Re: [ossec-list] ossec-maild(1223): ERROR: Error Sending email to 127.0.0.1 (smtp server)

[dan (ddp)]

On Nov 3, 2017 18:33,  wrote:

I am receiving the error: ossec-maild(1223): ERROR: Error Sending email to
127.0.0.1 (smtp server)

postfix is working on my client. `echo 'message' | mail -s 'subject'
recipi...@email.com` works as expected.

I have changed smtp_relay in my global config to localhost and 127.0.0.1
but neither worked.

Not sure what to try next.


Look at your postfix logs



-- 

---
You received this message because you are subscribed to the Google Groups
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an
email to ossec-list+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

-- 

--- 
You received this message because you are subscribed to the Google Groups 
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to ossec-list+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

[ossec-list] ossec-maild(1223): ERROR: Error Sending email to 127.0.0.1 (smtp server)

[this . iz . not . a . drill]

I am receiving the error: ossec-maild(1223): ERROR: Error Sending email to 
127.0.0.1 (smtp server)

postfix is working on my client. `echo 'message' | mail -s 'subject' 
recipi...@email.com` works as expected.

I have changed smtp_relay in my global config to localhost and 127.0.0.1 
but neither worked.

Not sure what to try next. 

-- 

--- 
You received this message because you are subscribed to the Google Groups 
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to ossec-list+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

[ossec-list] Ossec and information about delete Files and Folders

[L R]

Hi All,

I have problem with my ossec - on website ossec-wui I don't see any 
information about delete files or folders ( on Windows machines) 

Ossec SRV is on Centos 6.7 , ossec ver is 2.9.2.
When I delete folder from Windows 7 ( File Auditing is on and I see in 
EventLog information about delete files ID 4663) I don't see info in ossec 
about delete folder and I don't know why? :( Anyone Can help me?

-- 

--- 
You received this message because you are subscribed to the Google Groups 
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to ossec-list+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

[ossec-list] Re: Centralized agent.conf

[mark van de giessen]

Hi Eddi Bento,

I'm experiencing the same issue, i assume.
In windows, there currently is a bug that prevents a 'client-server' model 
as the md5 checksum fails due to End-Of-Line conversion errors. See 
(https://github.com/ossec/ossec-hids/pull/1207)
To resolve this, either wait for the fix mentioned in issue 1207, or 
compile it yourself with the fix included.

Coincidentally, i myself am also waiting for a new release, mainly for this 
issue.

Hopefully i've provided some help.

Sincerely,

Mark

Op donderdag 2 november 2017 22:01:23 UTC+1 schreef Eddi Bento:
>
> Hello.
>
> I'm trying to set up a proof of concept for OSSEC.  It's all set up and 
> monitoring a few computers, but I can't seem to get the agent.conf file to 
> push.  Originally, I was told to copy the ossec.conf file on the Manager 
> and remove the Global entries on it.  Since then, I've completely killed 
> the file and created an empty agent.conf that has the following:
>
> 
> 
> C:\OSSEC-Test\something.log
> syslog
> 
> 
>
> This is only line as I want to get this one file monitored first before I 
> continue.  I save this file and restart OSSEC.
>
> When I run:
>
> agent_control -i 002
>
> (where 002 is the AgentID for agent01)
>
> ..it never updates the MD5 Checksum of this file next to Client Version: 
> OSSEC HIDS v2.9.2
>
> Does anyone have an idea on what I'm doing wrong?  Is there an place where 
> I can see in the log that the agent.conf push fails?
>
> Regards,
> Eddi
>

-- 

--- 
You received this message because you are subscribed to the Google Groups 
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to ossec-list+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Re: [ossec-list] Re: Need to whitelist a message from message file

[Stephen LuShing]

It looks good with the statement as we not getting large amount of email
alerts

Thanks for the help

Steve lushing

On Thu, Nov 2, 2017 at 11:18 AM, Branch Family 
wrote:

> Actually, you would need this:
>
> MYAGENT|MYAGENT1|MYAGENT2
>
> Kevin
>
> On Thu, Nov 2, 2017 at 10:26 AM, Stephen LuShing 
> wrote:
>
>> Question
>>
>> The rule you provided
>>
>> 
>> 5104
>> MYAGENT
>> Ignore promisc mode events for specific
>> agent(s)
>>   
>>
>> If I have more than 1 server that giving this ,essage will the entry be
>> like
>>
>> MYAGENT, MYAGENT1, MYAGENT2
>>
>> or do I copy the same statement fordifferent servers.
>>
>>
>> Thanks in advance
>>
>> steve lushing
>>
>> On Tue, Oct 31, 2017 at 10:59 AM, dan (ddp)  wrote:
>>
>>> On Tue, Oct 31, 2017 at 10:58 AM, Stephen LuShing 
>>> wrote:
>>> > Does this child rule go on my main ossec server or on the agent side.
>>> - I
>>> > still learning OSSEC.
>>> >
>>>
>>> Rules go on the OSSEC manager.
>>>
>>> > Thanks in advance
>>> >
>>> > Steve Lushing
>>> >
>>> > On Mon, Oct 30, 2017 at 11:43 AM, Branch Family >> >
>>> > wrote:
>>> >>
>>> >> Stephen,
>>> >>
>>> >> If you want to granularly de-escalate or whitelist this alert, then
>>> create
>>> >> a child rule to rule 5104 in /var/ossec/etc/rules/local_rules.xml
>>> like this,
>>> >> somewhere in the sid range 10-12, with the agent name in
>>> question
>>> >> substituted for MYAGENT.
>>> >>
>>> >>   
>>> >> 5104
>>> >> MYAGENT
>>> >> Ignore promisc mode events for specific
>>> >> agent(s)
>>> >>   
>>> >>
>>> >> This would drop the severity level of the rule down to 5 for promisc
>>> >> events involving MYAGENT, hopefully low enough to be below your
>>> >>  in ossec.conf so you don't get emailed about it.
>>> >> Actually 5104 is only a level 8, which would imply your
>>> 
>>> >> is 8 or lower.  I imagine that would email you about a heap of events
>>> of
>>> >> little alert value.  You might want to consider bumping up that
>>> threshold.
>>> >> I personally would be deluged with emails even with an
>>> 
>>> >> value of 10.
>>> >>
>>> >> Reegards,
>>> >> Kevin
>>> >>
>>> >> On Mon, Oct 30, 2017 at 11:17 AM, Stephen LuShing <
>>> smlush...@gmail.com>
>>> >> wrote:
>>> >>>
>>> >>> I do not want to block the whole event or this alert. Is there a way
>>> to
>>> >>> block or whitelist a specific message from this alert. On this
>>> server we are
>>> >>> getting the Interface entered in promiscuous(sniffing) mode for one
>>> server
>>> >>> and a specific network interface.
>>> >>>
>>> >>> Can this be done on the agent level. We are basically getting "Oct 27
>>> >>> 09:39:59 lxbandt2 kernel: device eth10 entered promiscuous mode"
>>> message -
>>> >>> we want to stop getting this as a email but still record it on the
>>> logs. Is
>>> >>> there a way to do this.
>>> >>>
>>> >>> Else we may have to filter this email.
>>> >>>
>>> >>> Stephen LuShing
>>> >>>
>>> >>> On Fri, Oct 27, 2017 at 9:09 PM, 
>>> wrote:
>>> 
>>>  Hello Stephen
>>> 
>>>    I do not know if I understood well, but if you want to disable
>>> this
>>>  alert, you only need to add the following block to your file
>>> local_rules.xml
>>> 
>>>    
>>>  5100
>>>  Promiscuous mode enabled|
>>>  device \S+ entered promiscuous mode
>>>  Interface entered in promiscuous(sniffing)
>>>  mode.
>>>  promisc,
>>>    
>>> 
>>>  This block will overwrite the official 5104 rule.
>>>  If you want to do that, you have to be sure, because you are
>>> changing
>>>  the level value of the event in order to dismiss it. Could be
>>> possible that
>>>  other similar events (i.e. a malicious script which change the
>>> network
>>>  interface to promiscuous mode), then the event will no be
>>> registered as an
>>>  alert too.
>>> 
>>>  Hope it helps.
>>>  Best regards,
>>> 
>>> 
>>> 
>>>  On Friday, October 27, 2017 at 7:11:26 AM UTC-7, Stephen LuShing
>>> wrote:
>>> >
>>> > We recently been getting the following message from OSSEC:
>>> >
>>> >
>>> >
>>> > OSSEC HIDS Notification.
>>> >
>>> > 2017 Oct 27 09:40:01
>>> >
>>> > Received From: (lxbandt2) 10.8.6.31->/var/log/messages
>>> >
>>> > Rule: 5104 fired (level 8) -> "Interface entered in
>>> > promiscuous(sniffing) mode."
>>> >
>>> > Portion of the log(s):
>>> >
>>> > Oct 27 09:39:59 lxbandt2 kernel: device eth10 entered promiscuous
>>> mode
>>> >
>>> > --END OF NOTIFICATION
>>> >
>>> > Question
>>> >
>>> >
>>> >
>>> > Is there a way to ignore this message (other that are similar) as
>>> we
>>> > determine that this is not a issue for the server (It seems like
>>> Oracle is
>>> > running a process)
>>> >