[ossec-list] About active responses

2019-10-10 Thread Kyriakos Stavridis
Hey guys,

Can I have an active response only activated for a specific agent? (active 
response's location is on ossec server)

Example:
I have agent1 and agent2, I have 2 active responses AR1 and AR2. I want AR1 
to be triggered only by agent1 events and AR2 to be triggered only by 
agent2 events.
Is this possible?

Example config:

  commandname1
  server
  // some config here? specifying agent1
  3



  commandname2
  server
  // some config here? specifying agent2
  3


Thanks! Have a nice day!

-- 

--- 
You received this message because you are subscribed to the Google Groups 
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to ossec-list+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/ossec-list/2a4319d3-dc11-4cd8-913c-e7d3fba3ece5%40googlegroups.com.


[ossec-list] Not receiving email alert for file changes(FIM)

2019-10-10 Thread Prashanthi Soundarajan
ossec.conf
___


  
yes
my email
127.0.0.1
ossecm@fcappiee
yes
  

  
my email
550, 553, 554

  

  
rules_config.xml
pam_rules.xml
sshd_rules.xml
telnetd_rules.xml
syslog_rules.xml
arpwatch_rules.xml
symantec-av_rules.xml
symantec-ws_rules.xml
pix_rules.xml
named_rules.xml
smbd_rules.xml
vsftpd_rules.xml
pure-ftpd_rules.xml
proftpd_rules.xml
ms_ftpd_rules.xml
ftpd_rules.xml
hordeimp_rules.xml
roundcube_rules.xml
wordpress_rules.xml
cimserver_rules.xml
vpopmail_rules.xml
vmpop3d_rules.xml
courier_rules.xml
web_rules.xml
web_appsec_rules.xml
apache_rules.xml
nginx_rules.xml
php_rules.xml
mysql_rules.xml
postgresql_rules.xml
ids_rules.xml
squid_rules.xml
firewall_rules.xml
apparmor_rules.xml
cisco-ios_rules.xml
netscreenfw_rules.xml
sonicwall_rules.xml
postfix_rules.xml
sendmail_rules.xml
imapd_rules.xml
mailscanner_rules.xml
dovecot_rules.xml
ms-exchange_rules.xml
racoon_rules.xml
vpn_concentrator_rules.xml
spamd_rules.xml
msauth_rules.xml
mcafee_av_rules.xml
trend-osce_rules.xml
ms-se_rules.xml

zeus_rules.xml
solaris_bsm_rules.xml
vmware_rules.xml
ms_dhcp_rules.xml
asterisk_rules.xml
ossec_rules.xml
attack_rules.xml
openbsd_rules.xml
clam_av_rules.xml
dropbear_rules.xml
sysmon_rules.xml
opensmtpd_rules.xml
exim_rules.xml
local_rules.xml


  

60
yes

/etc,/usr/bin,/usr/sbin,/data,/home,/opt
/bin,/sbin,/boot,/dev,/null,/lib,/media,/proc,/srv,/mnt


/etc/mtab
/etc/mnttab
/etc/hosts.deny
/etc/mail/statistics
/etc/random-seed
/etc/adjtime
/etc/httpd/logs
/etc/utmpx
/etc/wtmpx
/etc/cups/certs
/etc/dumpdates
/etc/svc/volatile
/data/helpkit/shared/log
/data/haystack-shipper/logs
/data/haystack-shipper/data
/data/helpkit/shared/tmp/cache
/data/helpkit/current/log
/dev/pts
/dev/null
/dev/tty
/etc/blkid/blkid.tab
/etc/sudoers
/opt/confd/confd.txt
/var/log
/opt/SumoCollector/config
/opt/SumoCollector/logs
/var/lib
/var/run
/var/spool
/var/cache
/tmp
/var/log
/var/ossec
/home/^/.ssh
/home/^/.bash_history
/opt/aws/opsworks/releases
/root/.bash_history
/root/.monit.state
/root/.viminfo
/root/.viminfo.tmp
/dev/char




 
  60
  no
  yes
  yes
  yes
  yes
  yes
  yes
  yes
  yes
  /var/ossec/etc/shared/rootkit_files.txt
  
/var/ossec/etc/shared/rootkit_trojans.txt
  
/var/ossec/etc/shared/system_audit_rcl.txt
  
/var/ossec/etc/shared/cis_debian_linux_rcl.txt
  
/var/ossec/etc/shared/cis_rhel_linux_rcl.txt
  
/var/ossec/etc/shared/cis_rhel5_linux_rcl.txt
 

 
7
7
 



**

local_rules.xml
___


  
   ossec
   syscheck_new_entry
   File added to the system.
   syscheck,
  



I am not getting email alert if a file is modified / added to my system



[ossec-list] Re: Not receiving email alert for file changes(FIM)

2019-10-10 Thread Prashanthi Soundarajan


On Thursday, October 10, 2019 at 3:57:41 PM UTC+5:30, Prashanthi 
Soundarajan wrote:
> I am not getting email alert if a file is modified / added / deleted to my 
> system. 
>
Installation type : Local
OS : Amazon Linux



Re: [ossec-list] Re: Not receiving email alert for file changes(FIM)

2019-10-10 Thread dan (ddp)
On Thu, Oct 10, 2019 at 7:02 AM Prashanthi Soundarajan
 wrote:
>> I am not getting email alert if a file is modified / added / deleted to my 
>> system.
>
> Installation type : Local
> OS : Amazon Linux
>

Are you getting any email alerts?




Re: [ossec-list] Re: Not receiving email alert for file changes(FIM)

2019-10-10 Thread Prashanthi Soundarajan
Yes, I am getting email alerts like "Level 2 - Unknown problem somewhere in the system", "Level 8 - Log file size reduced", "Level 7 - Integrity checksum changed.", "Level 13 - Non standard syslog message"

I am not getting alerts for new file creation/deletion/modification

On Thursday, October 10, 2019 at 6:17:54 PM UTC+5:30, dan (ddpbsd) wrote:
>
> Are you getting any e

Re: [ossec-list] Re: Not receiving email alert for file changes(FIM)

2019-10-10 Thread dan (ddp)
On Thu, Oct 10, 2019 at 8:54 AM Prashanthi Soundarajan
 wrote:
>
> Yes, I am getting email alerts like "Level 2 - Unknown problem somewhere in the system", "Level 8 - Log file size reduced", "Level 7 - Integrity checksum changed.", "Level 13 - Non standard syslog message"
>
> I am not getting alerts for new file creation/deletion/modification
>

Are these alerts getting triggered (check /var/ossec/logs/alerts/alerts.log)?


Re: [ossec-list] Re: Not receiving email alert for file changes(FIM)

2019-10-10 Thread Prashanthi Soundarajan

Yes, I am able to see the alerts I mentioned ("Level 2 - Unknown problem somewhere in the system", "Level 8 - Log file size reduced", "Level 7 - Integrity checksum changed.", "Level 13 - Non standard syslog message") in /var/ossec/logs/alerts/alerts.log

Sample:

** Alert 1570713203.436414: mail  - syslog,errors,
2019 Oct 10 13:13:23 fc-app-7->/var/log/nginx/error.log
Rule: 1002 (level 2) -> 'Unknown problem somewhere in the system.'
App 1663 stderr: /data/helpkit/shared/bundler_gems/ruby/2.2.0/gems/rest-client-1.8.0/lib/restclient/request.rb:387:in `transmit' : This dangerous monkey patch leaves you open to MITM attacks! (StandardWarning)

** Alert 1570713205.436799: mail  - syslog,errors,
2019 Oct 10 13:13:25 fc-app-7->/var/log/nginx/error.log
Rule: 1002 (level 2) -> 'Unknown problem somewhere in the system.'
App 1663 stderr: /data/helpkit/shared/bundler_gems/ruby/2.2.0/gems/rest-client-1.8.0/lib/restclient/request.rb:387:in `transmit' : This dangerous monkey patch leaves you open to MITM attacks! (StandardWarning)

** Alert 1570713207.437184: mail  - syslog,errors,
2019 Oct 10 13:13:27 fc-app-7->/var/log/nginx/error.log
Rule: 1002 (level 2) -> 'Unknown problem somewhere in the system.'
App 1663 stderr: /data/helpkit/shared/bundler_gems/ruby/2.2.0/gems/rest-client-1.8.0/lib/restclient/request.rb:387:in `transmit' : This dangerous monkey patch leaves you open to MITM attacks! (StandardWarning)


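Dan's check above (are the syscheck alerts present in alerts.log at all?) as a small script. This is an added example, not code from the thread or from OSSEC: it parses the alert layout shown in Prashanthi's sample, treats the `mail` token after the timestamp as the flag analysisd sets when it selects an alert for e-mail (an assumption about the alerts.log format), and reports for rules 550, 553 and 554 whether each was never raised, raised but not flagged for e-mail, or flagged (so the gap is in mail delivery). The sample entries and their timestamps are constructed.

```python
"""Triage OSSEC FIM e-mail gaps from alerts.log (added example, not from the thread).
Header layout is the one shown in the thread; 'mail' after the timestamp is
assumed to be the flag analysisd sets when it selects an alert for e-mail."""
import re
from dataclasses import dataclass

# Constructed sample: first entry mirrors the thread, the syscheck entries are
# made up (rule 550 flagged for mail, rule 554 not flagged, no 553 at all).
SAMPLE_ALERTS = """\
** Alert 1570713203.436414: mail  - syslog,errors,
2019 Oct 10 13:13:23 fc-app-7->/var/log/nginx/error.log
Rule: 1002 (level 2) -> 'Unknown problem somewhere in the system.'
App 1663 stderr: some application warning

** Alert 1570713260.437500: mail  - ossec,syscheck,
2019 Oct 10 13:14:20 fc-app-7->syscheck
Rule: 550 (level 7) -> 'Integrity checksum changed.'
Integrity checksum changed for: '/etc/hosts'

** Alert 1570713261.437900: - ossec,syscheck,
2019 Oct 10 13:14:21 fc-app-7->syscheck
Rule: 554 (level 5) -> 'File added to the system.'
New file '/etc/newfile.conf' added to the file system.
"""

HEADER_RE = re.compile(r"^\*\* Alert (\d+)\.\d+:\s*(mail)?\s*-\s*(\S*)$")
RULE_RE = re.compile(r"^Rule: (\d+) \(level (\d+)\) -> '(.*)'$")
FIM_RULES = (550, 553, 554)  # syscheck rules: 550 changed, 553 deleted, 554 added

@dataclass
class Alert:
    timestamp: int
    mail: bool          # True when the header carries the 'mail' flag
    groups: tuple
    location: str
    rule_id: int
    level: int
    description: str

def parse_alerts(text):
    """One Alert per '** Alert' block; blocks that do not match are skipped."""
    alerts = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = block.splitlines()
        head = HEADER_RE.match(lines[0]) if len(lines) >= 3 else None
        rule = RULE_RE.match(lines[2]) if head else None
        if not rule:
            continue
        groups = tuple(g for g in head.group(3).split(",") if g)
        alerts.append(Alert(int(head.group(1)), head.group(2) is not None, groups,
                            lines[1].rsplit("->", 1)[-1], int(rule.group(1)),
                            int(rule.group(2)), rule.group(3)))
    return alerts

def diagnose_fim(alerts, fim_rules=FIM_RULES):
    """Per FIM rule id: not_triggered (syscheck never raised it: look at scan
    frequency, realtime, alert_new_files, ignored dirs), triggered_no_email
    (raised but level is below email_alert_level and no granular email_alerts
    match), or email_flagged (mail flag set, so the gap is in maild/SMTP)."""
    result = {}
    for rid in fim_rules:
        hits = [a for a in alerts if a.rule_id == rid]
        if not hits:
            result[rid] = "not_triggered"
        elif any(a.mail for a in hits):
            result[rid] = "email_flagged"
        else:
            result[rid] = "triggered_no_email"
    return result
```

Run it against a copy of /var/ossec/logs/alerts/alerts.log instead of SAMPLE_ALERTS to see which of the three cases applies on the affected host.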