Re: [ossec-list] Disable IPv6 for ossec-remoted

2017-07-14 Thread dan (ddp)
On Sun, Jul 9, 2017 at 8:58 PM, Roman Romanov <558...@gmail.com> wrote:
> Hello, how I can disable IPv6 for ossec-remoted. Such construction doesn't
> work:
>
>   
> secure
> 0.0.0.0
> 
>   
>
> 
> because I have this netstat's output:
> udp6   0  0 0.0.0.0:1514:::*
> 4921/ossec-remoted
> 
> It's the UDP IPv6, but I need v4 only
>
> Thanks in advance
>

Are you experiencing actual issues with it? I think that's just how it
displays in netstat, it should still work with ipv4 agents.

> --
>
> ---
> You received this message because you are subscribed to the Google Groups
> "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to ossec-list+unsubscr...@googlegroups.com.
> For more options, visit https://groups.google.com/d/optout.

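Dan's point, that a `udp6` line in netstat does not mean IPv4 agents are shut out, comes down to how a dual-stack UDP socket behaves. The script below is an added example (not from the thread and not OSSEC code): it binds an IPv6 UDP socket the way netstat would report as `udp6 ... :::*`, sends a datagram from a plain IPv4 socket, and shows the listener receiving it as an IPv4-mapped address. The `v6only=True` variant shows what a genuinely IPv6-only listener would do with the same datagram. The payload and loopback addresses are constructed; the OSSEC `local_ip`/`0.0.0.0` setting from the question is not touched here.

```python
"""Why a udp6 listener still serves IPv4 clients (added example, not OSSEC code).

A single AF_INET6 UDP socket bound to '::' with IPV6_V6ONLY=0 is dual-stack:
IPv4 datagrams are delivered to it with an IPv4-mapped source address
('::ffff:a.b.c.d'), which is the listener netstat reports as 'udp6 ... :::*'.
"""
import ipaddress
import socket

# Constructed payload standing in for an agent's first datagram.
PAYLOAD = b"ossec-agent-hello"


def open_listener(v6only: bool):
    """Bind an IPv6 UDP socket on an ephemeral loopback-reachable port.

    v6only=False -> dual-stack (reachable over IPv4 as well), v6only=True ->
    IPv6-only. Returns None when the host offers no IPv6 sockets at all.
    """
    try:
        srv = socket.socket(socket.AF_INET6, socket.SOCK_DGRAM)
        srv.setsockopt(socket.IPPROTO_IPV6, socket.IPV6_V6ONLY, 1 if v6only else 0)
        srv.bind(("::", 0))
    except OSError:
        return None
    srv.settimeout(1.0)
    return srv


def ipv4_client_reaches(v6only: bool):
    """Send one IPv4 datagram to the listener and return the source the listener saw.

    Returns None when nothing arrived within the timeout (the v6-only case) or
    when sockets are unavailable in this environment.
    """
    srv = open_listener(v6only)
    if srv is None:
        return None
    cli = None
    try:
        port = srv.getsockname()[1]
        cli = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
        cli.sendto(PAYLOAD, ("127.0.0.1", port))
        data, peer = srv.recvfrom(64)
        return peer[0] if data == PAYLOAD else None
    except OSError:  # socket.timeout is an OSError subclass
        return None
    finally:
        if cli is not None:
            cli.close()
        srv.close()


def is_v4_mapped(addr):
    """Return the embedded IPv4 address as a string for '::ffff:a.b.c.d', else None."""
    if addr is None:
        return None
    mapped = ipaddress.ip_address(addr).ipv4_mapped if ":" in addr else None
    return str(mapped) if mapped else None


if __name__ == "__main__":
    seen = ipv4_client_reaches(v6only=False)
    print("dual-stack listener saw:", seen, "->", is_v4_mapped(seen))
    print("v6-only listener saw:   ", ipv4_client_reaches(v6only=True))
```

On a normal Linux host the first line prints `::ffff:127.0.0.1 -> 127.0.0.1`, which is the same thing an IPv4 agent's packets look like to a dual-stack `ossec-remoted`; the second prints `None`, because an IPv6-only socket never sees the IPv4 datagram. If the intent is to verify that agents can actually reach the manager, checking the agent keepalives or `agent-control -l` is the better test than reading the address family off netstat.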


Re: [ossec-list] Restart agents, syscheck and rootcheck from ossec manager

2017-07-14 Thread dan (ddp)
On Mon, Jul 10, 2017 at 4:49 AM, Kazim Koybasi  wrote:
> Hello,
> I am trying to restart all agents and start syscheck and rootcheck but I can
> not achieve it with commands below. I use centralized agent.conf at manager
> and whenever I change agent.conf file I should restart all agents to take
> new agent.conf.
> I have 14 agents and restarting all one by one takes so much time.
> /var/ossec/bin/agent-control -R -a (To restart all agents )
>
> /var/ossec/bin/agent-control -r -a (To restart syscheck and rootcheck in all
> agents )
>
> What should I do?
>

Make sure active response is enabled, and ossec-execd is running (on
unix-like hosts, not sure about Windows).


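The two preconditions dan names (active response not disabled, `ossec-execd` running) can be checked before running `agent-control`. The script below is an added example, not OSSEC project code. It assumes the stock `ossec.conf` layout of one or more top-level `<ossec_config>` blocks and the standard way of switching active response off, `<active-response><disabled>yes</disabled></active-response>`; the process check reads `/proc/<pid>/comm` and is therefore Linux-only. The two configuration snippets are constructed for the demonstration.

```python
"""Pre-flight checks for agent-control -R / -r (added example, not OSSEC code).

Assumptions: ossec.conf is a sequence of <ossec_config> blocks, and active
response is disabled with <active-response><disabled>yes</disabled>.
"""
import os
import xml.etree.ElementTree as ET

# Constructed sample: active response explicitly disabled in a later block.
SAMPLE_CONF_DISABLED = """
<ossec_config>
  <global><email_notification>no</email_notification></global>
</ossec_config>
<ossec_config>
  <active-response>
    <disabled>yes</disabled>
  </active-response>
</ossec_config>
"""

# Constructed sample: a local restart-ossec response, nothing disabled.
SAMPLE_CONF_ENABLED = """
<ossec_config>
  <active-response>
    <command>restart-ossec</command>
    <location>local</location>
  </active-response>
</ossec_config>
"""


def active_response_disabled(conf_text: str) -> bool:
    """True if any <active-response> block carries <disabled>yes</disabled>.

    ossec.conf has several top-level elements, which is not a single
    well-formed XML document, so wrap it in a synthetic root before parsing.
    """
    root = ET.fromstring("<root>" + conf_text + "</root>")
    for block in root.iter("active-response"):
        flag = block.findtext("disabled")
        if flag is not None and flag.strip().lower() == "yes":
            return True
    return False


def execd_running(proc_root: str = "/proc") -> bool:
    """Linux-only: look for a process whose comm name is ossec-execd."""
    try:
        pids = [p for p in os.listdir(proc_root) if p.isdigit()]
    except OSError:
        return False
    for pid in pids:
        try:
            with open(os.path.join(proc_root, pid, "comm")) as fh:
                if fh.read().strip() == "ossec-execd":
                    return True
        except OSError:
            continue  # process exited or not readable; keep scanning
    return False


def preflight(conf_path: str = "/var/ossec/etc/ossec.conf") -> list:
    """Return a list of human-readable problems; empty means agent-control can proceed."""
    problems = []
    try:
        with open(conf_path) as fh:
            if active_response_disabled(fh.read()):
                problems.append("active response is disabled in %s" % conf_path)
    except OSError as exc:
        problems.append("cannot read %s: %s" % (conf_path, exc))
    if not execd_running():
        problems.append("ossec-execd is not running")
    return problems


if __name__ == "__main__":
    for line in preflight() or ["ok: agent-control -R -a / -r -a should be honoured"]:
        print(line)
```

Run it on the manager before `agent-control -R -a`; both checks failing silently is exactly the situation in which the command returns without any agent actually restarting.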


Re: [ossec-list] Re: RDP Alerts / msauth.xml

2017-07-14 Thread dan (ddp)
On Fri, Mar 3, 2017 at 2:04 PM, Aryn Nakaoka  wrote:
> How do I get OSSEC to log the IP of failed RDP Logins?
>

What do you mean "log the IP?" Is the IP address in the log?
Does it not get identified by the decoding process?
>
>
> On Monday, October 7, 2013 at 12:24:38 PM UTC-10, Gary White wrote:
>>
>> I have edited the msauth file so that I get an email alert when I or
>> anyone remote desktops into my windows machine. However I get several
>> PCname$ alerts as well and I think I need to add another rule
>> to filter the unwanted logs out? Here is what I have done:
>>
>>  
>>   
>>windows
>>18104
>>Athlon$
>>Remote access login success.
>>   
>>
>>
>>  
>>   
>>18104
>>^682|^4778|^4624
>>Remote Desktop Connection Established
>>authentication_success
>>   
>> 
>> 
>> The 4778 event ID is for when someone has logged back into an already
>> established session, this works fine. What I also want is when someone logs
>> on creating a new RDP session (4624) however that also generates this email:
>>
>>
>>
>> OSSEC HIDS Notification.
>>
>> 2013 Oct 07 11:52:39
>>
>>
>>
>> Received From: (Athlon) 10.1.1.11->WinEvtLog
>>
>> Rule: 18160 fired (level 8) -> "Remote Desktop Connection Established"
>>
>> Portion of the log(s):
>>
>>
>>
>> WinEvtLog: Security: AUDIT_SUCCESS(4624):
>> Microsoft-Windows-Security-Auditing: ATHLON$: MYDOMAIN:
>> ATHLON.mydomain.local: An account was successfully logged on. Subject:
>> Security ID:  S-1-0-0  Account Name:  -  Account Domain:  -  Logon ID:  0x0
>> Logon Type:   3  New Logon:  Security ID:  S-1-5-18  Account Name:  ATHLON$
>> Account Domain:  MYDOMAIN  Logon ID:  0x839f215b  Logon GUID:
>> {666D9506-E849-14C7-8D3A-6550AE9EE889}  Process Information:  Process ID:
>> 0x0  Process Name:  -  Network Information:  Workstation Name:   Source
>> Network Address: ::1  Source Port:  0  Detailed Authentication Information:
>> Logon Process:  Kerberos  Authentication Package: Kerberos  Transited
>> Services: -  Package Name (NTLM only): -  Key Length:  0  This event is
>> generated when a logon session is created. It is generated on the computer
>> that was accessed.
>>
>>
>>
>> If anyone can point me in the right direction that would be great thanks.
>

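Both questions in this thread come down to pulling the right fields out of the flattened 4624 text: dan asks whether the IP is being identified at all, and Gary wants the machine-account logons from `::1` filtered away while keeping real RDP sessions. The script below is an added example, not OSSEC's Windows decoder or anything from the thread. It takes the event Gary quoted as its first sample, a constructed RDP logon as its second, extracts the logon type, the source address and the account from the *New Logon* section (the Subject section has its own `Account Name`, which is why a naive match picks the wrong one), and classifies the event. The logon-type meaning used, 10 = RemoteInteractive, is the standard Windows definition and is not from the thread.

```python
"""Field extraction and noise filtering for Windows 4624 logon events.

Added example, not OSSEC code. Sample 1 is the event quoted in the thread;
sample 2 is constructed to look like an interactive RDP session.
"""
import re

EVENT_MACHINE = (
    "WinEvtLog: Security: AUDIT_SUCCESS(4624): Microsoft-Windows-Security-Auditing: "
    "ATHLON$: MYDOMAIN: ATHLON.mydomain.local: An account was successfully logged on. "
    "Subject:  Security ID:  S-1-0-0  Account Name:  -  Account Domain:  -  Logon ID:  0x0  "
    "Logon Type:   3  New Logon:  Security ID:  S-1-5-18  Account Name:  ATHLON$  "
    "Account Domain:  MYDOMAIN  Logon ID:  0x839f215b  Logon GUID:  "
    "{666D9506-E849-14C7-8D3A-6550AE9EE889}  Process Information:  Process ID:  0x0  "
    "Process Name:  -  Network Information:  Workstation Name:   Source Network Address: ::1  "
    "Source Port:  0  Detailed Authentication Information:  Logon Process:  Kerberos  "
    "Authentication Package: Kerberos  Transited Services: -  Package Name (NTLM only): -  "
    "Key Length:  0"
)

# Constructed: user 'alice' opening an RDP session (Logon Type 10) from the LAN.
EVENT_RDP = (
    "WinEvtLog: Security: AUDIT_SUCCESS(4624): Microsoft-Windows-Security-Auditing: "
    "alice: MYDOMAIN: ATHLON.mydomain.local: An account was successfully logged on. "
    "Subject:  Security ID:  S-1-5-18  Account Name:  ATHLON$  Account Domain:  MYDOMAIN  "
    "Logon ID:  0x3e7  Logon Type:   10  New Logon:  Security ID:  S-1-5-21-1-2-3-1001  "
    "Account Name:  alice  Account Domain:  MYDOMAIN  Logon ID:  0x1234abcd  "
    "Network Information:  Workstation Name:  LAPTOP01  Source Network Address: 10.1.1.50  "
    "Source Port:  49321"
)

FIELD_PATTERNS = {
    "event_id": re.compile(r"AUDIT_\w+\((\d+)\)"),
    "logon_type": re.compile(r"Logon Type:\s+(\d+)"),
    "source_address": re.compile(r"Source Network Address:\s*(\S+)"),
    # Two 'Account Name' fields exist; the one after 'New Logon:' is the account that logged on.
    "account": re.compile(r"New Logon:.*?Account Name:\s+(\S+)"),
}

# Addresses that mean "this host talking to itself" or "no network source at all".
LOCAL_SOURCES = {"::1", "127.0.0.1", "-", ""}


def parse_4624(line: str) -> dict:
    """Extract the fields a rule would key on; missing fields come back as None."""
    fields = {}
    for name, pattern in FIELD_PATTERNS.items():
        match = pattern.search(line)
        fields[name] = match.group(1) if match else None
    return fields


def classify(fields: dict) -> str:
    """Decide what an alerting rule should do with a parsed 4624 event."""
    account = fields.get("account") or ""
    if account.endswith("$"):
        return "ignore-machine-account"   # computer accounts, e.g. ATHLON$
    if fields.get("source_address") in LOCAL_SOURCES or fields.get("source_address") is None:
        return "ignore-local"             # loopback or no network source
    if fields.get("logon_type") == "10":
        return "rdp"                      # RemoteInteractive: a real RDP session
    return "other"


if __name__ == "__main__":
    for sample in (EVENT_MACHINE, EVENT_RDP):
        parsed = parse_4624(sample)
        print(classify(parsed), parsed)
```

The machine-account event decodes with `source_address` `::1`, account `ATHLON$` and logon type 3 and is classified as noise, while the constructed session gives `10.1.1.50`, `alice`, type 10 and `rdp`. The same three fields are what a rule's `<srcip>`, `<user>` or regex match has to see, so if the address is present in the raw text but absent from the alert, the decoder rather than the rule is where to look, which is the point of dan's question to Aryn.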