:
>>> [...]
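The two records dan pasted above, the syscheck database line and the alerts.log entry, are what you read when triaging whether a syscheck alert fired and whether it was flagged for mail. The following is an added example, not code from the thread or from OSSEC: it parses both records (field layout inferred from the values shown above, with names such as `stamp` and `plus_marker` chosen here), renders the numeric mode, recomputes the hashes over the file's bytes (the empty file from the test) and cross-checks the alert against the db entry by path and epoch second.

```python
import hashlib
import re
import stat
from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed sample input, copied from dan's test above (empty file /var/test/four).
SYSCHECK_DB_LINE = (
    "+++0:33188:0:0:d41d8cd98f00b204e9800998ecf8427e:"
    "da39a3ee5e6b4b0d3255bfef95601890afd80709 !1473171599 /var/test/four"
)
ALERT_BLOCK = """\
** Alert 1473171599.1990: mail - local,syslog,syscheck,
2016 Sep 06 14:19:59 test2->syscheck
Rule: 554 (level 10) -> 'File added to the system.'
New file '/var/test/four' added to the file system.
"""

# Layout inferred from the thread: +++size:perm:uid:gid:md5:sha1 !epoch path
_DB_RE = re.compile(
    r"^(?P<plus>\+\+\+)?(?P<size>\d+):(?P<perm>\d+):(?P<uid>\d+):(?P<gid>\d+):"
    r"(?P<md5>[0-9a-f]{32}):(?P<sha1>[0-9a-f]{40}) !(?P<stamp>\d+) (?P<path>.+)$")
_ALERT_HDR = re.compile(
    r"^\*\* Alert (?P<id>\d+\.\d+): (?P<mail>mail )?- (?P<groups>[\w,]+)$")
_ALERT_RULE = re.compile(
    r"^Rule: (?P<rule>\d+) \(level (?P<level>\d+)\) -> '(?P<desc>.*)'$")


@dataclass
class SyscheckEntry:
    plus_marker: bool  # line began with "+++", as both db lines in the thread do
    size: int
    perm: int          # st_mode in decimal: 33188 == 0o100644
    uid: int
    gid: int
    md5: str
    sha1: str
    stamp: int         # epoch second after "!"; equals the alert id's integer part
    path: str

    def mode_string(self) -> str:
        """Render st_mode the way ls -l does: 33188 -> '-rw-r--r--'."""
        return stat.filemode(self.perm)

    def stamp_utc(self) -> str:
        """Stamp in the alerts.log date format, UTC."""
        return datetime.fromtimestamp(self.stamp, tz=timezone.utc).strftime(
            "%Y %b %d %H:%M:%S")


def parse_syscheck_entry(line: str) -> SyscheckEntry:
    """Parse one line of /var/ossec/queue/syscheck/syscheck."""
    m = _DB_RE.match(line.rstrip("\n"))
    if not m:
        raise ValueError(f"not a syscheck db line: {line!r}")
    return SyscheckEntry(
        plus_marker=m["plus"] is not None, size=int(m["size"]),
        perm=int(m["perm"]), uid=int(m["uid"]), gid=int(m["gid"]),
        md5=m["md5"], sha1=m["sha1"], stamp=int(m["stamp"]), path=m["path"])


def verify_content(entry: SyscheckEntry, content: bytes) -> dict:
    """Recompute size/md5/sha1 over the file's bytes; True means it matches."""
    return {
        "size": len(content) == entry.size,
        "md5": hashlib.md5(content).hexdigest() == entry.md5,
        "sha1": hashlib.sha1(content).hexdigest() == entry.sha1,
    }


def parse_alert(block: str) -> dict:
    """Split one alerts.log entry into header fields, location, rule and message."""
    lines = [l for l in block.splitlines() if l.strip()]
    hdr, rule = _ALERT_HDR.match(lines[0]), _ALERT_RULE.match(lines[2])
    if not (hdr and rule):
        raise ValueError("unrecognised alert block")
    return {
        "id": hdr["id"],
        "mail": hdr["mail"] is not None,  # "mail" => flagged for e-mail notification
        "groups": [g for g in hdr["groups"].split(",") if g],
        "location": lines[1],             # "<date> <host>-><source>"
        "rule": int(rule["rule"]),
        "level": int(rule["level"]),
        "description": rule["desc"],
        "message": lines[3],
    }


def alert_matches_entry(alert: dict, entry: SyscheckEntry) -> bool:
    """The alert quotes the db entry's path and shares its epoch second."""
    same_path = f"'{entry.path}'" in alert["message"]
    same_second = int(alert["id"].split(".")[0]) == entry.stamp
    return same_path and same_second


if __name__ == "__main__":
    e, a = parse_syscheck_entry(SYSCHECK_DB_LINE), parse_alert(ALERT_BLOCK)
    print(e.path, e.mode_string(), e.stamp_utc(), verify_content(e, b""))
    print(a["rule"], a["level"], a["groups"], alert_matches_entry(a, e))
```

An alert header without the word "mail" parses the same way with `mail` False, which is the first thing to check when a rule fires but no notification arrives.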
Re: [ossec-list] ossec email notification not working
On Tue, Sep 6, 2016 at 9:47 AM, Daiyue Weng wrote:
> what's the ossec version that you tested with, and how did you configure
> ossec.conf and local.xml?
>

All I've tested (in relation to this) is that agent_control did something.
I have in the past tested alert_new_files and realtime, but I can't
say I've tested them recently.

I'm working on this as fast as I can.

> I don't know which bit I missed in the configuration.
>
> On 6 September 2016 at 14:40, dan (ddp) wrote:
>>
>> On Tue, Sep 6, 2016 at 9:29 AM, Daiyue Weng wrote:
>> > could you show me your ossec.conf and local_rules.xml?
>> >
>>
>> This is for one of my servers. Probably not what I'll be testing with
>> though.
>> ossec.conf:
>> [...]
>> local_rules.xml:
>> [...]
Re: [ossec-list] ossec email notification not working
what's the ossec version that you tested with, and how did you configure
ossec.conf and local.xml?

I don't know which bit I missed in the configuration.

On 6 September 2016 at 14:40, dan (ddp) wrote:
> On Tue, Sep 6, 2016 at 9:29 AM, Daiyue Weng wrote:
> > could you show me your ossec.conf and local_rules.xml?
> >
>
> This is for one of my servers. Probably not what I'll be testing with
> though.
> ossec.conf:
> [...]
> local_rules.xml:
> [...]
>
> > On 6 September 2016 at 14:17, Daiyue Weng wrote:
> >> [...]
Re: [ossec-list] ossec email notification not working
On Tue, Sep 6, 2016 at 9:29 AM, Daiyue Weng wrote:
> could you show me your ossec.conf and local_rules.xml?
>

This is for one of my servers. Probably not what I'll be testing with
though.
ossec.conf:
[element values only; the XML tags did not survive the list archive]

yes
d...@ix.example.com
192.168.17.9

ossecm@earth

127.0.0.1
ossecuser
TGmmxNsh5TNrKTy8
ossec
mysql

79200
no

/etc,/usr/bin,/usr/sbin
/bin,/sbin
/var/test

/etc/mtab
/etc/mnttab
/etc/hosts.deny
/etc/mail/statistics
/etc/random-seed
/etc/adjtime
/etc/httpd/logs
/etc/utmpx
/etc/wtmpx
/etc/cups/certs
/etc/dumpdates
/etc/svc/volatile

C:\WINDOWS/System32/LogFiles
C:\WINDOWS/Debug
C:\WINDOWS/WindowsUpdate.log
C:\WINDOWS/iis6.log
C:\WINDOWS/system32/wbem/Logs
C:\WINDOWS/system32/wbem/Repository
C:\WINDOWS/Prefetch
C:\WINDOWS/PCHEALTH/HELPCTR/DataColl
C:\WINDOWS/SoftwareDistribution
C:\WINDOWS/Temp
C:\WINDOWS/system32/config
C:\WINDOWS/system32/spool
C:\WINDOWS/system32/CatRoot

/var/ossec/etc/shared/rootkit_files.txt
/var/ossec/etc/shared/rootkit_trojans.txt
/var/ossec/etc/shared/system_audit_rcl.txt
/var/ossec/etc/shared/cis_debian_linux_rcl.txt
/var/ossec/etc/shared/cis_rhel_linux_rcl.txt
/var/ossec/etc/shared/cis_rhel5_linux_rcl.txt

127.0.0.1
^localhost.localdomain$
192.168.17.17
192.168.17.9
192.168.18.1

secure

1
7

host-deny
host-deny.sh
srcip
yes

firewall-drop
firewall-drop.sh
srcip
yes

disable-account
disable-account.sh
user
yes

restart-ossec
restart-ossec.sh

route-null
route-null.sh
srcip
yes

syslog
/var/log/auth.log

syslog
/var/log/syslog

syslog
/var/log/dpkg.log

apache
/var/log/nginx/access.log

apache
/var/log/nginx/error.log

apache
/var/log/apache2/error.log

command
df -h

full_command
netstat -tan |grep LISTEN |grep -v 127.0.0.1 | sort

full_command
last -n 5

etc/decoders.d
rules_config.xml

rules/rules.d

local_rules.xml:

5711
1.1.1.1
Example of rule that will ignore sshd failed logins from IP 1.1.1.1.

^TEST TEST TEST
test test test
test,

^collectd
collectd collected.

710001
illegal attempt to update using time
Ignore collectd time issues.

710001
uc_update: Value too old: name
ignore collectd valu eerror.

^nsd
nsd grouping.

711001
failed reading from
nsd connection failed.

^ngircd
ngircd grouping.

712001
Shutting down connection
ngircd shutting down connection.

712001
Client unregistered
ngircd client unregistered.

Non standard syslog message (size too large).

> On 6 September 2016 at 14:17, Daiyue Weng wrote:
>> [...]
Re: [ossec-list] ossec email notification not working
yes, ossec 2.8.3

On 6 September 2016 at 14:32, dan (ddp) wrote:
> On Tue, Sep 6, 2016 at 9:17 AM, Daiyue Weng wrote:
> > This is what I did,
> > [...]
> > I am using Arch Linux.
> >
>
> OSSEC 2.8.3?
>
> > On 6 September 2016 at 12:23, dan (ddp) wrote:
> >> [...]
Re: [ossec-list] ossec email notification not working
On Tue, Sep 6, 2016 at 9:17 AM, Daiyue Weng wrote:
> This is what I did,
>
> 1. restart ossec
>
> 2. running `ps auxww | grep ossec-execd`, execd is already running.
>
> 3. add an empty file in /home/user_name
>
> 4. running /var/ossec/bin/agent_control -r -u 000
>
> 5. checking alerts.log, no file addition log was shown.
>
> I am using Arch Linux.
>

OSSEC 2.8.3?

> On 6 September 2016 at 12:23, dan (ddp) wrote:
>> [...]
Re: [ossec-list] ossec email notification not working
could you show me your ossec.conf and local_rules.xml?

On 6 September 2016 at 14:17, Daiyue Weng wrote:
> This is what I did,
>
> 1. restart ossec
> 2. running `ps auxww | grep ossec-execd`, execd is already running.
> 3. add an empty file in /home/user_name
> 4. running /var/ossec/bin/agent_control -r -u 000
> 5. checking alerts.log, no file addition log was shown.
>
> I am using Arch Linux.
Re: [ossec-list] ossec email notification not working
This is what I did,

1. restart ossec
2. running `ps auxww | grep ossec-execd`, execd is already running.
3. add an empty file in /home/user_name
4. running /var/ossec/bin/agent_control -r -u 000
5. checking alerts.log, no file addition log was shown.

I am using Arch Linux.

On 6 September 2016 at 12:23, dan (ddp) wrote:
> On Tue, Sep 6, 2016 at 7:22 AM, Daiyue Weng wrote:
> > thanks, how to enable active response in ossec.conf?
>
> If it's disabled, delete that block. If it's not disabled, it should
> be running (`ps auxww | grep ossec-execd`)
Re: [ossec-list] ossec email notification not working
On Tue, Sep 6, 2016 at 7:22 AM, Daiyue Weng wrote:
> thanks, how to enable active response in ossec.conf?
>

If it's disabled, delete that block. If it's not disabled, it should
be running (`ps auxww | grep ossec-execd`)

> On 6 September 2016 at 12:15, dan (ddp) wrote:
>> On Tue, Sep 6, 2016 at 7:13 AM, Daiyue Weng wrote:
>> > Could you elaborate the steps you went through? How does it work?
>>
>> Make sure active response is enabled.
>> run:
>> /var/ossec/bin/agent_control -r -u 000
>>
>> Wait.
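The checks dan walks through in this reply and the earlier ones (is the active-response block disabled, is ossec-execd running, did a syscheck alert for the new file land in alerts.log) as one added shell helper. This is example code written for this page, not OSSEC's own tooling and not something posted on the list; the ossec.conf and alerts.log samples it reads are constructed so it runs offline.

```shell
#!/bin/sh
# Added troubleshooting helper for the checks discussed in this thread.
# Not OSSEC code and not posted on the list. Assumption: OSSEC 2.8-style
# ossec.conf and alerts.log; the sample files below are constructed here.

# Exit 0 if ossec.conf has an <active-response> block containing
# <disabled>yes</disabled> (the block dan says to delete), else 1.
# Limitation: plain-text matching, so a commented-out block matches too.
active_response_disabled() {
  awk '
    /<active-response>/ { inblk = 1 }
    inblk && /<disabled>[ \t]*yes[ \t]*<\/disabled>/ { found = 1 }
    /<\/active-response>/ { inblk = 0 }
    END { if (found) exit 0; exit 1 }' "$1"
}

# Exit 0 if ossec-execd is in the process list (the thread's
# "ps auxww | grep ossec-execd" check), else 1.
execd_running() {
  ps auxww 2>/dev/null | grep -q '[o]ssec-execd'
}

# Print every syscheck alert in alerts.log that mentions PATH, one blank
# line between alerts; exit 0 if at least one matched, else 1. Alerts in
# alerts.log are separated by blank lines, so awk's paragraph mode (RS="")
# reads one whole alert per record.
syscheck_alerts_for() {
  awk -v p="$2" '
    BEGIN { RS = "" }
    /^\*\* Alert/ && /syscheck/ && index($0, p) { print $0 "\n"; n++ }
    END { if (n > 0) exit 0; exit 1 }' "$1"
}

# Constructed sample inputs (not real system output).
WORK=$(mktemp -d)
CONF_DISABLED="$WORK/ossec-disabled.conf"
CONF_ENABLED="$WORK/ossec-enabled.conf"
ALERTS="$WORK/alerts.log"

cat > "$CONF_DISABLED" <<'EOF'
<ossec_config>
  <syscheck>
    <frequency>79200</frequency>
    <directories check_all="yes">/home/user_name</directories>
  </syscheck>
  <active-response>
    <disabled>yes</disabled>
  </active-response>
</ossec_config>
EOF
# The same config with the disabling block deleted, as dan suggests.
sed '/<active-response>/,/<\/active-response>/d' "$CONF_DISABLED" > "$CONF_ENABLED"

cat > "$ALERTS" <<'EOF'
** Alert 1473168000.0: - syslog,sshd,
2016 Sep 06 13:20:00 localhost->/var/log/auth.log
Rule: 5715 (level 3) -> 'SSHD authentication success.'
Sep  6 13:19:59 localhost sshd[1234]: Accepted publickey for user_name from 192.0.2.10 port 50000 ssh2

** Alert 1473171600.1234: - ossec,syscheck,
2016 Sep 06 14:20:00 localhost->syscheck
Rule: 554 (level 5) -> 'File added to the system.'
New file '/home/user_name/newfile.txt' added to the file system.

** Alert 1473171601.1300: - ossec,syscheck,
2016 Sep 06 14:20:01 localhost->syscheck
Rule: 550 (level 7) -> 'Integrity checksum changed.'
Integrity checksum changed for: '/etc/hosts'
EOF

# Walk through the checks in the order the thread settled on.
if active_response_disabled "$CONF_DISABLED"; then
  echo "active response is disabled in $CONF_DISABLED: delete that block and restart OSSEC"
fi
if execd_running; then
  echo "ossec-execd is running"
else
  echo "ossec-execd is not running (expected on a host without OSSEC)"
fi
# Once "agent_control -r -u 000" has run and the scan has finished, this is
# the alerts.log check from step 5 of the list above:
syscheck_alerts_for "$ALERTS" /home/user_name || echo "no syscheck alert for /home/user_name yet"
```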
Re: [ossec-list] ossec email notification not working
thanks, how to enable active response in ossec.conf?

On 6 September 2016 at 12:15, dan (ddp) wrote:
> On Tue, Sep 6, 2016 at 7:13 AM, Daiyue Weng wrote:
> > Could you elaborate the steps you went through? How does it work?
>
> Make sure active response is enabled.
> run:
> /var/ossec/bin/agent_control -r -u 000
>
> Wait.
Re: [ossec-list] ossec email notification not working
On Tue, Sep 6, 2016 at 7:13 AM, Daiyue Weng wrote:
> Could you elaborate the steps you went through? How does it work?
>

Make sure active response is enabled.
run:
/var/ossec/bin/agent_control -r -u 000

Wait.

> On 6 September 2016 at 12:12, dan (ddp) wrote:
>> On Tue, Sep 6, 2016 at 6:59 AM, dan (ddp) wrote:
>> > Not positive, but it doesn't look like it's working. I'm not keeping
>> > it around for another try.
>> > You may just have to restart the syscheckd process.
>>
>> It does look like this might be working, just had to have execd
>> running and have a bit more patience.
Re: [ossec-list] ossec email notification not working
Could you elaborate the steps you went through? How does it work?

On 6 September 2016 at 12:12, dan (ddp) wrote:
> On Tue, Sep 6, 2016 at 6:59 AM, dan (ddp) wrote:
> > On Tue, Sep 6, 2016 at 6:36 AM, dan (ddp) wrote:
> >> On Sep 6, 2016 6:32 AM, "Daiyue Weng" wrote:
> >>> since I am running local-ossec, so agent_control doesn't do any good
> >>> here?
> >>
> >> I'll install a local instance and try it out for you. I'll report back
> >> shortly.
> >
> > Not positive, but it doesn't look like it's working. I'm not keeping
> > it around for another try.
> > You may just have to restart the syscheckd process.
>
> It does look like this might be working, just had to have execd
> running and have a bit more patience.
Re: [ossec-list] ossec email notification not working
On Tue, Sep 6, 2016 at 6:59 AM, dan (ddp) wrote:
> On Tue, Sep 6, 2016 at 6:36 AM, dan (ddp) wrote:
>> On Sep 6, 2016 6:32 AM, "Daiyue Weng" wrote:
>>> since I am running local-ossec, so agent_control doesn't do any good here?
>>
>> I'll install a local instance and try it out for you. I'll report back
>> shortly.
>
> Not positive, but it doesn't look like it's working. I'm not keeping
> it around for another try.
> You may just have to restart the syscheckd process.

It does look like this might be working, just had to have execd
running and have a bit more patience.

>>> On 5 September 2016 at 17:43, dan (ddp) wrote:
>>>> On Mon, Sep 5, 2016 at 12:29 PM, Daiyue Weng wrote:
>>>> > Hi, ideally we'd like ossec to check file integrity in real time; if not,
>>>> > what are the other options ossec can offer in that aspect?
>>>>
>>>> It will do some things in real time, not all. I think it should be a
>>>> fairly simple code change to add new files to the realtime options,
>>>> but I've never really looked into it.
>>>>
>>>> > Is there a Syscheck cmd in ossec?
>>>>
>>>> # /var/ossec/bin/agent_control -h
>>>>
>>>> OSSEC HIDS agent_control: Control remote agents.
>>>> Available options:
>>>>   -h        This help message.
>>>>   -l        List available (active or not) agents.
>>>>   -lc       List active agents.
>>>>   -i        Extracts information from an agent.
>>>>   -R        Restarts agent.
>>>>   -r -a     Runs the integrity/rootkit checking on all agents now.
>>>>   -r -u     Runs the integrity/rootkit checking on one agent now.
>>>>
>>>>   -b        Blocks the specified ip address.
>>>>   -f        Used with -b, specifies which response to run.
>>>>   -L        List available active responses.
>>>>   -s        Changes the output to CSV (comma delimited).
>>>>
>>>> > On 5 September 2016 at 17:23, dan (ddp) wrote:
>>>> >> On Mon, Sep 5, 2016 at 12:14 PM, Daiyue Weng wrote:
>>>> >> > The /var/ossec/logs/alerts/alerts.log didn't show the addition of
>>>> >> > the file; no alerts fired after adding a file to /home/user_name,
>>>> >> > which is monitored by ossec. What are the possible problems?
>>>> >>
>>>> >> A syscheck scan probably hasn't run since the file was added (I don't
>>>> >> think it works with realtime).
>>>> >> Try running a syscheck scan to see if an alert is created.
>>>> >>
>>>> >> > On Monday, 5 September 2016 17:02:06 UTC+1, dan (ddpbsd) wrote:
>>>> >> >> On Mon, Sep 5, 2016 at 11:53 AM, Daiyue Weng wrote:
>>>> >> >> > Using the above cmd, adding a file on a monitored directory, i.e.
>>>> >> >> > /home/user_name, nothing is shown on tcpdump,
>>>> >> >> >
>>>> >> >> > tcpdump: listening on dummy0, link-type EN10MB (Ethernet),
>>>> >> >> > capture size 262144 bytes
>>>> >> >>
>>>> >> >> You can use "-i INTERFACE_NAME" to change the interface it listens
>>>> >> >> on. So make sure you're listening to the interface the emails should
>>>> >> >> be sent from.
>>>> >> >> Did any alerts fire while you were using tcpdump (check
>>>> >> >> /var/ossec/logs/alerts/alerts.log)? If not, that'll be a problem.
>>>> >> >>
>>>> >> >> > On Monday, 5 September 2016 16:44:57 UTC+1, dan (ddpbsd) wrote:
>>>> >> >> >> On Mon, Sep 5, 2016 at 11:42 AM, Daiyue Weng wrote:
>>>> >> >> >> > Hi, could you give me an example of using tcpdump in this
>>>> >> >> >> > case?
>>>> >> >> >>
>>>> >> >> >> tcpdump -nnXxevvs 0 port 25
>>>> >> >> >>
>>>> >> >> >> > cheers
>>>> >> >> >> >
>>>> >> >> >> > On Monday, 5 September 2016 15:57:08 UTC+1, dan (ddpbsd) wrote:
>>>> >> >> >> >> On Mon, Sep 5, 2016 at 10:47 AM, Daiyue Weng wrote:
>>>> >> >> >> >> > Hi, since it is a fresh install of ossec, I didn't get
>>>> >> >> >> >> > any emails. The notification is turned on as
>>>> >> >> >> >>
>>>> >> >> >> >> Try using tcpdump (looking for connections to the email server
>>>> >> >> >> >> from the OSSEC system) or check the maillogs on the email
>>>> >> >> >> >> server to determine if there is an error when sending.
>>>> >> >> >> >>
>>>> >> >> >> >> > yes
>>>> >> >> >> >> >
>>>> >> >> >> >> > in ossec.conf
>>>> >> >> >> >> >
>>>> >> >> >> >> > On Monday, 5 September 2016 15:38:25 UTC+1, dan (ddpbsd) wrote:
>>>> >> >> >> >> >> On Mon, Sep 5, 2016 at 10:33 AM, Daiyue Weng wrote:
>>>> >> >> >> >> >> > Hi, I installed ossec loca
Re: [ossec-list] ossec email notification not working
On Tue, Sep 6, 2016 at 7:01 AM, Daiyue Weng wrote:
> I did try restarting ossec, which should restart syscheckd as well I guess?
>

Yes. You can see the log messages related to syscheck in
/var/ossec/logs/ossec.log.

> On 6 September 2016 at 11:59, dan (ddp) wrote:
>> On Tue, Sep 6, 2016 at 6:36 AM, dan (ddp) wrote:
>> > On Sep 6, 2016 6:32 AM, "Daiyue Weng" wrote:
>> >> since I am running local-ossec, so agent_control doesn't do any good
>> >> here?
>> >
>> > I'll install a local instance and try it out for you. I'll report back
>> > shortly.
>>
>> Not positive, but it doesn't look like it's working. I'm not keeping
>> it around for another try.
>> You may just have to restart the syscheckd process.

--
---
You received this message because you are subscribed to the Google Groups "ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to ossec-list+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
Re: [ossec-list] ossec email notification not working
I did try restarting ossec, which should restart syscheckd as well I guess?

On 6 September 2016 at 11:59, dan (ddp) wrote:
> On Tue, Sep 6, 2016 at 6:36 AM, dan (ddp) wrote:
> > On Sep 6, 2016 6:32 AM, "Daiyue Weng" wrote:
> >> since I am running local-ossec, so agent_control doesn't do any good
> >> here?
> >
> > I'll install a local instance and try it out for you. I'll report back
> > shortly.
>
> Not positive, but it doesn't look like it's working. I'm not keeping
> it around for another try.
> You may just have to restart the syscheckd process.
Re: [ossec-list] ossec email notification not working
On Tue, Sep 6, 2016 at 6:36 AM, dan (ddp) wrote:
> On Sep 6, 2016 6:32 AM, "Daiyue Weng" wrote:
>>
>> since I am running local-ossec, so agent_control doesn't do any good here?
>>
>
> I'll install a local instance and try it out for you. I'll report back shortly.
>

Not positive, but it doesn't look like it's working. I'm not keeping it around for another try.
You may just have to restart the syscheckd process.

>> On 5 September 2016 at 17:43, dan (ddp) wrote:
>>>
>>> On Mon, Sep 5, 2016 at 12:29 PM, Daiyue Weng wrote:
>>> > Hi, ideally we'd like ossec to check file integrity in real time; if not, what are the other options ossec can offer in that aspect?
>>>
>>> It will do some things in real time, not all. I think it should be a fairly simple code change to add new files to the realtime options, but I've never really looked into it.
>>>
>>> > Is there a Syscheck cmd in ossec?
>>>
>>> # /var/ossec/bin/agent_control -h
>>>
>>> OSSEC HIDS agent_control: Control remote agents.
>>> Available options:
>>>   -h      This help message.
>>>   -l      List available (active or not) agents.
>>>   -lc     List active agents.
>>>   -i      Extracts information from an agent.
>>>   -R      Restarts agent.
>>>   -r -a   Runs the integrity/rootkit checking on all agents now.
>>>   -r -u   Runs the integrity/rootkit checking on one agent now.
>>>
>>>   -b      Blocks the specified ip address.
>>>   -f      Used with -b, specifies which response to run.
>>>   -L      List available active responses.
>>>   -s      Changes the output to CSV (comma delimited).
>>>
>>> > On 5 September 2016 at 17:23, dan (ddp) wrote:
>>> >>
>>> >> On Mon, Sep 5, 2016 at 12:14 PM, Daiyue Weng wrote:
>>> >> > The /var/ossec/logs/alerts/alerts.log didn't show the addition of the file, no alerts fired after adding a file to /home/user_name, which is monitored by ossec. What are the possible problems?
>>> >>
>>> >> A syscheck scan probably hasn't run since the file was added (I don't think it works with realtime).
>>> >> Try running a syscheck scan to see if an alert is created.
>>> >>
>>> >> > On Monday, 5 September 2016 17:02:06 UTC+1, dan (ddpbsd) wrote:
>>> >> >>
>>> >> >> On Mon, Sep 5, 2016 at 11:53 AM, Daiyue Weng wrote:
>>> >> >> > Using the above cmd, adding a file on a monitored directory, i.e. /home/user_name,
>>> >> >> >
>>> >> >> > nothing is shown on tcpdump,
>>> >> >> >
>>> >> >> > tcpdump: listening on dummy0, link-type EN10MB (Ethernet), capture size 262144 bytes
>>> >> >>
>>> >> >> You can use "-i INTERFACE_NAME" to change the interface it listens on.
>>> >> >> So make sure you're listening to the interface the emails should be sent from.
>>> >> >> Did any alerts fire while you were using tcpdump (check /var/ossec/logs/alerts/alerts.log)?
>>> >> >> If not, that'll be a problem.
>>> >> >>
>>> >> >> > On Monday, 5 September 2016 16:44:57 UTC+1, dan (ddpbsd) wrote:
>>> >> >> >>
>>> >> >> >> On Mon, Sep 5, 2016 at 11:42 AM, Daiyue Weng wrote:
>>> >> >> >> > Hi, could you give me an example of using tcpdump in this case?
>>> >> >> >>
>>> >> >> >> tcpdump -nnXxevvs 0 port 25
>>> >> >> >>
>>> >> >> >> > cheers
>>> >> >> >> >
>>> >> >> >> > On Monday, 5 September 2016 15:57:08 UTC+1, dan (ddpbsd) wrote:
>>> >> >> >> >>
>>> >> >> >> >> On Mon, Sep 5, 2016 at 10:47 AM, Daiyue Weng wrote:
>>> >> >> >> >> > Hi, since it is a fresh install of ossec, so I didn't get any emails. The notification is turned on as
>>> >> >> >> >> >
>>> >> >> >> >>
>>> >> >> >> >> Try using tcpdump (looking for connections to the email server from the OSSEC system) or check the maillogs on the email server to determine if there is an error when sending.
>>> >> >> >> >>
>>> >> >> >> >> > yes
>>> >> >> >> >> >
>>> >> >> >> >> > in ossec.conf
>>> >> >> >> >> >
>>> >> >> >> >> > On Monday, 5 September 2016 15:38:25 UTC+1, dan (ddpbsd) wrote:
>>> >> >> >> >> >>
>>> >> >> >> >> >> On Mon, Sep 5, 2016 at 10:33 AM, Daiyue Weng wrote:
>>> >> >> >> >> >> > Hi, I installed ossec local on my cloud server, and configured ossec.conf as follows, I tried to detect new additions using
>>> >> >> >> >> >> > yes.
>>> >> >> >> >> >> >
>>> >> >> >> >> >> >
>>> >> >> >> >> >> > yes
Re: [ossec-list] is there any way to increase alerts.log file size
Okay, I see. Thanks for the explanation. syscheck is done every 22 hours by default, so that is what I mean by "new syscheck".

cheers

On 6 September 2016 at 10:22, Pedro Sanchez wrote:
> Hi Daiyue,
>
> I don't really understand what you mean by "new syscheck" is replacing previous logs, please could you explain this in detail?
>
> Regarding the rotation of alerts.log, we can't configure the log size; it rotates daily no matter how much it weighs, it will rotate every day. If you open etc/internal_options.conf you will be able to enable/disable compression, but nothing related to log size.
>
> Best regards,
>
> Pedro S.
>
> On Tue, Sep 6, 2016 at 10:11 AM, Daiyue Weng wrote:
>> Hi, I found that alerts.log is rotating so that previous logs were replaced by new syschecks, so is there any way to configure ossec to record previous logs, like increasing log size?
>>
>> cheers
>>
>> --
>>
>> ---
>> You received this message because you are subscribed to the Google Groups "ossec-list" group.
>> To unsubscribe from this group and stop receiving emails from it, send an email to ossec-list+unsubscr...@googlegroups.com.
>> For more options, visit https://groups.google.com/d/optout.
Re: [ossec-list] ossec email notification not working
On Sep 6, 2016 6:32 AM, "Daiyue Weng" wrote:
>
> since I am running local-ossec, so agent_control doesn't do any good here?
>

I'll install a local instance and try it out for you. I'll report back shortly.

> On 5 September 2016 at 17:43, dan (ddp) wrote:
>>
>> On Mon, Sep 5, 2016 at 12:29 PM, Daiyue Weng wrote:
>> > Hi, ideally we'd like ossec to check file integrity in real time; if not, what are the other options ossec can offer in that aspect?
>>
>> It will do some things in real time, not all. I think it should be a fairly simple code change to add new files to the realtime options, but I've never really looked into it.
>>
>> > Is there a Syscheck cmd in ossec?
>>
>> # /var/ossec/bin/agent_control -h
>>
>> OSSEC HIDS agent_control: Control remote agents.
>> Available options:
>>   -h      This help message.
>>   -l      List available (active or not) agents.
>>   -lc     List active agents.
>>   -i      Extracts information from an agent.
>>   -R      Restarts agent.
>>   -r -a   Runs the integrity/rootkit checking on all agents now.
>>   -r -u   Runs the integrity/rootkit checking on one agent now.
>>
>>   -b      Blocks the specified ip address.
>>   -f      Used with -b, specifies which response to run.
>>   -L      List available active responses.
>>   -s      Changes the output to CSV (comma delimited).
>>
>> > On 5 September 2016 at 17:23, dan (ddp) wrote:
>> >>
>> >> On Mon, Sep 5, 2016 at 12:14 PM, Daiyue Weng wrote:
>> >> > The /var/ossec/logs/alerts/alerts.log didn't show the addition of the file, no alerts fired after adding a file to /home/user_name, which is monitored by ossec. What are the possible problems?
>> >>
>> >> A syscheck scan probably hasn't run since the file was added (I don't think it works with realtime).
>> >> Try running a syscheck scan to see if an alert is created.
>> >>
>> >> > On Monday, 5 September 2016 17:02:06 UTC+1, dan (ddpbsd) wrote:
>> >> >>
>> >> >> On Mon, Sep 5, 2016 at 11:53 AM, Daiyue Weng wrote:
>> >> >> > Using the above cmd, adding a file on a monitored directory, i.e. /home/user_name,
>> >> >> >
>> >> >> > nothing is shown on tcpdump,
>> >> >> >
>> >> >> > tcpdump: listening on dummy0, link-type EN10MB (Ethernet), capture size 262144 bytes
>> >> >>
>> >> >> You can use "-i INTERFACE_NAME" to change the interface it listens on.
>> >> >> So make sure you're listening to the interface the emails should be sent from.
>> >> >> Did any alerts fire while you were using tcpdump (check /var/ossec/logs/alerts/alerts.log)?
>> >> >> If not, that'll be a problem.
>> >> >>
>> >> >> > On Monday, 5 September 2016 16:44:57 UTC+1, dan (ddpbsd) wrote:
>> >> >> >>
>> >> >> >> On Mon, Sep 5, 2016 at 11:42 AM, Daiyue Weng wrote:
>> >> >> >> > Hi, could you give me an example of using tcpdump in this case?
>> >> >> >>
>> >> >> >> tcpdump -nnXxevvs 0 port 25
>> >> >> >>
>> >> >> >> > cheers
>> >> >> >> >
>> >> >> >> > On Monday, 5 September 2016 15:57:08 UTC+1, dan (ddpbsd) wrote:
>> >> >> >> >>
>> >> >> >> >> On Mon, Sep 5, 2016 at 10:47 AM, Daiyue Weng <daiyu...@gmail.com> wrote:
>> >> >> >> >> > Hi, since it is a fresh install of ossec, so I didn't get any emails. The notification is turned on as
>> >> >> >> >> >
>> >> >> >> >>
>> >> >> >> >> Try using tcpdump (looking for connections to the email server from the OSSEC system) or check the maillogs on the email server to determine if there is an error when sending.
>> >> >> >> >>
>> >> >> >> >> > yes
>> >> >> >> >> >
>> >> >> >> >> > in ossec.conf
>> >> >> >> >> >
>> >> >> >> >> > On Monday, 5 September 2016 15:38:25 UTC+1, dan (ddpbsd) wrote:
>> >> >> >> >> >>
>> >> >> >> >> >> On Mon, Sep 5, 2016 at 10:33 AM, Daiyue Weng wrote:
>> >> >> >> >> >> > Hi, I installed ossec local on my cloud server, and configured ossec.conf as follows, I tried to detect new additions using
>> >> >> >> >> >> > yes.
>> >> >> >> >> >> >
>> >> >> >> >> >> >
>> >> >> >> >> >> > yes
>> >> >> >> >> >> > my_e...@example.com
>> >> >> >> >> >> > ns0.bt.net.
>> >> >> >> >> >> > my_e...@example.com
>> >> >> >> >> >> >
>> >> >> >> >> >> >
>> >> >> >> >> >> >
>> >> >> >> >> >> > 79200
>> >> >> >> >> >> > yes
>> >> >> >> >> >> >
>> >> >> >> >> >> >
>> >> >> >> >> >> > check_all="yes">/etc,/usr/bin,/usr/sbin
>> >> >> >> >> >> > check_all="yes">/bin,/sbin
>> >> >> >> >> >> > c
Re: [ossec-list] ossec email notification not working
since I am running local-ossec, so agent_control doesn't do any good here?

On 5 September 2016 at 17:43, dan (ddp) wrote:
> On Mon, Sep 5, 2016 at 12:29 PM, Daiyue Weng wrote:
> > Hi, ideally we'd like ossec to check file integrity in real time; if not, what are the other options ossec can offer in that aspect?
>
> It will do some things in real time, not all. I think it should be a fairly simple code change to add new files to the realtime options, but I've never really looked into it.
>
> > Is there a Syscheck cmd in ossec?
>
> # /var/ossec/bin/agent_control -h
>
> OSSEC HIDS agent_control: Control remote agents.
> Available options:
>   -h      This help message.
>   -l      List available (active or not) agents.
>   -lc     List active agents.
>   -i      Extracts information from an agent.
>   -R      Restarts agent.
>   -r -a   Runs the integrity/rootkit checking on all agents now.
>   -r -u   Runs the integrity/rootkit checking on one agent now.
>
>   -b      Blocks the specified ip address.
>   -f      Used with -b, specifies which response to run.
>   -L      List available active responses.
>   -s      Changes the output to CSV (comma delimited).
>
> > On 5 September 2016 at 17:23, dan (ddp) wrote:
> >>
> >> On Mon, Sep 5, 2016 at 12:14 PM, Daiyue Weng wrote:
> >> > The /var/ossec/logs/alerts/alerts.log didn't show the addition of the file, no alerts fired after adding a file to /home/user_name, which is monitored by ossec. What are the possible problems?
> >>
> >> A syscheck scan probably hasn't run since the file was added (I don't think it works with realtime).
> >> Try running a syscheck scan to see if an alert is created.
> >>
> >> > On Monday, 5 September 2016 17:02:06 UTC+1, dan (ddpbsd) wrote:
> >> >>
> >> >> On Mon, Sep 5, 2016 at 11:53 AM, Daiyue Weng wrote:
> >> >> > Using the above cmd, adding a file on a monitored directory, i.e. /home/user_name,
> >> >> >
> >> >> > nothing is shown on tcpdump,
> >> >> >
> >> >> > tcpdump: listening on dummy0, link-type EN10MB (Ethernet), capture size 262144 bytes
> >> >>
> >> >> You can use "-i INTERFACE_NAME" to change the interface it listens on.
> >> >> So make sure you're listening to the interface the emails should be sent from.
> >> >> Did any alerts fire while you were using tcpdump (check /var/ossec/logs/alerts/alerts.log)?
> >> >> If not, that'll be a problem.
> >> >>
> >> >> > On Monday, 5 September 2016 16:44:57 UTC+1, dan (ddpbsd) wrote:
> >> >> >>
> >> >> >> On Mon, Sep 5, 2016 at 11:42 AM, Daiyue Weng wrote:
> >> >> >> > Hi, could you give me an example of using tcpdump in this case?
> >> >> >>
> >> >> >> tcpdump -nnXxevvs 0 port 25
> >> >> >>
> >> >> >> > cheers
> >> >> >> >
> >> >> >> > On Monday, 5 September 2016 15:57:08 UTC+1, dan (ddpbsd) wrote:
> >> >> >> >>
> >> >> >> >> On Mon, Sep 5, 2016 at 10:47 AM, Daiyue Weng <daiyu...@gmail.com> wrote:
> >> >> >> >> > Hi, since it is a fresh install of ossec, so I didn't get any emails. The notification is turned on as
> >> >> >> >> >
> >> >> >> >>
> >> >> >> >> Try using tcpdump (looking for connections to the email server from the OSSEC system) or check the maillogs on the email server to determine if there is an error when sending.
> >> >> >> >>
> >> >> >> >> > yes
> >> >> >> >> >
> >> >> >> >> > in ossec.conf
> >> >> >> >> >
> >> >> >> >> > On Monday, 5 September 2016 15:38:25 UTC+1, dan (ddpbsd) wrote:
> >> >> >> >> >>
> >> >> >> >> >> On Mon, Sep 5, 2016 at 10:33 AM, Daiyue Weng wrote:
> >> >> >> >> >> > Hi, I installed ossec local on my cloud server, and configured ossec.conf as follows, I tried to detect new additions using
> >> >> >> >> >> > yes.
> >> >> >> >> >> >
> >> >> >> >> >> >
> >> >> >> >> >> > yes
> >> >> >> >> >> > my_e...@example.com
> >> >> >> >> >> > ns0.bt.net.
> >> >> >> >> >> > my_e...@example.com
> >> >> >> >> >> >
> >> >> >> >> >> >
> >> >> >> >> >> >
> >> >> >> >> >> > 79200
> >> >> >> >> >> > yes
> >> >> >> >> >> >
> >> >> >> >> >> >
> >> >> >> >> >> > check_all="yes">/etc,/usr/bin,/usr/sbin
> >> >> >> >> >> > check_all="yes">/bin,/sbin
> >> >> >> >> >> > check_all="yes">/home/user_name
> >> >> >> >> >> >
> >> >> >> >> >> >
> >> >> >> >> >> > The local_rules.xml is like,
> >> >> >> >> >> >
> >> >> >> >> >> >
> >> >> >> >> >> >
> >> >> >> >> >> >
> >> >> >> >> >> >
> >> >> >> >> >> > 5711
Re: [ossec-list] is there any way to increase alerts.log file size
Hi Daiyue,

I don't really understand what you mean by "new syscheck" is replacing previous logs, please could you explain this in detail?

Regarding the rotation of alerts.log, we can't configure the log size; it rotates daily no matter how much it weighs, it will rotate every day. If you open etc/internal_options.conf you will be able to enable/disable compression, but nothing related to log size.

Best regards,

Pedro S.

On Tue, Sep 6, 2016 at 10:11 AM, Daiyue Weng wrote:
> Hi, I found that alerts.log is rotating so that previous logs were replaced by new syschecks, so is there any way to configure ossec to record previous logs, like increasing log size?
>
> cheers
[ossec-list] is there any way to increase alerts.log file size
Hi, I found that alerts.log is rotating so that previous logs were replaced by new syschecks, so is there any way to configure ossec to record previous logs, like increasing log size?

cheers
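The two threads above turn on the same check: after a syscheck scan (or a restart of syscheckd) has run, did an alert for the path you touched land in alerts.log, and is it still findable once the daily rotation has moved it out of alerts.log? The following shell script is an added example, not code from the ossec-list posts or from the OSSEC project. It assumes (my assumption, not stated in the thread) that OSSEC keeps each day's alerts under `<alerts dir>/YYYY/Mon/ossec-alerts-DD.log`, gzipped when compression is enabled in etc/internal_options.conf, and the alert text it is run against is a constructed sample modelled on the syscheck alert format.

```shell
#!/bin/sh
# Added example, not code from the ossec-list threads or from the OSSEC project.
# Search the current alerts.log and the rotated daily files (plain or gzipped)
# for syscheck alerts that mention a given path. Assumptions (mine): rotated
# files live at DIR/YYYY/Mon/ossec-alerts-DD.log[.gz]; the sample alerts below
# are constructed, modelled on OSSEC's syscheck alert format.

# syscheck_alerts DIR PATH
# Prints "<file>\t<rule line>\t<message line>" for every syscheck alert under
# DIR whose message mentions PATH.
syscheck_alerts() {
    dir=$1
    path=$2
    for f in "$dir"/alerts.log \
             "$dir"/*/*/ossec-alerts-*.log \
             "$dir"/*/*/ossec-alerts-*.log.gz; do
        [ -f "$f" ] || continue          # skip globs that matched nothing
        case $f in
            *.gz) reader="gzip -dc" ;;   # rotated and compressed
            *)    reader="cat" ;;
        esac
        $reader "$f" | awk -v src="$f" -v p="$path" '
            # Each alert starts with "** Alert"; the header lists the rule
            # groups, so remember whether this block belongs to syscheck.
            /^\*\* Alert/ { insys = ($0 ~ /syscheck/); rule = ""; next }
            insys && /^Rule: / { rule = $0; next }
            insys && rule != "" && index($0, p) > 0 {
                printf "%s\t%s\t%s\n", src, rule, $0
                rule = ""
            }'
    done
}

# count_syscheck_alerts DIR PATH -> number of matching alerts as a plain integer
count_syscheck_alerts() {
    syscheck_alerts "$1" "$2" | wc -l | tr -d ' '
}

# make_sample_alerts DIR: constructed alerts tree so the functions can be run
# offline: one current syscheck alert, one unrelated syslog alert, and one
# rotated, gzipped syscheck alert from the previous day.
make_sample_alerts() {
    d=$1
    mkdir -p "$d/2016/Sep"
    cat > "$d/alerts.log" <<'EOF'
** Alert 1473161940.1234: mail  - ossec,syscheck,
2016 Sep 06 11:59:00 cloudhost->syscheck
Rule: 554 (level 5) -> 'File added to the system.'
New file '/home/user_name/newfile.txt' added to the file system.

** Alert 1473161941.5678: - pam,syslog,authentication_success,
2016 Sep 06 11:59:01 cloudhost->/var/log/auth.log
Rule: 5501 (level 3) -> 'Login session opened.'
Sep  6 11:59:01 cloudhost sshd[2100]: pam_unix(sshd:session): session opened for user bob
EOF
    cat > "$d/2016/Sep/ossec-alerts-05.log" <<'EOF'
** Alert 1473075600.4321: mail  - ossec,syscheck,
2016 Sep 05 12:00:00 cloudhost->syscheck
Rule: 550 (level 7) -> 'Integrity checksum changed.'
Integrity checksum changed for: '/home/user_name/.bashrc'
EOF
    gzip -f "$d/2016/Sep/ossec-alerts-05.log"
}

# Stand-alone run: build the sample tree and list the alerts for the monitored home.
if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp -d)
    make_sample_alerts "$tmp"
    syscheck_alerts "$tmp" /home/user_name
    rm -rf "$tmp"
fi
```

Run it as `sh script.sh --demo` to see both alerts (the current one and the rotated, gzipped one) reported; on a real install point `syscheck_alerts` at /var/ossec/logs/alerts. If the count for the path you just changed is zero after a scan has completed, the problem is upstream of mail delivery, which is the distinction dan was drawing with tcpdump above.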
Re: [ossec-list] Multiple agent_id for one active response
You are dropped? Check iptables -vnL and flush if needed, and whitelist your needed IPs in ossec.conf (dns, gateway, etc...). You can check the active response log.

On 2016-09-05 17:56, C. L. Martinez wrote:
> On Mon 5.Sep'16 at 8:59:41 +0200, secucatc...@free.fr wrote:
>> hi
>>
>> 003,004 doesn't work but each section separately is working
>>
>> firewall-drop defined-agent 067 864000 117154,31510,117159,117162
>>
>> firewall-drop defined-agent 038 864000 117154,31510,117159,117162
>>
>> be careful with that case https://github.com/ossec/ossec-hids/issues/701
>> if you have a lot of attacks the script can't be fast enough (i have the case with a chinese dns pointing one of our server by error)
>>
>> cheers
>
> Many thanks. That is what I am doing ... But until today, I didn't see any problem, but these servers are not reachable from Internet...
>
> --
> Greetings,
> C. L. Martinez
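The check suggested in this reply, as an added example that is not the poster's or the OSSEC project's code: read the active response log, list the source IPs that firewall-drop has blocked, and flag any that belong on the ossec.conf white list (the resolver, the gateway, management hosts), since a block on one of those is what makes an agent look "dropped". Assumptions (mine): the log is /var/ossec/logs/active-responses.log and each line has the shape `<date> <script> <action> <user> <srcip> <alert-id> <rule-id>`, which is what the stock firewall-drop.sh writes; the log lines, the white list and the addresses in them are constructed.

```shell
#!/bin/sh
# Added example, not code from the ossec-list thread or from the OSSEC project.
# Find source IPs blocked by firewall-drop in active-responses.log and flag any
# that are on the protected list (same addresses as the <white_list> entries in
# ossec.conf). Assumed line format: "<date> <script> <action> <user> <srcip>
# <alert-id> <rule-id>". Sample lines and addresses below are constructed.

# firewall_drop_adds LOG -> one "<ip> <count>" line per IP that received an
# "add", sorted by IP. The date prefix varies by locale, so the script field is
# located by pattern instead of a fixed field number.
firewall_drop_adds() {
    awk '{
            s = 0
            for (i = 1; i <= NF; i++) if ($i ~ /firewall-drop/) { s = i; break }
            if (s && $(s + 1) == "add") n[$(s + 3)]++
         }
         END { for (ip in n) printf "%s %d\n", ip, n[ip] }' "$1" | sort
}

# whitelisted_drops LOG WHITELIST -> IPs that were blocked although they appear
# (one per line) in WHITELIST. Empty output means no protected host was dropped.
whitelisted_drops() {
    firewall_drop_adds "$1" | cut -d' ' -f1 | grep -Fxf "$2" || true
}

# make_sample_ar_log DIR: constructed active-responses.log and white_list.txt.
make_sample_ar_log() {
    d=$1
    mkdir -p "$d"
    cat > "$d/active-responses.log" <<'EOF'
Mon Sep  5 17:56:00 UTC 2016 /var/ossec/active-response/bin/firewall-drop.sh add - 203.0.113.7 1473098160.12345 31510
Mon Sep  5 17:56:02 UTC 2016 /var/ossec/active-response/bin/firewall-drop.sh add - 198.51.100.53 1473098162.12346 117154
Mon Sep  5 17:58:00 UTC 2016 /var/ossec/active-response/bin/firewall-drop.sh add - 203.0.113.7 1473098280.12350 31510
Tue Sep  6 17:56:00 UTC 2016 /var/ossec/active-response/bin/firewall-drop.sh delete - 203.0.113.7 1473098160.12345 31510
EOF
    # Constructed protected hosts: the resolver the agents use and the default gateway.
    printf '%s\n' 198.51.100.53 192.0.2.1 > "$d/white_list.txt"
}

# Stand-alone run against the constructed sample.
if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp -d)
    make_sample_ar_log "$tmp"
    echo "blocked source IPs (add count):"
    firewall_drop_adds "$tmp/active-responses.log"
    echo "blocked but on the white list:"
    whitelisted_drops "$tmp/active-responses.log" "$tmp/white_list.txt"
    rm -rf "$tmp"
fi
```

On a live system, feed `whitelisted_drops` the real log and a file holding your `<white_list>` addresses; any output is an address that should be added to the white list (and unblocked with a flush, as the reply says) before the next response fires. The `delete` lines are ignored on purpose: the question is which hosts were ever blocked, not which blocks are still in place, and `iptables -vnL` answers the latter.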