Re: [ossec-list] HOW TO CONFIGURE OSSEC WARNING THROUGH EMAIL
my bad Dan, i thought i remembered somewhere that it was only getting critical updates. Thanks for the people's time that gets put into it! Sorry for the confusion, on my part. On Thu, Jul 9, 2020 at 8:05 AM dan (ddp) wrote: > On Wed, Jul 8, 2020 at 8:45 PM Jeff Dyke wrote: > > > > As Dan alluded to, I use a local postfix null mailer on my lan that > sends to a postfix relay from a single/failover point that then sends to > gmail. > > > > Dan. I have a question for you, perhaps i should start a new thread, > but you're so damn diligent about responding to queries, i thought i may > just append to my answer. I know that OSSEC is EOL except for serious > changes/bugs. I've used ossec for years and eventually moved to wazuh, > which I appreciate the fact that your name is in the credits, What is the > plan to support the current and non moving version of OSSEC? > > > > This is news to me. AFAIK the project isn't dead, just moving very > slowly. There's no commercial entity behind development, so it gets > the time and energy people put into it. > > > Thank you for all of your efforts, being on this list for many years has > taught me a lot about the underpinnings of your project! > > > > Thanks, > > Jeff > > > > On Wed, Jul 8, 2020 at 2:55 PM dan (ddp) wrote: > >> > >> On Tue, Jul 7, 2020 at 4:29 AM lê danh wrote: > >> > > >> > I am a new user, I just have ossec installed and I want to try its > email feature. I have configured the email address in ossec.conf as follows: > >> > > >> > > >> > > >> > yes > >> > conme...@gmail.com > >> > alt4.gmail-smtp-in.l.google.com. > >> > ossecm @ ubuntu > >> > > >> > > >> > > >> > conme...@gmail.com > >> > 5 > >> > > >> > > >> > and expect to receive email alerts at level 5 or higher, but the > error has occurred as follows: > >> > 2020/07/06 02:51:42 ossec-maild (1261): ERROR: Waiting for child > process. (status: 139). > >> > 2020/07/06 02:51:42 ossec-maild (1223): ERROR: Error Sending email to > alt4.gmail-smtp > >> > > >> > It didn't work, I hope everyone can help me fix this problem as soon > as possible. Sincerely thank you. > >> > > >> > >> I'm pretty sure gmail requires authentication. So you'll have to relay > >> the OSSEC emails through an smtp server that doesn't require auth. > >> Luckily, the OSSEC server is running on a Linux or other unix-like > >> system. An smtpd usually comes installed on the good ones. > >> Configure the locally installed smtpd to relay the messages through > gmail. > >> > >> > -- > >> > > >> > --- > >> > You received this message because you are subscribed to the Google > Groups "ossec-list" group. > >> > To unsubscribe from this group and stop receiving emails from it, > send an email to ossec-list+unsubscr...@googlegroups.com. > >> > To view this discussion on the web visit > https://groups.google.com/d/msgid/ossec-list/c337727b-7a3b-4fa6-a428-3af96a0c4c54o%40googlegroups.com > . > >> > >> -- > >> > >> --- > >> You received this message because you are subscribed to the Google > Groups "ossec-list" group. > >> To unsubscribe from this group and stop receiving emails from it, send > an email to ossec-list+unsubscr...@googlegroups.com. > >> To view this discussion on the web visit > https://groups.google.com/d/msgid/ossec-list/CAMyQvMob1QOQCTti8ryS1Ow9Ezkz5BrMd2Zy2jq1TzoPqarhrA%40mail.gmail.com > . > > > > -- > > > > --- > > You received this message because you are subscribed to the Google > Groups "ossec-list" group. > > To unsubscribe from this group and stop receiving emails from it, send > an email to ossec-list+unsubscr...@googlegroups.com. > > To view this discussion on the web visit > https://groups.google.com/d/msgid/ossec-list/CAHmnZdaGUok%2BijTLnPxXc3izRkcXhPEDMqeVWQH7QJVZT2aWmw%40mail.gmail.com > . > > -- > > --- > You received this message because you are subscribed to the Google Groups > "ossec-list" group. > To unsubscribe from this group and stop receiving emails from it, send an > email to ossec-list+unsubscr...@googlegroups.com. > To view this discussion on the web visit > https://groups.google.com/d/msgid/ossec-list/CAMyQvMrMtRcuw8J4%3DLz%2BAnEw8myd2H2Pd-wLPSwZgRfapUWgng%40mail.gmail.com > . > -- --- You received this message because you are subscribed to the Google Groups "ossec-list" group. To unsubscribe from this group and stop receiving emails from it, send an email to ossec-list+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/ossec-list/CAHmnZdZgNmcb4v0UP_MbTVne4-HobBuFuXJ6Mh8%2BqbLkSScKHA%40mail.gmail.com.
Re: [ossec-list] HOW TO CONFIGURE OSSEC WARNING THROUGH EMAIL
As Dan alluded to, I use a local postfix null mailer on my lan that sends to a postfix relay from a single/failover point that then sends to gmail. Dan. I have a question for you, perhaps i should start a new thread, but you're so damn diligent about responding to queries, i thought i may just append to my answer. I know that OSSEC is EOL except for serious changes/bugs. I've used ossec for years and eventually moved to wazuh, which I appreciate the fact that your name is in the credits, What is the plan to support the current and non moving version of OSSEC? Thank you for all of your efforts, being on this list for many years has taught me a lot about the underpinnings of your project! Thanks, Jeff On Wed, Jul 8, 2020 at 2:55 PM dan (ddp) wrote: > On Tue, Jul 7, 2020 at 4:29 AM lê danh wrote: > > > > I am a new user, I just have ossec installed and I want to try its email > feature. I have configured the email address in ossec.conf as follows: > > > > > > > > yes > > conme...@gmail.com > > alt4.gmail-smtp-in.l.google.com. > > ossecm @ ubuntu > > > > > > > > conme...@gmail.com > > 5 > > > > > > and expect to receive email alerts at level 5 or higher, but the error > has occurred as follows: > > 2020/07/06 02:51:42 ossec-maild (1261): ERROR: Waiting for child > process. (status: 139). > > 2020/07/06 02:51:42 ossec-maild (1223): ERROR: Error Sending email to > alt4.gmail-smtp > > > > It didn't work, I hope everyone can help me fix this problem as soon as > possible. Sincerely thank you. > > > > I'm pretty sure gmail requires authentication. So you'll have to relay > the OSSEC emails through an smtp server that doesn't require auth. > Luckily, the OSSEC server is running on a Linux or other unix-like > system. An smtpd usually comes installed on the good ones. > Configure the locally installed smtpd to relay the messages through gmail. > > > -- > > > > --- > > You received this message because you are subscribed to the Google > Groups "ossec-list" group. > > To unsubscribe from this group and stop receiving emails from it, send > an email to ossec-list+unsubscr...@googlegroups.com. > > To view this discussion on the web visit > https://groups.google.com/d/msgid/ossec-list/c337727b-7a3b-4fa6-a428-3af96a0c4c54o%40googlegroups.com > . > > -- > > --- > You received this message because you are subscribed to the Google Groups > "ossec-list" group. > To unsubscribe from this group and stop receiving emails from it, send an > email to ossec-list+unsubscr...@googlegroups.com. > To view this discussion on the web visit > https://groups.google.com/d/msgid/ossec-list/CAMyQvMob1QOQCTti8ryS1Ow9Ezkz5BrMd2Zy2jq1TzoPqarhrA%40mail.gmail.com > . > -- --- You received this message because you are subscribed to the Google Groups "ossec-list" group. To unsubscribe from this group and stop receiving emails from it, send an email to ossec-list+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/ossec-list/CAHmnZdaGUok%2BijTLnPxXc3izRkcXhPEDMqeVWQH7QJVZT2aWmw%40mail.gmail.com.
Re: [ossec-list] Warning errors on OSSEC GUI
i thought that project was dead: https://github.com/ossec/ossec-wui? Or at least not maintained as the heading on the github page states. On Thu, Feb 14, 2019 at 12:05 PM Jatin wrote: > I recently installed OSSEC on one of our Redhat linux boxes. Ever sice the > installation of the agent I am seeing the following error on the GUI. Not > sure, what this is? Would you be able to help us find what is causing this? > > > > > > > > [image: Capture.PNG] > > *Warning*: time() expects exactly 0 parameters, 1 given in > */var/www/html/site/stats.php* on line *32* > > -- > > --- > You received this message because you are subscribed to the Google Groups > "ossec-list" group. > To unsubscribe from this group and stop receiving emails from it, send an > email to ossec-list+unsubscr...@googlegroups.com. > For more options, visit https://groups.google.com/d/optout. > -- --- You received this message because you are subscribed to the Google Groups "ossec-list" group. To unsubscribe from this group and stop receiving emails from it, send an email to ossec-list+unsubscr...@googlegroups.com. For more options, visit https://groups.google.com/d/optout.
[ossec-list] trouble upgrading client
I've had ossec-hids-agent and server installed for well over a year, perhaps two. Today a new package hit Ubuntu's 18.04 repository and it would not update, the errors follow, unfortunately there is no helpful information in /var/log/dpkg.log. Just says that its running the 'update' command. Console output --- Preparing to unpack .../ossec-hids-agent_3.1.0-5711bionic_amd64.deb ... prerm called with unknown argument `upgrade' dpkg: warning: old ossec-hids-agent package pre-removal script subprocess returned error exit status 1 dpkg: trying script from the new package instead ... prerm called with unknown argument `failed-upgrade' dpkg: error processing archive /var/cache/apt/archives/ossec-hids-agent_3.1.0-5711bionic_amd64.deb (--unpack): new ossec-hids-agent package pre-removal script subprocess returned error exit status 1 Errors were encountered while processing: /var/cache/apt/archives/ossec-hids-agent_3.1.0-5711bionic_amd64.deb E: Sub-process /usr/bin/dpkg returned an error code (1) --- End Output --- I've not run into this too much, so if this is general and not specific to a package, any pointers are helpful, otherwise, hopefully this will help the maintainer update the package. Best, Jeff -- --- You received this message because you are subscribed to the Google Groups "ossec-list" group. To unsubscribe from this group and stop receiving emails from it, send an email to ossec-list+unsubscr...@googlegroups.com. For more options, visit https://groups.google.com/d/optout.
Re: [ossec-list] Install OSSEC in Ubuntu via APT
Unless you can say what the broken packages are I'm not sure how much i can help, i use salt to install OSSEC and my main state is simply: pkg.installed is just the equivalent of apt install ossec-hids-server ossec-hids-server: pkg.installed: - require: - /root/ossec-debconf-answers.sh - require_in: - /root/ossec-generate-cert.sh where deb-conf-answers.sh contains #!/usr/bin/env bash HOST=$(hostname) debconf-set-selections <<< ossec-hids-server ossec-hids/email_to string root@${HOST} debconf-set-selections <<< ossec-hids-server ossec-hids/email_from string ossecm@${HOST} debconf-set-selections <<< ossec-hids-server ossec-hids/email_notification select yes debconf-set-selections <<< ossec-hids-server ossec-hids/smtp_server string ${HOST} and ossec-generate-certs.sh is DIR=/var/ossec/etc openssl genrsa -out ${DIR}/sslmanager.key 4096 >/dev/null 2>&1 openssl req -new -x509 -key ${DIR}/sslmanager.key -out ${DIR}/sslmanager.cert -days 3650 -subj /C=US/ST=MA/L=Boston/O=Engineering/OU=Security/CN=ossec.{{pillar['network-configuration'][grains['environment']]['ossec-server-name']}}.{{ domain }} Obviously there is some salt stuff in there, but ultimately they just return strings. Everyones evironments are different, but do you know the broken packages are, which version of ubuntu are you on? The above is used for a manager on 16.04. I use the repo: deb https://updates.atomicorp.com/channels/atomic/ubuntu xenial main On Wed, Aug 22, 2018 at 6:36 AM Dzenis Aslani wrote: > Hello everyone i got problem when i try to install OSSEC from > https://www.ossec.net/downloads.html through APT. I tried both manually > and automatically,and none of them works, when i tried i got this message > "unable to correct problems you have held broken packages " > > -- > > --- > You received this message because you are subscribed to the Google Groups > "ossec-list" group. > To unsubscribe from this group and stop receiving emails from it, send an > email to ossec-list+unsubscr...@googlegroups.com. > For more options, visit https://groups.google.com/d/optout. > -- --- You received this message because you are subscribed to the Google Groups "ossec-list" group. To unsubscribe from this group and stop receiving emails from it, send an email to ossec-list+unsubscr...@googlegroups.com. For more options, visit https://groups.google.com/d/optout.
Re: [ossec-list] agents not connected to server, IP@ correct, udp connects, what gives
Is the client that won't connect on the same VPC? if not you're going to have to open access, but i suspect it is, so then is the client that won't connect on the same subnet? Are your security groups to restrictive for this client to manager communications. If you can't connect with nc, i'd look at your firewall/security group settings on the manager. Jeff On Tue, Sep 26, 2017 at 12:41 PM, James Stallard wrote: > Help anyone: > OK, I'm at a loss > Running version: > # ./ossec-analysisd -V > OSSEC HIDS v2.8 - Trend Micro Inc. > CentOS release 6.7 (Final) > On AWS > > I've distributed the keys by hand via manage_agents > and confirmed there is UDP connectivity from agent to server & back: > > Connection to aaa.zz.yy.xx 1514 port [udp/fujitsu-dtcns] succeeded! > > Yet I am still getting:: WARN: Waiting for server reply (not started). > Tried: 'aaa.zz.yy.xx' > The IP@ and port # on the agent is correct (in ossec.conf *and* in > ossec.log) > > I do have one agent that connects - it's on the same VPC as the server, so > I suspect a connectivity issue, *but I can connect* (at least via nc)* so > I don't get it.* > > I also don't see anything in the logs that indicates a configuration > error- including with the debug flag set. > > Any suggestions on debugging this one? > > > > -- > > --- > You received this message because you are subscribed to the Google Groups > "ossec-list" group. > To unsubscribe from this group and stop receiving emails from it, send an > email to ossec-list+unsubscr...@googlegroups.com. > For more options, visit https://groups.google.com/d/optout. > -- --- You received this message because you are subscribed to the Google Groups "ossec-list" group. To unsubscribe from this group and stop receiving emails from it, send an email to ossec-list+unsubscr...@googlegroups.com. For more options, visit https://groups.google.com/d/optout.
Re: [ossec-list] image based windows systems
this is what i have been doing, but with ubuntu and a configuration manager(salt), the one bit i have not yet automated is the creation and acceptance of keys, as that seems to require manual input on both agent and server, but have not dug enough into it to see if it can be fully automated, since i is a one time issue and i don't spin up new boxes every day, its been a pretty low pain point. If you find something to automate the key exchange, even in windows, i'd love to hear it, and i will do the same. I do have the benefit of automating the install and other configuration, which is what i enjoy over image installs. Happy Hunting! On Mon, Sep 18, 2017 at 9:09 AM, wrote: > Maybe it helps to use a script while the start. Something like: start > "C:\Program Files (x86)\ossec-agent\manage_agents.exe" ? > Has anyone an idea? > > > Am Freitag, 15. September 2017 14:26:57 UTC+2 schrieb krauswe...@gmail.com > : >> >> Hi. Sorry for the bad explantation. >> It's a provisioning concept. I have an image on a storage, servers take >> this image. That's why all have the same installation - all have the same >> ossec keys. That's my problem. >> >> Best Regards >> >> >> >> Am Freitag, 15. September 2017 14:09:08 UTC+2 schrieb dan (ddpbsd): >>> >>> On Fri, Sep 15, 2017 at 3:03 AM, wrote: >>> > Hi, >>> > I have 5 windows server 2008 and they booting the same image. How can >>> I use >>> > OSSEC for them? Installing it one the image makes no sense in my view. >>> I >>> > know there is an option to use remote monitoring with ossec. Where can >>> I >>> > find the needed keys in the windows system? >>> > >>> >>> I don't know what you mean by "booting the same image." Were they >>> installed from the same image, or do they share a common "C:" drive >>> (which would be really neat)? >>> >>> Either way, each system would need to have the OSSEC agent installed >>> on it, and be given different OSSEC keys. The keys are obtained by >>> running manage_agents on the OSSEC server, and copying them to the >>> system (the windows agent has a gui for this). >>> >>> > Best Regards >>> > Werner >>> > >>> > -- >>> > >>> > --- >>> > You received this message because you are subscribed to the Google >>> Groups >>> > "ossec-list" group. >>> > To unsubscribe from this group and stop receiving emails from it, send >>> an >>> > email to ossec-list+...@googlegroups.com. >>> > For more options, visit https://groups.google.com/d/optout. >>> >> -- > > --- > You received this message because you are subscribed to the Google Groups > "ossec-list" group. > To unsubscribe from this group and stop receiving emails from it, send an > email to ossec-list+unsubscr...@googlegroups.com. > For more options, visit https://groups.google.com/d/optout. > -- --- You received this message because you are subscribed to the Google Groups "ossec-list" group. To unsubscribe from this group and stop receiving emails from it, send an email to ossec-list+unsubscr...@googlegroups.com. For more options, visit https://groups.google.com/d/optout.
Re: [ossec-list] Ubuntu Xenial APT installation fails (wrong version requested)
i was getting this from some servers and not others, but i could wget it (which was likely using a different dns lookup). Of course the big downside of this is you need to install all of the packages manually b/c dpkg -i {package} will not install dependencies. FWIW, I only saw this start yesterday, i've been running and updating OSSEC for a few months on new/existing servers. Just another datapoint, hopefully useful. On Fri, Sep 8, 2017 at 11:55 AM, D. Scott Miller wrote: > I think the apt repository may be out of sync with the actual built > packages...when I try to install a clean version of ossec-hids-server, I > get the following error messages: > > Err:1 https://updates.atomicorp.com/channels/atomic/ubuntu xenial/main > amd64 ossec-hids-server amd64 2.9.2-2154xenial > 404 Not Found > E: Failed to fetch https://updates.atomicorp.com/ > channels/atomic/ubuntu/pool/main/o/ossec-hids-server/ > ossec-hids-server_2.9.2-2154xenial_amd64.deb 404 Not Found > > E: Unable to fetch some archives, maybe run apt-get update or try with > --fix-missing? > > The repository seems to tell APT to look for version 2.9.2.2154, when the > latest one I see on the site (for amd64 machines) is version 2.9.2.2067. > > I'll install it manually, but there's a problem to be addressed. > > -- > > --- > You received this message because you are subscribed to the Google Groups > "ossec-list" group. > To unsubscribe from this group and stop receiving emails from it, send an > email to ossec-list+unsubscr...@googlegroups.com. > For more options, visit https://groups.google.com/d/optout. > -- --- You received this message because you are subscribed to the Google Groups "ossec-list" group. To unsubscribe from this group and stop receiving emails from it, send an email to ossec-list+unsubscr...@googlegroups.com. For more options, visit https://groups.google.com/d/optout.
Re: [ossec-list] accept license automatically
ok, i should have held off, if you install the key and apt source, run apt update and apt install ossec-hids-[agent|server], then there is no prompt. caveats: 1) Run debconf-set-selection first properly for the manage and agent 2) becareful of spacing, it does not seem like they are properly trimmed as there are spaces in the xml tags, i.e. 1.1.1.5. will occur if you have a `debconf-set-selections <<< "ossec-hids-agent ossec-hids-agent/server-ip string 1.1.1.5"` (note two spaces between string and IP) -- Client -- I still have to get this into a salt state, but i'm running the following: wget -q -O - https://www.atomicorp.com/RPM-GPG-KEY.art.txt | sudo apt-key add - source /etc/lsb-release echo "deb https://updates.atomicorp.com/channels/atomic/ubuntu $DISTRIB_CODENAME main" | sudo tee -a /etc/apt/sources.list.d/atomic.list sudo apt-key adv --keyserver keyserver.ubuntu.com --recv-keys FFBD5D0A4520AFA9 sudo apt update sudo debconf-set-selections <<< "ossec-hids-agent ossec-hids-agent/server-ip string {{your server}}" sudo apt install -y ossec-hids-agent Hope this helps someone else On Wed, Sep 6, 2017 at 2:19 PM, Jeff Dyke wrote: > Hi, i asked a question earlier about the debconf-set-selections, which i > have all of them now both for client and manager/server. I have also > managed to extract the info i need from the gpg keys and other sources to > automatically add the repo. > > One of the bits i have remaining to install a client/server through a > config mgmt system, is to accept the license during the installation. This > does not seem to be set in debconf-get-selections, can it be set in a file > somewhere? I use https://saltstack.com for automation. > > It's not the end of the world if i can't do this, but bringing on new > machines would require no intervention if this step could be automated. > I'm using the latest ossec from the atomic ppa: http://ppa.launchpad.net/ > oisf/suricata-stable/ubuntu > > Thanks, > Jeff > > -- > > --- > You received this message because you are subscribed to the Google Groups > "ossec-list" group. > To unsubscribe from this group and stop receiving emails from it, send an > email to ossec-list+unsubscr...@googlegroups.com. > For more options, visit https://groups.google.com/d/optout. > -- --- You received this message because you are subscribed to the Google Groups "ossec-list" group. To unsubscribe from this group and stop receiving emails from it, send an email to ossec-list+unsubscr...@googlegroups.com. For more options, visit https://groups.google.com/d/optout.
[ossec-list] accept license automatically
Hi, i asked a question earlier about the debconf-set-selections, which i have all of them now both for client and manager/server. I have also managed to extract the info i need from the gpg keys and other sources to automatically add the repo. One of the bits i have remaining to install a client/server through a config mgmt system, is to accept the license during the installation. This does not seem to be set in debconf-get-selections, can it be set in a file somewhere? I use https://saltstack.com for automation. It's not the end of the world if i can't do this, but bringing on new machines would require no intervention if this step could be automated. I'm using the latest ossec from the atomic ppa: http://ppa.launchpad.net/oisf/suricata-stable/ubuntu Thanks, Jeff -- --- You received this message because you are subscribed to the Google Groups "ossec-list" group. To unsubscribe from this group and stop receiving emails from it, send an email to ossec-list+unsubscr...@googlegroups.com. For more options, visit https://groups.google.com/d/optout.
[ossec-list] Re: debconf-set-selections, ubuntu, format for variable for ossec-hids-agent
whoops, i should have run debconf-get-selections, the answer is: ossec-hids-agent ossec-hids-agent/server-ip string ${server-ip} I was close, hopefully this helps others auto install. Jeff On Friday, August 18, 2017 at 2:30:39 PM UTC-4, Jeff Dyke wrote: > > Hi, i've installed ossec-hids-server on one machine and ossec-hids-agent > on all of my other machines, but would like for the agent install to be > fully automated (i use salt for CM) and was wondering what the correct > syntax would be for a debconf-set-selections command before the install > runs. > > would it be > debconf-set-selections <<< "ossec-hids-client ossec/server string > ${server-ip}" > > for example, installing postfix, i use: > > debconf-set-selections <<< "postfix postfix/mailname string $(hostname)" > debconf-set-selections <<< "postfix postfix/main_mailer_type string > 'Internet Site'" > > I'm going to set this up in my staging environment, so i'll try variations > of the above there, but wanted to see if someone knew off hand. > > Thank you, > Jeff > -- --- You received this message because you are subscribed to the Google Groups "ossec-list" group. To unsubscribe from this group and stop receiving emails from it, send an email to ossec-list+unsubscr...@googlegroups.com. For more options, visit https://groups.google.com/d/optout.
[ossec-list] debconf-set-selections, ubuntu, format for variable for ossec-hids-agent
Hi, i've installed ossec-hids-server on one machine and ossec-hids-agent on all of my other machines, but would like for the agent install to be fully automated (i use salt for CM) and was wondering what the correct syntax would be for a debconf-set-selections command before the install runs. would it be debconf-set-selections <<< "ossec-hids-client ossec/server string ${server-ip}" for example, installing postfix, i use: debconf-set-selections <<< "postfix postfix/mailname string $(hostname)" debconf-set-selections <<< "postfix postfix/main_mailer_type string 'Internet Site'" I'm going to set this up in my staging environment, so i'll try variations of the above there, but wanted to see if someone knew off hand. Thank you, Jeff -- --- You received this message because you are subscribed to the Google Groups "ossec-list" group. To unsubscribe from this group and stop receiving emails from it, send an email to ossec-list+unsubscr...@googlegroups.com. For more options, visit https://groups.google.com/d/optout.