[ossec-list] Reprocess logs archived by ossec

2019-07-18 Thread Jailson Tenório do Nascimento
I would like to reprocess a series of logs archived by ossec ( option). When reprocessing, after removing the header that ossec adds to the archived logs and using ossec-logtest -a, I got some results different from those processed in real time. ASA / PIX firewall logs were not counted because rule 4101 does not work with ossec-logtest (the action is actually Deny and not DROP according to the rule). The data was also not accurate for first-use rules and for rules with multiple related matches. Is there any other way to reprocess archived ossec logs?
The version I am using is 3.2.

Jailson Tenório do Nascimento

-- 

--- 
You received this message because you are subscribed to the Google Groups 
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to ossec-list+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/ossec-list/CAOkUAMNXB0bhinjpwQY0KrZYjOciyZzUZ40mYgtpYi1dQxWunA%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.
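An added example (my own, not code from the original post or from OSSEC) of the header-stripping step the post describes: it splits each archives.log line into source, location and raw log so the raw lines can be piped into `ossec-logtest -a`. The header layout it assumes (`YYYY Mon DD HH:MM:SS [(agent)] host-or-ip->location raw...`) and the sample lines are constructed.

```python
import re
from typing import Iterable, Iterator, Optional, Tuple

# Header that OSSEC prepends to each line of logs/archives/archives.log
# (assumed layout, not taken from the OSSEC source):
#   "2019 Jul 18 10:02:03 (agent) 10.0.0.5->/var/log/secure <raw log line>"
# or, for logs collected on the server itself:
#   "2019 Jul 18 10:02:03 manager->/var/log/messages <raw log line>"
_ARCHIVE_HEADER = re.compile(
    r"^\d{4} [A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2} "  # timestamp added by OSSEC
    r"(?:\([^)]*\) )?"                                   # optional "(agent name) "
    r"(?P<src>\S+?)->(?P<location>\S+) "                 # "host-or-ip->location "
    r"(?P<raw>.*)$"                                      # the original log line
)


def split_archive_line(line: str) -> Optional[Tuple[str, str, str]]:
    """Return (source, location, raw_log) for one archives.log line, or None
    when the line carries no OSSEC header (e.g. a wrapped continuation)."""
    m = _ARCHIVE_HEADER.match(line.rstrip("\n"))
    if m is None:
        return None
    return m.group("src"), m.group("location"), m.group("raw")


def raw_logs(lines: Iterable[str], location: Optional[str] = None) -> Iterator[str]:
    """Yield only the raw log lines, optionally restricted to one location,
    in a form that can be fed to `ossec-logtest -a` on stdin."""
    for line in lines:
        parts = split_archive_line(line)
        if parts is None:
            continue
        if location is not None and parts[1] != location:
            continue
        yield parts[2]


# Constructed sample lines in the assumed archives.log layout.
SAMPLE = [
    "2019 Jul 18 10:02:03 (web01) 10.0.0.5->/var/log/secure Jul 18 10:02:03 web01 "
    "sshd[4242]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2",
    "2019 Jul 18 10:02:04 manager->/var/log/messages Jul 18 10:02:04 manager kernel: eth0: link up",
    "this line has no OSSEC header and is skipped",
]

if __name__ == "__main__":
    import sys
    # Usage: python3 strip_archive.py < archives.log | /var/ossec/bin/ossec-logtest -a
    for raw in raw_logs(sys.stdin):
        print(raw)
```

Restricting the replay to one location keeps a rule's frequency counters from mixing events that were originally collected from different sources.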


[ossec-list] ossec-analysisd memory leak?

2019-07-18 Thread Jim M
Hi

I'm running CentOS 7.5.1804.  I'm running 
OSSEC ossec-hids-server-3.3.0-7006.el7.art.x86_64.  This is running on a 
t2.small instance with 2 GB RAM.  I'm seeing an issue that appears to be 
similar to https://github.com/ossec/ossec-hids/issues/1727

This box has been sitting pretty dormant for awhile now.  I tried 
implementing some custom rules but that's when the memory leak started.  I 
backed out all my custom rules and the ossec-analysisd process is still 
consuming all the memory and eventually OOMs the box (this never happened 
before I started implementing some rules, so I thought backing out my 
changes would stop the leak).  Temporarily, I've cron'd a job to restart 
OSSEC every night, but even after about 12 hours, memory usage on the 
process has jumped to 11.9%.

list_agents shows that there are only 76 agents active.  

What other information would be useful to help diagnose the issue?  

Thanks.



Re: [ossec-list] OSSEC Agents are not Connecting to Different Network Segments

2019-07-18 Thread dan (ddp)
On Thu, Jul 18, 2019 at 1:39 AM sunitha s  wrote:
>
> Hi All,
>
> I have installed OSSEC version 3.1 on Ubuntu 16.04 on my local PC.
> I have installed OSSEC agents in the same network segment; those agents are
> connected and sending logs to the OSSEC server. I also installed agents in
> different network segments, and all the configuration is done properly (the
> agent IPs are pingable, the internal firewall is disabled). When I run the command
> /var/ossec/bin/manage-agents it lists all the agents from the different
> network segments, but when I run the command /var/ossec/bin/agent-control
> -l it shows the agent state as "NEVER CONNECTED".
>
>
> Can anyone help me with connecting the agents from the different network
> segments?
>

Make sure they aren't communicating by checking for alerts from the
not-connected agents.
Make sure the IP address that the OSSEC server sees the agents as is
the IP configured in manage_agents (no NAT).
Use tcpdump to make sure the traffic from the agent is making it to
the OSSEC server (default: port 1514 udp).
Check the agent's ossec.log for errors.
Check the server's ossec.log for errors.




Re: [ossec-list] "ossec-dbd: Database not configured.

2019-07-18 Thread dan (ddp)
On Thu, Jul 18, 2019 at 1:24 AM sunitha s  wrote:
>
> Hii,
>  Yes I enabled the Schema.
>

Looking at the source, it looks like dbd isn't able to read the
configuration properly.
    /* Read configuration */
    if ((c = OS_ReadDBConf(test_config, cfg, &db_config)) < 0) {
        ErrorExit(CONFIG_ERROR, ARGV0, cfg);
    }
    ...
    /* Not configured */
    if (c == 0) {
        verbose("%s: Database not configured. Clean exit.", ARGV0);
        exit(0);
    }

So maybe there's an error in the database section of your ossec.conf?
You can try running dbd in debug mode and in the foreground to try and
get more information:
`sudo /var/ossec/bin/ossec-dbd -df`

>
> On Thu, 18 Jul 2019 at 10:19, dan (ddp)  wrote:
>>
>> On Thu, Jul 18, 2019 at 12:43 AM sunitha s  wrote:
>> >
>> > Hi All,
>> > I am trying to configure the database in OSSEC server version 3.1.0. For
>> > that I ran /var/ossec/bin/ossec-control enable database, but it is
>> > showing ossec-dbd not running,
>> > and when I run grep ossec-dbd /var/ossec/logs/ossec.log it shows
>> > the result "ossec-dbd: Database not configured. Clean exit.".
>> >
>> > Can anyone suggest how I can rectify the error?
>> >
>>
>> Did you load the schema into the database?
>>



[ossec-list] Re: CDB format problem

2019-07-18 Thread Brian Candler
My mistake: I was looking at source code from wazuh. The corresponding code in ossec doesn't support double quotes.



[ossec-list] Re: CDB format problem

2019-07-18 Thread Kyriakos Stavridis
Tested your 1st point, doesn't seem to work. I tried inserting 
"192.168.1.x" instead of 192.168.1.x (which I know it worked), and I didn't 
get a match.


On Wednesday, July 17, 2019 at 12:46:39 PM UTC+3, Brian Candler wrote:
>
> On Tuesday, 16 July 2019 13:44:33 UTC+1, Kyriakos Stavridis wrote:
>>
>> How can I surpass that obstacle (double : in every entry) when compiling 
>> the cdb list with ossec-makelists? Any ideas?
>>
>>
> Looking in src/analysisd/lists_make.c, it appears that both keys and 
> values can be surrounded by double quotes, which should solve your problem 
> (if the code works).
>
> Otherwise, CDB files are 8-bit clean. You could compile them with the 
> native cdbmake utility instead, which has a different input format with 
> explicit lengths for key and value parts.
>

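An added example (my own, not code from the thread or from OSSEC) of the cdbmake route Brian suggests above: it emits the `+klen,dlen:key->data` records that djb's cdbmake reads on stdin, so keys that themselves contain colons (IPv6 addresses, MAC addresses) need no quoting, and it includes a reader for the same format to show why the explicit byte lengths make the parse unambiguous. The sample keys and values are constructed; whether ossec-analysisd matches such keys at lookup time is not verified here.

```python
from typing import Iterable, List, Tuple


def cdbmake_record(key: bytes, value: bytes) -> bytes:
    # One djb cdbmake record: "+klen,dlen:key->data\n". The lengths are byte
    # counts, so a key like "2001:db8::1" can hold any number of ':' characters.
    return b"+%d,%d:%s->%s\n" % (len(key), len(value), key, value)


def cdbmake_input(pairs: Iterable[Tuple[bytes, bytes]]) -> bytes:
    # A cdbmake input stream is a run of records terminated by an empty line.
    return b"".join(cdbmake_record(k, v) for k, v in pairs) + b"\n"


def parse_cdbmake_input(data: bytes) -> List[Tuple[bytes, bytes]]:
    # Reader for the same format: it never searches for ':' inside the key,
    # it reads exactly klen bytes, which is what makes colons in keys safe.
    out, pos = [], 0
    while data[pos:pos + 1] == b"+":
        comma = data.index(b",", pos)
        colon = data.index(b":", comma)
        klen, dlen = int(data[pos + 1:comma]), int(data[comma + 1:colon])
        key = data[colon + 1:colon + 1 + klen]
        arrow = colon + 1 + klen
        if data[arrow:arrow + 2] != b"->":
            raise ValueError(f"bad record separator at offset {arrow}")
        value = data[arrow + 2:arrow + 2 + dlen]
        pos = arrow + 2 + dlen
        if data[pos:pos + 1] != b"\n":
            raise ValueError(f"bad record terminator at offset {pos}")
        pos += 1
        out.append((key, value))
    if data[pos:] != b"\n":
        raise ValueError("missing final empty line")
    return out


# Constructed sample entries; the first two keys would trip a split on ':'.
SAMPLE_PAIRS = [
    (b"2001:db8::1", b"blocked-ipv6"),
    (b"00:11:22:33:44:55", b"lab-mac"),
    (b"192.168.1.10", b"allowed"),
]

if __name__ == "__main__":
    import sys
    # Usage: python3 gen_cdb.py | cdbmake lists/blocked.cdb lists/blocked.tmp
    sys.stdout.buffer.write(cdbmake_input(SAMPLE_PAIRS))
```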