[ossec-list] Re: Update OSSEC Server
Hello Kyriakos. Thank you for your recommendations :D I will try it.

Regards

On Friday, 7 August 2020, 4:47:16 (UTC-5), Kyriakos Stavridis wrote:
> Hello sparks,
>
> From my experience, I suggest you follow the below steps to complete your upgrade.
>
> - First backup your current ossec rules, decoders, active-responses scripts and ossec.conf (JUST IN CASE YOU LATER NEED THEM, perhaps you've written custom rules and decoders)
> - Then download and extract the latest ossec server version
> - Initiate the installation and OSSEC should detect that you already have a prior version installed. It will ask you if you want to upgrade it.
>   *You already have OSSEC installed. Do you want to update it? (y/n): y*
> - It will ask you if you want to update the rules as well. I suggest you do it.
>   *Do you want to update the rules? (y/n): y*
> - Installation and upgrade will begin.
> - After the installation is finished, just check if every process is running and you're done.
>   *$ sudo /var/ossec/bin/ossec-control status*
>
> On Friday, August 7, 2020 at 12:09:57 AM UTC+3 sparks@gmail.com wrote:
>> Hello Community,
>>
>> Do you know if there is a procedure to update the OSSEC server from 2.9.3 to the latest version? I was looking on the Internet for information but I can't find anything.
>>
>> I appreciate your help.
>>
>> Regards

--
---
You received this message because you are subscribed to the Google Groups "ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to ossec-list+unsubscr...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/ossec-list/07b50241-3a41-4767-8152-563cd6bd8ebdo%40googlegroups.com.
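As an added example, not code from the thread or from the OSSEC project, here is a POSIX shell helper for the first and last of Kyriakos's steps: it copies the customisable OSSEC files to a backup directory with a SHA-256 manifest, verifies that backup, and checks `ossec-control status` output for any daemon that is not running. It assumes the default /var/ossec layout; client.keys and local_internal_options.conf are added to the backup list beyond what the reply names, because losing them also breaks a working server.

```shell
#!/bin/sh
# Added example, not from the thread or the OSSEC project.
# Snapshot the files an OSSEC server upgrade can overwrite (custom rules,
# decoders, active-response scripts, ossec.conf) before running the new
# version's install.sh, then verify the copy and the post-upgrade status.
# Assumes the default OSSEC layout under /var/ossec.

# Items relative to the OSSEC prefix. client.keys and
# local_internal_options.conf go beyond the list in the reply (assumption:
# you want to keep agent keys and tuning across the upgrade too).
OSSEC_BACKUP_ITEMS="etc/ossec.conf etc/client.keys etc/decoder.xml \
etc/local_decoder.xml etc/local_internal_options.conf etc/shared/agent.conf \
rules active-response/bin"

# ossec_backup_custom [prefix] [dest]
# Copies every item that exists into dest, preserving modes, and writes a
# SHA-256 manifest. Fails if nothing was found under prefix.
ossec_backup_custom() {
    prefix=${1:-/var/ossec}
    dest=${2:-/root/ossec-backup-$(date +%Y%m%d%H%M%S)}
    mkdir -p "$dest" || return 1
    copied=0
    for item in $OSSEC_BACKUP_ITEMS; do
        [ -e "$prefix/$item" ] || continue
        mkdir -p "$dest/$(dirname "$item")" || return 1
        cp -pR "$prefix/$item" "$dest/$(dirname "$item")/" || return 1
        copied=$((copied + 1))
    done
    if [ "$copied" -eq 0 ]; then
        echo "no OSSEC files found under $prefix" >&2
        return 1
    fi
    # The manifest excludes itself so the backup can be re-verified later.
    (cd "$dest" && find . -type f ! -name MANIFEST.sha256 -exec sha256sum {} + \
        | sort -k 2 > MANIFEST.sha256) || return 1
    echo "$copied items copied to $dest"
}

# ossec_verify_backup dest
# Recomputes the checksums; a non-zero exit means a file is missing or changed.
ossec_verify_backup() {
    (cd "$1" && sha256sum -c MANIFEST.sha256 > /dev/null)
}

# ossec_status_ok
# Reads `ossec-control status` output on stdin. Succeeds only when at least
# one daemon reports "is running" and none reports "not running".
ossec_status_ok() {
    status=$(cat)
    printf '%s\n' "$status" | grep -q 'is running' || return 1
    printf '%s\n' "$status" | grep -q 'not running' && return 1
    return 0
}

# Typical use around the upgrade steps (needs root on a real server):
#   ossec_backup_custom /var/ossec /root/ossec-pre-upgrade
#   ... run the new version's install.sh and answer the update prompts ...
#   /var/ossec/bin/ossec-control status | ossec_status_ok || echo "a daemon is down"
```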
[ossec-list] Update OSSEC Server
Hello Community,

Do you know if there is a procedure to update the OSSEC server from 2.9.3 to the latest version? I was looking on the Internet for information but I can't find anything.

I appreciate your help.

Regards
[ossec-list] Uninstall OSSEC Server
Hello to everybody,

I need to uninstall the OSSEC server from a Red Hat OS. I was searching for info in the group posts but I don't find anything. How can I do this?

Thank you.

Regards.
[ossec-list] Stop alerting for specific agentless
Hello, good morning,

Does somebody know if there is some option to stop alerting for a specific agentless host during Linux OS updates? For example, if I have 10 agentless hosts, how can I stop the alerts for 5 of them? For example something like this (I know that this doesn't work jeje):

ssh_integrity_check_linux *no* 36000 ossec@172.17.1.77 periodic /home/ossec

Regards
[ossec-list] Re: Stop alerting
Hello Zach,

Thank you for your comments. I'll check it and I'm going to do tests. Does something exist to apply on agentless?

Regards

On Wednesday, 1 April 2020, 8:12:08 (UTC-6), Carlos Islas wrote:
> Good day community.
>
> I need to stop the alerts for specific hosts, for example when we update the OS or when we have a maintenance window. How can we do that? I don't know if I'm explaining myself :)
>
> I appreciate your help
>
> Regards
[ossec-list] Re: Stop alerting
Hello,

Does somebody have any suggestion?

On Wednesday, 1 April 2020, 8:12:08 (UTC-6), Carlos Islas wrote:
> Good day community.
>
> I need to stop the alerts for specific hosts, for example when we update the OS or when we have a maintenance window. How can we do that? I don't know if I'm explaining myself :)
>
> I appreciate your help
>
> Regards
[ossec-list] Stop alerting
Good day community.

I need to stop the alerts for specific hosts, for example when we update the OS or when we have a maintenance window. How can we do that? I don't know if I'm explaining myself :)

I appreciate your help

Regards
[ossec-list] All the agents is not connected | Port 1514 is not listening
Hello, good afternoon,

I have a very strange issue: none of my agents are reporting. When I check the status of my ports I cannot see port 1514:

root@TMCVPLMT01:/var/ossec/bin# nmap localhost
Starting Nmap 7.40 ( https://nmap.org ) at 2018-10-29 16:16 CST
Nmap scan report for localhost (127.0.0.1)
Host is up (0.030s latency).
Other addresses for localhost (not scanned): ::1
Not shown: 999 closed ports
PORT   STATE SERVICE
22/tcp open  ssh
Nmap done: 1 IP address (1 host up) scanned in 1.72 seconds

If I restart the ossec-remoted process, this happens in ossec:

2018/10/29 16:19:28 ossec-remoted(1206): ERROR: Unable to Bind port '1514'

I think the problem is the port, because it is not open or listening... =S

udp6 0 0 :::1514 :::* 3029/ossec-remoted

Does somebody have an idea? What can I do?

Thank you

Regards
Re: [EXTERNAL] [ossec-list] Installing ossec agent in RedHat
Hi Vicente,

What does it mean *from source*? Sorry, I'm a rookie.

Regards

On Friday, 17 August 2018, 13:56:48 (UTC-5), Vicente Munoz wrote:
> Hello Carlos,
>
> Maybe this will be a bit overkill (like hitting a nail with an anvil) but why don't you try compiling OSSEC from source instead of using the package from RedHat and see if maybe that is the issue?
>
> VR,
> Vicente Muñoz
>
> From: ossec...@googlegroups.com On Behalf Of Carlos Islas
> Sent: Friday, August 17, 2018 11:51 AM
> To: ossec-list
> Subject: Re: [EXTERNAL] [ossec-list] Installing ossec agent in RedHat
>
> Hi Vicente,
>
> Thank you for your ideas. It is the first time that I'm trying to install on this host. I had uninstalled the agent and tried to install it again but the problem continues.
>
> Regards
>
> On Friday, 17 August 2018, 13:33:26 (UTC-5), Vicente Munoz wrote:
>> Hello Carlos,
>>
>> Had you previously installed it in this host or is this the first time? Sounds a bit to me like an issue I had once trying to update an agent which I ended up solving by deleting the core folder and letting it be reinstalled fresh.
>>
>> VR,
>> Vicente Muñoz
>>
>> From: ossec...@googlegroups.com On Behalf Of Carlos Islas
>> Sent: Friday, August 17, 2018 11:00 AM
>> To: ossec-list
>> Subject: [EXTERNAL] [ossec-list] Installing ossec agent in RedHat
>>
>> Hi to everyone,
>>
>> I'm trying to install an agent on a RedHat host, but I'm a rookie in this OS. Following the instructions of the official site, I did this:
>>
>> [root@VKNXSEGRHFIM home]# sudo yum install ossec-hids-agent
>> Loaded plugins: product-id, security, subscription-manager
>> This system is not registered to Red Hat Subscription Management. You can use subscription-manager to register.
>> Setting up Install Process
>> Resolving Dependencies
>> --> Running transaction check
>> ---> Package ossec-hids-agent.x86_64 0:3.0.0-5505.el6.art will be installed
>> --> Finished Dependency Resolution
>>
>> Dependencies Resolved
>>
>> ================================================================
>>  Package            Arch     Version              Repository   Size
>> ================================================================
>> Installing:
>>  ossec-hids-agent   x86_64   3.0.0-5505.el6.art   atomic       330 k
>>
>> Transaction Summary
>> ================================================================
>> Install 1 Package(s)
>>
>> Total download size: 330 k
>> Installed size: 1.8 M
>> Is this ok [y/N]: y
>> Downloading Packages:
>> ossec-hids-agent-3.0.0-5505.el6.art.x86_64.rpm | 330 kB 00:00
>> Running rpm_check_debug
>> Running Transaction Test
>> Transaction Test Succeeded
>> Running Transaction
>>   Installing : ossec-hids-agent-3.0.0-5505.el6.art.x86_64 1/1
>> Non-fatal POSTIN scriptlet failure in rpm package ossec-hids-agent-3.0.0-5505.el6.art.x86_64
>> touch: no se puede efectuar `touch' sobre «/var/ossec/logs/ossec.log»: No existe el fichero o el directorio
>> chown: no se puede acceder a «/var/ossec/logs/ossec.log»: No existe el fichero o el directorio
>> chmod: no se puede acceder a «/var/ossec/logs/ossec.log»: No existe el fichero o el directorio
>> warning: %post(ossec-hids-agent-0:3.0.0-5505.el6.art.x86_64) scriptlet failed, exit status 1
>>   Verifying : ossec-hids-agent-3.0.0-5505.el6.art.x86_64 1/1
>>
>> Installed:
>>   ossec-hids-agent.x86_64 0:3.0.0-5505.el6.art
>>
>> Complete!
>>
>> Obviously something is wrong. Do
[ossec-list] Installing ossec agent in RedHat
Hi to everyone,

I'm trying to install an agent on a RedHat host, but I'm a rookie in this OS. Following the instructions of the official site, I did this:

[root@VKNXSEGRHFIM home]# sudo yum install ossec-hids-agent
Loaded plugins: product-id, security, subscription-manager
This system is not registered to Red Hat Subscription Management. You can use subscription-manager to register.
Setting up Install Process
Resolving Dependencies
--> Running transaction check
---> Package ossec-hids-agent.x86_64 0:3.0.0-5505.el6.art will be installed
--> Finished Dependency Resolution

Dependencies Resolved

================================================================
 Package            Arch     Version              Repository   Size
================================================================
Installing:
 ossec-hids-agent   x86_64   3.0.0-5505.el6.art   atomic       330 k

Transaction Summary
================================================================
Install 1 Package(s)

Total download size: 330 k
Installed size: 1.8 M
Is this ok [y/N]: y
Downloading Packages:
ossec-hids-agent-3.0.0-5505.el6.art.x86_64.rpm | 330 kB 00:00
Running rpm_check_debug
Running Transaction Test
Transaction Test Succeeded
Running Transaction
  Installing : ossec-hids-agent-3.0.0-5505.el6.art.x86_64 1/1
Non-fatal POSTIN scriptlet failure in rpm package ossec-hids-agent-3.0.0-5505.el6.art.x86_64
touch: no se puede efectuar `touch' sobre «/var/ossec/logs/ossec.log»: No existe el fichero o el directorio
chown: no se puede acceder a «/var/ossec/logs/ossec.log»: No existe el fichero o el directorio
chmod: no se puede acceder a «/var/ossec/logs/ossec.log»: No existe el fichero o el directorio
warning: %post(ossec-hids-agent-0:3.0.0-5505.el6.art.x86_64) scriptlet failed, exit status 1
  Verifying : ossec-hids-agent-3.0.0-5505.el6.art.x86_64 1/1

Installed:
  ossec-hids-agent.x86_64 0:3.0.0-5505.el6.art

Complete!

Obviously something is wrong. Do you have an idea about this?

Thank you for your help.

Regards
Re: [ossec-list] Ignore path
Hi dan,

This is my configuration:

E:\Program Files (x86)\Websense\Web Security\bin\postgres\data\base
E:\Program Files (x86)/Websense/Web Security/bin/postgres/data/base

But I keep receiving alert emails:

Integrity checksum changed for: 'E:\Program Files (x86)/Websense/Web Security/bin/postgres/data/base/16384/16469.3'
Size changed from '217948160' to '328515584'

Do you have an idea about what is happening? =(

Regards.

On Monday, 23 April 2018, 17:30:26 (UTC-5), dan (ddpbsd) wrote:
> On Thu, Apr 19, 2018 at 1:36 PM, Carlos Islas <sparks@gmail.com> wrote:
>> Hello to everybody
>>
>> I have this exclusion in my agent.conf:
>>
>> C:\Program Files (x86)\ossec-agent\rids
>>
> Try:
> C:\Program Files (x86)/ossec-agent/rids
>
>> But I continue receiving email notifications. Is it necessary to "escape" the space?
>>
>> Thanks to all!
>>
>> Regards
[ossec-list] Re: Ignore path
Hi dan,

This is my configuration:

E:\Program Files (x86)\Websense\Web Security\bin\postgres\data\base
E:\Program Files (x86)/Websense/Web Security/bin/postgres/data/base

But I keep receiving alert emails:

Integrity checksum changed for: 'E:\Program Files (x86)/Websense/Web Security/bin/postgres/data/base/16384/16469.3'
Size changed from '217948160' to '328515584'

Do you have an idea about what is happening? =(

Regards.

On Thursday, 19 April 2018, 12:36:38 (UTC-5), Carlos Islas wrote:
> Hello to everybody
>
> I have this exclusion in my agent.conf:
>
> C:\Program Files (x86)\ossec-agent\rids
>
> But I continue receiving email notifications. Is it necessary to "escape" the space?
>
> Thanks to all!
>
> Regards
[ossec-list] Re: Ignore path
Hello,

One doubt: is my exclusion OK? My doubt is about the "space".

Regards

On Thursday, 19 April 2018, 12:36:38 (UTC-5), Carlos Islas wrote:
> Hello to everybody
>
> I have this exclusion in my agent.conf:
>
> C:\Program Files (x86)\ossec-agent\rids
>
> But I continue receiving email notifications. Is it necessary to "escape" the space?
>
> Thanks to all!
>
> Regards
[ossec-list] Ignore path
Hello to everybody

I have this exclusion in my agent.conf:

C:\Program Files (x86)\ossec-agent\rids

But I continue receiving email notifications. Is it necessary to "escape" the space?

Thanks to all!

Regards
Re: [ossec-list] Common directories to scan
Thanks dan, I could configure it.

Regards

On Wednesday, 14 March 2018, 16:21:38 (UTC-6), dan (ddpbsd) wrote:
> On Wed, Mar 14, 2018 at 5:25 PM, Carlos Islas <sparks@gmail.com> wrote:
>> Hi dan
>>
>> Thank you for your suggestion. And what do you think for Windows paths?
>>
> Sorry, I don't do much with Windows. I'd assume it's the same type of thing though. Binary paths, and static data.
>
>> Regards
>>
>> On Wednesday, 14 March 2018, 15:23:32 (UTC-6), dan (ddpbsd) wrote:
>>> On Fri, Mar 2, 2018 at 2:01 PM, Carlos Islas <sparks@gmail.com> wrote:
>>>> Hello,
>>>>
>>>> Firstly, I'm sorry for my bad English. I want to know, based on your experience, which directories are the most common to run a syscheck on, on Windows or Linux devices?
>>>>
>>> /etc, /bin, /sbin, /usr/sbin, /usr/bin
>>> Directories with static data. bin directories for web applications
>>>
>>> I like to monitor /var/ossec/bin and /var/ossec/etc
>>>
>>>> Thank you to all of you for your attention.
>>>>
>>>> Regards!
Re: [ossec-list] Directories to check and ignore directories
Hi dan,

I could configure the path for the agents by creating the file agent.conf on the server in the path /var/ossec/etc/shared.

Thank you for your help.

Regards

On Tuesday, 10 April 2018, 16:40:02 (UTC-5), Carlos Islas wrote:
> On Tuesday, 10 April 2018, 16:13:21 (UTC-5), dan (ddpbsd) wrote:
>> On Tue, Apr 10, 2018, 5:02 PM Carlos Islas <sparks@gmail.com> wrote:
>>> Hello to everybody,
>>>
>>> I've a problem: in my ossec server I had added new directories to check or to ignore, example:
>>>
>>> /etc,/usr/bin,/usr/sbin
>>> check_all="yes">/bin,/sbin,/boot,/lib,/opt,/srv
>>> C:\Windows\Test
>>> C:\Program Files (x86)\ossec-agent
>>> C:\Program Files
>>> C:\Program Files (x86)
>>> D:\Program Files
>>> E:\Program Files (x86)\Websense\Web Security\tomcat\logs
>>>
>> If you added these to the server's ossec.conf, they will be checked on the server. To get them checked on an agent they should be added to the agent's ossec.conf or the agent.conf.
>>
> Sorry, one doubt: then if I want to check a specific path I need to add the path agent by agent?
>
>>> But I'm not sure that this configuration is working, because the ossec agent log doesn't show the entry:
>>>
>>> 2018/04/10 13:34:53 ossec-agent: INFO: Starting syscheck scan.
>>> 2018/04/10 13:43:18 ossec-agent(1758): ERROR: Unable to open registry key: 'System\CurrentControlSet\Services\MpsSvc\Parameters\AppCs'.
>>> 2018/04/10 13:43:18 ossec-agent(1758): ERROR: Unable to open registry key: 'System\CurrentControlSet\Services\MpsSvc\Parameters\PortKeywords\DHCP'.
>>> 2018/04/10 13:43:18 ossec-agent(1758): ERROR: Unable to open registry key: 'System\CurrentControlSet\Services\MpsSvc\Parameters\PortKeywords\IPTLSIn'.
>>> 2018/04/10 13:43:18 ossec-agent(1758): ERROR: Unable to open registry key: 'System\CurrentControlSet\Services\MpsSvc\Parameters\PortKeywords\IPTLSOut'.
>>> 2018/04/10 13:43:18 ossec-agent(1758): ERROR: Unable to open registry key: 'System\CurrentControlSet\Services\MpsSvc\Parameters\PortKeywords\RPC-EPMap'.
>>> 2018/04/10 13:43:18 ossec-agent(1758): ERROR: Unable to open registry key: 'System\CurrentControlSet\Services\MpsSvc\Parameters\PortKeywords\Teredo'.
>>> 2018/04/10 13:43:47 ossec-agent(1758): ERROR: Unable to open registry key: 'System\CurrentControlSet\Services\PolicyAgent\Parameters\Cache'.
>>> 2018/04/10 13:46:24 ossec-agent(1758): ERROR: Unable to open registry key: 'Software\Microsoft\Windows\CurrentVersion\RunOnceEx'.
>>> 2018/04/10 13:47:34 ossec-agent: WARN: Error opening directory: 'C:\boot.ini': No such file or directory
>>> 2018/04/10 13:47:34 ossec-agent: WARN: Error opening directory: 'C:\Windows/System32/CONFIG.NT': No such file or directory
>>> 2018/04/10 13:47:34 ossec-agent: WARN: Error opening directory: 'C:\Windows/System32/AUTOEXEC.NT': No such file or directory
>>> 2018/04/10 13:47:34 ossec-agent: WARN: Error opening directory: 'C:\Windows/System32/debug.exe': No such file or directory
>>> 2018/04/10 13:47:34 ossec-agent: WARN: Error opening directory: 'C:\Windows/System32/drwatson.exe': No such file or directory
>>> 2018/04/10 13:47:34 ossec-agent: WARN: Error opening directory: 'C:\Windows/System32/drwtsn32.exe': No such file or directory
>>> 2018/04/10 13:47:34 ossec-agent: WARN: Error opening directory: 'C:\Windows/System32/edlin.exe': No such file or directory
>>> 2018/04/10 13:47:34 ossec-agent: WARN: Error opening directory: 'C:\Windows/System32/eventtriggers.exe': No such file or directory
>>> 2018/04/10 13:47:34 ossec-agent: WARN: Error opening directory: 'C:\Windows/System32/rcp.exe': No such file or directory
>>> 2018/04/10 13:47:34 ossec-agent: WARN: Error opening directory: 'C:\Windows/System32/rexec.exe': No such file or directory
>>> 2018/04/10 13:47:34 ossec-agent: WARN: Error opening directory: 'C:\Windows/System32/rsh.exe': No such file or directory
>>> 2018/04/10 13:47:36 ossec-agent: WARN: Error opening directory: 'C:\Windows/System32/telnet.exe': No such file or directory
>>> 2018/04/10 13:47:36 ossec-agent:
Re: [ossec-list] Directories to check and ignore directories
On Tuesday, 10 April 2018, 16:13:21 (UTC-5), dan (ddpbsd) wrote:
> On Tue, Apr 10, 2018, 5:02 PM Carlos Islas <sparks@gmail.com> wrote:
>> Hello to everybody,
>>
>> I've a problem: in my ossec server I had added new directories to check or to ignore, example:
>>
>> /etc,/usr/bin,/usr/sbin
>> check_all="yes">/bin,/sbin,/boot,/lib,/opt,/srv
>> C:\Windows\Test
>> C:\Program Files (x86)\ossec-agent
>> C:\Program Files
>> C:\Program Files (x86)
>> D:\Program Files
>> E:\Program Files (x86)\Websense\Web Security\tomcat\logs
>>
> If you added these to the server's ossec.conf, they will be checked on the server. To get them checked on an agent they should be added to the agent's ossec.conf or the agent.conf.
>

Sorry, one doubt: then if I want to check a specific path I need to add the path agent by agent?

>> But I'm not sure that this configuration is working, because the ossec agent log doesn't show the entry:
>>
>> 2018/04/10 13:34:53 ossec-agent: INFO: Starting syscheck scan.
>> 2018/04/10 13:43:18 ossec-agent(1758): ERROR: Unable to open registry key: 'System\CurrentControlSet\Services\MpsSvc\Parameters\AppCs'.
>> 2018/04/10 13:43:18 ossec-agent(1758): ERROR: Unable to open registry key: 'System\CurrentControlSet\Services\MpsSvc\Parameters\PortKeywords\DHCP'.
>> 2018/04/10 13:43:18 ossec-agent(1758): ERROR: Unable to open registry key: 'System\CurrentControlSet\Services\MpsSvc\Parameters\PortKeywords\IPTLSIn'.
>> 2018/04/10 13:43:18 ossec-agent(1758): ERROR: Unable to open registry key: 'System\CurrentControlSet\Services\MpsSvc\Parameters\PortKeywords\IPTLSOut'.
>> 2018/04/10 13:43:18 ossec-agent(1758): ERROR: Unable to open registry key: 'System\CurrentControlSet\Services\MpsSvc\Parameters\PortKeywords\RPC-EPMap'.
>> 2018/04/10 13:43:18 ossec-agent(1758): ERROR: Unable to open registry key: 'System\CurrentControlSet\Services\MpsSvc\Parameters\PortKeywords\Teredo'.
>> 2018/04/10 13:43:47 ossec-agent(1758): ERROR: Unable to open registry key: 'System\CurrentControlSet\Services\PolicyAgent\Parameters\Cache'.
>> 2018/04/10 13:46:24 ossec-agent(1758): ERROR: Unable to open registry key: 'Software\Microsoft\Windows\CurrentVersion\RunOnceEx'.
>> 2018/04/10 13:47:34 ossec-agent: WARN: Error opening directory: 'C:\boot.ini': No such file or directory
>> 2018/04/10 13:47:34 ossec-agent: WARN: Error opening directory: 'C:\Windows/System32/CONFIG.NT': No such file or directory
>> 2018/04/10 13:47:34 ossec-agent: WARN: Error opening directory: 'C:\Windows/System32/AUTOEXEC.NT': No such file or directory
>> 2018/04/10 13:47:34 ossec-agent: WARN: Error opening directory: 'C:\Windows/System32/debug.exe': No such file or directory
>> 2018/04/10 13:47:34 ossec-agent: WARN: Error opening directory: 'C:\Windows/System32/drwatson.exe': No such file or directory
>> 2018/04/10 13:47:34 ossec-agent: WARN: Error opening directory: 'C:\Windows/System32/drwtsn32.exe': No such file or directory
>> 2018/04/10 13:47:34 ossec-agent: WARN: Error opening directory: 'C:\Windows/System32/edlin.exe': No such file or directory
>> 2018/04/10 13:47:34 ossec-agent: WARN: Error opening directory: 'C:\Windows/System32/eventtriggers.exe': No such file or directory
>> 2018/04/10 13:47:34 ossec-agent: WARN: Error opening directory: 'C:\Windows/System32/rcp.exe': No such file or directory
>> 2018/04/10 13:47:34 ossec-agent: WARN: Error opening directory: 'C:\Windows/System32/rexec.exe': No such file or directory
>> 2018/04/10 13:47:34 ossec-agent: WARN: Error opening directory: 'C:\Windows/System32/rsh.exe': No such file or directory
>> 2018/04/10 13:47:36 ossec-agent: WARN: Error opening directory: 'C:\Windows/System32/telnet.exe': No such file or directory
>> 2018/04/10 13:47:36 ossec-agent: WARN: Error opening directory: 'C:\Windows/System32/tftp.exe': No such file or directory
>> 2018/04/10 13:47:36 ossec-agent: WARN: Error opening directory: 'C:\Windows/System32/tlntsvr.exe': No such file or directory
>> 2018/04/10 13:47:36 ossec-agent: WARN: Error opening directory: 'C:\Users/Public/All Users/Microsoft/Windows/Start Menu/Startup': No such file or directory
>> 2018/04/10 13:47:56 ossec-agent: INFO: Ending syscheck scan.
>>
>> Could somebody help me to make sure if this configuration is cor
[ossec-list] Directories to check and ignore directories
Hello to everybody,

I've a problem: in my ossec server I had added new directories to check or to ignore, example:

/etc,/usr/bin,/usr/sbin
/bin,/sbin,/boot,/lib,/opt,/srv
C:\Windows\Test
C:\Program Files (x86)\ossec-agent
C:\Program Files
C:\Program Files (x86)
D:\Program Files
E:\Program Files (x86)\Websense\Web Security\tomcat\logs

But I'm not sure that this configuration is working, because the ossec agent log doesn't show the entry:

2018/04/10 13:34:53 ossec-agent: INFO: Starting syscheck scan.
2018/04/10 13:43:18 ossec-agent(1758): ERROR: Unable to open registry key: 'System\CurrentControlSet\Services\MpsSvc\Parameters\AppCs'.
2018/04/10 13:43:18 ossec-agent(1758): ERROR: Unable to open registry key: 'System\CurrentControlSet\Services\MpsSvc\Parameters\PortKeywords\DHCP'.
2018/04/10 13:43:18 ossec-agent(1758): ERROR: Unable to open registry key: 'System\CurrentControlSet\Services\MpsSvc\Parameters\PortKeywords\IPTLSIn'.
2018/04/10 13:43:18 ossec-agent(1758): ERROR: Unable to open registry key: 'System\CurrentControlSet\Services\MpsSvc\Parameters\PortKeywords\IPTLSOut'.
2018/04/10 13:43:18 ossec-agent(1758): ERROR: Unable to open registry key: 'System\CurrentControlSet\Services\MpsSvc\Parameters\PortKeywords\RPC-EPMap'.
2018/04/10 13:43:18 ossec-agent(1758): ERROR: Unable to open registry key: 'System\CurrentControlSet\Services\MpsSvc\Parameters\PortKeywords\Teredo'.
2018/04/10 13:43:47 ossec-agent(1758): ERROR: Unable to open registry key: 'System\CurrentControlSet\Services\PolicyAgent\Parameters\Cache'.
2018/04/10 13:46:24 ossec-agent(1758): ERROR: Unable to open registry key: 'Software\Microsoft\Windows\CurrentVersion\RunOnceEx'.
2018/04/10 13:47:34 ossec-agent: WARN: Error opening directory: 'C:\boot.ini': No such file or directory
2018/04/10 13:47:34 ossec-agent: WARN: Error opening directory: 'C:\Windows/System32/CONFIG.NT': No such file or directory
2018/04/10 13:47:34 ossec-agent: WARN: Error opening directory: 'C:\Windows/System32/AUTOEXEC.NT': No such file or directory
2018/04/10 13:47:34 ossec-agent: WARN: Error opening directory: 'C:\Windows/System32/debug.exe': No such file or directory
2018/04/10 13:47:34 ossec-agent: WARN: Error opening directory: 'C:\Windows/System32/drwatson.exe': No such file or directory
2018/04/10 13:47:34 ossec-agent: WARN: Error opening directory: 'C:\Windows/System32/drwtsn32.exe': No such file or directory
2018/04/10 13:47:34 ossec-agent: WARN: Error opening directory: 'C:\Windows/System32/edlin.exe': No such file or directory
2018/04/10 13:47:34 ossec-agent: WARN: Error opening directory: 'C:\Windows/System32/eventtriggers.exe': No such file or directory
2018/04/10 13:47:34 ossec-agent: WARN: Error opening directory: 'C:\Windows/System32/rcp.exe': No such file or directory
2018/04/10 13:47:34 ossec-agent: WARN: Error opening directory: 'C:\Windows/System32/rexec.exe': No such file or directory
2018/04/10 13:47:34 ossec-agent: WARN: Error opening directory: 'C:\Windows/System32/rsh.exe': No such file or directory
2018/04/10 13:47:36 ossec-agent: WARN: Error opening directory: 'C:\Windows/System32/telnet.exe': No such file or directory
2018/04/10 13:47:36 ossec-agent: WARN: Error opening directory: 'C:\Windows/System32/tftp.exe': No such file or directory
2018/04/10 13:47:36 ossec-agent: WARN: Error opening directory: 'C:\Windows/System32/tlntsvr.exe': No such file or directory
2018/04/10 13:47:36 ossec-agent: WARN: Error opening directory: 'C:\Users/Public/All Users/Microsoft/Windows/Start Menu/Startup': No such file or directory
2018/04/10 13:47:56 ossec-agent: INFO: Ending syscheck scan.

Could somebody help me to make sure if this configuration is correct? In addition, when I restart the ossec service on the server, this appears:

abr 10 15:15:16 TMCVPLMT01 ossec[27132]: Started ossec-remoted...
abr 10 15:15:16 TMCVPLMT01 ossec[27132]: 2018/04/10 15:15:16 ossec-syscheckd: DEBUG: Starting ...
abr 10 15:15:16 TMCVPLMT01 ossec[27132]: 2018/04/10 15:15:16 rootcheck: DEBUG: Starting ...
abr 10 15:15:16 TMCVPLMT01 ossec[27132]: 2018/04/10 15:15:16 rootcheck: Starting queue ...
abr 10 15:15:16 TMCVPLMT01 ossec[27132]: 2018/04/10 15:15:16 ossec-syscheckd: INFO: (unix_domain) Maximum send buffer set to: '212992'.
abr 10 15:15:16 TMCVPLMT01 ossec[27132]: Started ossec-syscheckd...
abr 10 15:15:16 TMCVPLMT01 ossec[27132]: 2018/04/10 15:15:16 ossec-monitord: DEBUG: Starting ...
abr 10 15:15:16 TMCVPLMT01 ossec[27132]: Started ossec-monitord...
abr 10 15:15:18 TMCVPLMT01 ossec[27132]: Completed.

Is this related to the main issue?

Regards...
[ossec-list] New agent doesn't report to the console
Hello,

I installed a new agent on a Windows server. The problem is that the agent is not reporting to the console. Looking in the rids folder (agent and console) confirms that the numeric file is empty (agent) and that the console doesn't have any file there. Does someone have an idea of what could be happening, or whether there is a process to force the communication?

Regards.
Re: [ossec-list] Common directories to scan
Hi dan,

Thank you for your suggestion. And what do you think for Windows paths?

Regards

On Wednesday, 14 March 2018 at 15:23:32 (UTC-6), dan (ddpbsd) wrote:
> On Fri, Mar 2, 2018 at 2:01 PM, Carlos Islas <sparks@gmail.com> wrote:
> > Hello,
> >
> > Firstly, I'm sorry for my bad English. I want to know, based on your experience, which directories are the most common ones to run a syscheck on, for Windows or Linux devices?
> >
>
> /etc, /bin, /sbin, /usr/sbin, /usr/bin
> Directories with static data. bin directories for web applications
>
> I like to monitor /var/ossec/bin and /var/ossec/etc
>
> > Thank you to all of you for your attention.
> >
> > Regards!
[ossec-list] Re: Common directories to scan
Does anyone have any recommendations? =(

Regards...

On Friday, 2 March 2018 at 13:01:11 (UTC-6), Carlos Islas wrote:
> Hello,
>
> Firstly, I'm sorry for my bad English. I want to know, based on your experience, which directories are the most common ones to run a syscheck on, for Windows or Linux devices?
>
> Thank you to all of you for your attention.
>
> Regards!
[ossec-list] Common directories to scan
Hello,

Firstly, I'm sorry for my bad English. I want to know, based on your experience, which directories are the most common ones to run a syscheck on, for Windows or Linux devices?

Thank you to all of you for your attention.

Regards!
Re: [ossec-list] Re: ERROR: Unable to Bind port '1514'
Hello dan,

I killed the instance but nothing happened; I had to start the process manually because the service went down. =S

Regards...

On Friday, 25 August 2017 at 11:01:25 (UTC-5), dan (ddpbsd) wrote:
> On Aug 25, 2017 11:32 AM, "Carlos Islas" <sparks@gmail.com> wrote:
> > Hi dan,
> > Sorry, I'm a newbie with that kind of command. How can I kill the instance?
>
> I usually use `pkill ossec-remoted`
> You can also use `ps` to get the pid (or look for the pid in /var/ossec somewhere) and kill it that way.
>
> > Regards...
> >
> > On Thursday, 24 August 2017 at 16:19:57 (UTC-5), Carlos Islas wrote:
> >> Hello,
> >>
> >> I am having this issue when I execute the command ./ossec-remoted
> >>
> >> ossec.log:
> >>
> >> 2017/08/24 16:16:22 ossec-remoted: INFO: Started (pid: 19350).
> >> 2017/08/24 16:16:22 ossec-remoted(1206): ERROR: Unable to Bind port '1514'
> >>
> >> Could somebody help me examine that error?
> >>
> >> Regards...
[ossec-list] Re: ERROR: Unable to Bind port '1514'
Hi dan,

Sorry, I'm a newbie with that kind of command. How can I kill the instance?

Regards...

On Thursday, 24 August 2017 at 16:19:57 (UTC-5), Carlos Islas wrote:
> Hello,
>
> I am having this issue when I execute the command ./ossec-remoted
>
> ossec.log:
>
> 2017/08/24 16:16:22 ossec-remoted: INFO: Started (pid: 19350).
> 2017/08/24 16:16:22 ossec-remoted(1206): ERROR: Unable to Bind port '1514'
>
> Could somebody help me examine that error?
>
> Regards...
Re: [ossec-list] ERROR: Unable to Bind port '1514'
Hello dan,

Yes, it is remoted. Here is the result of netstat:

root@vknxsegfim:/var/ossec/logs# netstat -an | grep 1514
udp        0      0 0.0.0.0:1514            0.0.0.0:*
root@vknxsegfim:/var/ossec/logs#

Regards

On Thursday, 24 August 2017 at 16:39:53 (UTC-5), dan (ddpbsd) wrote:
> On Aug 24, 2017 5:20 PM, "Carlos Islas" <sparks@gmail.com> wrote:
> > Hello,
> >
> > I am having this issue when I execute the command ./ossec-remoted
> >
> > ossec.log:
> >
> > 2017/08/24 16:16:22 ossec-remoted: INFO: Started (pid: 19350).
> > 2017/08/24 16:16:22 ossec-remoted(1206): ERROR: Unable to Bind port '1514'
> >
> > Could somebody help me examine that error?
>
> Is remoted running?
> Is something else listening on 1514? `netstat -an |grep 1514`
>
> > Regards...
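The netstat output above shows that something already holds UDP 1514 but not what, because `netstat -an` prints no process column and `grep 1514` would also match ports such as 15140. The routine below is an added example, not from the thread or the OSSEC project: it reads `netstat -anp` style output (root is needed for the PID/Program column) and matches the port as an exact suffix of the local address, then classifies the owner so a script can tell a leftover ossec-remoted from an unrelated daemon. The netstat sample, its PIDs and program names are constructed.

```shell
#!/bin/sh
# Added example (not from the list): identify the process bound to UDP 1514
# before restarting ossec-remoted. SAMPLE_NETSTAT is constructed to look
# like `netstat -anp` on a manager; PIDs and program names are made up.

SAMPLE_NETSTAT=$(cat <<'EOF'
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      865/sshd
udp        0      0 0.0.0.0:514             0.0.0.0:*                           1201/rsyslogd
udp        0      0 0.0.0.0:1514            0.0.0.0:*                           19350/ossec-remoted
udp        0      0 0.0.0.0:15140           0.0.0.0:*                           2222/someotherd
EOF
)

# Print the PID/program holding the UDP socket bound to port $1, reading
# `netstat -anp` output on stdin. The port is matched as ":PORT" at the end
# of the local-address field, so 15140 or 11514 are not reported the way a
# plain `grep 1514` would report them. Nothing is printed if the port is free.
udp_port_owner() {
    awk -v port="$1" '$1 ~ /^udp/ && $4 ~ (":" port "$") { print $NF }'
}

# Classify what udp_port_owner returned:
#   free     - nothing bound, remoted should be able to start
#   remoted  - an ossec-remoted instance already holds the port, which is
#              why a second one logs "Unable to Bind port '1514'"
#   other:X  - a different program owns the port; reconfigure one of them
classify_owner() {
    case "$1" in
        "")              echo free ;;
        */ossec-remoted) echo remoted ;;
        *)               echo "other:$1" ;;
    esac
}

# Demo on the constructed sample; on the manager run as root:
#   netstat -anp | udp_port_owner 1514
owner=$(printf '%s\n' "$SAMPLE_NETSTAT" | udp_port_owner 1514)
echo "UDP 1514 owner: ${owner:-nothing} -> $(classify_owner "$owner")"
```

When the answer is "remoted", the orderly way back to a single instance is to stop OSSEC with ossec-control and start it again, rather than launching ./ossec-remoted by hand next to the instance that is already running.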
[ossec-list] ERROR: Unable to Bind port '1514'
Hello,

I am having this issue when I execute the command ./ossec-remoted

ossec.log:

2017/08/24 16:16:22 ossec-remoted: INFO: Started (pid: 19350).
2017/08/24 16:16:22 ossec-remoted(1206): ERROR: Unable to Bind port '1514'

Could somebody help me examine that error?

Regards...
Re: [ossec-list] Agents Disconnected
Hello dan,

I did what you recommended but the problem is still there. The only one that appears connected is "ID: 000, Name: vknxsegfim (server), IP: 127.0.0.1, Active/Local", and the logs don't help me much XD

Regards

On Wednesday, 9 August 2017 at 15:54:45 (UTC-5), dan (ddpbsd) wrote:
> On Mon, Aug 7, 2017 at 10:49 AM, Carlos Islas <sparks@gmail.com> wrote:
> >
> > Thank you Dan,
> >
> > Sorry but I'm still confused; I don't want to do something that makes this situation worse. Do you have any idea how to fix the error?
> >
>
> 2 temporary fixes are to either stop the OSSEC server processes, delete the rids files, and start the processes
> or stop the ossec server processes, disable rids, and start the processes.
>
> Trying to figure out why the rids files either weren't updated on the agent, or why they were overwritten might be worthwhile.
>
> > Regards...
> >
> >
> > On Friday, 4 August 2017 at 12:20:15 (UTC-5), dan (ddpbsd) wrote:
> >>
> >> On Fri, Aug 4, 2017 at 11:59 AM, Carlos Islas <sparks@gmail.com> wrote:
> >> > Hi!
> >> >
> >> > The manager doesn't have an agent. The alerts came from the other host.
> >> >
> >> > root@vknxsegfim:/var/ossec/bin# ./agent_control -lc
> >> >
> >> > OSSEC HIDS agent_control. List of available agents:
> >> >    ID: 000, Name: vknxsegfim (server), IP: 127.0.0.1, Active/Local
> >> >
> >> > but I don't know why all the hosts appear disconnected
> >> >
> >> >    ID: 054, Name: knxvozdb, IP: 172.27.1.153, Disconnected
> >> >    ID: 102, Name: posmexngs, IP: 172.17.2.24, Disconnected
> >> >    ID: 103, Name: knxsegk01, IP: 172.27.4.45, Disconnected
> >> >    ID: 104, Name: websense, IP: 172.17.2.228, Disconnected
> >> >    ID: 105, Name: websense1, IP: 172.17.2.22, Disconnected
> >> >    ID: 106, Name: wspsknx, IP: 172.27.4.131, Disconnected
> >> >    ID: 055, Name: KNXVOZMSERVER-1, IP: 172.27.1.173, Disconnected
> >> >    ID: 056, Name: OGNODE1, IP: 172.27.1.70, Disconnected
> >> >    ID: 057, Name: OGNODE2, IP: 172.27.1.71, Disconnected
> >> >    ID: 058, Name: OGNODE3, IP: 172.27.1.72, Disconnected
> >> >    ID: 059, Name: KNXVOZPREDB, IP: 172.27.1.74, Disconnected
> >> >    ID: 060, Name: siem_indexer, IP: 172.27.4.78, Disconnected
> >> >    ID: 061, Name: VKNXSEG07, IP: 172.27.200.178, Disconnected
> >> >    ID: 062, Name: F3Mpwmordc01, IP: 172.27.4.10, Disconnected
> >> >    ID: 063, Name: V3Mpwmordc01, IP: 172.27.200.95, Disconnected
> >> >    ID: 064, Name: Vknxmorwsus, IP: 172.27.200.99, Disconnected
> >> >    ID: 066, Name: Posmexdc01, IP: 172.17.1.80, Disconnected
> >> >
> >> > Any idea why this is happening?
> >> >
> >>
> >> The duplicated rids errors are a clue. For some reason (agents were re-imaged, rids files were deleted on the agents, etc), the agents are presenting the same counters as they had previously. The rids counters are an attempt to prevent replay attacks, so duplicate counters are bad.
> >>
> >> >
> >> > Regards...
> >> >
> >> >
> >> > On Friday, 4 August 2017 at 5:57:46 (UTC-5), jose wrote:
> >> >>
> >> >> Hi Carlos,
> >> >>
> >> >> The manager has its own agent; probably the alerts are from the manager itself.
> >> >>
> >> >> Regards
> >> >> ---
> >> >> Jose Luis Ruiz
> >> >> Wazuh Inc.
> >> >> jo...@wazuh.com
> >> >>
> >> >> On August 3, 2017 at 7:57:59 PM, Carlos Islas (sparks@gmail.com) wrote:
> >> >>
> >> >> In addition the host sends alerts to my email but is still disconnected... how can it be?
> >> >>
> >> >> =S
> >> >>
> >> >> On Thursday, 3 August 2017 at 12:48:04 (UTC-5), Carlos Islas wrote:
> >> >>>
> >> >>> Hi Jose,
> >> >>>
> >> >>> Thanks for your answer, I'm sending you the log:
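dan's first temporary fix quoted above (stop the server processes, delete the rids files, start them again) as a shell routine, added here and not taken from the list or from the OSSEC project. It moves the counter files into a timestamped backup directory instead of deleting them, so they can be put back if needed, and it takes the installation directory as a parameter; the standard layout ($OSSEC_DIR/bin/ossec-control and $OSSEC_DIR/queue/rids) is assumed. The scratch-tree builder, its stub ossec-control and the dummy counter contents are constructed so the routine can be exercised without touching a real manager.

```shell
#!/bin/sh
# Added example (not from the list): dan's "stop, clear rids, start" with a
# backup step. Assumes the usual layout under the base dir passed as $1:
#   $1/bin/ossec-control   $1/queue/rids/<agent id>
# The counters exist to reject replayed agent messages, so clearing them is
# the temporary measure dan describes, not a permanent setting.

# Stop OSSEC, move every rids counter file into a timestamped backup
# directory next to queue/rids, leave an empty rids directory in place, and
# start OSSEC again. Prints the backup directory. Base dir defaults to
# /var/ossec when no argument is given.
reset_rids() {
    base=${1:-/var/ossec}
    rids="$base/queue/rids"
    backup="$base/queue/rids.bak.$(date +%Y%m%d%H%M%S)"
    [ -d "$rids" ] || { echo "no rids directory at $rids" >&2; return 1; }

    "$base/bin/ossec-control" stop
    mkdir "$backup"
    # Move the files only: the rids directory keeps its owner and mode.
    for f in "$rids"/*; do
        [ -e "$f" ] || continue
        mv "$f" "$backup"/
    done
    "$base/bin/ossec-control" start
    echo "$backup"
}

# Build a scratch tree that mimics the parts of /var/ossec reset_rids
# touches, with a stub ossec-control that only records its argument.
# Constructed for demonstration; on a real manager pass /var/ossec instead.
make_scratch_ossec() {
    scratch=$(mktemp -d)
    mkdir -p "$scratch/bin" "$scratch/queue/rids"
    cat > "$scratch/bin/ossec-control" <<'EOF'
#!/bin/sh
# Stub standing in for the real ossec-control: record the action only.
echo "$1" >> "$(dirname "$0")/../control.log"
EOF
    chmod +x "$scratch/bin/ossec-control"
    # Dummy counter files named like agent ids; the contents are made up.
    printf 'dummy counter\n' > "$scratch/queue/rids/001"
    printf 'dummy counter\n' > "$scratch/queue/rids/002"
    echo "$scratch"
}

# Demo against the scratch tree, never against a live installation.
demo=$(make_scratch_ossec)
backup=$(reset_rids "$demo")
echo "counters moved to $backup"
echo "ossec-control was called with: $(tr '\n' ' ' < "$demo/control.log")"
rm -rf "$demo"
```

As dan notes, this only clears the server side; if the agents keep presenting old counters the errors return, so the agent-side rids state and the reason the counters diverged (re-imaging, deleted files) still need looking at.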
Re: [ossec-list] Agents Disconnected
Thank you Dan,

Sorry but I'm still confused; I don't want to do something that makes this situation worse. Do you have any idea how to fix the error?

Regards...

On Friday, 4 August 2017 at 12:20:15 (UTC-5), dan (ddpbsd) wrote:
> On Fri, Aug 4, 2017 at 11:59 AM, Carlos Islas <sparks@gmail.com> wrote:
> > Hi!
> >
> > The manager doesn't have an agent. The alerts came from the other host.
> >
> > root@vknxsegfim:/var/ossec/bin# ./agent_control -lc
> >
> > OSSEC HIDS agent_control. List of available agents:
> >    ID: 000, Name: vknxsegfim (server), IP: 127.0.0.1, Active/Local
> >
> > but I don't know why all the hosts appear disconnected
> >
> >    ID: 054, Name: knxvozdb, IP: 172.27.1.153, Disconnected
> >    ID: 102, Name: posmexngs, IP: 172.17.2.24, Disconnected
> >    ID: 103, Name: knxsegk01, IP: 172.27.4.45, Disconnected
> >    ID: 104, Name: websense, IP: 172.17.2.228, Disconnected
> >    ID: 105, Name: websense1, IP: 172.17.2.22, Disconnected
> >    ID: 106, Name: wspsknx, IP: 172.27.4.131, Disconnected
> >    ID: 055, Name: KNXVOZMSERVER-1, IP: 172.27.1.173, Disconnected
> >    ID: 056, Name: OGNODE1, IP: 172.27.1.70, Disconnected
> >    ID: 057, Name: OGNODE2, IP: 172.27.1.71, Disconnected
> >    ID: 058, Name: OGNODE3, IP: 172.27.1.72, Disconnected
> >    ID: 059, Name: KNXVOZPREDB, IP: 172.27.1.74, Disconnected
> >    ID: 060, Name: siem_indexer, IP: 172.27.4.78, Disconnected
> >    ID: 061, Name: VKNXSEG07, IP: 172.27.200.178, Disconnected
> >    ID: 062, Name: F3Mpwmordc01, IP: 172.27.4.10, Disconnected
> >    ID: 063, Name: V3Mpwmordc01, IP: 172.27.200.95, Disconnected
> >    ID: 064, Name: Vknxmorwsus, IP: 172.27.200.99, Disconnected
> >    ID: 066, Name: Posmexdc01, IP: 172.17.1.80, Disconnected
> >
> > Any idea why this is happening?
> >
>
> The duplicated rids errors are a clue. For some reason (agents were re-imaged, rids files were deleted on the agents, etc), the agents are presenting the same counters as they had previously. The rids counters are an attempt to prevent replay attacks, so duplicate counters are bad.
>
> >
> > Regards...
> >
> >
> > On Friday, 4 August 2017 at 5:57:46 (UTC-5), jose wrote:
> >>
> >> Hi Carlos,
> >>
> >> The manager has its own agent; probably the alerts are from the manager itself.
> >>
> >> Regards
> >> -------
> >> Jose Luis Ruiz
> >> Wazuh Inc.
> >> jo...@wazuh.com
> >>
> >> On August 3, 2017 at 7:57:59 PM, Carlos Islas (sparks@gmail.com) wrote:
> >>
> >> In addition the host sends alerts to my email but is still disconnected... how can it be?
> >>
> >> =S
> >>
> >> On Thursday, 3 August 2017 at 12:48:04 (UTC-5), Carlos Islas wrote:
> >>>
> >>> Hi Jose,
> >>>
> >>> Thanks for your answer, I'm sending you the log:
> >>>
> >>> 2017/08/01 13:44:10 ossec-remoted(1103): ERROR: Unable to open file '/queue/rids/001'.
> >>> 2017/08/01 15:19:33 ossec-remoted(1103): ERROR: Unable to open file '/queue/rids/001'.
> >>> 2017/08/01 15:19:37 ossec-remoted(1103): ERROR: Unable to open file '/queue/rids/001'.
> >>> 2017/08/01 15:22:01 ossec-remoted(1103): ERROR: Unable to open file '/queue/rids/001'.
> >>> 2017/08/01 15:22:06 ossec-analysisd(1210): ERROR: Queue '/queue/alerts/ar' not accessible: 'Connection refused'.
> >>> 2017/08/01 15:22:06 ossec-analysisd(1301): ERROR: Unable to connect to active response queue.
> >>> 2017/08/01 15:41:06 ossec-remoted(1103): ERROR: Unable to open file '/queue/rids/001'.
> >>> 2017/08/01 15:58:14 ossec-remoted(1103): ERROR: Unable to open file '/queue/rids/001'.
> >>> 2017/08/01 15:58:20 ossec-analysisd(1210): ERROR: Queue '/queue/alerts/ar' not accessible: 'Connection refused'.
> >>> 2017/08/01 15:58:20 ossec-analysisd(1301): ERROR: Unable to connect to active response queue.
> >>> 2017/08/01 16:06:12 ossec-remoted(1103): ERROR: Unable to open fi
Re: [ossec-list] Agents Disconnected
Hi!

The manager doesn't have an agent. The alerts came from the other host.

root@vknxsegfim:/var/ossec/bin# ./agent_control -lc

OSSEC HIDS agent_control. List of available agents:
   ID: 000, Name: vknxsegfim (server), IP: 127.0.0.1, Active/Local

but I don't know why all the hosts appear disconnected

   ID: 054, Name: knxvozdb, IP: 172.27.1.153, Disconnected
   ID: 102, Name: posmexngs, IP: 172.17.2.24, Disconnected
   ID: 103, Name: knxsegk01, IP: 172.27.4.45, Disconnected
   ID: 104, Name: websense, IP: 172.17.2.228, Disconnected
   ID: 105, Name: websense1, IP: 172.17.2.22, Disconnected
   ID: 106, Name: wspsknx, IP: 172.27.4.131, Disconnected
   ID: 055, Name: KNXVOZMSERVER-1, IP: 172.27.1.173, Disconnected
   ID: 056, Name: OGNODE1, IP: 172.27.1.70, Disconnected
   ID: 057, Name: OGNODE2, IP: 172.27.1.71, Disconnected
   ID: 058, Name: OGNODE3, IP: 172.27.1.72, Disconnected
   ID: 059, Name: KNXVOZPREDB, IP: 172.27.1.74, Disconnected
   ID: 060, Name: siem_indexer, IP: 172.27.4.78, Disconnected
   ID: 061, Name: VKNXSEG07, IP: 172.27.200.178, Disconnected
   ID: 062, Name: F3Mpwmordc01, IP: 172.27.4.10, Disconnected
   ID: 063, Name: V3Mpwmordc01, IP: 172.27.200.95, Disconnected
   ID: 064, Name: Vknxmorwsus, IP: 172.27.200.99, Disconnected
   ID: 066, Name: Posmexdc01, IP: 172.17.1.80, Disconnected

Any idea why this is happening?

Regards...

On Friday, 4 August 2017 at 5:57:46 (UTC-5), jose wrote:
> Hi Carlos,
>
> The manager has its own agent; probably the alerts are from the manager itself.
>
> Regards
> ---
> Jose Luis Ruiz
> Wazuh Inc.
> jo...@wazuh.com
>
> On August 3, 2017 at 7:57:59 PM, Carlos Islas (sparks@gmail.com) wrote:
>
> In addition the host sends alerts to my email but is still disconnected... how can it be?
>
> =S
>
> On Thursday, 3 August 2017 at 12:48:04 (UTC-5), Carlos Islas wrote:
>> Hi Jose,
>>
>> Thanks for your answer, I'm sending you the log:
>>
>> 2017/08/01 13:44:10 ossec-remoted(1103): ERROR: Unable to open file '/queue/rids/001'.
>> 2017/08/01 15:19:33 ossec-remoted(1103): ERROR: Unable to open file '/queue/rids/001'.
>> 2017/08/01 15:19:37 ossec-remoted(1103): ERROR: Unable to open file '/queue/rids/001'.
>> 2017/08/01 15:22:01 ossec-remoted(1103): ERROR: Unable to open file '/queue/rids/001'.
>> 2017/08/01 15:22:06 ossec-analysisd(1210): ERROR: Queue '/queue/alerts/ar' not accessible: 'Connection refused'.
>> 2017/08/01 15:22:06 ossec-analysisd(1301): ERROR: Unable to connect to active response queue.
>> 2017/08/01 15:41:06 ossec-remoted(1103): ERROR: Unable to open file '/queue/rids/001'.
>> 2017/08/01 15:58:14 ossec-remoted(1103): ERROR: Unable to open file '/queue/rids/001'.
>> 2017/08/01 15:58:20 ossec-analysisd(1210): ERROR: Queue '/queue/alerts/ar' not accessible: 'Connection refused'.
>> 2017/08/01 15:58:20 ossec-analysisd(1301): ERROR: Unable to connect to active response queue.
>> 2017/08/01 16:06:12 ossec-remoted(1103): ERROR: Unable to open file '/queue/rids/001'.
>> 2017/08/01 16:06:17 ossec-analysisd(1210): ERROR: Queue '/queue/alerts/ar' not accessible: 'Connection refused'.
>> 2017/08/01 16:06:17 ossec-analysisd(1301): ERROR: Unable to connect to active response queue.
>> 2017/08/01 16:36:50 ossec-remoted(1103): ERROR: Unable to open file '/queue/rids/001'.
>> 2017/08/01 16:36:55 ossec-analysisd(1210): ERROR: Queue '/queue/alerts/ar' not a
Re: [ossec-list] Agents Disconnected
In addition the host sends alerts to my email but is still disconnected... how can it be?

=S

On Thursday, 3 August 2017 at 12:48:04 (UTC-5), Carlos Islas wrote:
> Hi Jose,
>
> Thanks for your answer, I'm sending you the log:
>
> 2017/08/01 13:44:10 ossec-remoted(1103): ERROR: Unable to open file '/queue/rids/001'.
> 2017/08/01 15:19:33 ossec-remoted(1103): ERROR: Unable to open file '/queue/rids/001'.
> 2017/08/01 15:19:37 ossec-remoted(1103): ERROR: Unable to open file '/queue/rids/001'.
> 2017/08/01 15:22:01 ossec-remoted(1103): ERROR: Unable to open file '/queue/rids/001'.
> 2017/08/01 15:22:06 ossec-analysisd(1210): ERROR: Queue '/queue/alerts/ar' not accessible: 'Connection refused'.
> 2017/08/01 15:22:06 ossec-analysisd(1301): ERROR: Unable to connect to active response queue.
> 2017/08/01 15:41:06 ossec-remoted(1103): ERROR: Unable to open file '/queue/rids/001'.
> 2017/08/01 15:58:14 ossec-remoted(1103): ERROR: Unable to open file '/queue/rids/001'.
> 2017/08/01 15:58:20 ossec-analysisd(1210): ERROR: Queue '/queue/alerts/ar' not accessible: 'Connection refused'.
> 2017/08/01 15:58:20 ossec-analysisd(1301): ERROR: Unable to connect to active response queue.
> 2017/08/01 16:06:12 ossec-remoted(1103): ERROR: Unable to open file '/queue/rids/001'.
> 2017/08/01 16:06:17 ossec-analysisd(1210): ERROR: Queue '/queue/alerts/ar' not accessible: 'Connection refused'.
> 2017/08/01 16:06:17 ossec-analysisd(1301): ERROR: Unable to connect to active response queue.
> 2017/08/01 16:36:50 ossec-remoted(1103): ERROR: Unable to open file '/queue/rids/001'.
> 2017/08/01 16:36:55 ossec-analysisd(1210): ERROR: Queue '/queue/alerts/ar' not accessible: 'Connection refused'.
> 2017/08/01 16:36:55 ossec-analysisd(1301): ERROR: Unable to connect to active response queue.
> 2017/08/01 16:54:19 ossec-remoted(1103): ERROR: Unable to open file '/queue/rids/001'.
> 2017/08/01 16:54:24 ossec-analysisd(1210): ERROR: Queue '/queue/alerts/ar' not accessible: 'Connection refused'.
> 2017/08/01 16:54:24 ossec-analysisd(1301): ERROR: Unable to connect to active response queue.
> 2017/08/01 16:55:02 ossec-remoted(1103): ERROR: Unable to open file '/queue/rids/001'.
> 2017/08/01 16:55:12 ossec-remoted(1103): ERROR: Unable to open file '/queue/rids/001'.
> 2017/08/01 16:55:17 ossec-analysisd(1210): ERROR: Queue '/queue/alerts/ar' not accessible: 'Connection refused'.
> 2017/08/01 16:55:17 ossec-analysisd(1301): ERROR: Unable to connect to active response queue.
> 2017/08/01 17:00:35 ossec-remoted(1103): ERROR: Unable to open file '/queue/rids/001'.
> 2017/08/01 17:00:40 ossec-analysisd(1210): ERROR: Queue '/queue/alerts/ar' not accessible: 'Connection refused'.
>
Re: [ossec-list] Agents Disconnected
): ERROR: Duplicated counter for 'posmexngs'.
2017/08/03 06:26:36 ossec-remoted(1407): ERROR: Duplicated counter for 'posmexngs'.
2017/08/03 06:26:41 ossec-remoted(1407): ERROR: Duplicated counter for 'posmexngs'.
2017/08/03 06:26:47 ossec-remoted(1407): ERROR: Duplicated counter for 'posmexngs'.
2017/08/03 08:27:40 ossec-remoted(1403): ERROR: Incorrectly formated message from '172.27.1.122'.
2017/08/03 08:27:46 ossec-remoted(1403): ERROR: Incorrectly formated message from '172.27.1.122'.
2017/08/03 08:27:50 ossec-remoted(1403): ERROR: Incorrectly formated message from '172.27.1.122'.
2017/08/03 08:27:55 ossec-remoted(1403): ERROR: Incorrectly formated message from '172.27.1.122'.
2017/08/03 08:28:01 ossec-remoted(1403): ERROR: Incorrectly formated message from '172.27.1.122'.
2017/08/03 08:37:19 ossec-remoted(1407): ERROR: Duplicated counter for 'posmexngs'.
2017/08/03 08:37:25 ossec-remoted(1407): ERROR: Duplicated counter for 'posmexngs'.
2017/08/03 08:37:29 ossec-remoted(1407): ERROR: Duplicated counter for 'posmexngs'.
2017/08/03 08:37:34 ossec-remoted(1407): ERROR: Duplicated counter for 'posmexngs'.
2017/08/03 08:37:40 ossec-remoted(1407): ERROR: Duplicated counter for 'posmexngs'.
2017/08/03 10:48:30 ossec-remoted(1407): ERROR: Duplicated counter for 'posmexngs'.
2017/08/03 10:48:36 ossec-remoted(1407): ERROR: Duplicated counter for 'posmexngs'.
2017/08/03 10:48:40 ossec-remoted(1407): ERROR: Duplicated counter for 'posmexngs'.
2017/08/03 10:48:45 ossec-remoted(1407): ERROR: Duplicated counter for 'posmexngs'.
2017/08/03 10:48:51 ossec-remoted(1407): ERROR: Duplicated counter for 'posmexngs'.
2017/08/03 11:09:45 ossec-remoted(1403): ERROR: Incorrectly formated message from '172.27.1.122'.
2017/08/03 11:09:51 ossec-remoted(1403): ERROR: Incorrectly formated message from '172.27.1.122'.
2017/08/03 11:09:55 ossec-remoted(1403): ERROR: Incorrectly formated message from '172.27.1.122'.
2017/08/03 11:10:00 ossec-remoted(1403): ERROR: Incorrectly formated message from '172.27.1.122'.
2017/08/03 11:10:06 ossec-remoted(1403): ERROR: Incorrectly formated message from '172.27.1.122'.

Regards...

On Wednesday, 2 August 2017 at 13:29:24 (UTC-5), jose wrote:
> Hi Carlos,
>
> Take a look at the log file /var/ossec/logs/ossec.log, this is the main log file for managers and agents.
>
> You can do something like cat /var/ossec/logs/ossec.log | grep ERROR, to verify if you have errors at some point.
>
> Regards
> ---
> Jose Luis Ruiz
> Wazuh Inc.
> jo...@wazuh.com
>
> On August 2, 2017 at 8:25:59 PM, Carlos Islas (sparks@gmail.com) wrote:
>
> Good day,
>
> I am having trouble with OSSEC v2.8.3. I had added more or less 20 hosts and they were reporting correctly to my server, but now all the agents appear disconnected. I tried to restart them remotely and locally but they don't show the status Active when using the command ./agent_control -lc
>
> What can I do? All comments will be useful. Or what kind of logs can I check? sorr
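jose's `grep ERROR` over ossec.log is the right first step, but on a manager with twenty agents it returns the same few errors hundreds of times, as the paste above shows. The routine below is an added example, not code from the thread or from the OSSEC project: it collapses the ERROR lines into one row per daemon, error code and quoted source (agent name, IP or path) with a count and the first and last time seen, and then lists the agents whose messages carried a duplicated rids counter (code 1407), which is the clue dan points at. The sample log lines are constructed after the ones in the thread; the knxvozdb counter error is invented for the sample.

```shell
#!/bin/sh
# Added example (not from the list): aggregate the ERROR lines of a
# manager's ossec.log so repeats collapse into one row per
# (daemon, error code, quoted source). SAMPLE_LOG is constructed after the
# thread's log; the knxvozdb line is invented so two agents show up.

SAMPLE_LOG=$(cat <<'EOF'
2017/08/01 15:22:01 ossec-remoted(1103): ERROR: Unable to open file '/queue/rids/001'.
2017/08/01 15:22:06 ossec-analysisd(1210): ERROR: Queue '/queue/alerts/ar' not accessible: 'Connection refused'.
2017/08/01 15:22:06 ossec-analysisd(1301): ERROR: Unable to connect to active response queue.
2017/08/03 06:26:36 ossec-remoted(1407): ERROR: Duplicated counter for 'posmexngs'.
2017/08/03 06:26:41 ossec-remoted(1407): ERROR: Duplicated counter for 'posmexngs'.
2017/08/03 08:27:40 ossec-remoted(1403): ERROR: Incorrectly formated message from '172.27.1.122'.
2017/08/03 08:37:19 ossec-remoted(1407): ERROR: Duplicated counter for 'knxvozdb'.
2017/08/03 10:48:30 ossec-remoted(1407): ERROR: Duplicated counter for 'posmexngs'.
2017/08/03 10:48:35 ossec-remoted: INFO: Started (pid: 19350).
EOF
)

# Read ossec.log on stdin and print tab-separated rows:
#   count  daemon  code  source  first_seen  last_seen
# most frequent first. "source" is the first single-quoted value on the
# line (agent name, IP address or path); it is empty when there is none.
# Only lines containing ": ERROR: " are counted, so INFO/WARN are ignored.
summarize_errors() {
    awk -v q="'" '
        /: ERROR: / {
            split($3, d, "(")                 # $3 looks like ossec-remoted(1407):
            code = d[2]; sub(/\).*/, "", code)
            src = ""
            if (match($0, q "[^" q "]*" q)) src = substr($0, RSTART + 1, RLENGTH - 2)
            key = d[1] "\t" code "\t" src
            n[key]++
            if (!(key in first)) first[key] = $1 " " $2
            last[key] = $1 " " $2
        }
        END { for (k in n) print n[k] "\t" k "\t" first[k] "\t" last[k] }
    ' | sort -rn
}

# Agents whose messages carried an already-seen rids counter (code 1407),
# one name per line: these are the ones whose counters need attention.
duplicate_counter_agents() {
    summarize_errors | awk -F '\t' '$3 == "1407" { print $4 }' | sort -u
}

# Demo on the constructed sample; on the manager:
#   summarize_errors < /var/ossec/logs/ossec.log
printf '%s\n' "$SAMPLE_LOG" | summarize_errors
printf 'agents with duplicated counters: %s\n' \
    "$(printf '%s\n' "$SAMPLE_LOG" | duplicate_counter_agents | tr '\n' ' ')"
```

Reading the summary for this thread's log: code 1103 with source /queue/rids/001 is remoted failing to open an agent's counter file, 1407 names the agents presenting stale counters, and 1403 gives the IP of a host whose messages the manager could not parse (typically a key mismatch between agent and manager), each of which points at a different fix.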
[ossec-list] Agents Disconnected
Good day,

I am having trouble with OSSEC v2.8.3. I had added more or less 20 hosts and they were reporting correctly to my server, but now all the agents appear disconnected. I tried to restart them remotely and locally but they don't show the status Active when using the command ./agent_control -lc

What can I do? All comments will be useful. Or what kind of logs can I check? Sorry, but I am a new user.

Thank you.

Regards