[ossec-list] reindexing logs

2016-05-19 Thread Maxim Surdu
Hi dear community,

I had a problem with Logstash; after I resolved it, I saw that logs are missing in 
Kibana. How can I resolve the problem and reindex all my logs into Kibana?
I would be thankful if someone could help me step by step.


I appreciate your help, and a lot of respect for the developers and community!

-- 

--- 
You received this message because you are subscribed to the Google Groups 
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to ossec-list+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.


[ossec-list] Re: List of logged in users AND List of the last logged in users

2016-04-07 Thread Maxim Surdu
OK, who can tell me about the rest of the Linux machines?
Why is it working for just one?

On Wednesday, April 6, 2016, at 23:57:16 UTC+3, Kat wrote:
>
> The Windows systems do not have the same commands for looking at users. 
> Your commands for looking at both logged-in and last users will only work on 
> *nix platforms.
>
> Kat
>
> On Wednesday, April 6, 2016 at 2:38:26 AM UTC-5, Maxim Surdu wrote:
>>
>> Hi dear community,
>>
>> I installed and configured about 10 agents, and of course I have a lot of 
>> users; I need to monitor when they are working or drinking coffee.
>>
>> In ossec_rules.xml I have the following rules:
>>
>>  
>>   if_sid:      530
>>   match:       ossec: output: 'w'
>>   group:       alert_by_email
>>   description: List of logged in users. It will not be alerted by default.
>>
>>   if_sid:      530
>>   match:       ossec: output: 'last -n 
>>   group:       alert_by_email
>>   description: List of the last logged in users.
>>
>> I have Linux and Windows machines, but mail is coming from just one 
>> machine (Linux). What about the rest?
>> What did I do wrong?
>>
>> I appreciate your help, and a lot of respect for the developers and community!
>>
>>
>>
>>



[ossec-list] List of logged in users AND List of the last logged in users

2016-04-06 Thread Maxim Surdu
Hi dear community,

I installed and configured about 10 agents, and of course I have a lot of 
users; I need to monitor when they are working or drinking coffee.

In ossec_rules.xml I have the following rules:

 
  if_sid:      530
  match:       ossec: output: 'w'
  group:       alert_by_email
  description: List of logged in users. It will not be alerted by default.

  if_sid:      530
  match:       ossec: output: 'last -n 
  group:       alert_by_email
  description: List of the last logged in users.

I have Linux and Windows machines, but mail is coming from just one 
machine (Linux). What about the rest?
What did I do wrong?

I appreciate your help, and a lot of respect for the developers and community!





Re: [ossec-list] Error reading XML file 'rules//local_rules.xml': XMLERR: String overflow. (line 89)

2016-03-03 Thread Maxim Surdu
It is a solution, but can I create a list and a rule that reads my whole 
list from a file, or something like this? Because now I have 300 clients, 
but it can be more, and then it will not work any more.

Thanks for your responsiveness.

On Thursday, March 3, 2016, at 12:13:36 UTC+2, dan (ddpbsd) wrote:
>
>
> On Mar 3, 2016 4:18 AM, "Maxim Surdu" <maxs...@gmail.com > 
> wrote:
> >
> > Hi dear community,
> >
> > I installed and configured about 10 agents, and of course I have a lot of 
> > users; some of these users are FTP clients.
> >
> > In policy-rules.xml I have the following rules:
> >
> > 
> >   
> > rule 17101:
> >   if_group:    authentication_success
> >   time:        4 pm -  7 am
> >   description: Successful login during non-business hours.
> >   group:       login_time,
> >
> > rule 17102:
> >   if_group:    authentication_success
> >   weekday:     weekends
> >   description: Successful login during weekend.
> >   group:       login_day,
> >
> >
> >
> > OSSEC HIDS Notification.
> >
> > 2016 Mar 02 19:05:41
> >
> >  
> >
> > Received From: (host.xx.xx) xxx.xxx.xxx.xxx->/var/log/messages
> >
> > Rule: 17101 fired (level 9) -> "Successful login during non-business 
> hours."
> >
> > Portion of the log(s):
> >
> >  
> >
> > Mar  2 21:05:38 host pure-ftpd: (?@xxx.xxx.xx.xxx) [INFO] transpor is 
> now logged in
> >
> >  
> >
> >  
> >
> >  
> >
> >  --END OF NOTIFICATION
> >
> >
> >
> >
> > transpor is the username of my client,
> >
> > and I added a rule to ignore alerts for these users because they are clients.
> > In local_rules.xml I created the following rules to ignore "Successful login during 
> > non-business hours" and "Successful login during weekend" for FTP clients:
> >
> > 
> > 
> > rule 17101:
> >   if_group:    authentication_success
> >   time:        4 pm - 7 am
> >   description: Successful login during non-business hours.
> >   group:       login_time,pci_dss_10.2.5,pci_dss_10.6.1,
> >
> > rule 17102:
> >   if_group:    authentication_success
> >   weekday:     weekends
> >   description: Successful login during weekend.
> >   group:       login_day,pci_dss_10.2.5,pci_dss_10.6.1,
> >
> > rule:
> >   if_sid:      17101
> >   match:       transpor | client1 | client2 | client3 | ... | client 50
> >   description: Session open by Client
> >
> > rule:
> >   if_sid:      17102
> >   match:       transpor | client1 | client2 | client3 | ... | client 50
> >   description: Session open by Client
> >
> >
> > Because I have a lot of clients, OSSEC gives me an error and does not start. How 
> can I manage or edit this rule?
> >
>
> Have you tried to create multiple rules, each with only a portion of the 
> client list?
>
> > I appreciate your help, and a lot of respect for the developers and 
> community!
> >
>

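Dan's suggestion is to split the client list over several rules. As an added example (my code, not from this thread or the OSSEC project), the Python script below plans and renders that split: it packs `<match>` alternatives into as many level-0 child rules of 17101 and 17102 as needed, keeping every `<match>` under a configurable length. The length limit, the rule ids starting at 100100 (inside the 100000-119999 block OSSEC reserves for local rules), the `<group name="local,">` wrapper and the client names are assumptions; the thread does not say at what size the OSSEC XML reader reports "String overflow", so tune `max_match_len` to what your manager accepts. On the list Maxim asks about: OSSEC's `<list>` rule option looks up a decoded field (for example `field="user"`), and the pure-ftpd and pam lines discussed on this page yield no such field, which is why a substring `<match>` is used here.

```python
from xml.sax.saxutils import escape


def pack_alternatives(alternatives, max_len):
    """Group alternatives so that each '|'-joined <match> stays within max_len
    characters. A single alternative longer than max_len still gets its own
    group rather than being silently dropped."""
    groups, current = [], []
    for alt in alternatives:
        if current and len("|".join(current + [alt])) > max_len:
            groups.append(current)
            current = []
        current.append(alt)
    if current:
        groups.append(current)
    return groups


def plan_ignore_rules(clients, parent_sids=(17101, 17102), first_id=100100,
                      max_match_len=1024, suffix=" is now logged in"):
    """Return one dict per generated rule: {'id', 'if_sid', 'match'}.
    <match> is a plain substring test, so the pure-ftpd suffix is appended to
    each name to keep 'client1' from also silencing 'client10'.
    (first_id and max_match_len are assumed values, not OSSEC constants.)"""
    alternatives = [escape(name) + suffix for name in clients]
    rules, rule_id = [], first_id
    for sid in parent_sids:
        for group in pack_alternatives(alternatives, max_match_len):
            rules.append({"id": rule_id, "if_sid": sid, "match": "|".join(group)})
            rule_id += 1
    return rules


def render_local_rules(rules, description="Session opened by a known FTP client."):
    """Serialise the plan as a <group> block ready to paste into local_rules.xml.
    Level 0 means the parent alert is suppressed for these accounts."""
    lines = ['<group name="local,">']
    for r in rules:
        lines += [
            f'  <rule id="{r["id"]}" level="0">',
            f'    <if_sid>{r["if_sid"]}</if_sid>',
            f'    <match>{r["match"]}</match>',
            f'    <description>{escape(description)}</description>',
            '  </rule>',
        ]
    lines.append('</group>')
    return "\n".join(lines) + "\n"


# Constructed client list standing in for the 300 accounts in the thread.
SAMPLE_CLIENTS = ["transpor"] + [f"client{i}" for i in range(1, 300)]

if __name__ == "__main__":
    print(render_local_rules(plan_ignore_rules(SAMPLE_CLIENTS)))
```

Paste the output into local_rules.xml, restart the manager, and confirm with `/var/ossec/bin/ossec-logtest` that a client login now ends at one of the level-0 rules. Pam-style "session opened for user NAME" lines would need the `user NAME` form from the February thread on this page instead of the pure-ftpd suffix.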


[ossec-list] Error reading XML file 'rules//local_rules.xml': XMLERR: String overflow. (line 89)

2016-03-03 Thread Maxim Surdu
Hi dear community,

I installed and configured about 10 agents, and of course I have a lot of 
users; some of these users are FTP clients.

In policy-rules.xml I have the following rules:


  
rule 17101:
  if_group:    authentication_success
  time:        4 pm -  7 am
  description: Successful login during non-business hours.
  group:       login_time,

rule 17102:
  if_group:    authentication_success
  weekday:     weekends
  description: Successful login during weekend.
  group:       login_day,



OSSEC HIDS Notification.

2016 Mar 02 19:05:41

 

Received From: (host.xx.xx) xxx.xxx.xxx.xxx->/var/log/messages

Rule: 17101 fired (level 9) -> "Successful login during non-business hours."

Portion of the log(s):

 

Mar  2 21:05:38 host pure-ftpd: (?@xxx.xxx.xx.xxx) [INFO] transpor is now 
logged in

 

 

 

 --END OF NOTIFICATION



transpor is the username of my client,

and I added a rule to ignore alerts for these users because they are clients.
In local_rules.xml I created the following rules to ignore "Successful login during 
non-business hours" and "Successful login during weekend" for FTP clients:



rule 17101:
  if_group:    authentication_success
  time:        4 pm - 7 am
  description: Successful login during non-business hours.
  group:       login_time,pci_dss_10.2.5,pci_dss_10.6.1,

rule 17102:
  if_group:    authentication_success
  weekday:     weekends
  description: Successful login during weekend.
  group:       login_day,pci_dss_10.2.5,pci_dss_10.6.1,

rule:
  if_sid:      17101
  match:       transpor | client1 | client2 | client3 | ... | client 50
  description: Session open by Client

rule:
  if_sid:      17102
  match:       transpor | client1 | client2 | client3 | ... | client 50
  description: Session open by Client


Because I have a lot of clients, OSSEC gives me an error and does not start. How 
can I manage or edit this rule?

I appreciate your help, and a lot of respect for the developers and community!



[ossec-list] Re: exclude service-users

2016-02-19 Thread Maxim Surdu
Jesus Linares, many thanks, it is working great. For the rest of the community who 
want the same rule with more users:

user USER_NAME1 | user USER_NAME2 | user USER_NAME3

With the cPanel users I resolved it with the following:

user www-data | __cpanel__service__auth__ftpd__

Regards.
Surdu Maxim


On Thursday, February 18, 2016, at 13:59:14 UTC+2, Jesus Linares wrote:
>
> Regarding cPanel users... I don't know cPanel, but it seems to be part 
> of the chkservd service (info 
> <https://forums.cpanel.net/threads/pure-ftpd-127-0-0-1-info-__cpanel__service__auth__ftpd.103069/>).
>  
> Anyway, you can ignore them using rules.
>
> Regards.
> Jesus Linares
>
> On Thursday, February 18, 2016 at 12:35:56 PM UTC+1, Jesus Linares wrote:
>>
>> Hi Maxim,
>>
>> First, you have to activate policy_rules in ossec.conf: 
>> <include>policy_rules.xml</include>
>>
>> I guess the problem with your rule is that the decoder is not extracting 
>> the field *user*.
>>
>> For example, if I switch from user root to homer ("root@LinMV:~# su 
>> homer"), this log is generated: "Feb 18 11:23:17 LinMV su[1202]: 
>> pam_unix(su:session): session opened for user homer by root(uid=0)". If you 
>> use /var/ossec/bin/logtest you will see that the decoder doesn't extract 
>> any field:
>> Feb 18 11:23:17 LinMV su[1202]: pam_unix(su:session): session opened for 
>> user homer by root(uid=0)
>> **Phase 2: Completed decoding.
>>decoder: 'pam'
>>
>> So you have 2 options: change the decoder to extract the user field, or 
>> change your rules. Here is an example:
>>
>> local_rules.xml:
>> 
>> 
>> rule 17101:
>>   if_group:    authentication_success
>>   time:        00:00 am - 11:59 pm
>>   description: Successful login during non-business hours. TEST
>>   group:       login_time,pci_dss_10.2.5,pci_dss_10.6.1,
>>
>> rule 12 (level 0):
>>   if_sid:      17101
>>   match:       user homer
>>   description: Ignore USERNAME
>> 
>> 
>>
>> In rule 12, I match on "user homer": "Feb 18 11:23:17 LinMV 
>> su[1202]: pam_unix(su:session): session opened for user homer by 
>> root(uid=0)". You could use the regex tag for regular expressions.
>> *Remember to change the <time>. This is an example.
>>
>> Output:
>> Feb 18 11:23:17 LinMV su[1202]: pam_unix(su:session): session opened for 
>> user homer by root(uid=0)
>>
>>
>>
>>
>> **Phase 1: Completed pre-decoding.
>>full event: 'Feb 18 11:23:17 LinMV su[1202]: 
>> pam_unix(su:session): session opened for user homer by root(uid=0)'
>>hostname: 'LinMV'
>>program_name: 'su'
>>log: 'pam_unix(su:session): session opened for user homer by 
>> root(uid=0)'
>>
>>
>> **Phase 2: Completed decoding.
>>decoder: 'pam'
>>
>>
>> **Phase 3: Completed filtering (rules).
>>Rule id: '12'
>>Level: '0'
>>Description: 'Ignore USERNAME'
>>
>> Regards.
>>
>>
>> On Thursday, February 18, 2016 at 10:29:27 AM UTC+1, Maxim Surdu wrote:
>>>
>>> Hi dear community,
>>>
>>> I installed and configured about 10 agents, and of course I have a lot of 
>>> users; some of these users are service users.
>>>
>>> In policy-rules.xml I have the following rules:
>>>
>>> 
>>>   
>>> rule 17101:
>>>   if_group:    authentication_success
>>>   time:        4 pm -  7 am
>>>   description: Successful login during non-business hours.
>>>   group:       login_time,
>>>
>>> rule 17102:
>>>   if_group:    authentication_success
>>>   weekday:     weekends
>>>   description: Successful login during weekend.
>>>   group:       login_day,
>>>
>>>
>>> and I added a rule to ignore user www-data:
>>>
>>> 
>>>   if_sid:      17101
>>>   user:        www-data
>>>   description: Ignore USERNAME
>>> 
>>>
>>> but it is not working.
>>>
>>> Also I have a lot of users whose names begin with 
>>> __cpanel__service__auth__ftpd**
>>>
>>> Some examples:
>>>
>>> __cpanel__service__auth__ftpd__k0MtRO0qadKcn0W104TiJX_fIUt6NTesiDOXfXjQdao09FHQbymiy9OB4AenozyY
>>>
>>> __cpanel__service__auth__ftpd__iNQU40H8hsz0rrHIyB2CSrz47pJhIaWXEvo5Bn9oYK8Jfx0LzN4rK2DqxYfnn_sn
>>>  
>>>
>>> __cpanel__service__auth__ftpd__GkNcCNIvBSTW1ZDvgUd8RmBex9y6AaZ8BXSZFyVe9mLogb7sBHzwDSbggie5zVaE
>>>  
>>>
>>> and OSSEC mails me about these service users successfully logging in 
>>> during non-business hours; I know that, but I don't need that data in my 
>>> mail box.
>>>
>>> How can I exclude all these service users from the policy rules?
>>>
>>> I appreciate your help, and a lot of respect for the developers and 
>>> community!
>>>
>>

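As an added example (my code, not from this thread or the OSSEC project), here is a small Python model of the two rule options the exchange above turns on: `<match>` as a literal substring test with `|` alternatives, and a `<time>` window such as `4 pm - 7 am` that wraps past midnight. It reproduces the layout of the rules discussed (policy rule 17101 firing on an authentication_success event inside the window, and a level-0 child rule keyed on `<if_sid>17101</if_sid>` that silences service accounts), but the matching is my simplification: OSSEC's real `<match>` also understands `^` and `$`, and the decoder/rule chain that assigns the authentication_success group is reduced to two string markers. The sample log lines are constructed in the pam and pure-ftpd formats quoted in the thread; host names, PIDs and the cPanel token are made up.

```python
import re
from datetime import time


def ossec_match(pattern: str, log: str) -> bool:
    """Model of <match>: each '|'-separated alternative is a literal substring.
    Nothing is trimmed, so spaces around '|' become part of the alternative."""
    return any(alt in log for alt in pattern.split("|"))


def parse_clock(text: str) -> time:
    """'4 pm', '7 am', '00:00 am', '11:59 pm', '09:00' -> datetime.time."""
    m = re.fullmatch(r"\s*(\d{1,2})(?::(\d{2}))?\s*(am|pm)?\s*", text.lower())
    if not m:
        raise ValueError(f"bad clock value: {text!r}")
    hour, minute, meridiem = int(m.group(1)), int(m.group(2) or 0), m.group(3)
    if meridiem == "pm" and hour < 12:
        hour += 12
    elif meridiem == "am" and hour == 12:
        hour = 0
    return time(hour, minute)


def in_time_window(spec: str, when: time) -> bool:
    """<time>START - END</time>. OSSEC compares the time the manager processes
    the event, not the log's own timestamp. If END is earlier than START the
    window crosses midnight ('4 pm - 7 am')."""
    start_text, end_text = spec.split("-", 1)
    start, end = parse_clock(start_text), parse_clock(end_text)
    if start <= end:
        return start <= when <= end
    return when >= start or when <= end


# Stand-in for the authentication_success group that the stock rules attach to
# pam "session opened" lines and pure-ftpd "is now logged in" lines.
SUCCESS_MARKERS = ("session opened for user ", " is now logged in")


def is_authentication_success(log: str) -> bool:
    return any(marker in log for marker in SUCCESS_MARKERS)


def evaluate(log: str, when: time, ignore_match: str, window: str = "4 pm - 7 am") -> int:
    """Id of the rule that ends up firing: 0 (none), 17101 (alert), or 12 (the
    level-0 child from Jesus's example that silences it). A child rule is only
    tried after the parent named in its <if_sid> has matched."""
    if not (is_authentication_success(log) and in_time_window(window, when)):
        return 0
    if ossec_match(ignore_match, log):
        return 12
    return 17101


def user_match(*users: str) -> str:
    """<match> text for pam-style lines, one 'user NAME' alternative per account."""
    return "|".join(f"user {u}" for u in users)


# Constructed sample lines in the two formats quoted in the thread.
PAM_HOMER = ("Feb 18 11:23:17 LinMV su[1202]: pam_unix(su:session): "
             "session opened for user homer by root(uid=0)")
PAM_WWW = ("Feb 18 23:10:02 web1 CRON[411]: pam_unix(cron:session): "
           "session opened for user www-data by (uid=0)")
FTP_CPANEL = ("Feb 18 23:11:40 web1 pure-ftpd: (?@127.0.0.1) [INFO] "
              "__cpanel__service__auth__ftpd__k0MtRO0qadKcn0W1 is now logged in")
FTP_TRANSPOR = ("Mar  2 21:05:38 host pure-ftpd: (?@192.0.2.10) [INFO] "
                "transpor is now logged in")

# The pattern from the thread: pam lines carry 'user NAME', pure-ftpd lines do
# not, so the cPanel alternative is a bare prefix of the account token.
IGNORE_SERVICE_ACCOUNTS = user_match("www-data") + "|__cpanel__service__auth__ftpd__"


def demo() -> dict:
    after_hours = time(23, 30)
    return {
        "homer": evaluate(PAM_HOMER, after_hours, IGNORE_SERVICE_ACCOUNTS),
        "www-data": evaluate(PAM_WWW, after_hours, IGNORE_SERVICE_ACCOUNTS),
        "cpanel": evaluate(FTP_CPANEL, after_hours, IGNORE_SERVICE_ACCOUNTS),
        "transpor": evaluate(FTP_TRANSPOR, after_hours, IGNORE_SERVICE_ACCOUNTS),
        "homer-daytime": evaluate(PAM_HOMER, time(10, 0), IGNORE_SERVICE_ACCOUNTS),
    }


if __name__ == "__main__":
    for name, rule in demo().items():
        print(f"{name:14s} -> rule {rule}")
```

Two things the run makes visible. A pam line carries `user NAME`, so `user www-data` is the right literal, while a pure-ftpd line reads `NAME is now logged in`, so `user transpor` would never match it (the March thread on this page matches on the bare name for that reason, which also matches any longer name containing it). And OSSEC keeps the spaces around `|`, so `user www-data | __cpanel__service__auth__ftpd__` only matched because the pam line has a space after the account name. Check any such rule with `/var/ossec/bin/ossec-logtest` before relying on it.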


[ossec-list] Re: the length of time the user logged in

2016-02-19 Thread Maxim Surdu
Hi Jesus Linares,

I have Linux (CentOS, Ubuntu) and Windows Server.

If it is possible, alert me on all types of login.

On Thursday, February 18, 2016, at 13:04:15 UTC+2, Jesus Linares wrote:
>
> Hi Maxim,
>
> What is the OS of your agents?
>
> What kind of login do you want to alert on? SSH, FTP, normal login?
>
> Regards.
>
> On Thursday, February 18, 2016 at 10:14:32 AM UTC+1, Maxim Surdu wrote:
>>
>> Hi dear community,
>>
>> I installed and configured about 10 agents, and of course I have a lot of 
>> users. I have logs of when they log in and log out; can I create a rule to 
>> show me the length of time the user was logged in and, when they log out, 
>> have the rule send me mail?
>>
>> I appreciate your help and a lot of respect for the developers and community!
>>
>



[ossec-list] exclude service-users

2016-02-18 Thread Maxim Surdu
Hi dear community,

I installed and configured about 10 agents, and of course I have a lot of 
users; some of these users are service users.

In policy-rules.xml I have the following rules:


  
rule 17101:
  if_group:    authentication_success
  time:        4 pm -  7 am
  description: Successful login during non-business hours.
  group:       login_time,

rule 17102:
  if_group:    authentication_success
  weekday:     weekends
  description: Successful login during weekend.
  group:       login_day,


and I added a rule to ignore user www-data:


  if_sid:      17101
  user:        www-data
  description: Ignore USERNAME


but it is not working.

Also I have a lot of users whose names begin with 
__cpanel__service__auth__ftpd**

Some examples:
__cpanel__service__auth__ftpd__k0MtRO0qadKcn0W104TiJX_fIUt6NTesiDOXfXjQdao09FHQbymiy9OB4AenozyY
__cpanel__service__auth__ftpd__iNQU40H8hsz0rrHIyB2CSrz47pJhIaWXEvo5Bn9oYK8Jfx0LzN4rK2DqxYfnn_sn
 
__cpanel__service__auth__ftpd__GkNcCNIvBSTW1ZDvgUd8RmBex9y6AaZ8BXSZFyVe9mLogb7sBHzwDSbggie5zVaE
 

and OSSEC mails me about these service users successfully logging in during 
non-business hours; I know that, but I don't need that data in my mail box.

How can I exclude all these service users from the policy rules?

I appreciate your help, and a lot of respect for the developers and community!



Re: [ossec-list] OSSEC not sending error.log

2016-02-10 Thread Maxim Surdu
I will remind you that logall is active:



  
global:
  email_notification: yes
  logall:             yes
  smtp_server:        DC2.*.***
  email_to:           msurdu@*.**
  email_from:         ossec@*.**

alerts:
  log_alert_level:    1
  email_alert_level:  6
 


On Thursday, February 11, 2016, at 09:41:06 UTC+2, Maxim Surdu wrote:
>
> Yes, my agent is shown as active, but just a part of the access log is coming; 
> the rest of the logs are going into the archive, and I do not know why. I checked all 
> agents and found one more agent that has the same problem.
>
> On Wednesday, February 10, 2016, at 20:29:58 UTC+2, Santiago Bassett wrote:
>>
>> Hi Maxim,
>>
>> when you enable logall (this goes in the manager configuration file) 
>> every event will be logged in archives.log. That is everything every agent 
>> is sending to the manager (which also runs a local agent). That is why you 
>> can see manager logs in archives.log, and that is fine.
>>
>> My question is, do you see anything from the agent in that same file? 
>> Does the agent appear as active? 
>>
>> Best
>>
>> On Tue, Feb 9, 2016 at 11:52 PM, Maxim Surdu <maxs...@gmail.com> wrote:
>>
>>> I checked: my logs are in /var/ossec/logs/ossec.log on the agent,
>>>
>>> but for the manager the logs are going into /var/ossec/logs/archives/archives.log.
>>>
>>> How do I resolve it? And why are my logs going into archives?
>>>
>>> On Tuesday, February 9, 2016, at 18:03:27 UTC+2, Santiago Bassett wrote:
>>>>
>>>> ossec-logcollector seems to be reading the file on the agent side. 
>>>>
>>>> Does the agent appear as connected? Please check 
>>>> /var/ossec/logs/ossec.log on the agent and manager to see if there are 
>>>> errors there. 
>>>>
>>>> Also, are you sure events are not being written to 
>>>> /var/ossec/logs/archives/archives.log?
>>>>
>>>>
>>>> On Mon, Feb 8, 2016 at 11:28 PM, Maxim Surdu <maxs...@gmail.com> wrote:
>>>>
>>>>> Hi Santiago,
>>>>>
>>>>> This is my output:
>>>>>
>>>>> root@my:/home/msurdu# lsof /var/log/apache2/error.log
>>>>> COMMAND     PID     USER   FD   TYPE DEVICE SIZE/OFF   NODE NAME
>>>>> apache2    4254     root    2w   REG    8,1  1299856 527904 /var/log/apache2/error.log
>>>>> apache2    4259 www-data    2w   REG    8,1  1299856 527904 /var/log/apache2/error.log
>>>>> apache2    4260 www-data    2w   REG    8,1  1299856 527904 /var/log/apache2/error.log
>>>>> apache2    4261 www-data    2w   REG    8,1  1299856 527904 /var/log/apache2/error.log
>>>>> apache2    4262 www-data    2w   REG    8,1  1299856 527904 /var/log/apache2/error.log
>>>>> apache2    4263 www-data    2w   REG    8,1  1299856 527904 /var/log/apache2/error.log
>>>>> apache2    4395 www-data    2w   REG    8,1  1299856 527904 /var/log/apache2/error.log
>>>>> apache2    7539 www-data    2w   REG    8,1  1299856 527904 /var/log/apache2/error.log
>>>>> tail      20004     root   14r   REG    8,1  1299856 527904 /var/log/apache2/error.log
>>>>> apache2   25483 www-data    2w   REG    8,1  1299856 527904 /var/log/apache2/error.log
>>>>> ossec-log 28986     root   13r   REG    8,1  1299856 527904 /var/log/apache2/error.log
>>>>>
>>>>>
>>>>>
>>>>> This is the beginning of my ossec.conf on the server:
>>>>> 
>>>>>   
>>>>> global:
>>>>>   email_notification: yes
>>>>>   logall:             yes
>>>>>   smtp_server:        DC2.*.***
>>>>>   email_to:           msurdu@*.**
>>>>>   email_from:         ossec@*.**
>>>>>
>>>>> alerts:
>>>>>   log_alert_level:    1
>>>>>   email_alert_level:  6
>>>>>  
>>>>>  
>>>>>
>>>>> The results are the same :( More suggestions?
>>>>>
>>>>>
>>>>> On Tuesday, February 9, 2016, at 04:53:05 UTC+2, Santiago Bassett wrote:
>>>>>>
>>>>>> Hi Maxim,
>>>>>>
>>>>>> please check that ossec-logcollector process is running and reading 
>>>>>> that file. You can do 
>>>>>>
>>>>>> lsof /var/log/apache2/error.log
>>>>>>
>>>>>> If that is not the case there might be something wrong with the 
>

Re: [ossec-list] OSSEC not sending error.log

2016-02-10 Thread Maxim Surdu
Yes, my agent is shown as active, but just a part of the access log is coming; 
the rest of the logs are going into the archive, and I do not know why. I checked all 
agents and found one more agent that has the same problem.

On Wednesday, February 10, 2016, at 20:29:58 UTC+2, Santiago Bassett wrote:
>
> Hi Maxim,
>
> when you enable logall (this goes in the manager configuration file) every 
> event will be logged in archives.log. That is everything every agent is 
> sending to the manager (which also runs a local agent). That is why you can 
> see manager logs in archives.log, and that is fine.
>
> My question is, do you see anything from the agent in that same file? Does 
> the agent appear as active? 
>
> Best
>
> On Tue, Feb 9, 2016 at 11:52 PM, Maxim Surdu <maxs...@gmail.com 
> > wrote:
>
>> I checked: my logs are in /var/ossec/logs/ossec.log on the agent,
>>
>> but for the manager the logs are going into /var/ossec/logs/archives/archives.log.
>>
>> How do I resolve it? And why are my logs going into archives?
>>
>> On Tuesday, February 9, 2016, at 18:03:27 UTC+2, Santiago Bassett wrote:
>>>
>>> ossec-logcollector seems to be reading the file on the agent side. 
>>>
>>> Does the agent appear as connected? Please check 
>>> /var/ossec/logs/ossec.log on the agent and manager to see if there are 
>>> errors there. 
>>>
>>> Also, are you sure events are not being written to 
>>> /var/ossec/logs/archives/archives.log?
>>>
>>>
>>> On Mon, Feb 8, 2016 at 11:28 PM, Maxim Surdu <maxs...@gmail.com> wrote:
>>>
>>>> Hi Santiago,
>>>>
>>>> This is my output:
>>>>
>>>> root@my:/home/msurdu# lsof /var/log/apache2/error.log
>>>> COMMAND     PID     USER   FD   TYPE DEVICE SIZE/OFF   NODE NAME
>>>> apache2    4254     root    2w   REG    8,1  1299856 527904 /var/log/apache2/error.log
>>>> apache2    4259 www-data    2w   REG    8,1  1299856 527904 /var/log/apache2/error.log
>>>> apache2    4260 www-data    2w   REG    8,1  1299856 527904 /var/log/apache2/error.log
>>>> apache2    4261 www-data    2w   REG    8,1  1299856 527904 /var/log/apache2/error.log
>>>> apache2    4262 www-data    2w   REG    8,1  1299856 527904 /var/log/apache2/error.log
>>>> apache2    4263 www-data    2w   REG    8,1  1299856 527904 /var/log/apache2/error.log
>>>> apache2    4395 www-data    2w   REG    8,1  1299856 527904 /var/log/apache2/error.log
>>>> apache2    7539 www-data    2w   REG    8,1  1299856 527904 /var/log/apache2/error.log
>>>> tail      20004     root   14r   REG    8,1  1299856 527904 /var/log/apache2/error.log
>>>> apache2   25483 www-data    2w   REG    8,1  1299856 527904 /var/log/apache2/error.log
>>>> ossec-log 28986     root   13r   REG    8,1  1299856 527904 /var/log/apache2/error.log
>>>>
>>>>
>>>>
>>>> This is the beginning of my ossec.conf on the server:
>>>> 
>>>>   
>>>> global:
>>>>   email_notification: yes
>>>>   logall:             yes
>>>>   smtp_server:        DC2.*.***
>>>>   email_to:           msurdu@*.**
>>>>   email_from:         ossec@*.**
>>>>
>>>> alerts:
>>>>   log_alert_level:    1
>>>>   email_alert_level:  6
>>>>  
>>>>  
>>>>
>>>> The results are the same :( More suggestions?
>>>>
>>>>
>>>> On Tuesday, February 9, 2016, at 04:53:05 UTC+2, Santiago Bassett wrote:
>>>>>
>>>>> Hi Maxim,
>>>>>
>>>>> please check that ossec-logcollector process is running and reading 
>>>>> that file. You can do 
>>>>>
>>>>> lsof /var/log/apache2/error.log
>>>>>
>>>>> If that is not the case there might be something wrong with the 
>>>>> configuration (maybe a typo).  
>>>>>
>>>>> If it is reading the logs, try enabling logall option on the OSSEC 
>>>>> manager, to see if those get actually there.
>>>>>
>>>>> I hope that helps,
>>>>>
>>>>> Santiago.
>>>>>
>>>>> On Mon, Feb 8, 2016 at 7:23 AM, Maxim Surdu <maxs...@gmail.com> wrote:
>>>>>
>>>>>> Dear community,
>>>>>> I am having a problem in OSSEC. I have configured

[ossec-list] Agent did not start

2016-02-10 Thread Maxim Surdu
Hi dear community,

I installed and configured about 10 agents,

but one of them, after installing the client key, did not start.


[root@mx2 bin]# ./ossec-control start
Starting OSSEC HIDS v2.8.3 (by Trend Micro Inc.)...
Started ossec-execd...
2016/02/10 14:27:25 ossec-agentd: INFO: Using notify time: 600 and max time 
to reconnect: 1800
Started ossec-agentd...
2016/02/10 14:27:25 ossec-logcollector: DEBUG: Starting ...
Started ossec-logcollector...
2016/02/10 14:27:25 ossec-syscheckd: DEBUG: Starting ...
2016/02/10 14:27:25 syscheckd: Reading Configuration 
[/var/ossec/etc/ossec.conf]
2016/02/10 14:27:25 syscheckd: Reading Client Configuration 
[/var/ossec/etc/ossec.conf]
2016/02/10 14:27:25 ossec-rootcheck: DEBUG: Starting ...
2016/02/10 14:27:25 ossec-rootcheck: Starting queue ...
2016/02/10 14:27:28 ossec-syscheckd(1210): ERROR: Queue 
'/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
2016/02/10 14:27:28 ossec-rootcheck(1210): ERROR: Queue 
'/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
2016/02/10 14:27:36 ossec-syscheckd(1210): ERROR: Queue 
'/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
2016/02/10 14:27:36 ossec-rootcheck(1210): ERROR: Queue 
'/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
2016/02/10 14:27:49 ossec-syscheckd(1210): ERROR: Queue 
'/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
2016/02/10 14:27:49 ossec-rootcheck(1211): ERROR: Unable to access queue: 
'/var/ossec/queue/ossec/queue'. Giving up..
ossec-syscheckd did not start


Please, any suggestions? These servers are very important for 
monitoring logs.

Many thanks,
Maxim Surdu



Re: [ossec-list] Agent did not start

2016-02-10 Thread Maxim Surdu
[root@mx2 bin]# tail -f /var/ossec/logs/ossec.log 
2016/02/10 14:27:25 ossec-rootcheck: DEBUG: Starting ...
2016/02/10 14:27:25 ossec-rootcheck: Starting queue ...
2016/02/10 14:27:28 ossec-syscheckd(1210): ERROR: Queue 
'/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
2016/02/10 14:27:28 ossec-rootcheck(1210): ERROR: Queue 
'/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
2016/02/10 14:27:34 ossec-logcollector(1210): ERROR: Queue 
'/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
2016/02/10 14:27:34 ossec-logcollector(1211): ERROR: Unable to access 
queue: '/var/ossec/queue/ossec/queue'. Giving up..
2016/02/10 14:27:36 ossec-syscheckd(1210): ERROR: Queue 
'/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
2016/02/10 14:27:36 ossec-rootcheck(1210): ERROR: Queue 
'/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
2016/02/10 14:27:49 ossec-syscheckd(1210): ERROR: Queue 
'/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
2016/02/10 14:27:49 ossec-rootcheck(1211): ERROR: Unable to access queue: 
'/var/ossec/queue/ossec/queue'. Giving up..



the same


On Wednesday, February 10, 2016, at 14:36:42 UTC+2, dan (ddpbsd) wrote:
>
>
> On Feb 10, 2016 7:32 AM, "Maxim Surdu" <maxs...@gmail.com > 
> wrote:
> >
> > Hi dear community,
> >
> > I installed and configured about 10 agents,
> >
> > but one of them, after installing the client key, did not start.
> >
> >
> > [root@mx2 bin]# ./ossec-control start
> > Starting OSSEC HIDS v2.8.3 (by Trend Micro Inc.)...
> > Started ossec-execd...
> > 2016/02/10 14:27:25 ossec-agentd: INFO: Using notify time: 600 and max 
> time to reconnect: 1800
> > Started ossec-agentd...
> > 2016/02/10 14:27:25 ossec-logcollector: DEBUG: Starting ...
> > Started ossec-logcollector...
> > 2016/02/10 14:27:25 ossec-syscheckd: DEBUG: Starting ...
> > 2016/02/10 14:27:25 syscheckd: Reading Configuration 
> [/var/ossec/etc/ossec.conf]
> > 2016/02/10 14:27:25 syscheckd: Reading Client Configuration 
> [/var/ossec/etc/ossec.conf]
> > 2016/02/10 14:27:25 ossec-rootcheck: DEBUG: Starting ...
> > 2016/02/10 14:27:25 ossec-rootcheck: Starting queue ...
> > 2016/02/10 14:27:28 ossec-syscheckd(1210): ERROR: Queue 
> '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
> > 2016/02/10 14:27:28 ossec-rootcheck(1210): ERROR: Queue 
> '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
> > 2016/02/10 14:27:36 ossec-syscheckd(1210): ERROR: Queue 
> '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
> > 2016/02/10 14:27:36 ossec-rootcheck(1210): ERROR: Queue 
> '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
> > 2016/02/10 14:27:49 ossec-syscheckd(1210): ERROR: Queue 
> '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
> > 2016/02/10 14:27:49 ossec-rootcheck(1211): ERROR: Unable to access 
> queue: '/var/ossec/queue/ossec/queue'. Giving up..
> > ossec-syscheckd did not start
> >
> >
> > Please, any suggestions? These servers are very important for 
> monitoring logs.
> >
>
> Check the ossec.log for more detailed log messages.
>
> > Many thanks,
> > Maxim Surdu
> >
>



Re: [ossec-list] Agent did not start

2016-02-10 Thread Maxim Surdu
2016/02/10 14:27:25 ossec-execd: INFO: Started (pid: 24817).
2016/02/10 14:27:25 ossec-agentd: INFO: Using notify time: 600 and max time 
to reconnect: 1800
2016/02/10 14:27:25 ossec-agentd(1410): INFO: Reading authentication keys 
file.
2016/02/10 14:27:25 ossec-agentd(1103): ERROR: Unable to open file 
'/etc/client.keys'.
2016/02/10 14:27:25 ossec-agentd(1750): ERROR: No remote connection 
configured. Exiting.
2016/02/10 14:27:25 ossec-logcollector: DEBUG: Starting ...
2016/02/10 14:27:25 ossec-logcollector: DEBUG: Waiting main daemons to 
settle.
2016/02/10 14:27:25 ossec-syscheckd: DEBUG: Starting ...
2016/02/10 14:27:25 syscheckd: Reading Configuration 
[/var/ossec/etc/ossec.conf]
2016/02/10 14:27:25 syscheckd: Reading Client Configuration 
[/var/ossec/etc/ossec.conf]
2016/02/10 14:27:25 ossec-rootcheck: DEBUG: Starting ...
2016/02/10 14:27:25 ossec-rootcheck: Starting queue ...
2016/02/10 14:27:28 ossec-syscheckd(1210): ERROR: Queue 
'/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
2016/02/10 14:27:28 ossec-rootcheck(1210): ERROR: Queue 
'/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
2016/02/10 14:27:34 ossec-logcollector(1210): ERROR: Queue 
'/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
2016/02/10 14:27:34 ossec-logcollector(1211): ERROR: Unable to access 
queue: '/var/ossec/queue/ossec/queue'. Giving up..
2016/02/10 14:27:36 ossec-syscheckd(1210): ERROR: Queue 
'/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
2016/02/10 14:27:36 ossec-rootcheck(1210): ERROR: Queue 
'/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
2016/02/10 14:27:49 ossec-syscheckd(1210): ERROR: Queue 
'/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
2016/02/10 14:27:49 ossec-rootcheck(1211): ERROR: Unable to access queue: 
'/var/ossec/queue/ossec/queue'. Giving up..
[root@mx2 bin]# 


On Wednesday, February 10, 2016, at 14:37:58 UTC+2, Maxim Surdu wrote:
>
> [root@mx2 bin]# tail -f /var/ossec/logs/ossec.log 
> 2016/02/10 14:27:25 ossec-rootcheck: DEBUG: Starting ...
> 2016/02/10 14:27:25 ossec-rootcheck: Starting queue ...
> 2016/02/10 14:27:28 ossec-syscheckd(1210): ERROR: Queue 
> '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
> 2016/02/10 14:27:28 ossec-rootcheck(1210): ERROR: Queue 
> '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
> 2016/02/10 14:27:34 ossec-logcollector(1210): ERROR: Queue 
> '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
> 2016/02/10 14:27:34 ossec-logcollector(1211): ERROR: Unable to access 
> queue: '/var/ossec/queue/ossec/queue'. Giving up..
> 2016/02/10 14:27:36 ossec-syscheckd(1210): ERROR: Queue 
> '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
> 2016/02/10 14:27:36 ossec-rootcheck(1210): ERROR: Queue 
> '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
> 2016/02/10 14:27:49 ossec-syscheckd(1210): ERROR: Queue 
> '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
> 2016/02/10 14:27:49 ossec-rootcheck(1211): ERROR: Unable to access queue: 
> '/var/ossec/queue/ossec/queue'. Giving up..
>
>
>
> the same
>
>
> On Wednesday, February 10, 2016, at 14:36:42 UTC+2, dan (ddpbsd) wrote:
>>
>>
>> On Feb 10, 2016 7:32 AM, "Maxim Surdu" <maxs...@gmail.com> wrote:
>> >
>> > Hi dear community,
>> >
>> > I installed and configured about 10 agents,
>> >
>> > but one of them, after installing the client key, did not start.
>> >
>> >
>> > [root@mx2 bin]# ./ossec-control start
>> > Starting OSSEC HIDS v2.8.3 (by Trend Micro Inc.)...
>> > Started ossec-execd...
>> > 2016/02/10 14:27:25 ossec-agentd: INFO: Using notify time: 600 and max 
>> time to reconnect: 1800
>> > Started ossec-agentd...
>> > 2016/02/10 14:27:25 ossec-logcollector: DEBUG: Starting ...
>> > Started ossec-logcollector...
>> > 2016/02/10 14:27:25 ossec-syscheckd: DEBUG: Starting ...
>> > 2016/02/10 14:27:25 syscheckd: Reading Configuration 
>> [/var/ossec/etc/ossec.conf]
>> > 2016/02/10 14:27:25 syscheckd: Reading Client Configuration 
>> [/var/ossec/etc/ossec.conf]
>> > 2016/02/10 14:27:25 ossec-rootcheck: DEBUG: Starting ...
>> > 2016/02/10 14:27:25 ossec-rootcheck: Starting queue ...
>> > 2016/02/10 14:27:28 ossec-syscheckd(1210): ERROR: Queue 
>> '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
>> > 2016/02/10 14:27:28 ossec-rootcheck(1210): ERROR: Queue 
>> '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
>> > 2016/02/10 14:27:36 ossec-syscheckd(1210): ERROR: Queue 
>> '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'

Re: [ossec-list] Agent did not start

2016-02-10 Thread Maxim Surdu
I checked client.keys; all is OK.

Wednesday, 10 February 2016, 14:40:24 UTC+2, Maxim Surdu wrote:
>
> 2016/02/10 14:27:25 ossec-execd: INFO: Started (pid: 24817).
> 2016/02/10 14:27:25 ossec-agentd: INFO: Using notify time: 600 and max 
> time to reconnect: 1800
> 2016/02/10 14:27:25 ossec-agentd(1410): INFO: Reading authentication keys 
> file.
> 2016/02/10 14:27:25 ossec-agentd(1103): ERROR: Unable to open file 
> '/etc/client.keys'.
> 2016/02/10 14:27:25 ossec-agentd(1750): ERROR: No remote connection 
> configured. Exiting.
> 2016/02/10 14:27:25 ossec-logcollector: DEBUG: Starting ...
> 2016/02/10 14:27:25 ossec-logcollector: DEBUG: Waiting main daemons to 
> settle.
> 2016/02/10 14:27:25 ossec-syscheckd: DEBUG: Starting ...
> 2016/02/10 14:27:25 syscheckd: Reading Configuration 
> [/var/ossec/etc/ossec.conf]
> 2016/02/10 14:27:25 syscheckd: Reading Client Configuration 
> [/var/ossec/etc/ossec.conf]
> 2016/02/10 14:27:25 ossec-rootcheck: DEBUG: Starting ...
> 2016/02/10 14:27:25 ossec-rootcheck: Starting queue ...
> 2016/02/10 14:27:28 ossec-syscheckd(1210): ERROR: Queue 
> '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
> 2016/02/10 14:27:28 ossec-rootcheck(1210): ERROR: Queue 
> '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
> 2016/02/10 14:27:34 ossec-logcollector(1210): ERROR: Queue 
> '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
> 2016/02/10 14:27:34 ossec-logcollector(1211): ERROR: Unable to access 
> queue: '/var/ossec/queue/ossec/queue'. Giving up..
> 2016/02/10 14:27:36 ossec-syscheckd(1210): ERROR: Queue 
> '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
> 2016/02/10 14:27:36 ossec-rootcheck(1210): ERROR: Queue 
> '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
> 2016/02/10 14:27:49 ossec-syscheckd(1210): ERROR: Queue 
> '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
> 2016/02/10 14:27:49 ossec-rootcheck(1211): ERROR: Unable to access queue: 
> '/var/ossec/queue/ossec/queue'. Giving up..
> [root@mx2 bin]# 
>
>
> Wednesday, 10 February 2016, 14:37:58 UTC+2, Maxim Surdu wrote:
>>
>> [root@mx2 bin]# tail -f /var/ossec/logs/ossec.log 
>> 2016/02/10 14:27:25 ossec-rootcheck: DEBUG: Starting ...
>> 2016/02/10 14:27:25 ossec-rootcheck: Starting queue ...
>> 2016/02/10 14:27:28 ossec-syscheckd(1210): ERROR: Queue 
>> '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
>> 2016/02/10 14:27:28 ossec-rootcheck(1210): ERROR: Queue 
>> '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
>> 2016/02/10 14:27:34 ossec-logcollector(1210): ERROR: Queue 
>> '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
>> 2016/02/10 14:27:34 ossec-logcollector(1211): ERROR: Unable to access 
>> queue: '/var/ossec/queue/ossec/queue'. Giving up..
>> 2016/02/10 14:27:36 ossec-syscheckd(1210): ERROR: Queue 
>> '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
>> 2016/02/10 14:27:36 ossec-rootcheck(1210): ERROR: Queue 
>> '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
>> 2016/02/10 14:27:49 ossec-syscheckd(1210): ERROR: Queue 
>> '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
>> 2016/02/10 14:27:49 ossec-rootcheck(1211): ERROR: Unable to access queue: 
>> '/var/ossec/queue/ossec/queue'. Giving up..
>>
>>
>>
>> the same
>>
>>
>> Wednesday, 10 February 2016, 14:36:42 UTC+2, dan (ddpbsd) wrote:
>>>
>>>
>>> On Feb 10, 2016 7:32 AM, "Maxim Surdu" <maxs...@gmail.com> wrote:
>>> >
>>> > Hi dear community,
>>> >
>>> > I installed and configured about 10 agents,
>>> >
>>> > but one of them did not start after installing the client key.
>>> >
>>> >
>>> > [root@mx2 bin]# ./ossec-control start
>>> > Starting OSSEC HIDS v2.8.3 (by Trend Micro Inc.)...
>>> > Started ossec-execd...
>>> > 2016/02/10 14:27:25 ossec-agentd: INFO: Using notify time: 600 and max 
>>> time to reconnect: 1800
>>> > Started ossec-agentd...
>>> > 2016/02/10 14:27:25 ossec-logcollector: DEBUG: Starting ...
>>> > Started ossec-logcollector...
>>> > 2016/02/10 14:27:25 ossec-syscheckd: DEBUG: Starting ...
>>> > 2016/02/10 14:27:25 syscheckd: Reading Configuration 
>>> [/var/ossec/etc/ossec.conf]
>>> > 2016/02/10 14:27:25 syscheckd: Reading Client Configuration 
>>> [/var/ossec/etc/ossec.conf]
>>> > 2016/02/10 14:27:25 ossec-rootcheck: DEBUG: Starting ...
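The ossec.log excerpt quoted above shows the pattern worth recognising: ossec-agentd reports error 1103 on client.keys and 1750 ("No remote connection configured. Exiting."), and only afterwards do syscheckd, rootcheck and logcollector report the queue as 'Connection refused'. On an agent, ossec-agentd is the process that serves /var/ossec/queue/ossec/queue, so once it has exited the other daemons' queue errors are a symptom rather than a socket-permission fault. The triage script below is an added example, not code from this thread or from OSSEC; the sample log is constructed from the quoted lines, and the error codes 1103/1750/1210/1211 are taken from them.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample, modelled on the ossec.log lines quoted in this thread.
SAMPLE_OSSEC_LOG = """\
2016/02/10 14:27:25 ossec-execd: INFO: Started (pid: 24817).
2016/02/10 14:27:25 ossec-agentd: INFO: Using notify time: 600 and max time to reconnect: 1800
2016/02/10 14:27:25 ossec-agentd(1410): INFO: Reading authentication keys file.
2016/02/10 14:27:25 ossec-agentd(1103): ERROR: Unable to open file '/etc/client.keys'.
2016/02/10 14:27:25 ossec-agentd(1750): ERROR: No remote connection configured. Exiting.
2016/02/10 14:27:25 ossec-logcollector: DEBUG: Starting ...
2016/02/10 14:27:25 syscheckd: Reading Configuration [/var/ossec/etc/ossec.conf]
2016/02/10 14:27:25 ossec-rootcheck: Starting queue ...
2016/02/10 14:27:28 ossec-syscheckd(1210): ERROR: Queue '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
2016/02/10 14:27:28 ossec-rootcheck(1210): ERROR: Queue '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
2016/02/10 14:27:34 ossec-logcollector(1210): ERROR: Queue '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
2016/02/10 14:27:34 ossec-logcollector(1211): ERROR: Unable to access queue: '/var/ossec/queue/ossec/queue'. Giving up..
2016/02/10 14:27:49 ossec-rootcheck(1211): ERROR: Unable to access queue: '/var/ossec/queue/ossec/queue'. Giving up..
"""

# "YYYY/MM/DD HH:MM:SS daemon(code): LEVEL: message"; the "(code)" part is optional.
# Lines without a LEVEL field (e.g. "syscheckd: Reading Configuration ...") are skipped.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) "
    r"(?P<daemon>[\w-]+)(?:\((?P<code>\d+)\))?: "
    r"(?P<level>INFO|DEBUG|WARN|ERROR|CRITICAL): (?P<msg>.*)$"
)

# Codes seen in the thread for "could not reach the agent queue socket" / "giving up".
QUEUE_ERROR_CODES = {1210, 1211}


@dataclass
class LogEntry:
    ts: str            # kept as the original string; this format sorts lexicographically
    daemon: str
    code: Optional[int]
    level: str
    msg: str


def parse_ossec_log(text: str) -> List[LogEntry]:
    entries: List[LogEntry] = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            code = int(m["code"]) if m["code"] else None
            entries.append(LogEntry(m["ts"], m["daemon"], code, m["level"], m["msg"]))
    return entries


def triage_agent_start(entries: List[LogEntry]) -> Dict[str, object]:
    """Explain a 'Queue ... not accessible' cascade on an OSSEC agent.

    ossec-agentd is the reader side of /var/ossec/queue/ossec/queue; syscheckd,
    rootcheck and logcollector only connect to it. If agentd logged an ERROR at or
    before the first queue error, that error is the root cause and the queue errors
    are a symptom. Note that OSSEC daemons run chrooted in /var/ossec, so the
    '/etc/client.keys' in agentd's message is /var/ossec/etc/client.keys on the host.
    """
    queue_errors = [e for e in entries if e.code in QUEUE_ERROR_CODES]
    affected = sorted({e.daemon for e in queue_errors})
    if not queue_errors:
        return {"root_cause": None, "affected_daemons": affected, "symptom_only": False}
    first_queue = queue_errors[0]
    for e in entries:
        if e.daemon == "ossec-agentd" and e.level == "ERROR" and e.ts <= first_queue.ts:
            return {"root_cause": e, "affected_daemons": affected, "symptom_only": True}
    # No agentd error before the cascade: the socket itself (permissions, SELinux) is suspect.
    return {"root_cause": first_queue, "affected_daemons": affected, "symptom_only": False}


if __name__ == "__main__":
    result = triage_agent_start(parse_ossec_log(SAMPLE_OSSEC_LOG))
    rc = result["root_cause"]
    print(f"root cause: {rc.daemon}({rc.code}) {rc.msg}")
    print("daemons reporting queue errors:", ", ".join(result["affected_daemons"]))
```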

Re: [ossec-list] Agent did not start

2016-02-10 Thread Maxim Surdu
[root@mx2 bin]# ll
total 2.4M
4.0K dr-xr-x---  2 root ossec 4.0K Dec 30 09:32 ./
4.0K dr-xr-x--- 11 root ossec 4.0K Dec 30 09:32 ../
192K -r-xr-x---  1 root ossec 189K Dec 30 09:32 agent-auth*
268K -r-xr-x---  1 root ossec 267K Dec 30 09:32 manage_agents*
540K -r-xr-x---  1 root ossec 540K Dec 30 09:32 ossec-agentd*
8.0K -r-xr-x---  1 root ossec 4.8K Oct 13 00:21 ossec-control*
116K -r-xr-x---  1 root ossec 115K Dec 30 09:31 ossec-execd*
412K -r-xr-x---  1 root ossec 411K Dec 30 09:32 ossec-logcollector*
216K -r-xr-x---  1 root ossec 213K Dec 30 09:31 ossec-lua*
148K -r-xr-x---  1 root ossec 145K Dec 30 09:31 ossec-luac*
536K -r-xr-x---  1 root ossec 535K Dec 30 09:32 ossec-syscheckd*
8.0K -r-xr-x---  1 root ossec 4.3K Oct 13 00:21 util.sh*


Wednesday, 10 February 2016, 14:48:06 UTC+2, dan (ddpbsd) wrote:
>
>
> On Feb 10, 2016 7:38 AM, "Maxim Surdu" <maxs...@gmail.com > 
> wrote:
> >
> > [root@mx2 bin]# tail -f /var/ossec/logs/ossec.log 
> > 2016/02/10 14:27:25 ossec-rootcheck: DEBUG: Starting ...
> > 2016/02/10 14:27:25 ossec-rootcheck: Starting queue ...
> > 2016/02/10 14:27:28 ossec-syscheckd(1210): ERROR: Queue 
> '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
> > 2016/02/10 14:27:28 ossec-rootcheck(1210): ERROR: Queue 
> '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
> > 2016/02/10 14:27:34 ossec-logcollector(1210): ERROR: Queue 
> '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
> > 2016/02/10 14:27:34 ossec-logcollector(1211): ERROR: Unable to access 
> queue: '/var/ossec/queue/ossec/queue'. Giving up..
> > 2016/02/10 14:27:36 ossec-syscheckd(1210): ERROR: Queue 
> '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
> > 2016/02/10 14:27:36 ossec-rootcheck(1210): ERROR: Queue 
> '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
> > 2016/02/10 14:27:49 ossec-syscheckd(1210): ERROR: Queue 
> '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
> > 2016/02/10 14:27:49 ossec-rootcheck(1211): ERROR: Unable to access 
> queue: '/var/ossec/queue/ossec/queue'. Giving up..
> >
> >
>
> Check the permissions of the queue directory and files.
> Check any selinux or similar logs.
> Reinstall?
>
> >
> > the same
> >
> >
> > Wednesday, 10 February 2016, 14:36:42 UTC+2, dan (ddpbsd) wrote:
> >>
> >>
> >> On Feb 10, 2016 7:32 AM, "Maxim Surdu" <maxs...@gmail.com> wrote:
> >> >
> >> > Hi dear community,
> >> >
> >> > I installed and configured about 10 agents,
> >> >
> >> > but one of them did not start after installing the client key.
> >> >
> >> >
> >> > [root@mx2 bin]# ./ossec-control start
> >> > Starting OSSEC HIDS v2.8.3 (by Trend Micro Inc.)...
> >> > Started ossec-execd...
> >> > 2016/02/10 14:27:25 ossec-agentd: INFO: Using notify time: 600 and 
> max time to reconnect: 1800
> >> > Started ossec-agentd...
> >> > 2016/02/10 14:27:25 ossec-logcollector: DEBUG: Starting ...
> >> > Started ossec-logcollector...
> >> > 2016/02/10 14:27:25 ossec-syscheckd: DEBUG: Starting ...
> >> > 2016/02/10 14:27:25 syscheckd: Reading Configuration 
> [/var/ossec/etc/ossec.conf]
> >> > 2016/02/10 14:27:25 syscheckd: Reading Client Configuration 
> [/var/ossec/etc/ossec.conf]
> >> > 2016/02/10 14:27:25 ossec-rootcheck: DEBUG: Starting ...
> >> > 2016/02/10 14:27:25 ossec-rootcheck: Starting queue ...
> >> > 2016/02/10 14:27:28 ossec-syscheckd(1210): ERROR: Queue 
> '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
> >> > 2016/02/10 14:27:28 ossec-rootcheck(1210): ERROR: Queue 
> '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
> >> > 2016/02/10 14:27:36 ossec-syscheckd(1210): ERROR: Queue 
> '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
> >> > 2016/02/10 14:27:36 ossec-rootcheck(1210): ERROR: Queue 
> '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
> >> > 2016/02/10 14:27:49 ossec-syscheckd(1210): ERROR: Queue 
> '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
> >> > 2016/02/10 14:27:49 ossec-rootcheck(1211): ERROR: Unable to access 
> queue: '/var/ossec/queue/ossec/queue'. Giving up..
> >> > ossec-syscheckd did not start
> >> >
> >> >
> >> > Please, any suggestions? These servers are very important for
> monitoring logs.
> >> >
> >>
> >> Check the ossec.log for more detailed 

Re: [ossec-list] Agent did not start

2016-02-10 Thread Maxim Surdu
[root@mx2 ossec]# ll
total 16K
4.0K drwxrwxrwx 2 ossec ossec 4.0K Feb 10 14:27 ./
4.0K dr-xr-x--- 7 root  ossec 4.0K Dec 30 09:32 ../
4.0K -rwxrwxrwx 1 ossec ossec   23 Feb 10 12:50 .agent_info*
   0 srw-rw 1 ossec ossec    0 Feb 10 14:27 queue=
   0 srwxrwxrwx 1 ossec ossec    0 Feb 10 12:18 queue_=
4.0K -rwxrwxrwx 1 ossec ossec    1 Feb 10 12:03 .wait*


Wednesday, 10 February 2016, 14:49:58 UTC+2, Maxim Surdu wrote:
>
> [root@mx2 bin]# ll
> total 2.4M
> 4.0K dr-xr-x---  2 root ossec 4.0K Dec 30 09:32 ./
> 4.0K dr-xr-x--- 11 root ossec 4.0K Dec 30 09:32 ../
> 192K -r-xr-x---  1 root ossec 189K Dec 30 09:32 agent-auth*
> 268K -r-xr-x---  1 root ossec 267K Dec 30 09:32 manage_agents*
> 540K -r-xr-x---  1 root ossec 540K Dec 30 09:32 ossec-agentd*
> 8.0K -r-xr-x---  1 root ossec 4.8K Oct 13 00:21 ossec-control*
> 116K -r-xr-x---  1 root ossec 115K Dec 30 09:31 ossec-execd*
> 412K -r-xr-x---  1 root ossec 411K Dec 30 09:32 ossec-logcollector*
> 216K -r-xr-x---  1 root ossec 213K Dec 30 09:31 ossec-lua*
> 148K -r-xr-x---  1 root ossec 145K Dec 30 09:31 ossec-luac*
> 536K -r-xr-x---  1 root ossec 535K Dec 30 09:32 ossec-syscheckd*
> 8.0K -r-xr-x---  1 root ossec 4.3K Oct 13 00:21 util.sh*
>
>
> Wednesday, 10 February 2016, 14:48:06 UTC+2, dan (ddpbsd) wrote:
>>
>>
>> On Feb 10, 2016 7:38 AM, "Maxim Surdu" <maxs...@gmail.com> wrote:
>> >
>> > [root@mx2 bin]# tail -f /var/ossec/logs/ossec.log 
>> > 2016/02/10 14:27:25 ossec-rootcheck: DEBUG: Starting ...
>> > 2016/02/10 14:27:25 ossec-rootcheck: Starting queue ...
>> > 2016/02/10 14:27:28 ossec-syscheckd(1210): ERROR: Queue 
>> '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
>> > 2016/02/10 14:27:28 ossec-rootcheck(1210): ERROR: Queue 
>> '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
>> > 2016/02/10 14:27:34 ossec-logcollector(1210): ERROR: Queue 
>> '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
>> > 2016/02/10 14:27:34 ossec-logcollector(1211): ERROR: Unable to access 
>> queue: '/var/ossec/queue/ossec/queue'. Giving up..
>> > 2016/02/10 14:27:36 ossec-syscheckd(1210): ERROR: Queue 
>> '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
>> > 2016/02/10 14:27:36 ossec-rootcheck(1210): ERROR: Queue 
>> '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
>> > 2016/02/10 14:27:49 ossec-syscheckd(1210): ERROR: Queue 
>> '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
>> > 2016/02/10 14:27:49 ossec-rootcheck(1211): ERROR: Unable to access 
>> queue: '/var/ossec/queue/ossec/queue'. Giving up..
>> >
>> >
>>
>> Check the permissions of the queue directory and files.
>> Check any selinux or similar logs.
>> Reinstall?
>>
>> >
>> > the same
>> >
>> >
>> > Wednesday, 10 February 2016, 14:36:42 UTC+2, dan (ddpbsd) wrote:
>> >>
>> >>
>> >> On Feb 10, 2016 7:32 AM, "Maxim Surdu" <maxs...@gmail.com> wrote:
>> >> >
>> >> > Hi dear community,
>> >> >
>> >> > I installed and configured about 10 agents,
>> >> >
>> >> > but one of them did not start after installing the client key.
>> >> >
>> >> >
>> >> > [root@mx2 bin]# ./ossec-control start
>> >> > Starting OSSEC HIDS v2.8.3 (by Trend Micro Inc.)...
>> >> > Started ossec-execd...
>> >> > 2016/02/10 14:27:25 ossec-agentd: INFO: Using notify time: 600 and 
>> max time to reconnect: 1800
>> >> > Started ossec-agentd...
>> >> > 2016/02/10 14:27:25 ossec-logcollector: DEBUG: Starting ...
>> >> > Started ossec-logcollector...
>> >> > 2016/02/10 14:27:25 ossec-syscheckd: DEBUG: Starting ...
>> >> > 2016/02/10 14:27:25 syscheckd: Reading Configuration 
>> [/var/ossec/etc/ossec.conf]
>> >> > 2016/02/10 14:27:25 syscheckd: Reading Client Configuration 
>> [/var/ossec/etc/ossec.conf]
>> >> > 2016/02/10 14:27:25 ossec-rootcheck: DEBUG: Starting ...
>> >> > 2016/02/10 14:27:25 ossec-rootcheck: Starting queue ...
>> >> > 2016/02/10 14:27:28 ossec-syscheckd(1210): ERROR: Queue 
>> '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
>> >> > 2016/02/10 14:27:28 ossec-rootcheck(1210): ERROR: Queue 
>> '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
>> >> > 2016/02/10 14:27:36 ossec-syscheckd(1

Re: [ossec-list] OSSEC not sending error.log

2016-02-09 Thread Maxim Surdu
I checked: my logs are in /var/ossec/logs/ossec.log on the agent,

but on the manager the logs are going into /var/ossec/logs/archives/archives.log.

How do I resolve this? And why are my logs going into archives?

Tuesday, 9 February 2016, 18:03:27 UTC+2, Santiago Bassett wrote:
>
> ossec-logcollector seems to be reading the file on the agent side. 
>
> Does the agent appear as connected? Please check /var/ossec/logs/ossec.log 
> on the agent and manager to see if there are errors there. 
>
> Also, are you sure events are not being written to 
> /var/ossec/logs/archives/archives.log?
>
>
> On Mon, Feb 8, 2016 at 11:28 PM, Maxim Surdu <maxs...@gmail.com 
> > wrote:
>
>> Hi Santiago,
>>
>> This is my output:
>>
>> root@my:/home/msurdu# lsof /var/log/apache2/error.log
>> COMMAND     PID     USER   FD   TYPE DEVICE SIZE/OFF   NODE NAME
>> apache2    4254     root    2w   REG    8,1  1299856 527904 /var/log/apache2/error.log
>> apache2    4259 www-data    2w   REG    8,1  1299856 527904 /var/log/apache2/error.log
>> apache2    4260 www-data    2w   REG    8,1  1299856 527904 /var/log/apache2/error.log
>> apache2    4261 www-data    2w   REG    8,1  1299856 527904 /var/log/apache2/error.log
>> apache2    4262 www-data    2w   REG    8,1  1299856 527904 /var/log/apache2/error.log
>> apache2    4263 www-data    2w   REG    8,1  1299856 527904 /var/log/apache2/error.log
>> apache2    4395 www-data    2w   REG    8,1  1299856 527904 /var/log/apache2/error.log
>> apache2    7539 www-data    2w   REG    8,1  1299856 527904 /var/log/apache2/error.log
>> tail      20004     root   14r   REG    8,1  1299856 527904 /var/log/apache2/error.log
>> apache2   25483 www-data    2w   REG    8,1  1299856 527904 /var/log/apache2/error.log
>> ossec-log 28986     root   13r   REG    8,1  1299856 527904 /var/log/apache2/error.log
>>
>>
>>
>> This is the beginning of my server's ossec.conf:
>> 
>>   
>> yes
>> yes
>> DC2.*.***
>> msurdu@*.**
>> ossec@*.**
>> 
>>   
>>
>>  
>> 1
>> 6
>>  
>>  
>>
>> The results are the same :( More suggestions?
>>
>>
>> Tuesday, 9 February 2016, 04:53:05 UTC+2, Santiago Bassett wrote:
>>>
>>> Hi Maxim,
>>>
>>> please check that ossec-logcollector process is running and reading that 
>>> file. You can do 
>>>
>>> lsof /var/log/apache2/error.log
>>>
>>> If that is not the case there might be something wrong with the 
>>> configuration (maybe a typo).  
>>>
>>> If it is reading the logs, try enabling logall option on the OSSEC 
>>> manager, to see if those get actually there.
>>>
>>> I hope that helps,
>>>
>>> Santiago.
>>>
>>> On Mon, Feb 8, 2016 at 7:23 AM, Maxim Surdu <maxs...@gmail.com> wrote:
>>>
>>>> Dear community,
>>>> I am having a problem in OSSEC. I have configured the OSSEC client to 
>>>> monitor the Apache and Nginx error.log
>>>>
>>>> 
>>>> apache
>>>> /var/log/nginx/access.log
>>>>   
>>>>
>>>>   
>>>> apache
>>>> /var/log/nginx/error.log
>>>>   
>>>>
>>>>  
>>>> apache
>>>> /var/log/apache2/error.log
>>>>
>>>>
>>>> 
>>>> apache
>>>> /var/log/apache2/access.log
>>>>
>>>>
>>>> In /var/log/apache2/error.log the logs are shown, but they are not sent to
>>>> the server. Any help/solutions?
>>>>



Re: [ossec-list] OSSEC not sending error.log

2016-02-08 Thread Maxim Surdu
Hi Santiago,

This is my output:

root@my:/home/msurdu# lsof /var/log/apache2/error.log
COMMAND     PID     USER   FD   TYPE DEVICE SIZE/OFF   NODE NAME
apache2    4254     root    2w   REG    8,1  1299856 527904 /var/log/apache2/error.log
apache2    4259 www-data    2w   REG    8,1  1299856 527904 /var/log/apache2/error.log
apache2    4260 www-data    2w   REG    8,1  1299856 527904 /var/log/apache2/error.log
apache2    4261 www-data    2w   REG    8,1  1299856 527904 /var/log/apache2/error.log
apache2    4262 www-data    2w   REG    8,1  1299856 527904 /var/log/apache2/error.log
apache2    4263 www-data    2w   REG    8,1  1299856 527904 /var/log/apache2/error.log
apache2    4395 www-data    2w   REG    8,1  1299856 527904 /var/log/apache2/error.log
apache2    7539 www-data    2w   REG    8,1  1299856 527904 /var/log/apache2/error.log
tail      20004     root   14r   REG    8,1  1299856 527904 /var/log/apache2/error.log
apache2   25483 www-data    2w   REG    8,1  1299856 527904 /var/log/apache2/error.log
ossec-log 28986     root   13r   REG    8,1  1299856 527904 /var/log/apache2/error.log



This is the beginning of my server's ossec.conf:

  
yes
yes
DC2.*.***
msurdu@*.**
ossec@*.**

  

 
1
6
 
 

The results are the same :( More suggestions?


Tuesday, 9 February 2016, 04:53:05 UTC+2, Santiago Bassett wrote:
>
> Hi Maxim,
>
> please check that ossec-logcollector process is running and reading that 
> file. You can do 
>
> lsof /var/log/apache2/error.log
>
> If that is not the case there might be something wrong with the 
> configuration (maybe a typo).  
>
> If it is reading the logs, try enabling logall option on the OSSEC 
> manager, to see if those get actually there.
>
> I hope that helps,
>
> Santiago.
>
> On Mon, Feb 8, 2016 at 7:23 AM, Maxim Surdu <maxs...@gmail.com 
> > wrote:
>
>> Dear community,
>> I am having a problem in OSSEC. I have configured the OSSEC client to 
>> monitor the Apache and Nginx error.log
>>
>> 
>> apache
>> /var/log/nginx/access.log
>>   
>>
>>   
>> apache
>> /var/log/nginx/error.log
>>   
>>
>>  
>> apache
>> /var/log/apache2/error.log
>>
>>
>> 
>> apache
>> /var/log/apache2/access.log
>>
>>
>> In /var/log/apache2/error.log the logs are shown, but they are not sent to
>> the server. Any help/solutions?
>>



[ossec-list] OSSEC not sending error.log

2016-02-08 Thread Maxim Surdu
Dear community,
I am having a problem in OSSEC. I have configured the OSSEC client to 
monitor the Apache and Nginx error.log


apache
/var/log/nginx/access.log
  

  
apache
/var/log/nginx/error.log
  

 
apache
/var/log/apache2/error.log
   


apache
/var/log/apache2/access.log
   

In /var/log/apache2/error.log the logs are shown, but they are not sent to
the server. Any help/solutions?



[ossec-list] for what time ossec save logs?

2015-12-28 Thread Maxim Surdu
Hi everyone,

Can anyone tell me how long OSSEC keeps my logs? Do I need to configure it, or
how does it work? I need OSSEC to keep my logs for a minimum of 2 years.

Any help would be greatly appreciated
 
Thanks,
Maxim



Re: [ossec-list] Re: mail for a specific rule

2015-12-23 Thread Maxim Surdu
I receive mail for alerts of level 2 and higher, but I do not receive mail from
this rule. I simulated/tested it: the alert is working and is shown in Kibana and
the OSSEC WUI, but I do not receive mail :(

Wednesday, 23 December 2015, 17:10:37 UTC+2, Maxim Surdu wrote:
>
> Yes, I changed it, and all rules are loaded when OSSEC is started.
>
> Wednesday, 23 December 2015, 16:58:18 UTC+2, dan (ddpbsd) wrote:
>>
>> On Wed, Dec 23, 2015 at 9:49 AM, Maxim Surdu <maxs...@gmail.com> wrote: 
>> > This rule is located in /var/ossec/rules/policy_rules.xml 
>> > 
>>
>> Is policy_rules.xml loaded in your ossec.conf? Generally that entry is 
>> commented out in a default installation. 
>>
>> > 
>> > Wednesday, 23 December 2015, 16:39:18 UTC+2, Maxim Surdu wrote: 
>> >> 
>> >> Yes, I want mail for a specific rule, but I do not receive mail from this alert. 
>> >> 
>> >> Wednesday, 23 December 2015, 15:39:52 UTC+2, Maxim Surdu wrote: 
>> >>> 
>> >>> Hi everyone, 
>> >>> 
>> >>> I am new to OSSEC. I installed the OSSEC Virtual Appliance and all is
>> >>> working fine. Can I make OSSEC mail me for a specific rule?
>> >>> For example, for this rule:
>> >>> 
>> >>> 
>> >>>  
>> >>>
>> >>> authentication_success 
>> >>> 06:00 pm - 09:00 am 
>> >>> Successful login during non-business 
>> >>> hours. 
>> >>> login_time, 
>> >>>
>> >>> 
>> >>> 
>> >>> 
>> >>> Any help would be greatly appreciated 
>> >>> 
>> >>> Thanks, 
>> >>> Maxim 
>> > 



Re: [ossec-list] Re: mail for a specific rule

2015-12-23 Thread Maxim Surdu
OSSEC shows me the logs, and the rule is working for /var/log/maillog
and /var/log/secure,

but OSSEC sends me mail only for /var/log/maillog.


Wednesday, 23 December 2015, 17:26:51 UTC+2, Maxim Surdu wrote:
>
> Yes, the rule works.
>
>
> Alert 1450884351.34521849: mail  - policy_violation,login_time,
> 2015 Dec 23 15:25:51 localhost->/var/log/secure
> Rule: 17101 (level 9) -> 'Successful login during non-business hours.'
> Dec 23 17:25:50 localhost sshd[9212]: pam_unix(sshd:session): session 
> opened for user msurdu by (uid=0)
>
>
> Wednesday, 23 December 2015, 17:14:34 UTC+2, dan (ddpbsd) wrote:
>>
>> On Wed, Dec 23, 2015 at 10:10 AM, Maxim Surdu <maxs...@gmail.com> wrote: 
>> > Yes, I changed it, and all rules are loaded when OSSEC is started. 
>> > 
>>
>> Is the rule firing (can you see entries for it in the 
>> /var/ossec/logs/alerts/alerts.log)? 
>>
>> > Wednesday, 23 December 2015, 16:58:18 UTC+2, dan (ddpbsd) wrote: 
>> >> 
>> >> On Wed, Dec 23, 2015 at 9:49 AM, Maxim Surdu <maxs...@gmail.com> 
>> wrote: 
>> >> > This rule is located in /var/ossec/rules/policy_rules.xml 
>> >> > 
>> >> 
>> >> Is policy_rules.xml loaded in your ossec.conf? Generally that entry is 
>> >> commented out in a default installation. 
>> >> 
>> >> > 
>> >> > Wednesday, 23 December 2015, 16:39:18 UTC+2, Maxim Surdu wrote: 
>> >> >> 
>> >> >> Yes, I want mail for a specific rule, but I do not receive mail from this 
>> alert. 
>> >> >> 
>> >> >> Wednesday, 23 December 2015, 15:39:52 UTC+2, Maxim Surdu wrote: 
>> >> >>> 
>> >> >>> Hi everyone, 
>> >> >>> 
>> >> >>> I am new to OSSEC. I installed the OSSEC Virtual Appliance and all is
>> >> >>> working fine. Can I make OSSEC mail me for a specific rule?
>> >> >>> For example, for this rule:
>> >> >>> 
>> >> >>> 
>> >> >>>  
>> >> >>>
>> >> >>> authentication_success 
>> >> >>> 06:00 pm - 09:00 am 
>> >> >>> Successful login during non-business 
>> >> >>> hours. 
>> >> >>> login_time, 
>> >> >>>
>> >> >>> 
>> >> >>> 
>> >> >>> 
>> >> >>> Any help would be greatly appreciated 
>> >> >>> 
>> >> >>> Thanks, 
>> >> >>> Maxim 
>> >> > 

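The alerts.log entry quoted above carries "mail" right after the alert id; that token is ossec-analysisd's mark that the alert was handed to ossec-maild, and it is set when the rule's level reaches the <email_alert_level> configured in the <alerts> section of ossec.conf, or when the rule carries the alert_by_email option (no_email_alert suppresses it). The parser and consistency check below are an added example, not code from this thread or from OSSEC; the sample alerts.log is constructed (the first entry copies the one quoted here, the second is a made-up level-3 alert using OSSEC's default rule 5501 "Login session opened."), and the point of the check is to tell a rule/level problem apart from a delivery problem in maild or SMTP.

```python
import re
from dataclasses import dataclass
from typing import List, Set

# Constructed sample in alerts.log format. The first entry copies the alert quoted in this
# thread; the second is a made-up level-3 alert that analysisd did not flag for mail, so its
# header has no "mail" token.
SAMPLE_ALERTS_LOG = """\
** Alert 1450884351.34521849: mail  - policy_violation,login_time,
2015 Dec 23 15:25:51 localhost->/var/log/secure
Rule: 17101 (level 9) -> 'Successful login during non-business hours.'
Dec 23 17:25:50 localhost sshd[9212]: pam_unix(sshd:session): session opened for user msurdu by (uid=0)

** Alert 1450884400.34522000: - syslog,sshd,authentication_success,
2015 Dec 23 15:26:40 localhost->/var/log/secure
Rule: 5501 (level 3) -> 'Login session opened.'
Dec 23 17:26:39 localhost sshd[9300]: pam_unix(sshd:session): session opened for user msurdu by (uid=0)
"""

# Header: "** Alert <epoch>.<seq>: mail  - group1,group2,". The " mail" token is present only
# when analysisd decided the alert should be e-mailed; the leading "** " is optional because
# mail clients (as in the quoted message) tend to strip it.
HEADER_RE = re.compile(r"^(?:\*\* )?Alert (?P<ts>\d+)\.(?P<seq>\d+):(?P<mail> mail)?\s+- (?P<groups>.*)$")
LOCATION_RE = re.compile(r"^\d{4} \w{3} \d{1,2} \d{2}:\d{2}:\d{2} (?P<host>.+?)->(?P<location>.+)$")
RULE_RE = re.compile(r"^Rule: (?P<id>\d+) \(level (?P<level>\d+)\) -> '(?P<desc>.*)'$")


@dataclass
class Alert:
    rule_id: int
    level: int
    description: str
    groups: List[str]
    host: str
    location: str
    log: str
    mail_flag: bool   # True when the header carried "mail", i.e. analysisd queued it for maild


def parse_alerts_log(text: str) -> List[Alert]:
    """Split alerts.log into blank-line separated entries and parse each one."""
    alerts: List[Alert] = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = block.splitlines()
        if len(lines) < 4:
            continue
        h, loc, rule = HEADER_RE.match(lines[0]), LOCATION_RE.match(lines[1]), RULE_RE.match(lines[2])
        if not (h and loc and rule):
            continue  # malformed entry: skip rather than guess at its fields
        alerts.append(Alert(
            rule_id=int(rule["id"]), level=int(rule["level"]), description=rule["desc"],
            groups=[g for g in h["groups"].split(",") if g],
            host=loc["host"], location=loc["location"],
            log="\n".join(lines[3:]), mail_flag=h["mail"] is not None,
        ))
    return alerts


def should_email(level: int, email_alert_level: int, rule_options: Set[str] = frozenset()) -> bool:
    """Mirror analysisd's decision: mail when level >= <email_alert_level>, or when the rule
    has <options>alert_by_email</options>; <options>no_email_alert</options> wins over both."""
    if "no_email_alert" in rule_options:
        return False
    return "alert_by_email" in rule_options or level >= email_alert_level


def check_mail_flags(alerts: List[Alert], email_alert_level: int) -> List[str]:
    """Compare what analysisd flagged with what the configured level predicts.

    A flagged alert that never arrived points at ossec-maild / the SMTP server (or the
    email_maxperhour cap), not at the rule; an unflagged alert points at the rule or level.
    """
    findings = []
    for a in alerts:
        expected = should_email(a.level, email_alert_level)
        if a.mail_flag and not expected:
            findings.append(f"rule {a.rule_id}: flagged for mail although level {a.level} < "
                            f"{email_alert_level} (alert_by_email on the rule?)")
        elif expected and not a.mail_flag:
            findings.append(f"rule {a.rule_id}: level {a.level} should mail but was not flagged")
    return findings


if __name__ == "__main__":
    parsed = parse_alerts_log(SAMPLE_ALERTS_LOG)
    for a in parsed:
        print(f"rule {a.rule_id} level {a.level} from {a.location}: mail={a.mail_flag}")
    print("findings with email_alert_level=6:", check_mail_flags(parsed, 6) or "none")
```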


[ossec-list] mail for a specific rule

2015-12-23 Thread Maxim Surdu
Hi everyone,

I am new to OSSEC. I installed the OSSEC Virtual Appliance and all is working
fine. Can I make OSSEC mail me for a specific rule?
For example, for this rule:



  
authentication_success
06:00 pm - 09:00 am
Successful login during non-business hours.
login_time,
  



Any help would be greatly appreciated
 
Thanks,
Maxim



[ossec-list] Re: mail for a specific rule

2015-12-23 Thread Maxim Surdu
This rule is located in /var/ossec/rules/policy_rules.xml

Wednesday, 23 December 2015, 16:39:18 UTC+2, Maxim Surdu wrote:
>
> Yes, I want mail for a specific rule, but I do not receive mail from this alert.
>
> Wednesday, 23 December 2015, 15:39:52 UTC+2, Maxim Surdu wrote:
>>
>> Hi everyone,
>>
>> I am new to OSSEC. I installed the OSSEC Virtual Appliance and all is
>> working fine. Can I make OSSEC mail me for a specific rule?
>> For example, for this rule:
>>
>>
>> 
>>   
>> authentication_success
>> 06:00 pm - 09:00 am
>> Successful login during non-business hours.
>> login_time,
>>   
>>
>>
>>
>> Any help would be greatly appreciated
>>  
>> Thanks,
>> Maxim
>>
>



[ossec-list] Re: mail for a specific rule

2015-12-23 Thread Maxim Surdu
Yes, I want mail for a specific rule, but I do not receive mail from this alert.

Wednesday, 23 December 2015, 15:39:52 UTC+2, Maxim Surdu wrote:
>
> Hi everyone,
>
> I am new to OSSEC. I installed the OSSEC Virtual Appliance and all is working
> fine. Can I make OSSEC mail me for a specific rule?
> For example, for this rule:
>
>
> 
>   
> authentication_success
> 06:00 pm - 09:00 am
> Successful login during non-business hours.
> login_time,
>   
>
>
>
> Any help would be greatly appreciated
>  
> Thanks,
> Maxim
>



Re: [ossec-list] Re: mail for a specific rule

2015-12-23 Thread Maxim Surdu
Yes, I changed it, and all rules are loaded when OSSEC is started.

Wednesday, 23 December 2015, 16:58:18 UTC+2, dan (ddpbsd) wrote:
>
> On Wed, Dec 23, 2015 at 9:49 AM, Maxim Surdu <maxs...@gmail.com 
> > wrote: 
> > This rule is located in /var/ossec/rules/policy_rules.xml 
> > 
>
> Is policy_rules.xml loaded in your ossec.conf? Generally that entry is 
> commented out in a default installation. 
>
> > 
> > Wednesday, 23 December 2015, 16:39:18 UTC+2, Maxim Surdu wrote: 
> >> 
> >> Yes, I want mail for a specific rule, but I do not receive mail from this alert. 
> >> 
> >> Wednesday, 23 December 2015, 15:39:52 UTC+2, Maxim Surdu wrote: 
> >>> 
> >>> Hi everyone, 
> >>> 
> >>> I am new to OSSEC. I installed the OSSEC Virtual Appliance and all is
> >>> working fine. Can I make OSSEC mail me for a specific rule?
> >>> For example, for this rule:
> >>> 
> >>> 
> >>>  
> >>>
> >>> authentication_success 
> >>> 06:00 pm - 09:00 am 
> >>> Successful login during non-business 
> >>> hours. 
> >>> login_time, 
> >>>
> >>> 
> >>> 
> >>> 
> >>> Any help would be greatly appreciated 
> >>> 
> >>> Thanks, 
> >>> Maxim 
> > 



Re: [ossec-list] Re: mail for a specific rule

2015-12-23 Thread Maxim Surdu
Yes, the rule works.


Alert 1450884351.34521849: mail  - policy_violation,login_time,
2015 Dec 23 15:25:51 localhost->/var/log/secure
Rule: 17101 (level 9) -> 'Successful login during non-business hours.'
Dec 23 17:25:50 localhost sshd[9212]: pam_unix(sshd:session): session opened for user msurdu by (uid=0)


On Wednesday, 23 December 2015 at 17:14:34 UTC+2, dan (ddpbsd) wrote:
>
> On Wed, Dec 23, 2015 at 10:10 AM, Maxim Surdu <maxs...@gmail.com> wrote:
> > Yes, I changed it, and all rules are loaded when OSSEC is started.
> >
>
> Is the rule firing (can you see entries for it in the
> /var/ossec/logs/alerts/alerts.log)?
>
> > On Wednesday, 23 December 2015 at 16:58:18 UTC+2, dan (ddpbsd) wrote:
> >>
> >> On Wed, Dec 23, 2015 at 9:49 AM, Maxim Surdu <maxs...@gmail.com> wrote:
> >> > This rule is located in /var/ossec/rules/policy_rules.xml
> >> >
> >>
> >> Is policy_rules.xml loaded in your ossec.conf? Generally that entry is
> >> commented out in a default installation.
> >>
> >> >
> >> > On Wednesday, 23 December 2015 at 16:39:18 UTC+2, Maxim Surdu wrote:
> >> >>
> >> >> Yes, I want it for a specific mail, but I do not receive mail from this alert.
> >> >>
> >> >> On Wednesday, 23 December 2015 at 15:39:52 UTC+2, Maxim Surdu wrote:
> >> >>>
> >> >>> Hi everyone,
> >> >>>
> >> >>> I am new to OSSEC. I installed the Virtual Appliance of OSSEC, all is
> >> >>> working fine. Can I make OSSEC mail me for a specific rule?
> >> >>> For example for this rule:
> >> >>>
> >> >>> authentication_success
> >> >>> 06:00 pm - 09:00 am
> >> >>> Successful login during non-business hours.
> >> >>> login_time,
> >> >>>
> >> >>> Any help would be greatly appreciated
> >> >>>
> >> >>> Thanks,
> >> >>> Maxim
>



Re: [ossec-list] Re: mail for a specific rule

2015-12-23 Thread Maxim Surdu
Yes, sorry for my bad English.

On Wednesday, 23 December 2015 at 17:44:37 UTC+2, dan (ddpbsd) wrote:
>
> On Wed, Dec 23, 2015 at 10:43 AM, Maxim Surdu <maxs...@gmail.com> wrote:
> > OSSEC shows me logs and the rule is working for /var/log/maillog
> > and /var/log/secure
> >
> > but OSSEC sends me mail just from /var/log/maillog
> >
>
> I don't understand what you mean. The only emails you get are related
> to entries in /var/log/maillog?
>
> >
> > On Wednesday, 23 December 2015 at 17:26:51 UTC+2, Maxim Surdu wrote:
> >>
> >> Yes, the rule works.
> >>
> >>
> >> Alert 1450884351.34521849: mail  - policy_violation,login_time,
> >> 2015 Dec 23 15:25:51 localhost->/var/log/secure
> >> Rule: 17101 (level 9) -> 'Successful login during non-business hours.'
> >> Dec 23 17:25:50 localhost sshd[9212]: pam_unix(sshd:session): session opened for user msurdu by (uid=0)
> >>
> >>
> >> On Wednesday, 23 December 2015 at 17:14:34 UTC+2, dan (ddpbsd) wrote:
> >>>
> >>> On Wed, Dec 23, 2015 at 10:10 AM, Maxim Surdu <maxs...@gmail.com> wrote:
> >>> > Yes, I changed it, and all rules are loaded when OSSEC is started.
> >>> >
> >>>
> >>> Is the rule firing (can you see entries for it in the
> >>> /var/ossec/logs/alerts/alerts.log)?
> >>>
> >>> > On Wednesday, 23 December 2015 at 16:58:18 UTC+2, dan (ddpbsd) wrote:
> >>> >>
> >>> >> On Wed, Dec 23, 2015 at 9:49 AM, Maxim Surdu <maxs...@gmail.com> wrote:
> >>> >> > This rule is located in /var/ossec/rules/policy_rules.xml
> >>> >> >
> >>> >>
> >>> >> Is policy_rules.xml loaded in your ossec.conf? Generally that entry is
> >>> >> commented out in a default installation.
> >>> >>
> >>> >> >
> >>> >> > On Wednesday, 23 December 2015 at 16:39:18 UTC+2, Maxim Surdu wrote:
> >>> >> >>
> >>> >> >> Yes, I want it for a specific mail, but I do not receive mail from this alert.
> >>> >> >>
> >>> >> >> On Wednesday, 23 December 2015 at 15:39:52 UTC+2, Maxim Surdu wrote:
> >>> >> >>>
> >>> >> >>> Hi everyone,
> >>> >> >>>
> >>> >> >>> I am new to OSSEC. I installed the Virtual Appliance of OSSEC, all is
> >>> >> >>> working fine. Can I make OSSEC mail me for a specific rule?
> >>> >> >>> For example for this rule:
> >>> >> >>>
> >>> >> >>> authentication_success
> >>> >> >>> 06:00 pm - 09:00 am
> >>> >> >>> Successful login during non-business hours.
> >>> >> >>> login_time,
> >>> >> >>>
> >>> >> >>> Any help would be greatly appreciated
> >>> >> >>>
> >>> >> >>> Thanks,
> >>> >> >>> Maxim
>

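As an added example for this thread (it is not from the posts and not OSSEC's shipped ossec.conf), here is the shape of the ossec.conf pieces that dan's questions point at: the global mail settings, the rule include list with policy_rules.xml enabled, and the granular email block that mails one specific rule. Rule id 17101 and the policy_rules.xml file name come from the thread; the addresses, the SMTP relay and the shortened include list are placeholders.

```xml
<!-- /var/ossec/etc/ossec.conf (fragment) -->
<ossec_config>
  <!-- 1. Global mail settings. Nothing is mailed unless email_notification is
       yes, whatever the per-rule options say. Addresses and relay are placeholders. -->
  <global>
    <email_notification>yes</email_notification>
    <email_to>soc@example.org</email_to>
    <smtp_server>smtp.example.org</smtp_server>
    <email_from>ossec@example.org</email_from>
  </global>

  <!-- 2. Rule files. policy_rules.xml, where rule 17101 lives, is commented out in
       a default install; a rule that is not loaded can never fire or mail.
       The list is shortened here; a real ossec.conf includes many more files,
       with rules_config.xml always first and local_rules.xml last. -->
  <rules>
    <include>rules_config.xml</include>
    <include>pam_rules.xml</include>
    <include>sshd_rules.xml</include>
    <include>policy_rules.xml</include>
    <include>local_rules.xml</include>
  </rules>

  <!-- 3. Mail for one specific rule: every alert from rule 17101 goes to this
       recipient immediately, independent of the email_alert_level threshold
       (rule 17101 is level 9, so it would clear the default threshold of 7 anyway;
       the block is what lets you route a single rule to its own mailbox). -->
  <email_alerts>
    <email_to>oncall@example.org</email_to>
    <rule_id>17101</rule_id>
    <do_not_delay />
  </email_alerts>
</ossec_config>
```

After editing, restart the manager and confirm the rule file is loaded before looking at mail: if no entry for rule 17101 ever appears in /var/ossec/logs/alerts/alerts.log, the problem is in rule loading or decoding, not in mail delivery.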


[ossec-list] User who change files

2015-12-23 Thread Maxim Surdu
Hi everyone,

I am new to OSSEC. I configured ossec-server and the OSSEC agent, all is working
formidably!
I can see logs when a file is changed, but not who did it and what changed.
Can someone help me set OSSEC up to get more info?

Any help would be greatly appreciated
 
Thanks,
Maxim

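Added example for this question, not from the post and not OSSEC's default ossec.conf: a syscheck block that makes file-change alerts carry what changed. The directory list, scan interval and ignore entries are constructed values. Syscheck records that a file changed (and, with report_changes, the diff for text files) but not which account did it; that has to come from an OS audit source, so the fragment also tails the Linux audit log as a plain log source, which assumes auditd is running on the host.

```xml
<!-- /var/ossec/etc/ossec.conf (fragment) -->
<ossec_config>
  <syscheck>
    <!-- Full scan interval in seconds (constructed value). -->
    <frequency>7200</frequency>

    <!-- report_changes="yes" keeps a copy of each text file so the alert carries a
         diff of what changed; realtime="yes" uses inotify so the alert arrives when
         the change happens instead of at the next scan. Directory list is constructed. -->
    <directories check_all="yes" report_changes="yes" realtime="yes">/etc,/usr/bin,/usr/sbin</directories>

    <!-- Alert on files that appear, not only on files that change. -->
    <alert_new_files>yes</alert_new_files>

    <!-- Files that churn legitimately; listing them avoids noise (constructed). -->
    <ignore>/etc/mtab</ignore>
    <ignore>/etc/resolv.conf</ignore>
  </syscheck>

  <!-- Syscheck tells you that (and, above, what) changed, not who. The "who"
       comes from the kernel audit trail; here the Linux audit log is collected
       as a plain log source (assumption: auditd runs and watches the same paths).
       Correlate the syscheck alert and the audit record by path and timestamp. -->
  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/audit/audit.log</location>
  </localfile>
</ossec_config>
```

Keep the report_changes list to configuration and text files: OSSEC stores a copy of each such file under its own tree to compute the diff, so pointing it at large or binary trees costs disk and gives no readable diff.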


Re: [ossec-list] how to add user to web UI?

2015-12-22 Thread Maxim Surdu
What web interface do you recommend me to use, in which I can create users for
authentication to see logs, because Kibana does not have that :(

On Tuesday, 22 December 2015 at 15:04:55 UTC+2, dan (ddpbsd) wrote:
>
> On Tue, Dec 22, 2015 at 7:25 AM, Maxim Surdu <maxs...@gmail.com> wrote:
> > Hi everyone,
> >
> > I am new to OSSEC. I configured ossec-server and the OSSEC agent, all is
> > working formidably!
> > I changed the password for the user in ossec-wui. Can I add another user, and
> > can I make it an admin or a simple user? If I can, how can I do it?
> >
>
> I don't believe the users have any bearing on the application itself,
> they just do basic auth to the web server. You should be able to add a
> second user by following the same procedure you did when setting up
> the wui, http-password maybe?
>
> NOTE: I don't use the wui, especially since it's unmaintained.
>
> > Any help would be greatly appreciated
> >
> > Thanks,
> > Maxim
> >
>



[ossec-list] how to add user to web UI?

2015-12-22 Thread Maxim Surdu
Hi everyone,

I am new to OSSEC. I configured ossec-server and the OSSEC agent, all is working
formidably!
I changed the password for the user in ossec-wui. Can I add another user, and can I
make it an admin or a simple user? If I can, how can I do it?

Any help would be greatly appreciated
 
Thanks,
Maxim



Re: [ossec-list] Re: logs level 0 and level 1

2015-12-21 Thread Maxim Surdu
No.

On Monday, 21 December 2015 at 15:07:06 UTC+2, dan (ddpbsd) wrote:
>
> On Mon, Dec 21, 2015 at 8:03 AM, Maxim Surdu <maxs...@gmail.com> wrote:
> >> but in ossec-wui, the stats show me that I have alerts with level 0 and
> >> 1
> >
>
> Are level 0 and level 1 alerts showing up in the alerts.log file?
>



Re: [ossec-list] Re: logs level 0 and level 1

2015-12-21 Thread Maxim Surdu

>
> I checked ossec.conf and I have
>

1

but in ossec-wui or Kibana only alerts with a minimum level of 2 are shown, but I know
that I have alerts with level 0 and 1 and I need them to be shown in
ossec-wui or Kibana.



Re: [ossec-list] Re: logs level 0 and level 1

2015-12-21 Thread Maxim Surdu

> but in ossec-wui, the stats show me that I have alerts with level 0 and
> 1



[ossec-list] logs level 0 and level 1

2015-12-18 Thread Maxim Surdu
Hi everyone,

I am new to OSSEC. I configured ossec-server and the OSSEC agent, all is working
formidably!
But I want OSSEC or Kibana to show me all logs, including logs of level 0 and level
1. I changed my ossec.conf and I added the code yes;
in the OSSEC stats I see that I have logs with levels 0 and 1, but Kibana or OSSEC
does not show me these events.

Any help would be greatly appreciated
 
Thanks,
Maxim



[ossec-list] Re: logs level 0 and level 1

2015-12-18 Thread Maxim Surdu
My alerts with level 0 and 1 are not in alerts.log.

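Added example for this thread, not from the posts and not OSSEC's default configuration: the alerts block that decides what reaches alerts.log (and therefore anything fed from it, such as Kibana), next to a local rule showing what level 0 means in OSSEC. Rule id 100050 sits in the range OSSEC reserves for local rules and is an assumption; the `backup` account name is a constructed placeholder.

```xml
<!-- /var/ossec/etc/ossec.conf (fragment): what is written to alerts.log -->
<ossec_config>
  <alerts>
    <!-- Alerts below this level are not written to alerts.log, and what is not in
         alerts.log cannot be forwarded to Kibana. 1 is the lowest useful value:
         level 0 never appears there, see below. -->
    <log_alert_level>1</log_alert_level>
    <email_alert_level>7</email_alert_level>
  </alerts>
</ossec_config>

<!-- /var/ossec/rules/local_rules.xml (fragment): what level 0 means -->
<group name="local,">
  <!-- Level 0 is "ignore": OSSEC checks level-0 rules before all others and drops
       the matching event, so it never reaches alerts.log, mail or Kibana no matter
       how low log_alert_level is set. Reserve it for known, reviewed noise. -->
  <rule id="100050" level="0">
    <if_group>authentication_success</if_group>
    <user>backup</user>   <!-- placeholder service account -->
    <description>Ignore routine logins of the backup service account.</description>
  </rule>
</group>
```

So a count of level-0 rule hits in a statistics view is not a list of alerts that went missing; those events were discarded by design. Level-1 alerts do reach alerts.log once log_alert_level is 1, which is what to confirm first (with a rule known to fire at that level) before looking at the Logstash and Kibana side.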


[ossec-list] Re: Location of OSSEC-WUI

2015-12-14 Thread Maxim Surdu
I found it:

/opt/lampp/htdocs/ossec-wui

But where is Kibana located?



[ossec-list] Re: Location of OSSEC-WUI

2015-12-14 Thread Maxim Surdu
I found it:

/opt/lampp/htdocs/ossec-wui

/usr/share/kibana

Who can help me with this topic?
https://groups.google.com/forum/#!topic/ossec-list/-IbGTSrBwIQ

I already did it for ossec-wui,
but how do I do it for Kibana?





[ossec-list] Re: Location of OSSEC-WUI

2015-12-14 Thread Maxim Surdu
I found it:

/opt/lampp/htdocs/ossec-wui

/usr/share/kibana

Who can help me with this topic?
I already did it for ossec-wui,
but how do I do it for Kibana?



[ossec-list] level alerts in colors

2015-12-11 Thread Maxim Surdu
Hi everyone,

I am new to OSSEC. I configured ossec-server and the OSSEC agent, all is working
formidably!
But how can I configure OSSEC to show me the alert levels in colors?
For example, if the alert level is 15, show it in OSSEC WEBUI or Kibana in red;
if the alert level is, for example, 7, show me the alert/log with a yellow
background, or something like that.

Any help would be greatly appreciated
 
Thanks,
Maxim


[ossec-list] Re: alert for logging outside working hours

2015-12-09 Thread Maxim Surdu
My software and hardware clocks are synchronized,
but one of them shows AM and PM and the second uses 24 hours.


[root@ossec ~]# hwclock
Wed 09 Dec 2015 11:18:53 AM EET  -0.610627 seconds
[root@ossec ~]# date
Wed Dec  9 11:18:54 EET 2015


On Monday, 7 December 2015 at 12:09:40 UTC+2, Maxim Surdu wrote:
>
> Hi everyone,
>
> I am new to OSSEC. I configured ossec-server and the OSSEC agent, all is
> working formidably!
> But I need to create an alert to show me people who are logging in outside
> working hours on my system, server or agent.
> For example, my company's working hours are Monday-Friday from 09.00 until
> 18.00 and I need to know who from my employees is working after work hours!
>
> Any help would be greatly appreciated
>
> Thanks,
> Maxim
>



[ossec-list] Re: alert for logging outside working hours

2015-12-08 Thread Maxim Surdu
The alert is working fine!
In Kibana the log is coming with *2015 Dec 08 17:45:20*;
in the mail the alert is coming with *2015 Dec 08 07:45:20*,
not 17:45 or 05:45 but 07:45, and this can be problematic.


On Monday, 7 December 2015 at 12:09:40 UTC+2, Maxim Surdu wrote:
>
> Hi everyone,
>
> I am new to OSSEC. I configured ossec-server and the OSSEC agent, all is
> working formidably!
> But I need to create an alert to show me people who are logging in outside
> working hours on my system, server or agent.
> For example, my company's working hours are Monday-Friday from 09.00 until
> 18.00 and I need to know who from my employees is working after work hours!
>
> Any help would be greatly appreciated
>
> Thanks,
> Maxim
>



[ossec-list] Re: alert for logging outside working hours

2015-12-08 Thread Maxim Surdu
The correct time is shown in Kibana.

On Monday, 7 December 2015 at 12:09:40 UTC+2, Maxim Surdu wrote:
>
> Hi everyone,
>
> I am new to OSSEC. I configured ossec-server and the OSSEC agent, all is
> working formidably!
> But I need to create an alert to show me people who are logging in outside
> working hours on my system, server or agent.
> For example, my company's working hours are Monday-Friday from 09.00 until
> 18.00 and I need to know who from my employees is working after work hours!
>
> Any help would be greatly appreciated
>
> Thanks,
> Maxim
>



[ossec-list] alert for logging outside working hours

2015-12-07 Thread Maxim Surdu
Hi everyone,

I am new to OSSEC. I configured ossec-server and the OSSEC agent, all is working
formidably!
But I need to create an alert to show me people who are logging in outside
working hours on my system, server or agent.
For example, my company's working hours are Monday-Friday from 09.00 until
18.00 and I need to know who from my employees is working after work hours!

Any help would be greatly appreciated
 
Thanks,
Maxim

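Added example for this thread (not from the posts; rule ids 100100 and 100101 sit in the range OSSEC reserves for local rules and are an assumption) of local_rules.xml rules covering the stated schedule, Monday-Friday 09:00-18:00: one rule for the 18:00-09:00 window on any day and one for weekends. The time window uses the same format as rule 17101 quoted earlier in this list, and the group names come from that rule's alert.

```xml
<!-- /var/ossec/rules/local_rules.xml (fragment) -->
<group name="local,login_time,">
  <!-- Rule 1: a successful login between 18:00 and 09:00 on any day.
       alert_by_email mails the alert regardless of email_alert_level. -->
  <rule id="100100" level="9">
    <if_group>authentication_success</if_group>
    <time>06:00 pm - 09:00 am</time>
    <options>alert_by_email</options>
    <description>Successful login outside business hours (18:00-09:00).</description>
    <group>policy_violation,</group>
  </rule>

  <!-- Rule 2: a successful login at any hour on Saturday or Sunday. -->
  <rule id="100101" level="9">
    <if_group>authentication_success</if_group>
    <weekday>weekends</weekday>
    <options>alert_by_email</options>
    <description>Successful login on a weekend.</description>
    <group>policy_violation,</group>
  </rule>
</group>
```

One caveat that matters for the timestamp mismatch discussed in this thread: OSSEC evaluates `<time>` and `<weekday>` against the manager's own clock at the moment the event is analysed, not against the timestamp inside the log line. If the manager runs in a different timezone than the agents (the alert quoted earlier shows a two-hour gap between the OSSEC header and the sshd line), "after hours" is decided in the manager's zone, so align the manager's timezone with the business hours you intend to enforce.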