Re: [ossec-list] OpenBSD 6 - Real Monitoring

2016-09-29 Thread dan (ddp)
On Sep 29, 2016 4:10 PM, "R0me0 ***"  wrote:
>
> Hello guys.
>
> I'm trying to use real-time monitoring.
>
> I have installed inotify-tools from the OpenBSD packages.
>
> Initially I guessed it was something related to run_realtime.c, and I
> pointed it at the inotify.h path.
>
> But I am still unable to use real-time monitoring; I get the following
> error with ossec.conf:
>
> ( OpenBSD - OSSEC AGENT )
>
> ossec-syscheckd: WARN: Ignoring flag for real time monitoring on
> directory: '/etc/pf'.
>
> Does anyone have this setup working? Any directions will be really
> appreciated.
>
> Thanks in advance,
>

I spent some time messing with it awhile back, but never got it working.
There are some Makefile changes you have to make, as well as possible src
changes.

>
>
>
> --
>
> ---
> You received this message because you are subscribed to the Google Groups
"ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an
email to ossec-list+unsubscr...@googlegroups.com.
> For more options, visit https://groups.google.com/d/optout.



[ossec-list] OpenBSD 6 - Real Monitoring

2016-09-29 Thread R0me0 ***
Hello guys.

I'm trying to use real-time monitoring.

I have installed inotify-tools from the OpenBSD packages.

Initially I guessed it was something related to run_realtime.c, and I
pointed it at the inotify.h path.

But I am still unable to use real-time monitoring; I get the following
error with ossec.conf:

( OpenBSD - OSSEC AGENT )

ossec-syscheckd: WARN: Ignoring flag for real time monitoring on directory:
'/etc/pf'.

Does anyone have this setup working? Any directions will be really
appreciated.

Thanks in advance,



Re: [ossec-list] Re: How to change the OSSEC installation directory in windows

2016-09-29 Thread Jose Luis Ruiz
Hi Dustin

You can use the Wazuh API and a PowerShell script:

http://blog.wazuh.com/automatically-deploying-ossec-to-windows-using-wazuh-api/

And in our documentation you have the procedure to install the Wazuh RESTful API:

http://documentation.wazuh.com/en/latest/ossec_api.html

I hope this helps.

Regards
---
Jose Luis Ruiz
Wazuh Inc.
j...@wazuh.com

On September 29, 2016 at 12:55:19 PM, Dustin Church (church...@gmail.com)
wrote:

Victor,

I currently have 78 servers that will be recreated nightly using a single
image. I understand that I can install OSSEC to a secondary partition, but
how do I handle the keys for each server that is created from the image,
and ensure proper communication after the image is built without having to
manually enter the server IP and key for the server at boot time?

On Friday, September 23, 2016 at 4:22:59 AM UTC-6, Victor Fernandez wrote:
>
> You may follow these steps:
>
>1. Run the OSSEC installer and click "Next" until you reach the screen
>"Choose the Install Location".
>2. Select the directory where you want to install OSSEC in (another
>disk partition).
>3. Finish the installation steps.
>4. At this point, OSSEC has been installed into the partition that you
>chose, but it has also been registered as a service on Windows.
>5. Now create the Windows C: drive image (which now contains the OSSEC
>agent service).
>6. You can configure the agents independently.
>
> Kind regards.
> Victor.
>
>
>
> On Thursday, September 22, 2016 at 12:00:29 PM UTC+2, Eero Volotinen
> wrote:
>>
>> How about modifying the installation package?
>>
>> Eero
>>
>> 2016-09-22 12:56 GMT+03:00 Victor Fernandez :
>>
>>> Hi,
>>>
>>> when you run the OSSEC installer for Windows, you can choose the
>>> location where OSSEC will be installed. This shouldn't be a problem.
>>>
>>> Since OSSEC registers a background service on Windows, you should first
>>> install OSSEC into another partition and then create the C:\ drive image.
>>>
>>> Hope it helps.
>>> Best regards.
>>>
>>> Victor.
>>>
>>>
>>>
>>> On Thursday, September 22, 2016 at 10:13:30 AM UTC+2, vikas wrote:

 Hello all,

 We have a group of servers where the C:/ drive gets re-imaged daily
 with a standard image. Since it's going to be the same image that all the
 servers use, I'm not sure how to make OSSEC part of that image and avoid
 agent-server registration issues. So we wanted to install it on a different
 drive to avoid the complications, but couldn't find an option to specify a
 custom path for installation. Is it possible?

 Thank you for your help!




Re: [ossec-list] Re: How to change the OSSEC installation directory in windows

2016-09-29 Thread Dustin Church
Victor,

I currently have 78 servers that will be recreated nightly using a single 
image. I understand that I can install OSSEC to a secondary partition, but 
how do I handle the keys for each server that is created from the image, 
and ensure proper communication after the image is built without having to 
manually enter the server IP and key for the server at boot time?

On Friday, September 23, 2016 at 4:22:59 AM UTC-6, Victor Fernandez wrote:
>
> You may follow these steps:
>
>1. Run the OSSEC installer and click "Next" until you reach the screen 
>"Choose the Install Location".
>2. Select the directory where you want to install OSSEC in (another 
>disk partition).
>3. Finish the installation steps.
>4. At this point, OSSEC has been installed into the partition that you 
>chose, but it has also been registered as a service on Windows.
>5. Now create the Windows C: drive image (which now contains the OSSEC 
>agent service).
>6. You can configure the agents independently.
>
> Kind regards.
> Victor.
>
>
>
> On Thursday, September 22, 2016 at 12:00:29 PM UTC+2, Eero Volotinen wrote:
>>
>> How about modifying the installation package? 
>>
>> Eero
>>
>> 2016-09-22 12:56 GMT+03:00 Victor Fernandez :
>>
>>> Hi,
>>>
>>> when you run the OSSEC installer for Windows, you can choose the 
>>> location where OSSEC will be installed. This shouldn't be a problem.
>>>
>>> Since OSSEC registers a background service on Windows, you should first 
>>> install OSSEC into another partition and then create the C:\ drive image.
>>>
>>> Hope it helps.
>>> Best regards.
>>>
>>> Victor.
>>>
>>>
>>>
>>> On Thursday, September 22, 2016 at 10:13:30 AM UTC+2, vikas wrote:

 Hello all,

 We have a group of servers where the C:/ drive gets re-imaged daily 
 with a standard image. Since it's going to be the same image that all the 
 servers use, I'm not sure how to make OSSEC part of that image and avoid 
 agent-server registration issues. So we wanted to install it on a 
 different drive to avoid the complications, but couldn't find an option to 
 specify a custom path for installation. Is it possible? 

 Thank you for your help!




Re: [ossec-list] ossec-maild not sending out any alerts (relaying through ssmtp)

2016-09-29 Thread dan (ddp)
On Wed, Sep 28, 2016 at 11:37 AM, Laura Herrera  wrote:
> Hi Dan,
>
> Yes, thank you, I have been trying to get this working all day.
>
> I am running OSSEC on an Ubuntu 14.04 server and I need to be able to email
> alerts, of course.
>
> I saw in a separate post that OSSEC actually needs SMTP listening on the
> local server, and so I decided to use Postfix as a relay.
> To make things more complicated, my mail server is in Office 365.
>
> Here are my configurations:
> /etc/postfix/main.cf   (changes from original)
>
> smtp_sasl_auth_enable = yes
> smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
> smtp_generic_maps = hash:/etc/postfix/generic
>
> myhostname = ossec-1.example.com
> alias_maps = hash:/etc/aliases
> alias_database = hash:/etc/aliases
> myorigin = /etc/mailname
> mydestination = localhost.localdomain, localhost
> relayhost = smtp.office365.com:587
> mynetworks = 127.0.0.0/8, 10.0.0.0/8
>
> /etc/postfix/generic
> /.*/  u...@example.com
>
>
> /etc/postfix/sasl_passwd
> [smtp.office365.com]:587 u...@example.com:MyPassword
>
>
> ossec.conf
>   
> no
> yes
> localhost
> dev...@example.com
> u...@example.com
>   
>
> I am sure Postfix is listening on port 25:
> tcp0  0 0.0.0.0:25  0.0.0.0:*   LISTEN
> 947/master
>
> The error I get, even after enabling debug mode in OSSEC, is not very helpful
> at all:
> 2016/09/28 09:36:04 ossec-maild(1223): ERROR: Error Sending email to
> 127.0.0.1 (smtp server)
>
> Nothing before or after that can be of help...
>

Have you checked postfix's logs to see if it is logging the error?

> Sorry, I don't know what else to say.
>
> Thanks a lot, hope you can help
> Laura
>
>
> On Wednesday, 28 September 2016 11:47:20 UTC+1, dan (ddpbsd) wrote:
>>
>> On Sep 28, 2016 6:42 AM, "Laura Herrera"  wrote:
>> >
>> > Hi Theresa,
>> >
>> > Please can I ask how you solved this problem?
>> >
>>
>> If you're having issues, you could post details and we could try to help.
>>
>> > Thanks a lot,
>> > Laura
>> >
>> >
>> > On Monday, 6 July 2015 18:35:50 UTC+1, theresa mic-snare wrote:
>> >>
>> >> OK, managed to fix this and I'm face-palming myself.
>> >>
>> >> I've tweaked the Postfix config a bit, enabled the service and there we
>> >> go...
>> >> ossec-maild is now officially sending out alerts to my email address.
>> >>
>> >> theresa happy :)
>> >>
>> >> On Sunday, 5 July 2015 14:02:29 UTC+2, Daniil Svetlov wrote:
>> >>>
>> >>> Theresa, try issuing the command /var/ossec/bin/ossec-control enable
>> >>> debug. It will increase log verbosity. Then restart OSSEC and check
>> >>> /var/ossec/log/ossec.log.
>> >>> Also, after the restart, try issuing the command "ps aux | grep ossec"
>> >>> and check that the ossec-maild process is running.
>> >>>
>> >>> Sat, 4 Jul 2015 at 19:13, theresa mic-snare:
>> 
>>  I've also tried disabling iptables, but that didn't help either...
>>  but then again I can send out emails with mailx just fine, so I don't
>>  think it's iptables blocking anyway...
>> 
>>  any ideas?
>> 
>> 
>>  On Saturday, 4 July 2015 16:41:47 UTC+2, theresa mic-snare wrote:
>> >
>> > Hi Daniil,
>> >
>> > I've already done that. The maillog doesn't show the mail being
>> > sent, but there isn't an error either. It seems that ossec-maild isn't
>> > even relaying it to the local SMTP MTA (ssmtp) because, as said before,
>> > I can send out mails with mailx just fine.
>> >
>> > The ossec.log doesn't even mention ossec-maild even though the
>> > process is running...
>> > Hmm
>> 
>> >>>
>> >>> --
>> >>>
>> >>> --
>> >>> Best regards, Daniil Svetlov.
>> >
>


Re: [ossec-list] Using active-response instead of email alerts

2016-09-29 Thread dan (ddp)
On Wed, Sep 28, 2016 at 2:29 PM, Laura Herrera  wrote:
> Hi guys,
>
> I need to get OSSEC to run a script every time an alert is fired by any
> of my servers.
>
> There is an example of this in
> http://ossec-docs.readthedocs.io/en/latest/manual/ar/ar-custom.html
> which uses a script on the server when a specific rule is fired.
>
> How can I make that generic, so that this script gets called every time
> there is any alert for which an email would've been sent?
>

There isn't really. The best option is to write something that either
monitors one of the alert log files (alerts.json is probably easy) or
monitors the zeromq publisher, and then performs actions based on
that.
I personally use the zeromq route, and it's really neat.


> Thanks a lot
> Laura
>

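The alerts.json route dan suggests above, as an added example that is not part of the original thread or of OSSEC: a watcher that follows the alerts log (by default /var/ossec/logs/alerts/alerts.json), keeps only alerts at or above ossec-maild's e-mail threshold (email_alert_level, default 7, assumed here) and hands each one to a response script. The sample alert lines are constructed in the OSSEC 2.8 alerts.json layout (rule.level, rule.comment, rule.sidid, location, hostname, srcip, full_log), the stdin-JSON script interface is a choice made for this example, and the Wazuh-style rule.description / rule.id fallback is an assumption.

```python
#!/usr/bin/env python3
"""Follow OSSEC's alerts.json and act on every alert that would also have
been mailed (rule level >= email_alert_level). Field names follow the
OSSEC 2.8 alerts.json layout; Wazuh-style rule.description / rule.id
are accepted as a fallback. Example code, not part of OSSEC."""
import json
import os
import subprocess
import time

DEFAULT_EMAIL_ALERT_LEVEL = 7   # ossec.conf <email_alert_level> default (assumed)

# Constructed sample lines in the OSSEC 2.8 layout (not real alerts); the
# third is cut short, as a line looks while analysisd is still writing it.
SAMPLE_ALERTS = [
    '{"rule":{"level":3,"comment":"Login session opened.","sidid":5501},'
    '"id":"1475150000.0","location":"/var/log/auth.log","hostname":"ossec-1",'
    '"full_log":"pam_unix(sshd:session): session opened for user laura"}',
    '{"rule":{"level":10,"comment":"Multiple authentication failures.","sidid":5720},'
    '"id":"1475150060.1","location":"/var/log/auth.log","hostname":"ossec-1",'
    '"srcip":"10.0.0.5","full_log":"Failed password for root from 10.0.0.5"}',
    '{"rule":{"level":12,"comment":"Integrity checksum changed.","sid',
]


def parse_alert(line):
    """Alert dict for one JSON line, or None if the line is empty,
    malformed (e.g. half-written) or has no rule level."""
    line = line.strip()
    if not line:
        return None
    try:
        alert = json.loads(line)
    except ValueError:
        return None
    rule = alert.get("rule") if isinstance(alert, dict) else None
    if not isinstance(rule, dict) or "level" not in rule:
        return None
    return alert


def should_dispatch(alert, threshold=DEFAULT_EMAIL_ALERT_LEVEL):
    """ossec-maild's gate: mail only at or above email_alert_level. (Rules
    forced by alert_by_email are not visible in the JSON, so not covered.)"""
    try:
        return int(alert["rule"]["level"]) >= threshold
    except (KeyError, TypeError, ValueError):
        return False


def summarize(alert):
    """Flatten the fields a response script usually needs."""
    rule = alert["rule"]
    return {
        "level": int(rule["level"]),
        "rule_id": str(rule.get("sidid", rule.get("id", ""))),
        "description": rule.get("comment", rule.get("description", "")),
        "location": alert.get("location", ""),
        "hostname": alert.get("hostname", ""),
        "srcip": alert.get("srcip", ""),
        "full_log": alert.get("full_log", ""),
    }


def process_lines(lines, handler, threshold=DEFAULT_EMAIL_ALERT_LEVEL):
    """Call handler(summary) for each qualifying alert; return how many."""
    dispatched = 0
    for line in lines:
        alert = parse_alert(line)
        if alert is not None and should_dispatch(alert, threshold):
            handler(summarize(alert))
            dispatched += 1
    return dispatched


def follow(path, poll=1.0):
    """Yield complete lines appended to path, like tail -F: partial lines
    wait for their newline, and the file is reopened after log rotation."""
    fh = open(path, "r", encoding="utf-8", errors="replace")
    fh.seek(0, os.SEEK_END)
    inode = os.fstat(fh.fileno()).st_ino
    partial = ""
    while True:
        chunk = fh.readline()
        if chunk:
            partial += chunk
            if partial.endswith("\n"):
                yield partial
                partial = ""
            continue
        try:
            if os.stat(path).st_ino != inode:     # rotated: reopen from start
                fh.close()
                fh = open(path, "r", encoding="utf-8", errors="replace")
                inode, partial = os.fstat(fh.fileno()).st_ino, ""
                continue
        except FileNotFoundError:
            pass                                  # mid-rotation; retry later
        time.sleep(poll)


def script_handler(script):
    """Handler that pipes the summary as JSON into a response script."""
    return lambda summary: subprocess.run(
        [script], input=json.dumps(summary).encode(), check=False)
```

Run it as `process_lines(follow("/var/ossec/logs/alerts/alerts.json"), script_handler("/path/to/your/script"))`; the zeromq publisher dan mentions would replace `follow()` as the line source.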


Re: [ossec-list] AGENT WINDOWS 2012 R2 NOT COMMUNICATE WITH OSSEC SERVER

2016-09-29 Thread dan (ddp)
On Thu, Sep 29, 2016 at 10:03 AM, Eduardo Reichert Figueiredo
 wrote:
> Hi,
> I have a serious problem with OSSEC. Windows 2012 R2 servers do not
> communicate with the OSSEC server. I use OSSEC for integrity checking
> only! So I need my agent to send only syscheck logs to the OSSEC server,
> but it is not OK. I viewed many forums about this, but I did not find a
> solution.
>
> - Client.keys OK
> - Windows agent sends logs to the OSSEC server OK
> - OSSEC processes running OK
>
> OSSEC did not automatically create the file in /var/ossec/queue/syscheck
>
> Can someone help me?
>

Enable debug on the OSSEC server:
`/var/ossec/bin/ossec-control enable debug`

Restart the OSSEC processes:
`/var/ossec/bin/ossec-control restart`

Check `/var/ossec/logs/ossec.log` for errors related to that agent.
Check with tcpdump on the OSSEC server for packets from the agent. Do
they come from the expected IP address?




Re: [ossec-list] ossec-maild not sending out any alerts (relaying through ssmtp)

2016-09-29 Thread dan (ddp)
On Wed, Sep 28, 2016 at 12:56 PM, Laura Herrera  wrote:
> Hi Dan,
>
> Changing the subject a bit, do you know if it's possible to have alerts in
> OSSEC call a script instead of sending an email directly?
>

Other than active response, no.

> Ta
> Laura
>
>
> On Wednesday, 28 September 2016 16:37:57 UTC+1, Laura Herrera wrote:
>>
>> Hi Dan,
>>
>> Yes, thank you, I have been trying to get this working all day.
>>
>> I am running OSSEC on an Ubuntu 14.04 server and I need to be able to
>> email alerts, of course.
>>
>> I saw in a separate post that OSSEC actually needs SMTP listening on the
>> local server, and so I decided to use Postfix as a relay.
>> To make things more complicated, my mail server is in Office 365.
>>
>> Here are my configurations:
>> /etc/postfix/main.cf   (changes from original)
>>
>> smtp_sasl_auth_enable = yes
>> smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
>> smtp_generic_maps = hash:/etc/postfix/generic
>>
>> myhostname = ossec-1.example.com
>> alias_maps = hash:/etc/aliases
>> alias_database = hash:/etc/aliases
>> myorigin = /etc/mailname
>> mydestination = localhost.localdomain, localhost
>> relayhost = smtp.office365.com:587
>> mynetworks = 127.0.0.0/8, 10.0.0.0/8
>>
>> /etc/postfix/generic
>> /.*/  u...@example.com
>>
>>
>> /etc/postfix/sasl_passwd
>> [smtp.office365.com]:587 u...@example.com:MyPassword
>>
>>
>> ossec.conf
>>   
>> no
>> yes
>> localhost
>> dev...@example.com
>> u...@example.com
>>   
>>
>> I am sure Postfix is listening on port 25:
>> tcp0  0 0.0.0.0:25  0.0.0.0:*   LISTEN
>> 947/master
>>
>> The error I get, even after enabling debug mode in OSSEC, is not very
>> helpful at all:
>> 2016/09/28 09:36:04 ossec-maild(1223): ERROR: Error Sending email to
>> 127.0.0.1 (smtp server)
>>
>> Nothing before or after that can be of help...
>>
>> Sorry, I don't know what else to say.
>>
>> Thanks a lot, hope you can help
>> Laura
>>
>>
>> On Wednesday, 28 September 2016 11:47:20 UTC+1, dan (ddpbsd) wrote:
>>>
>>> On Sep 28, 2016 6:42 AM, "Laura Herrera"  wrote:
>>> >
>>> > Hi Theresa,
>>> >
>>> > Please can I ask how you solved this problem?
>>> >
>>>
>>> If you're having issues, you could post details and we could try to help.
>>>
>>> > Thanks a lot,
>>> > Laura
>>> >
>>> >
>>> > On Monday, 6 July 2015 18:35:50 UTC+1, theresa mic-snare wrote:
>>> >>
>>> >> OK, managed to fix this and I'm face-palming myself.
>>> >>
>>> >> I've tweaked the Postfix config a bit, enabled the service and there
>>> >> we go...
>>> >> ossec-maild is now officially sending out alerts to my email address.
>>> >>
>>> >> theresa happy :)
>>> >>
>>> >> On Sunday, 5 July 2015 14:02:29 UTC+2, Daniil Svetlov wrote:
>>> >>>
>>> >>> Theresa, try issuing the command /var/ossec/bin/ossec-control enable
>>> >>> debug. It will increase log verbosity. Then restart OSSEC and check
>>> >>> /var/ossec/log/ossec.log.
>>> >>> Also, after the restart, try issuing the command "ps aux | grep ossec"
>>> >>> and check that the ossec-maild process is running.
>>> >>>
>>> >>> Sat, 4 Jul 2015 at 19:13, theresa mic-snare:
>>> 
>>>  I've also tried disabling iptables, but that didn't help either...
>>>  but then again I can send out emails with mailx just fine, so I
>>>  don't think it's iptables blocking anyway...
>>> 
>>>  any ideas?
>>> 
>>> 
>>>  On Saturday, 4 July 2015 16:41:47 UTC+2, theresa mic-snare wrote:
>>> >
>>> > Hi Daniil,
>>> >
>>> > I've already done that. The maillog doesn't show the mail being
>>> > sent, but there isn't an error either. It seems that ossec-maild isn't
>>> > even relaying it to the local SMTP MTA (ssmtp) because, as said before,
>>> > I can send out mails with mailx just fine.
>>> >
>>> > The ossec.log doesn't even mention ossec-maild even though the
>>> > process is running...
>>> > Hmm
>>> 
>>> >>>
>>> >>> --
>>> >>>
>>> >>> --
>>> >>> Best regards, Daniil Svetlov.
>>> >
>

Re: [ossec-list] OSSEC 2.8.3 in SOLARIS 10 ./MAKEALL ALL failed

2016-09-29 Thread dan (ddp)
On Wed, Sep 28, 2016 at 12:42 PM, Aj Navarro  wrote:
> Running install.sh on SunOS 5.10, the following error message appears:
>
> 5- Installing the system
>  - Running the Makefile
> ./Makeall: test: argument expected
> *** Error code 1
> The following command caused the error:
> /bin/sh ./Makeall all
> make: Fatal error: Command failed for target `all'
>  Error 0x5.
>  Building error. Unable to finish the installation.
>
> When I run sh -x Makeall, the following message appears:
>
> -bash-3.2# sh -x Makeall all
> ARGV=all
> + [ Xall = X ]
> + [ Xall = Xsetmaxagents ]
> CJSONV=external/cJSON/
> LUAV=external/lua/
> LUA_PLAT=posix
> + uname -m
> MACH=sun4v
> + uname
> OS=SunOS
> + cat ./VERSION
> VERSION=v2.8.3
> MSG=
> LIBS=os_xml os_regex os_net os_crypto
> SOURCES=shared config
> BINARIES=os_maild os_dbd os_csyslogd agentlessd os_execd analysisd
> logcollector remoted client-agent addagent util rootcheck syscheckd monitord
> os_auth
> ROOTCHECKBIN=rootcheck
> DIRECTORIES=
> + [ XSunOS = XSunOS ]
> PATH=/usr/sbin:/usr/bin:/usr/ccs/bin:/usr/xpg4/bin:/opt/csw/gcc3/bin:/opt/csw/bin:/usr/sfw/bin
> + export PATH
> + [ Xall = Xall -o Xall = Xtest -o Xall = Xrootcheck -o Xall = Xlibs ]
> + ls ./Config.OS
> + [ ! 0 = 0 ]
> + [ -e /usr/include/openssl/opensslconf.h ]
> Makeall: test: argument expected
>

It looks like the `sh` you're using doesn't like the " [ -e
/usr/include/openssl/opensslconf.h ]" syntax.
Check the man page for what the syntax should look like.




Re: [ossec-list] Re: OSSEC 2.8 build on Solaris 10 (Sparc) - "./Makeall all" fails

2016-09-29 Thread dan (ddp)
On Wed, Sep 28, 2016 at 12:22 PM, Aj Navarro  wrote:
> Do you have an example of how the Makeall file is edited?
>
> I have OSSEC 2.8.3 and I am sending the following lines:
>
> # Setting SunOS path
> if [ "X$OS" = "XSunOS" ]; then
>
> PATH=$PATH:/usr/ccs/bin:/usr/xpg4/bin:/opt/csw/gcc3/bin:/opt/csw/bin:/usr/sfw/bin
> export  PATH
> fi
>
> And when I run sh -x Makeall all:
> ARGV=all
> + [ Xall = X ]
> + [ Xall = Xsetmaxagents ]
> CJSONV=external/cJSON/
> LUAV=external/lua/
> LUA_PLAT=posix
> + uname -m
> MACH=sun4v
> + uname
> OS=SunOS
> + cat ./VERSION
> VERSION=v2.8.3
> MSG=
> LIBS=os_xml os_regex os_net os_crypto
> SOURCES=shared config
> BINARIES=os_maild os_dbd os_csyslogd agentlessd os_execd analysisd
> logcollector remoted client-agent addagent util rootcheck syscheckd monitord
> os_auth
> ROOTCHECKBIN=rootcheck
> DIRECTORIES=
> + [ XSunOS = XSunOS ]
> PATH=/usr/sbin:/usr/bin:/usr/ccs/bin:/usr/xpg4/bin:/opt/csw/gcc3/bin:/opt/csw/bin:/usr/sfw/bin
> + export PATH
> + [ Xall = Xall -o Xall = Xtest -o Xall = Xrootcheck -o Xall = Xlibs ]
> + ls ./Config.OS
> + [ ! 0 = 0 ]
> + [ -e /usr/include/openssl/opensslconf.h ]
> Makeall: test: argument expected
>

Not positive, but it looks like your `sh` doesn't like the "[ -e
/usr/include/openssl/opensslconf.h ]" bit.
Check the shell's man page to see what the correct format should be
for that line.




[ossec-list] AGENT WINDOWS 2012 R2 NOT COMMUNICATE WITH OSSEC SERVER

2016-09-29 Thread Eduardo Reichert Figueiredo
Hi,
I have a serious problem with OSSEC. Windows 2012 R2 servers do not communicate 
with the OSSEC server. I use OSSEC for integrity checking only! So I need 
my agent to send only syscheck logs to the OSSEC server, but it is not 
OK. I viewed many forums about this, but I did not find a solution.

- Client.keys OK
- Windows agent sends logs to the OSSEC server OK
- OSSEC processes running OK

OSSEC did not automatically create the file in /var/ossec/queue/syscheck

Can someone help me?



[ossec-list] Re: Unable to connect to remoted

2016-09-29 Thread Eduardo Reichert Figueiredo
Do you have a solution for this?

On Monday, 30 April 2012 04:52:29 UTC-3, Mike Sievers wrote:
>
> Hi List,
>
> I am always getting the following error:
>
> agent_control -r -a
> 2012/04/30 09:44:19 agent_control(1210): ERROR: Queue '/queue/alerts/ar' 
> not accessible: 'Queue not found'.
>
> 2012/04/30 09:44:34 agent_control(1301): ERROR: Unable to connect to 
> active response queue.
>
> ** Unable to connect to remoted.
>
> What could it be? It is the newest version running in linux. Inst type is 
> local.
>
> ???
>



Re: [ossec-list] Re: reindexing logs

2016-09-29 Thread Jose Luis Ruiz
Hi Roberto,

About your ossecall index, you wrote this in the mail:

But in the file "template => /etc/logstash/elastic-ossec-template2.json" I
modified lines 3 and 8.
Line 3: from "template", "ossec *" to "template", "ossecall *"
Line 8: from "ossec": to "ossecall":

Do you have a space between ossec, ossecall and the wildcard? If you do, you
should not. And with the curl procedure:

$ cd ~/ossec_tmp/ossec-wazuh/extensions/ElasticSearch/ && curl -XPUT "http://localhost:9200/_template/ossec/" -d "@elastic-ossec-template.json"

You need to apply the templates for both indices.

For your last question, in this mail you have a bash script to reindex the
indices. Please use it carefully, and check with curl
'localhost:9200/_cat/indices?v' after every step that the script is doing
well.

This script has 4 steps:

   1. We move all indices without the mapping applied to a backup index; we do
   that with the reindex option to apply the new template.
   2. After the reindex has finished we can delete the old index.
   3. Now we can move the backup index to the original name.
   4. When step 3 has finished we can delete the backup index.

Please take a look at lines 72, 73 and 76, 77 in order to change the index
name from ossec-$index_elastic_name to ossecall-$index_elastic_name, because
you probably need to run this script for your two indices.

This is one of a few utils that Wazuh will release soon.

#!/bin/bash

# Copyright (C) 2015-2016 Wazuh, Inc. All rights reserved.
# Wazuh.com
#
# This program is a free software; you can redistribute it
# and/or modify it under the terms of the GNU General Public
# License (version 2) as published by the FSF - Free Software
# Foundation.

# Elasticsearch Reindexing
# Requires:
#  Elasticsearch 2.3 or superior
#
# Run the script once per step, in order, with the same date range:
#  1. reindex ossec-<date> into the backup index ossec-<date>-b
#     (the new template is applied on the way)
#  2. delete the old ossec-<date> index
#  3. reindex ossec-<date>-b back into ossec-<date>
#  4. delete the backup index ossec-<date>-b

if [ $# -ne 4 ]
then
    echo "Usage: ./wazuh_elastic_reindex_index.sh date_from date_to elasticsearch_ip step"
    echo -e "\tDate format: YYYY-MM-DD"
    echo -e "\tStep: 1|2|3|4"
    echo -e "\tExample: ./wazuh_elastic_reindex_index.sh 20160826 20160901 10.0.0.20 1"
    echo -e "\tNote: Each step takes its time to perform the actions required. Review: tail -f /var/log/elasticsearch/ossec.log"
    exit 0
fi

## Arguments
FROM=$1
TO=$2
ELASTIC_IP=$3
STEP=$4

## Main
# Normalise both dates to YYYYMMDD so they can be compared numerically.
startdate=$(date -d "$FROM" +"%Y%m%d") || exit 1
enddate=$(date -d "$TO" +"%Y%m%d") || exit 1

if [ "$startdate" -ge "$enddate" ]
then
    echo "The date_from $startdate is not earlier than date_to $enddate, please review these arguments"
    exit 1
fi

# Re-normalise to YYYY-MM-DD, the format the loop below steps through.
startdate=$(date -I -d "$FROM") || exit 1
enddate=$(date -I -d "$TO") || exit 1

echo -e "\n### Start reindexing [STEP $STEP], from $startdate to $enddate. Are you sure? Please confirm with YES/NO"
read -r ADDRANSWER

# Sets $exist to the HTTP status of a HEAD request for index $1
# (200 when it exists, 404 when it does not, empty if Elasticsearch is unreachable).
exist_index () {
    request="$ELASTIC_IP:9200/$1"
    exist=$(curl -s -I "$request" | head -n 1 | cut -d' ' -f2)
}

# Reindex index $1 into index $2 through the _reindex API.
reindex () {
    request="$ELASTIC_IP:9200/_reindex"
    request_body='{ "source": { "index": "'"$1"'" }, "dest": { "index": "'"$2"'" }}'
    curl_result=$(curl -s -XPOST "$request" -H 'Content-Type: application/json' -d "$request_body")
    echo "$curl_result"
}

# Delete index $1.
delete_index () {
    request="$ELASTIC_IP:9200/$1"
    curl_result=$(curl -s -XDELETE "$request")
    echo "$curl_result"
}

if [ "$ADDRANSWER" = 'YES' ]
then
    # Walk one day at a time from date_from up to (not including) date_to.
    d="$startdate"
    while [ "$d" != "$enddate" ]; do
        # Index names use dots: 2016-08-26 -> ossec-2016.08.26
        index_elastic_name=$(echo "$d" | sed 's/-/\./g')

        # To run the same procedure against the ossecall-* indices, change
        # "ossec-" to "ossecall-" in the four src_index/dst_index assignments
        # below (the lines the mail above refers to).
        if [ "$STEP" = '1' ] || [ "$STEP" = '2' ]; then
            src_index="ossec-$index_elastic_name"
            dst_index="ossec-$index_elastic_name-b"
            exist_index "$src_index"
        elif [ "$STEP" = '3' ] || [ "$STEP" = '4' ]; then
            src_index="ossec-$index_elastic_name-b"
            dst_index="ossec-$index_elastic_name"
            exist_index "$src_index"
        else
            echo "Bad argument: step: $STEP"
            exit 1
        fi

        if [ -z "$exist" ]; then
            echo "### Could not reach Elasticsearch at $ELASTIC_IP:9200. Aborting."
            exit 1
        elif [ "$exist" != '404' ]; then
            if [ "$STEP" = '1' ]; then
                echo "### 1. Reindexing: $src_index -> $dst_index"
                reindex "$src_index" "$dst_index"
            elif [ "$STEP" = '2' ]; then
                echo "### 2. Deleting old index: $src_index"
                delete_index "$src_index"
            elif [ "$STEP" = '3' ]; then
                echo "### 3. Reindexing: $src_index -> $dst_index"
                reindex "$src_index" "$dst_index"
            elif [ "$STEP" = '4' ]; then
                echo "### 4. Deleting intermediate index: $src_index"
                delete_index "$src_index"
            fi
        else
            echo "### Index $src_index does not exist. Skipping."
        fi

        # Update date.
        d=$(date -I -d "$d + 1 day")
    done

    echo -e "\nPlease check 'curl -XGET ${ELASTIC_IP}:9200/_cat/indices' to re-check the indices"
    echo "Reindexing ended [STEP $STEP]."
else
    echo "This script is finished because you didn't confirm with YES"
fi

I hope this helps.

Regards
---
Jose Luis Ruiz
Wazuh Inc.
j...@wazuh.com

On September 29, 2016 at 7:25:09 AM,

Re: [ossec-list] Re: reindexing logs

2016-09-29 Thread roberto . mendonca
Hi Jose, thanks for reply!

Indeed, today the index is in template format. But only the ossec index; the 
ossecall index did not work, the fields still appear as "Analyzed Field".

I did not do the procedure:
$ cd ~/ossec_tmp/ossec-wazuh/extensions/ElasticSearch/ && curl -XPUT "http://localhost:9200/_template/ossec/" -d "@elastic-ossec-template.json"

Just put the logstash output that I said.

But in the file "template => "/etc/logstash/elastic-ossec-template2.json"" I 
modified lines 3 and 8.
Line 3: from "template", "ossec*" to "template", "ossecall*"
Line 8: from "ossec": to "ossecall":

I do not know if it was really necessary to do this. I did this because I 
decided to create a separate index for the logs of the archives.json file, where 
ossec is logging everything.

About "After that, probably you will need to reindex all your index to 
apply the new template."
Do you have any procedure to do this?


On Wednesday, September 28, 2016 at 18:01:12 UTC-3, jose wrote:
>
> Hi Roberto,
>
> Have you applied the custom mapping?
>
>
> http://documentation.wazuh.com/en/latest/ossec_elk_elasticsearch.html#ossec-alerts-template
>
> If you have the custom mapping applied, and the template in Logstash, you 
> need to wait until next day, when the next index is created with the new 
> mapping and template.
>
> After that, probably you will need to reindex all your index to apply the 
> new template.
>
>
> Regards
> ---
> Jose Luis Ruiz
> Wazuh Inc.
> jo...@wazuh.com 
>
> On September 28, 2016 at 3:26:38 PM, roberto@phoebustecnologia.com.br 
>  (roberto@phoebustecnologia.com.br ) wrote:
>
> Hi Pedro!
>
> I am using the ossec wazuh, I have a question about indexes.
> I had implemented the logstash without using the file "elastic-ossec-
> template.json". But I saw it would be good to use it. I am wanting use 
> some indexes and Kibana shows "Analyzed Field", like "AgentName".
>
> I put the template in the configuration of logstash and the index has not 
> changed to "not analyzed".
>
>
> My logstash output :
>
> output {
>
>   # for archives.json log
>   if [type] == "ossecall" {
>     elasticsearch {
>       hosts => "127.0.0.1:9200"
>       index => "ossecall-%{+YYYY.MM.dd}"
>       document_type => "ossecall"
>       template => "/etc/logstash/elastic-ossec-template2.json"
>       template_name => "ossecall"
>       template_overwrite => true
>     }
>   }
>   # for alerts.json log
>   else {
>     elasticsearch {
>       hosts => "127.0.0.1:9200"
>       index => "ossec-%{+YYYY.MM.dd}"
>       document_type => "ossec"
>       template => "/etc/logstash/elastic-ossec-template.json"
>       template_name => "ossec"
>       template_overwrite => true
>     }
>   }
> }
>
> Can you help me?
>
>
>
> On Thursday, June 2, 2016 at 08:25:09 UTC-3, Pedro S wrote:
>>
>> Hi Maxim,  
>>
>> How are you forwarding the alerts/archives to Kibana?
>>
>> I think you will need the archives JSON output setting, if you are using 
>> Wazuh , edit *ossec.conf* and add the following 
>> setting:
>>
>>   
>>> *yes*
>>>   
>>
>>
>>
>> Once you do it, you will find new archives.json events files at:
>>
>> /var/ossec/logs/archives/archives.json
>>
>>
>>
>> The next step is forward these archives events to Elasticsearch, in order 
>> to do it we need to edit Logstash configuration.
>>
>> My personal advice to index archives events is to create a dedicated 
>> index pattern just for them, so you will be able to distinguish between 
>> events and alerts, adding inside "output" section the following 
>> configuration:
>>
>> output {
>>   if [type] == "ossec-alerts" {
>>     elasticsearch {
>>       hosts => ["127.0.0.1:9200"]
>>       index => "ossec-%{+YYYY.MM.dd}"
>>       document_type => "ossec"
>>       template => "/etc/logstash/elastic-ossec-template.json"
>>       template_name => "ossec"
>>       template_overwrite => true
>>     }
>>   }
>>   if [type] == "ossec-archives" {
>>     elasticsearch {
>>       hosts => ["127.0.0.1:9200"]
>>       index => "ossec-archives-%{+YYYY.MM.dd}"
>>       document_type => "ossec"
>>       template => "/etc/logstash/elastic-ossec-template.json"
>>       template_name => "ossec"
>>       template_overwrite => true
>>     }
>>   }
>> }
>>
>>
>> Later in Kibana you will need to create a new index pattern 
>> (Settings->indices) matching for "ossec-archives-*".
>>
>> If you need to "reindex" or read a log file from the beginning using 
>> Logstash, you can use the file input with option *start_position* set to 
>> *beginning* (+ info) 
>> 
>>
>>
>>
>> On Monday, May 30, 2016 at 4:53:10 PM UTC+2, Maxim Surdu wrote: 
>>>
>>> I have these archive files with logs but in Kibana I cannot see them. 
>>> Can I reindex these files?
>>> If I can, please help me step by step.
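As an added check that is not part of this thread: Kibana's "Analyzed Field" marker means the field's mapping lacks "index": "not_analyzed", so the quickest way to see whether the template took effect on an index is to inspect the output of GET /ossec-*/_mapping. The script below walks such a response (a constructed sample here, one index created before the template and one after) and lists the string fields that are still analyzed per index, i.e. the indices that still need the reindex steps above.

```python
"""Report string fields that are still analyzed in an Elasticsearch 2.x mapping."""
import json

# Constructed sample of a GET /ossec-*/_mapping response: the first index was
# created before the template was applied, the second after.
SAMPLE_MAPPINGS = json.loads("""
{
  "ossec-2016.09.27": {"mappings": {"ossec": {"properties": {
      "AgentName": {"type": "string"},
      "rule": {"properties": {
          "level": {"type": "long"},
          "description": {"type": "string"}}}}}}},
  "ossec-2016.09.29": {"mappings": {"ossec": {"properties": {
      "AgentName": {"type": "string", "index": "not_analyzed"},
      "rule": {"properties": {
          "level": {"type": "long"},
          "description": {"type": "string", "index": "not_analyzed"}}}}}}}
}
""")


def analyzed_string_fields(properties, prefix=""):
    """Dotted names of string fields still analyzed (no "index": "not_analyzed"/"no")."""
    found = []
    for name, spec in properties.items():
        path = prefix + name
        if "properties" in spec:  # object field: recurse into its sub-fields
            found.extend(analyzed_string_fields(spec["properties"], path + "."))
        elif spec.get("type") == "string" and spec.get("index", "analyzed") == "analyzed":
            found.append(path)
    return sorted(found)


def check_indices(mappings):
    """Map each index name to the list of string fields still analyzed in it."""
    report = {}
    for index, body in mappings.items():
        fields = []
        for mapping in body.get("mappings", {}).values():  # one entry per doc type
            fields.extend(analyzed_string_fields(mapping.get("properties", {})))
        report[index] = sorted(fields)
    return report


if __name__ == "__main__":
    for index, fields in sorted(check_indices(SAMPLE_MAPPINGS).items()):
        print(index, "needs reindex:" if fields else "ok", fields)
```

On a live cluster, replace SAMPLE_MAPPINGS with json.load() over the saved response of curl -s "http://localhost:9200/ossec-*/_mapping".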