Re: [ossec-list] OSSEC and Nagios integration

2015-04-30 Thread Michiel van Es
Yes, I did get this set up although not via NRPE:

- Log OSSEC alerts for a certain level to Elasticsearch/Logstash and Kibana
- Nagios runs a query on Kibana for this alert level and displays the alerts in 
a Nagios dashboard (the alert stays there for 24 hours and is then automatically 
removed).

This setup is far from ideal as it is a passive check and stays there for only 
24 hours.

I also don't know the fine technical details of how to set this up (since someone 
else set it up with Nagios).
But this is the general idea of how it works at our company.

Cheers,

Michiel
> On 28 Apr 2015, at 21:06, ri...@amcoonline.net wrote:
> 
> @Michiel did you ever get this set up?  If so do you have any tips you can 
> share?
> 
> On Tuesday, February 18, 2014 at 2:30:34 AM UTC-8, Michiel van Es wrote:
> I found something interesting at 
> http://blog.kintoandar.com/2011/01/nagios-nrpe-ossec-check.html which uses 
> NRPE to swatch/grep the alerts.log logfile for specific alert levels and 
> display those in Nagios.
> 
> On Thursday, 6 February 2014 10:28:58 UTC+1, Chris H wrote:
> could you do something with the syslog output?  send the alerts you're 
> interested in to syslog on the nagios host and tail the logs from that?  
> Might allow you to be a bit more selective, too.
> 
> On Wednesday, February 5, 2014 1:53:38 PM UTC, Michiel van Es wrote:
> To be more precise: this is the most valuable link I found: 
> http://blog.kintoandar.com/2011/01/nagios-nrpe-ossec-check.html
> I am still interested in other people's implementations.
> 
> On Wednesday, 5 February 2014 14:45:26 UTC+1, Michiel van Es wrote:
> Yes, first 3 hits about mail scripts (nagios exchange) and 'swatch alike 
> scripts' but not a lot of specific setup information.
> That is why I ask it here what people use nowadays and what their setup looks 
> like.
> 
> Michiel
> 
> On Wednesday, 5 February 2014 14:32:47 UTC+1, Darin Perusich wrote:
> Have you asked Google? 
> -- 
> Later, 
> Darin 
> 
> 
> On Wed, Feb 5, 2014 at 6:47 AM, Michiel van Es wrote: 
> > Hello, 
> > 
> > I was wondering if someone already used OSSEC and Nagios to generate 
> > alerts? 
> > I have the following idea in my head: an alert of level 11+ will be seen by a 
> > monitor/swatch script tailing the /var/ossec/logs/alerts/alerts.log logfile, 
> > which generates an alert/trigger and sends it to Nagios. 
> > Nagios generates an alert and shows it on a dashboard. 
> > The engineer fixes the issue or filters the alert (in case of a false positive) 
> > and OK/ACKs the alert in Nagios. 
> > 
> > Or does someone else have a better idea how to integrate these 2 together? 
> > 
> > All tips are more than welcome! 
> > 
> > Michiel 
> > 

-- 

--- 
You received this message because you are subscribed to the Google Groups 
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to ossec-list+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.


[ossec-list] CIS checks via OSSEC

2014-07-23 Thread Michiel van Es
Hello,

We see that OSSEC does some CIS checks for Red Hat 5 and older.
Is it possible to update the CIS checks in OSSEC to do CIS checks for RHEL 
6 etc.? 
(http://benchmarks.cisecurity.org/downloads/show-single/?file=rhel6.120)
This helps with PCI-DSS v3 compliance (2.2).

Or is it easy to add these checks yourself, or are they planned to 
be included in a new release?

Michiel



[ossec-list] Re: Trend Micro end Commercial Support?

2014-03-14 Thread Michiel van Es


On Thursday, 6 March 2014 04:06:03 UTC+1, mad...@gmail.com wrote:
>
> Hi guys,
>  
> My company has recently made a commitment to using OSSEC as our HIDS 
> solution, under the assumption that Trend Micro still provide their limited 
> commercial support contracts - I even emailed 
> *os...@trendmicro.com* and they replied with quotes and 
> everything.
>  
> 2 weeks later, they've mentioned that Trend Micro has canned this support 
> since the start of the year?
>  
> Is there anyone using this current support that has alternative solutions 
> lined up to cover support for this? Are there any other vendors who provide 
> support?
>  
> I'm sure we aren't the only company which this will affect whether we use 
> OSSEC or not for a HIDS solution...
>  
> Cheers,
>  
> Dean
>

This would be very bad for people who have commercial support and are not 
getting this any more.
I hope it is not true.
We use OSSEC a lot and are happy with the Google list responses, but we also 
chose OSSEC because of its commercial support option.

Michiel 



[ossec-list] Kerberos KDC krb5kdc.log and OSSEC

2014-03-01 Thread Michiel van Es
Hi,

Has anyone added the Kerberos 5 krb5kdc.log logfile to OSSEC and, if so, is 
willing to share their decoder and local_rules.xml config? (I am not trying 
to reinvent the wheel here, and Google has nothing on it except Vic 
Hargrave's blog, but I cannot post on it because of technical issues at 
this blog).

Regards,

Michiel



[ossec-list] Localfile only frequency option?

2014-02-26 Thread Michiel van Es
Hello

We want to schedule our netstat checks via localfile at certain times.
We see that only the frequency option is available and not something like 
start_time.
How can we schedule the netstat command to run at 04:00 am via the agent.conf 
on the agents?

Michiel



Re: [ossec-list] question about email alerting

2014-02-19 Thread Michiel van Es


On Wednesday, 19 February 2014 13:50:47 UTC+1, dan (ddpbsd) wrote:
>
> On Wed, Feb 19, 2014 at 7:21 AM, Michiel van Es wrote: 
> > Hello, 
> > 
> > I am looking at the email alerting option. 
> > I've looked at the thread at 
> > https://groups.google.com/forum/#!topic/ossec-list/Q55ZGg6tfj0 but I am 
> > not sure how to fix the following: 
> > 
> > - send all alerts from level =>15 
> > - send to us...@domain.com  
> > 
> > All other alerts should not be mailed. 
> > As I understand the above thread you need to have 2 email addresses? 
> > - 1 global email address that receives all OSSEC alerts 
> > - 1 specific configuration for another email address that receives alerts 
> > => 15 
> > 
> > Is that correct? 
> > 
> > 
>
> No, that is not correct. 
>
> > Would my config be: 
> > 
> >
> > yes 
> > us...@domain.com  
> > localhost 
> > os...@domain.com  
> >
> > 
> >
> > 1 
> >
> > 
> >
> >   us...@domain.com  
> >   15 
> >
> > 
> > Thanks for the help. 
> > 
>
> You could do it that way if you want. You could also set 
> email_alert_level to 15 and keep just the  email address. 
>
> http://ossec.net/doc/syntax/head_ossec_config.alerts.html#element-email_alert_level
>  
>

Makes sense.
Thanks!
 

>
> > Michiel 
> > 
>



[ossec-list] question about email alerting

2014-02-19 Thread Michiel van Es
Hello,

I am looking at the email alerting option.
I've looked at the thread 
at https://groups.google.com/forum/#!topic/ossec-list/Q55ZGg6tfj0 but I am 
not sure how to fix the following:

- send all alerts from level =>15 
- send to u...@domain.com

All other alerts should not be mailed.
As I understand the above thread you need to have 2 email addresses?
- 1 global email address that receives all OSSEC alerts
- 1 specific configuration for another email address that receives alerts => 
15 

Is that correct?

Would my config be:

  
yes
us...@domain.com
localhost
os...@domain.com 
  
  
  
1

  
  
  us...@domain.com
  15
  

Thanks for the help.

Michiel



Re: [ossec-list] OSSEC and Nagios integration

2014-02-18 Thread Michiel van Es
I found something interesting 
at http://blog.kintoandar.com/2011/01/nagios-nrpe-ossec-check.html which 
uses NRPE to swatch/grep the alerts.log logfile for specific alert levels 
and display those in Nagios.

On Thursday, 6 February 2014 10:28:58 UTC+1, Chris H wrote:
>
> could you do something with the syslog output?  send the alerts you're 
> interested in to syslog on the nagios host and tail the logs from that?  
> Might allow you to be a bit more selective, too.
>
> On Wednesday, February 5, 2014 1:53:38 PM UTC, Michiel van Es wrote:
>>
>> To be more precise: this is the most valuable link I found: 
>> http://blog.kintoandar.com/2011/01/nagios-nrpe-ossec-check.html
>> I am still interested in other people's implementations.
>>
>> On Wednesday, 5 February 2014 14:45:26 UTC+1, Michiel van Es wrote:
>>>
>>> Yes, first 3 hits about mail scripts (nagios exchange) and 'swatch alike 
>>> scripts' but not a lot of specific setup information.
>>> That is why I ask it here what people use nowadays and what their setup 
>>> looks like.
>>>
>>> Michiel
>>>
>>> On Wednesday, 5 February 2014 14:32:47 UTC+1, Darin Perusich wrote:
>>>>
>>>> Have you asked Google? 
>>>> -- 
>>>> Later, 
>>>> Darin 
>>>>
>>>>
>>>> On Wed, Feb 5, 2014 at 6:47 AM, Michiel van Es  
>>>> wrote: 
>>>> > Hello, 
>>>> > 
>>>> > I was wondering if someone already used OSSEC and Nagios to generate 
>>>> > alerts? 
>>>> > I have the following idea in my head: an alert of level 11+ will be seen 
>>>> > by a monitor/swatch script tailing the /var/ossec/logs/alerts/alerts.log 
>>>> > logfile, which generates an alert/trigger and sends it to Nagios. 
>>>> > Nagios generates an alert and shows it on a dashboard. 
>>>> > The engineer fixes the issue or filters the alert (in case of a false 
>>>> > positive) and OK/ACKs the alert in Nagios. 
>>>> > 
>>>> > Or does someone else have a better idea how to integrate these 2 together? 
>>>> > 
>>>> > All tips are more than welcome! 
>>>> > 
>>>> > Michiel 
>>>> > 
>>>>
>>>



Re: [ossec-list] OSSEC and Nagios integration

2014-02-05 Thread Michiel van Es
To be more precise: this is the most valuable link I 
found: http://blog.kintoandar.com/2011/01/nagios-nrpe-ossec-check.html
I am still interested in other people's implementations.

On Wednesday, 5 February 2014 14:45:26 UTC+1, Michiel van Es wrote:
>
> Yes, first 3 hits about mail scripts (nagios exchange) and 'swatch alike 
> scripts' but not a lot of specific setup information.
> That is why I ask it here what people use nowadays and what their setup 
> looks like.
>
> Michiel
>
> On Wednesday, 5 February 2014 14:32:47 UTC+1, Darin Perusich wrote:
>>
>> Have you asked Google? 
>> -- 
>> Later, 
>> Darin 
>>
>>
>> On Wed, Feb 5, 2014 at 6:47 AM, Michiel van Es  
>> wrote: 
>> > Hello, 
>> > 
>> > I was wondering if someone already used OSSEC and Nagios to generate 
>> > alerts? 
>> > I have the following idea in my head: an alert of level 11+ will be seen 
>> > by a monitor/swatch script tailing the /var/ossec/logs/alerts/alerts.log 
>> > logfile, which generates an alert/trigger and sends it to Nagios. 
>> > Nagios generates an alert and shows it on a dashboard. 
>> > The engineer fixes the issue or filters the alert (in case of a false 
>> > positive) and OK/ACKs the alert in Nagios. 
>> > 
>> > Or does someone else have a better idea how to integrate these 2 together? 
>> > 
>> > All tips are more than welcome! 
>> > 
>> > Michiel 
>> > 
>>
>



Re: [ossec-list] OSSEC and Nagios integration

2014-02-05 Thread Michiel van Es
Yes, first 3 hits about mail scripts (nagios exchange) and 'swatch alike 
scripts' but not a lot of specific setup information.
That is why I ask it here what people use nowadays and what their setup 
looks like.

Michiel

On Wednesday, 5 February 2014 14:32:47 UTC+1, Darin Perusich wrote:
>
> Have you asked Google? 
> -- 
> Later, 
> Darin 
>
>
> On Wed, Feb 5, 2014 at 6:47 AM, Michiel van Es wrote: 
> > Hello, 
> > 
> > I was wondering if someone already used OSSEC and Nagios to generate 
> > alerts? 
> > I have the following idea in my head: an alert of level 11+ will be seen by 
> > a monitor/swatch script tailing the /var/ossec/logs/alerts/alerts.log 
> > logfile, which generates an alert/trigger and sends it to Nagios. 
> > Nagios generates an alert and shows it on a dashboard. 
> > The engineer fixes the issue or filters the alert (in case of a false 
> > positive) and OK/ACKs the alert in Nagios. 
> > 
> > Or does someone else have a better idea how to integrate these 2 together? 
> > 
> > All tips are more than welcome! 
> > 
> > Michiel 
> > 
>



[ossec-list] OSSEC and Nagios integration

2014-02-05 Thread Michiel van Es
Hello,

I was wondering if someone already used OSSEC and Nagios to generate 
alerts?
I have the following idea in my head: an alert of level 11+ will be seen by a 
monitor/swatch script tailing the /var/ossec/logs/alerts/alerts.log logfile, 
which generates an alert/trigger and sends it to Nagios.
Nagios generates an alert and shows it on a dashboard.
The engineer fixes the issue or filters the alert (in case of a false positive) 
and OK/ACKs the alert in Nagios.

Or does someone else have a better idea how to integrate these 2 together?

All tips are more than welcome!

Michiel
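What the tailing script sketched in this post could look like, as an added example (it is not code from the thread or from the blog post linked in the replies): it reads whole alert blocks from alerts.log, keeps those at level 11 or higher and writes them to Nagios as passive service check results. The alerts.log line shapes, the external command file path and the passive service name "OSSEC" are assumptions; the sample alerts are constructed.

```python
"""Feed OSSEC alerts of level >= MIN_LEVEL to Nagios as passive service check results."""
import re
import time
from dataclasses import dataclass
from typing import Iterator, List, Optional

MIN_LEVEL = 11                              # threshold from the thread: level 11+ goes to Nagios
SERVICE = "OSSEC"                           # assumed: a passive service of this name exists per host
ALERTS_LOG = "/var/ossec/logs/alerts/alerts.log"
NAGIOS_CMD = "/var/nagios/rw/nagios.cmd"    # assumed location of the Nagios external command FIFO

# The three fixed lines opening every alerts.log block: "** Alert <ts>.<seq>: <flags> - <groups>",
# "<date> (<agent>) <ip>-><location>" (or "<date> <host>-><location>" for the manager itself),
# "Rule: <id> (level <n>) -> '<description>'"; everything after them is the alert payload.
HEADER_RE = re.compile(r"^\*\* Alert (?P<ts>\d+)\.(?P<seq>\d+): (?P<flags>.*?)- (?P<groups>.*)$")
ORIGIN_RE = re.compile(
    r"^(?P<date>\d{4} \w{3} \d{2} \d{2}:\d{2}:\d{2}) "
    r"(?:\((?P<agent>[^)]+)\) (?P<ip>\S+?)|(?P<host>\S+?))->(?P<location>.*)$"
)
RULE_RE = re.compile(r"^Rule: (?P<id>\d+) \(level (?P<level>\d+)\) -> '(?P<desc>.*)'$")

@dataclass
class Alert:
    timestamp: int
    agent: str          # agent name, or the manager's hostname for local alerts
    location: str
    rule_id: int
    level: int
    description: str
    body: List[str]     # the full multi-line payload (diff output, log lines, ...)

def parse_alerts(text: str) -> Iterator[Alert]:
    """Yield one Alert per '** Alert' block; blocks are separated by blank lines."""
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = block.splitlines()
        if len(lines) < 3:
            continue
        h, o, r = HEADER_RE.match(lines[0]), ORIGIN_RE.match(lines[1]), RULE_RE.match(lines[2])
        if not (h and o and r):
            continue   # unknown block shape: skip it rather than crash the feeder
        yield Alert(int(h["ts"]), o["agent"] or o["host"], o["location"],
                    int(r["id"]), int(r["level"]), r["desc"], lines[3:])

def to_nagios_command(alert: Alert, now: Optional[int] = None) -> Optional[str]:
    """Render a PROCESS_SERVICE_CHECK_RESULT line, or None when the alert is below the threshold."""
    if alert.level < MIN_LEVEL:
        return None
    stamp = int(time.time()) if now is None else now
    output = f"OSSEC level {alert.level} rule {alert.rule_id}: {alert.description} [{alert.location}]"
    # ';' separates the command's fields and a newline ends it, so neither may reach the output.
    output = output.replace(";", ",").replace("\n", " ")
    return f"[{stamp}] PROCESS_SERVICE_CHECK_RESULT;{alert.agent};{SERVICE};2;{output}"

def process_text(text: str, now: Optional[int] = None) -> List[str]:
    """All Nagios command lines for the alerts found in text."""
    cmds = [to_nagios_command(a, now) for a in parse_alerts(text)]
    return [c for c in cmds if c]

def follow_blocks(path: str, poll: float = 1.0) -> Iterator[str]:
    """Yield complete alert blocks as they are appended to alerts.log (like tail -f)."""
    with open(path, "r", encoding="utf-8", errors="replace") as fh:
        fh.seek(0, 2)                      # start at the end: only new alerts matter
        buf: List[str] = []
        while True:
            line = fh.readline()
            if not line:
                time.sleep(poll)
            elif line.strip():
                buf.append(line.rstrip("\n"))
            elif buf:                      # a blank line closes the current block
                yield "\n".join(buf)
                buf = []

# Constructed sample input (not real alerts); rule 100001 sits in OSSEC's local-rule id range.
SAMPLE_ALERTS = """\
** Alert 1391608053.12345: mail  - syslog,sshd,authentication_failed,
2014 Feb 05 14:47:33 (web-01) 10.0.0.5->/var/log/secure
Rule: 5716 (level 5) -> 'SSHD authentication failed.'
Feb  5 14:47:32 web-01 sshd[1234]: Failed password for root from 192.0.2.10 port 4242 ssh2

** Alert 1391608120.12400: mail  - local,syslog,
2014 Feb 05 14:48:40 (web-01) 10.0.0.5->/var/log/secure
Rule: 100001 (level 12) -> 'Root login from a host not in the allow-list'
Feb  5 14:48:39 web-01 sshd[1300]: Accepted password for root from 192.0.2.10 port 4300 ssh2

** Alert 1391608200.12500: - ossec,syscheck,
2014 Feb 05 14:50:00 ossec-server->syscheck
Rule: 550 (level 7) -> 'Integrity checksum changed.'
Integrity checksum changed for: '/etc/passwd'
"""

if __name__ == "__main__":
    for block in follow_blocks(ALERTS_LOG):
        for cmd in process_text(block):
            with open(NAGIOS_CMD, "a") as fifo:   # open, write one command, close
                fifo.write(cmd + "\n")
```

Because the whole block is read, the diff payload of a full_command alert stays attached to the alert, unlike a single syslog line.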



[ossec-list] OSSEC and syslog messages

2014-01-27 Thread Michiel van Es
Hi,

Is anyone using OSSEC => syslog => Logstash => Kibana for their setup?
We found out that the netstat -tan diff run by syscheck gives only the 
first line of the diff:

<132>Jan 27 11:37:43 local-machine-001 ossec: Alert Level: 7; Rule: 533 - Listened ports status (netstat) changed (new port opened or closed).; Location: local-machine-001->netstat -tan |grep LISTEN |grep -v 127.0.0.1 | sort; ossec: output: 'netstat -tan |grep LISTEN |grep -v 127.0.0.1 | sort'

and it does not show the diff output (the 2 netstat -tan outputs).

Does anyone else have this issue and, if so, how did you fix it with 
(r)syslog?
OSSEC 2.7.1 on Red Hat 6 64 bit (Atomic repo); OSSEC and Logstash/Kibana 
run on 2 separate machines.

Michiel





Re: [ossec-list] remove ossec registrations in client.keys via script

2013-12-13 Thread Michiel van Es


On Friday, 13 December 2013 14:33:20 UTC+1, dan (ddpbsd) wrote:
>
> On Fri, Dec 13, 2013 at 8:12 AM, Michiel van Es wrote: 
> > Hi, 
> > 
> > Is it possible to remove entries in client.keys via an automated 
> > script/way (for example a call from racktables)? 
> > We reinstall machines from time to time (can be batches of 30+ machines); 
> > if so, it would be nice if we can remove the entry from the client.keys 
> > file and recreate the entry when the machine is reinstalled and ossec 
> > reconnects and creates a new entry. 
> > 
> > I do see some command line options for manage_agents but not removal 
> > options. 
> > 
> > Any advice would be more than welcome. 
> > 
> > 
>
> You should be able to script it, but you might need to restart the 
> OSSEC processes after. 
>

You mean removing with grep/sed the client.keys file and then restart 
ossec? (are db entries/queues also cleaned up after the restart?)
If we recreate the same machine is it possible that the new machine gets 
the old ossec data as a result?

Michiel 

>
> > Michiel 
> > 
>



[ossec-list] remove ossec registrations in client.keys via script

2013-12-13 Thread Michiel van Es
Hi,

Is it possible to remove entries in client.keys via an automated script/way 
(for example a call from racktables)?
We reinstall machines from time to time (can be batches of 30+ machines); if 
so, it would be nice if we can remove the entry from the client.keys 
file and recreate the entry when the machine is reinstalled and ossec 
reconnects and creates a new entry.

I do see some command line options for manage_agents but not removal 
options.

Any advice would be more than welcome.

Michiel
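One way to script the removal asked about here, as an added example (it is not OSSEC's manage_agents and not code from the thread): it drops the agents given by name or IP from client.keys, rewrites the file atomically with a backup beside it, and lists per-agent counter files that may also be left behind. The "ID NAME IP KEY" line layout, the rids directory and the other paths are assumptions; the sample entries and keys are constructed.

```python
"""Remove agents from OSSEC's client.keys by name or IP before a batch reinstall."""
import os
import shutil
import sys
import tempfile
from typing import Iterable, List, Set, Tuple

CLIENT_KEYS = "/var/ossec/etc/client.keys"   # assumed default path on the manager
RIDS_DIR = "/var/ossec/queue/rids"           # assumed: per-agent message counters, named by agent ID
Entry = Tuple[str, str, str, str]            # (id, name, ip, key)

def parse_client_keys(text: str) -> List[Entry]:
    """Return (id, name, ip, key) per agent line; blank and '#' lines are ignored."""
    entries: List[Entry] = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        parts = line.split()
        if len(parts) != 4:
            raise ValueError(f"malformed client.keys line: {line!r}")
        entries.append((parts[0], parts[1], parts[2], parts[3]))
    return entries

def select_for_removal(text: str, targets: Iterable[str]) -> Set[str]:
    """IDs of agents whose name or IP appears in targets (e.g. the hosts being reinstalled)."""
    wanted = set(targets)
    return {aid for aid, name, ip, _ in parse_client_keys(text) if name in wanted or ip in wanted}

def drop_entries(text: str, ids: Set[str]) -> str:
    """client.keys text without the given agent IDs; every other line is kept verbatim."""
    kept = [line for line in text.splitlines()
            if not (len(line.split()) == 4 and line.split()[0] in ids)]
    return "\n".join(kept) + ("\n" if kept else "")

def stale_counter_files(ids: Set[str], rids_dir: str = RIDS_DIR) -> List[str]:
    """Counter files left behind for removed IDs (to clear before an ID is handed out again)."""
    paths = [os.path.join(rids_dir, aid) for aid in sorted(ids)]
    return [p for p in paths if os.path.exists(p)]

def remove_agents(targets: Iterable[str], path: str = CLIENT_KEYS) -> Set[str]:
    """Rewrite the file atomically, keeping a .bak copy beside it; returns the removed IDs."""
    with open(path, "r", encoding="utf-8") as fh:
        original = fh.read()
    ids = select_for_removal(original, targets)
    if not ids:
        return ids
    shutil.copy2(path, path + ".bak")
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(path), prefix=".client.keys.")
    with os.fdopen(fd, "w", encoding="utf-8") as fh:
        fh.write(drop_entries(original, ids))
    shutil.copymode(path, tmp)    # keep the original's restrictive mode: the keys are secrets
    os.replace(tmp, path)         # atomic swap, so ossec-remoted never reads a half-written file
    return ids

# Constructed sample (the keys are made up, not real agent keys).
SAMPLE_CLIENT_KEYS = """\
001 web-01 10.0.0.5 4f3c0c4b9e0d3f0a1b2c3d4e5f60718293a4b5c6d7e8f9a0b1c2d3e4f5a6b7c8
002 web-02 10.0.0.6 8a9b0c1d2e3f40516273849506a7b8c9d0e1f2a3b4c5d6e7f8a9b0c1d2e3f4a5
003 db-01 10.0.1.10 00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff
"""

if __name__ == "__main__":
    # e.g. python remove_agents.py web-02 10.0.1.10 ; then restart the manager, as the reply says
    removed = remove_agents(sys.argv[1:])
    print("removed IDs:", sorted(removed))
    print("stale counter files:", stale_counter_files(removed))
```

Run it on the manager and restart OSSEC afterwards, as the reply says; a reinstalled host then has to be registered again so it gets a fresh key.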



Re: [ossec-list] Question about OSSEC 2.7 and agents configurations

2013-12-04 Thread Michiel van Es
2013/12/3 dan (ddp) 

> On Tue, Dec 3, 2013 at 10:37 AM, Michiel van Es 
> wrote:
> >
> >
> > On Wednesday, 20 November 2013 19:24:01 UTC+1, dan (ddpbsd) wrote:
> >>
> >> On Wed, Nov 20, 2013 at 9:30 AM, Michiel van Es 
> >> wrote:
> >> > Hello,
> >> >
> >> > I have some basic questions about the OSSEC server <-> agent model:
> >> >
> >> > - is it correct that the agents' ossec.conf can be as small as:
> >> > 
> >> >   
> >> > OSSEC-SERVERNAME
> >> >   
> >> > 
> >> >
> >> > - I push all checks on the server via /var/ossec/etc/shared/agent.conf
> >> > (the
> >> > file being synched) ?
> >> >
> >>
> >> Most things work just fine in the agent.conf.
> >>
> >> > - If I want to run the netstat command on all nodes via the
> >> > shared/agent.conf on the server that I have to do the following:
> >> >
> >> > 1) change the agent.conf to include:
> >> > 
> >> > full_command
> >> > netstat -tan |grep LISTEN |grep -v 127.0.0.1 |
> >> > sort
> >> >   
> >> > 2) change the /var/ossec/etc/internal_options.conf on all agents that
> >> > include:
> >> > logcollector.remote_commands=1
> >> > 3) restart the server and then all agents ossec ?
> >> >
> >>
> >> Seems correct.
> >>
> >>
> >> > Option 2) seems to cause an extra security risk (like Nagios NRPE): if
> >> > the
> >> > ossec server is compromised all servers can be reached or can be used
> to
> >> > execute command remotely via the ossec server, is that correct?
> >> >
> >>
> >> Correct, and I believe this is why remote commands are disabled by
> >> default.
> >
> >
> > Do you know if there is another way of accomplishing the netstat -tan
> diff
> > on all agents without the need to enable the remote commands on all
> agents?
> > Specify it in the ossec.conf on all agents?
> >
>
> Yes, that configuration belongs in the ossec.conf of the agent.
>
> > I only have:
> >
> >  
> >
> >  OSSEC-SERVERNAME
> >
> >  
> >
> > What should I need to add the netstat command?
> > Only add the following to the ossec.conf for the agents :
> >
> > 
> > full_command
> > netstat -tan |grep LISTEN|grep -v 127.0.0.1
> > 
> >
> > and can I specify how often this needs to run on the agents? (I want to
> > randomise the time it should run).
> >
>
> Yes, frequency.
>

Ok, would this be sufficient to make it work on the agents?


  
OSSEC-SERVER
  

  

   7200
   full_command
   netstat -tan |grep LISTEN|grep -v 127.0.0.1
  


Or does the  stanza need to be used with a  or
 block?


>
> > Michiel
> >
> >>
> >>
> >> > Thanks for clearing things up :)
> >> >
> >> > Michiel
> >> >
>



Re: [ossec-list] Question about OSSEC 2.7 and agents configurations

2013-12-03 Thread Michiel van Es


On Wednesday, 20 November 2013 19:24:01 UTC+1, dan (ddpbsd) wrote:
>
> On Wed, Nov 20, 2013 at 9:30 AM, Michiel van Es wrote: 
> > Hello, 
> > 
> > I have some basic questions about the OSSEC server <-> agent model: 
> > 
> > - is it correct that the agents' ossec.conf can be as small as: 
> >  
> >
> > OSSEC-SERVERNAME 
> >
> >  
> > 
> > - I push all checks on the server via /var/ossec/etc/shared/agent.conf 
> (the 
> > file being synched) ? 
> > 
>
> Most things work just fine in the agent.conf. 
>
> > - If I want to run the netstat command on all nodes via the 
> > shared/agent.conf on the server that I have to do the following: 
> > 
> > 1) change the agent.conf to include: 
> >  
> > full_command 
> > netstat -tan |grep LISTEN |grep -v 127.0.0.1 | 
> sort 
> >
> > 2) change the /var/ossec/etc/internal_options.conf on all agents that 
> > include: 
> > logcollector.remote_commands=1 
> > 3) restart the server and then all agents ossec ? 
> > 
>
> Seems correct.


> > Option 2) seems to cause an extra security risk (like Nagios NRPE): if 
> the 
> > ossec server is compromised all servers can be reached or can be used to 
> > execute command remotely via the ossec server, is that correct? 
> > 
>
> Correct, and I believe this is why remote commands are disabled by 
> default. 
>

Do you know if there is another way of accomplishing the netstat -tan diff 
on all agents without the need to enable the remote commands on all agents?
Specify it in the ossec.conf on all agents?

I only have:

  

 OSSEC-SERVERNAME 

  
 
What do I need to add for the netstat command?
Only add the following to the ossec.conf for the agents:


full_command
netstat -tan |grep LISTEN|grep -v 127.0.0.1


and can I specify how often this needs to run on the agents? (I want to 
randomise the time it should run).

Michiel
 

>
> > Thanks for clearing things up :) 
> > 
> > Michiel 
> > 
>



[ossec-list] OSSEC 2.7 RPM with more then 256 agents enabled?

2013-11-21 Thread Michiel van Es
Does anyone have an rpm or src rpm for the OSSEC package that has the 
default 256 agents limit removed?

Why is this limit in there?
Will OSSEC perform badly with this limit in place when running with 25 
servers? (loss of resources etc.)

We want to run it on 500+ servers and are mainly using rpms/puppet.

Michiel



Re: [ossec-list] Multi server ossec cluster with shared NFS

2013-11-20 Thread Michiel van Es


On Wednesday, 20 November 2013 02:14:39 UTC+1, 89be...@gmail.com wrote:
>
> Hi,
>
> I checked and the only thing I can find is that every second these messages 
> appear:
>
> 2013/11/19 21:12:05 ossec-authd: INFO: New connection from x.y.c.10
> 2013/11/19 21:12:06 ossec-authd: ERROR: SSL read error (-1)
> 2013/11/19 21:12:07 ossec-authd: ERROR: SSL Accept error (0)
> 2013/11/19 21:12:07 ossec-authd: INFO: New connection from x.y.c.11
> 2013/11/19 21:12:08 ossec-authd: ERROR: SSL read error (-1)
> 2013/11/19 21:12:08 ossec-authd: ERROR: SSL Accept error (0)
> 2013/11/19 21:12:08 ossec-authd: ERROR: SSL Accept error (0)
> 2013/11/19 21:12:08 ossec-authd: INFO: New connection from x.y.c.11
> 2013/11/19 21:12:08 ossec-authd: INFO: New connection from x.y.c.10
> 2013/11/19 21:12:09 ossec-remoted(1213): WARN: Message from x.y.c.11 not 
> allowed.
>
> Could this be related?
>

This is strange, as the agents connect 1 time to get a valid key 
(client.keys file) and don't have to authenticate anymore.
Since /var/ossec (and thus /var/ossec/etc/client.keys) is stored on all 
machines, this should allow all the agents to connect to every ossec server.

I am also looking into the HA OSSEC setup and am not sure if OSSEC is HA 
load balancing ready.
I am looking into heartbeat with a master/slave scenario to see if that 
works for HA (clients always connect to 1 server and not several different 
servers).

Michiel
 

>
> On Thursday, November 14, 2013 1:38:45 PM UTC-3, Michael Starks wrote:
>>
>> On 2013-11-14 9:55, 89be...@gmail.com wrote: 
>> > Hi, I have 5 servers sharing the same NFS folder for /var/ossec, and 
>> > it seems to be working. I've inherited this architecture. 
>> > 
>> > Right now, we have about 3000 clients that connect to an F5 vip, and 
>> > then each client reports to this VIP. In the vip are 5 servers sharing 
>> > the same /var/ossec nfs folder. 
>> > 
>> > My question is, does this architecture work? I mean, I'm having issues 
>> > with some clients not connecting and I'm not sure that the correlation 
>> > would work properly, it depends if all the ossec correlation reads 
>> > always from disk and does not save information to memory. 
>>
>> The only thing I can think of that might be a problem is the rids. Check 
>> ossec.log to see if anything is being denied. 
>>
>



[ossec-list] Question about OSSEC 2.7 and agents configurations

2013-11-20 Thread Michiel van Es
Hello,

I have some basic questions about the OSSEC server <-> agent model:

- is it correct that the agent's ossec.conf can be as small as:

<ossec_config>
  <client>
    <server-hostname>OSSEC-SERVERNAME</server-hostname>
  </client>
</ossec_config>


- I push all checks on the server via /var/ossec/etc/shared/agent.conf (the 
file being synched) ?

- If I want to run the netstat command on all nodes via the 
shared/agent.conf on the server, do I have to do the following:

1) change the agent.conf to include:

<localfile>
  <log_format>full_command</log_format>
  <command>netstat -tan |grep LISTEN |grep -v 127.0.0.1 | sort</command>
</localfile>

2) change the /var/ossec/etc/internal_options.conf on all agents to 
include:
logcollector.remote_commands=1
3) restart ossec on the server and then on all agents?

Option 2) seems to cause an extra security risk (like Nagios NRPE): if the 
ossec server is compromised, all servers can be reached or can be used to 
execute commands remotely via the ossec server, is that correct?

Thanks for clearing things up :)

Michiel

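The remote-command question in the message above touches a real trust boundary: an OSSEC agent only executes the command/full_command entries it receives through the shared agent.conf when its own /var/ossec/etc/internal_options.conf sets logcollector.remote_commands=1, and the shipped default is 0 for exactly the reason given, that a compromised manager would otherwise get command execution on every agent. The script below is an added example, not code from the thread or from the OSSEC project. It parses a shared agent.conf and an agent's internal_options.conf (both embedded as constructed, hypothetical samples) and reports which commands the manager would push and whether this agent would actually run them.

```python
"""Audit an OSSEC shared agent.conf for commands pushed to agents (added example)."""
import re
import xml.etree.ElementTree as ET

# Constructed sample of /var/ossec/etc/shared/agent.conf as pushed by a manager.
SAMPLE_AGENT_CONF = """<agent_config>
  <localfile>
    <log_format>full_command</log_format>
    <command>netstat -tan |grep LISTEN |grep -v 127.0.0.1 | sort</command>
  </localfile>
  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/messages</location>
  </localfile>
  <localfile>
    <log_format>command</log_format>
    <command>df -P</command>
    <frequency>360</frequency>
  </localfile>
</agent_config>
"""

# Constructed sample of an agent's /var/ossec/etc/internal_options.conf.
SAMPLE_INTERNAL_OPTIONS = """# Logcollector - accept remote commands from agent.conf
logcollector.remote_commands=1
syscheck.sleep=2
"""


def remote_commands(agent_conf_xml):
    """Return (log_format, command, frequency) for every command-type localfile."""
    root = ET.fromstring(agent_conf_xml)
    found = []
    for localfile in root.iter("localfile"):
        fmt = (localfile.findtext("log_format") or "").strip()
        if fmt in ("command", "full_command"):
            cmd = (localfile.findtext("command") or "").strip()
            freq = localfile.findtext("frequency")
            found.append((fmt, cmd, int(freq) if freq else None))
    return found


def remote_commands_enabled(internal_options_text):
    """True if this agent would execute commands received via agent.conf.

    Lines are key=value; '#' starts a comment. A missing key means the
    OSSEC default (0, disabled) applies.
    """
    for raw in internal_options_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        m = re.match(r"^logcollector\.remote_commands\s*=\s*(\d+)$", line)
        if m:
            return m.group(1) != "0"
    return False


def audit(agent_conf_xml, internal_options_text):
    """Summarise exposure: what is pushed, and whether this agent runs it."""
    cmds = remote_commands(agent_conf_xml)
    enabled = remote_commands_enabled(internal_options_text)
    return {"commands": cmds, "executed_on_this_agent": enabled and bool(cmds)}


if __name__ == "__main__":
    report = audit(SAMPLE_AGENT_CONF, SAMPLE_INTERNAL_OPTIONS)
    for fmt, cmd, freq in report["commands"]:
        print("%-12s every %s s: %s" % (fmt, freq or "scan", cmd))
    print("executed on this agent:", report["executed_on_this_agent"])
```

Run it on each agent against the agent.conf it received and its own internal_options.conf. The switch is all-or-nothing per agent: enabling it for the netstat inventory also enables any other command that later lands in agent.conf, so keep it at 0 on hosts that do not need it and treat write access to shared/agent.conf on the manager as code execution on every opted-in agent.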


Re: [ossec-list] Re: OSSEC manager redundancy

2013-11-15 Thread Michiel van Es
Hi Juan, I am afraid not completely.
You can distribute the /var/ossec/etc dir from NFS or such, but load
balancing UDP with SSL traffic is not working 100% for me right now.
It has to do with my load balancer setup (LVS/Pen) but I think the most
important things are:
- make sure that 1 of the 2 OSSEC managers is the master and the other the
slave by setting weights/priorities in your load balancer config
- make sure the return traffic works flawlessly

Hope this helps a bit.

Michiel


2013/11/14 Juan Berner 

> Hi Michel,
>
> Were you able to implement ossec as a cluster service?
>
> Im looking for a similar solution.
>
> Thanks,
>
> Juan
>
> On Friday, November 1, 2013 11:35:45 AM UTC-3, Michiel van Es wrote:
>>
>> Hi Chris,
>>
>> I am not worried about the loadbalancer with a virtual ip, we'll use F5's
>> for that matter or heartbeat.
>> Perhaps I should just test it first with a simple PoC but was hoping I am
>> not the only one running the manager in a redundant form ;)
>>
>> Michiel
>>
>>
>> 2013/11/1 Chris H 
>>
>>> Hi Michiel.  Do you have any current load-balancers that you could set
>>> up a Virtual IP on, and point the agents to the VIP?  Or use something like
>>> heartbeat <http://linux-ha.org/wiki/Heartbeat>?
>>>
>>> I'm not sure how you'd sync the config, maybe store them on a mount from
>>> a SAN or even something like rsync to keep the secondary server up to date?
>>>
>>> Chris
>>>
>>>
>>> On Thursday, October 31, 2013 2:19:40 PM UTC, Michiel van Es wrote:
>>>>
>>>> Hello,
>>>>
>>>> I am planning to set up OSSEC 2.7 for my company for about 500+ servers
>>>> and some appliances.
>>>> It will be running on Red Hat 5 + 6 agents mainly.
>>>>
>>>> There is a company policy that one server is the same as no server at
>>>> all (redundancy is a must in my company).
>>>>
>>>> Is it possible to create a redundant setup of 2 OSSEC managers, having
>>>> the port 1514 UDP load balanced and both servers store their entries and
>>>> databases/keys on a NAS or single (redundant) storage platform?
>>>>
>>>> Has anyone else created such a setup?
>>>> I want to use rsync/bash scripting as little as possible to make the
>>>> setup easy to maintain :)
>>>>
>>>> Michiel
>>>>


Re: [ossec-list] Re: OSSEC manager redundancy

2013-11-01 Thread Michiel van Es
Hi Chris,

I am not worried about the loadbalancer with a virtual ip, we'll use F5's
for that matter or heartbeat.
Perhaps I should just test it first with a simple PoC but was hoping I am
not the only one running the manager in a redundant form ;)

Michiel


2013/11/1 Chris H 

> Hi Michiel.  Do you have any current load-balancers that you could set up
> a Virtual IP on, and point the agents to the VIP?  Or use something like
> heartbeat <http://linux-ha.org/wiki/Heartbeat>?
>
> I'm not sure how you'd sync the config, maybe store them on a mount from a
> SAN or even something like rsync to keep the secondary server up to date?
>
> Chris
>
>
> On Thursday, October 31, 2013 2:19:40 PM UTC, Michiel van Es wrote:
>>
>> Hello,
>>
>> I am planning to set up OSSEC 2.7 for my company for about 500+ servers
>> and some appliances.
>> It will be running on Red Hat 5 + 6 agents mainly.
>>
>> There is a company policy that one server is the same as no server at all
>> (redundancy is a must in my company).
>>
>> Is it possible to create a redundant setup of 2 OSSEC managers, having
>> the port 1514 UDP load balanced and both servers store their entries and
>> databases/keys on a NAS or single (redundant) storage platform?
>>
>> Has anyone else created such a setup?
>> I want to use rsync/bash scripting as little as possible to make the setup
>> easy to maintain :)
>>
>> Michiel
>>


[ossec-list] OSSEC and Kibana

2013-11-01 Thread Michiel van Es
Hello,

I was wondering what people use for their management of the alerts in OSSEC?
I used Splunk with the OSSEC app a lot, but seeing that Splunk is costing 
money (a lot for a lot of data) we are looking at other options like 
Kibana/Logsearch.
Does anyone have experience with this setup or with an alternative 
dashboard setup?

Or do people use Analogi/OSSEC WUI?

I am very interested in the setups people use.

Michiel



[ossec-list] Re: OSSEC manager redundancy

2013-11-01 Thread Michiel van Es
The problems I see with a load balanced setup:

- agents must understand a roundrobin/sticky load balancer setup with 2 
OSSEC managers
- OSSEC managers must share their client keys
- Both OSSEC managers must supply their logfiles to 1 dashboard (Splunk or 
Kibana).

I hope these things are easy to overcome?

Any pointers or help would be useful.

Michiel

Op donderdag 31 oktober 2013 15:19:40 UTC+1 schreef Michiel van Es:
>
> Hello,
>
> I am planning to set up OSSEC 2.7 for my company for about 500+ servers and 
> some appliances.
> It will be running on Red Hat 5 + 6 agents mainly.
>
> There is a company policy that one server is the same as no server at all 
> (redundancy is a must in my company).
>
> Is it possible to create a redundant setup of 2 OSSEC managers, having the 
> port 1514 UDP load balanced and both servers store their entries and 
> databases/keys on a NAS or single (redundant) storage platform?
>
> Has anyone else created such a setup?
> I want to use rsync/bash scripting as little as possible to make the setup 
> easy to maintain :)
>
> Michiel
>

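Two of the points raised in this thread can be checked mechanically: that both managers must hold the same client.keys, and the "Message from x.y.c.11 not allowed" warning quoted further up the page, which ossec-remoted logs when a sender's address matches no client.keys entry. The script below is an added example, not from the thread or from the OSSEC project. It parses the client.keys format (one "ID NAME IP KEY" line per agent, where IP is an address, a CIDR range or "any"), reports where two managers' files have drifted apart, and answers which entries would accept a datagram from a given source address. The two key files are constructed samples with made-up keys.

```python
"""Consistency checks for OSSEC client.keys across two managers (added example)."""
import ipaddress
import re

# Constructed samples of /var/ossec/etc/client.keys on two managers.
# Format: one agent per line, "ID NAME IP KEY"; the keys are made up.
KEYS_MANAGER_A = """\
001 web01 10.10.138.20 a1b2c3d4e5f60718293a4b5c6d7e8f90a1b2c3d4e5f60718293a4b5c6d7e8f90
002 web02 10.10.138.21 0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
003 db01 any ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
"""
KEYS_MANAGER_B = """\
001 web01 10.10.138.20 a1b2c3d4e5f60718293a4b5c6d7e8f90a1b2c3d4e5f60718293a4b5c6d7e8f90
002 web02 10.10.138.21 0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
004 app01 10.10.139.0/24 eeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee
"""

HEX = re.compile(r"^[0-9a-fA-F]+$")


def parse_client_keys(text):
    """Return {agent_id: (name, ip, key)}, rejecting malformed or duplicate rows."""
    entries = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) != 4:
            raise ValueError("line %d: expected 4 fields, got %d" % (lineno, len(parts)))
        agent_id, name, ip, key = parts
        if ip != "any":
            ipaddress.ip_network(ip, strict=False)  # raises ValueError on junk
        if not HEX.match(key):
            raise ValueError("line %d: key for %s is not hex" % (lineno, name))
        if agent_id in entries:
            raise ValueError("line %d: duplicate agent id %s" % (lineno, agent_id))
        entries[agent_id] = (name, ip, key)
    return entries


def compare_keys(text_a, text_b):
    """Report ids present on one manager only, and ids whose name/ip/key differ."""
    a, b = parse_client_keys(text_a), parse_client_keys(text_b)
    return {
        "only_in_a": sorted(set(a) - set(b)),
        "only_in_b": sorted(set(b) - set(a)),
        "mismatched": sorted(i for i in set(a) & set(b) if a[i] != b[i]),
    }


def allowed_senders(text, src_ip):
    """Agent ids whose IP field admits a datagram from src_ip ('any' admits all)."""
    addr = ipaddress.ip_address(src_ip)
    matches = []
    for agent_id, (_name, ip, _key) in parse_client_keys(text).items():
        if ip == "any" or addr in ipaddress.ip_network(ip, strict=False):
            matches.append(agent_id)
    return matches


if __name__ == "__main__":
    print(compare_keys(KEYS_MANAGER_A, KEYS_MANAGER_B))
    for src in ("10.10.138.20", "10.10.139.77"):
        print(src, "-> A:", allowed_senders(KEYS_MANAGER_A, src),
              "B:", allowed_senders(KEYS_MANAGER_B, src))
```

An empty result from allowed_senders for an agent's real source address is the situation behind the "not allowed" warning. With a load balancer in front of the managers, also confirm that the address the manager sees is the agent's and not the balancer's: the key entry is matched against whatever source address arrives, so source NAT on the balancer makes every agent look like one host.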


[ossec-list] OSSEC manager redundancy

2013-10-31 Thread Michiel van Es
Hello,

I am planning to set up OSSEC 2.7 for my company for about 500+ servers and 
some appliances.
It will be running on Red Hat 5 + 6 agents mainly.

There is a company policy that one server is the same as no server at all 
(redundancy is a must in my company).

Is it possible to create a redundant setup of 2 OSSEC managers, having the 
port 1514 UDP load balanced and both servers store their entries and 
databases/keys on a NAS or single (redundant) storage platform?

Has anyone else created such a setup?
I want to use rsync/bash scripting as little as possible to make the setup 
easy to maintain :)

Michiel



Re: [ossec-list] Re: Question about Realtime monitoring on agents

2013-10-09 Thread Michiel van Es


Op donderdag 3 oktober 2013 15:44:49 UTC+2 schreef dan (ddpbsd):
>
> On Thu, Oct 3, 2013 at 9:13 AM, Michiel van Es 
> > 
> wrote: 
> > 
> > 
> > Op donderdag 3 oktober 2013 14:57:28 UTC+2 schreef dan (ddpbsd): 
> >> 
> >> On Thu, Oct 3, 2013 at 4:26 AM, Michiel van Es  
> >> wrote: 
> >> > Is my ossec.conf on the agents correct? 
> >> > tested again today after some days: 
> >> > 
> >> 
> >> As far as I can tell it seems ok. 
> >> 
> >> > added an entry to /etc/hosts, nothing is detected and alerted 
> directly.. 
> >> > 
> >> 
> >> >>What do you mean by "alerted directly?" 
> > 
> > 
> > The realtime=yes should trigger an alert for OSSEC directly when I alter 
> the 
> > file right? (I open the file with vim, add a new line with bogus , 
> > write+quit) 
> > It does nothing after that, only after the first syscheck run that is 
> > scheduled to run every X hour/minutes. 
> > 
>
> It should trigger an alert very quickly, yes. 
> I don't really have a way to troubleshoot this. Everytime I test 
> realtime it works just fine. 
>
>
Did you test it on multiple files in /etc/ for example?
I tried /etc/resolv.conf which is instant; /etc/passwd, where we changed a 
user's last name, did not have any impact.
The strange thing is that it is not consistent.
I am also not sure if it is related to:

- Red Hat
- Atomic OSSEC-HIDS package
- VMware image
- kernel
 


Re: [ossec-list] Re: Question about Realtime monitoring on agents

2013-10-03 Thread Michiel van Es
Ok, clear for me.
I want this to be on the agents so I have to create a template for all
agents with these settings.

Thanks!


2013/10/3 dan (ddp) 

> On Thu, Oct 3, 2013 at 9:50 AM, Michiel van Es 
> wrote:
> > But it is correct that I add the syscheck and realtime options to the
> agent
> > own ossec.conf and NOT on the server right?
> >
>
> That depends on where you want that setting to be applied. If you want
> the agent to attempt these detections in real time, then you have to
> define it on the agent. If you want the server to do realtime
> detection, you must define it on the server. I will try to make the
> documentation more clear on this.
>
> >
> > 2013/10/3 dan (ddp) 
> >>
> >> On Thu, Oct 3, 2013 at 9:13 AM, Michiel van Es 
> >> wrote:
> >> >
> >> >
> >> > Op donderdag 3 oktober 2013 14:57:28 UTC+2 schreef dan (ddpbsd):
> >> >>
> >> >> On Thu, Oct 3, 2013 at 4:26 AM, Michiel van Es 
> >> >> wrote:
> >> >> > Is my ossec.conf on the agents correct?
> >> >> > tested again today after some days:
> >> >> >
> >> >>
> >> >> As far as I can tell it seems ok.
> >> >>
> >> >> > added an entry to /etc/hosts, nothing is detected and alerted
> >> >> > directly..
> >> >> >
> >> >>
> >> >> >>What do you mean by "alerted directly?"
> >> >
> >> >
> >> > The realtime=yes should trigger an alert for OSSEC directly when I
> alter
> >> > the
> >> > file right? (I open the file with vim, add a new line with bogus ,
> >> > write+quit)
> >> > It does nothing after that, only after the first syscheck run that is
> >> > scheduled to run every X hour/minutes.
> >> >
> >>
> >> It should trigger an alert very quickly, yes.
> >> I don't really have a way to troubleshoot this. Everytime I test
> >> realtime it works just fine.
> >>

Re: [ossec-list] Re: Question about Realtime monitoring on agents

2013-10-03 Thread Michiel van Es
But it is correct that I add the syscheck and realtime options to the agent's
own ossec.conf and NOT on the server, right?


2013/10/3 dan (ddp) 

> On Thu, Oct 3, 2013 at 9:13 AM, Michiel van Es 
> wrote:
> >
> >
> > Op donderdag 3 oktober 2013 14:57:28 UTC+2 schreef dan (ddpbsd):
> >>
> >> On Thu, Oct 3, 2013 at 4:26 AM, Michiel van Es 
> >> wrote:
> >> > Is my ossec.conf on the agents correct?
> >> > tested again today after some days:
> >> >
> >>
> >> As far as I can tell it seems ok.
> >>
> >> > added an entry to /etc/hosts, nothing is detected and alerted
> directly..
> >> >
> >>
> >> >>What do you mean by "alerted directly?"
> >
> >
> > The realtime=yes should trigger an alert for OSSEC directly when I alter
> the
> > file right? (I open the file with vim, add a new line with bogus ,
> > write+quit)
> > It does nothing after that, only after the first syscheck run that is
> > scheduled to run every X hour/minutes.
> >
>
> It should trigger an alert very quickly, yes.
> I don't really have a way to troubleshoot this. Everytime I test
> realtime it works just fine.
>

Re: [ossec-list] Re: Question about Realtime monitoring on agents

2013-10-03 Thread Michiel van Es


Op donderdag 3 oktober 2013 14:57:28 UTC+2 schreef dan (ddpbsd):
>
> On Thu, Oct 3, 2013 at 4:26 AM, Michiel van Es 
> > 
> wrote: 
> > Is my ossec.conf on the agents correct? 
> > tested again today after some days: 
> > 
>
> As far as I can tell it seems ok. 
>
> > added an entry to /etc/hosts, nothing is detected and alerted directly.. 
> > 
>
> >>What do you mean by "alerted directly?" 
>

The realtime=yes should trigger an alert for OSSEC directly when I alter 
the file right? (I open the file with vim, add a new line with bogus , 
write+quit)
It does nothing after that, only after the first syscheck run that is 
scheduled to run every X hour/minutes.
 


[ossec-list] Re: Question about Realtime monitoring on agents

2013-10-03 Thread Michiel van Es
Is my ossec.conf on the agents correct?
Tested again today after some days:

Added an entry to /etc/hosts; nothing is detected and alerted directly..


Op vrijdag 27 september 2013 15:50:18 UTC+2 schreef Michiel van Es:
>
> Hello, I have the following setup :
>
> 1 manager - OSSEC 2.7 64 bit tar.gz manager install via script
> 2 agents - OSSEC 2.7 64 bit Atomic repo install
>
> I have changed the <syscheck> section in /var/ossec/etc/ossec.conf to the 
> following on the manager:
>
> <syscheck>
>   <frequency>7200</frequency>
>
>   <directories realtime="yes" check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
>   <directories check_all="yes">/bin,/sbin</directories>
>
>   <ignore>/etc/mtab</ignore>
>   <ignore>/etc/mnttab</ignore>
>   <ignore>/etc/hosts.deny</ignore>
>   <ignore>/etc/mail/statistics</ignore>
>   <ignore>/etc/random-seed</ignore>
>   <ignore>/etc/adjtime</ignore>
>   <ignore>/etc/httpd/logs</ignore>
>   <ignore>/etc/utmpx</ignore>
>   <ignore>/etc/wtmpx</ignore>
>   <ignore>/etc/cups/certs</ignore>
>   <ignore>/etc/dumpdates</ignore>
>   <ignore>/etc/svc/volatile</ignore>
>
>   <ignore>C:\WINDOWS/System32/LogFiles</ignore>
>   <ignore>C:\WINDOWS/Debug</ignore>
>   <ignore>C:\WINDOWS/WindowsUpdate.log</ignore>
>   <ignore>C:\WINDOWS/iis6.log</ignore>
>   <ignore>C:\WINDOWS/system32/wbem/Logs</ignore>
>   <ignore>C:\WINDOWS/system32/wbem/Repository</ignore>
>   <ignore>C:\WINDOWS/Prefetch</ignore>
>   <ignore>C:\WINDOWS/PCHEALTH/HELPCTR/DataColl</ignore>
>   <ignore>C:\WINDOWS/SoftwareDistribution</ignore>
>   <ignore>C:\WINDOWS/Temp</ignore>
>   <ignore>C:\WINDOWS/system32/config</ignore>
>   <ignore>C:\WINDOWS/system32/spool</ignore>
>   <ignore>C:\WINDOWS/system32/CatRoot</ignore>
> </syscheck>
>
> I want realtime monitoring of the /etc/ directories on the agents.
> I tested the active restarts and link with the agents via the 
> agent_control -lc
>
> The agents have the following ossec.conf:
>
> <ossec_config>
>   <client>
>     <server-ip>10.10.138.69</server-ip>
>   </client>
> </ossec_config>
>
> Nothing happens when I alter /etc/hosts on 1 of the agents.
>
> When I change the /etc/hosts on the manager it is instant (exactly what I 
> want).
>
> I changed the ossec.conf on the agents to the following:
>
> <ossec_config>
>   <client>
>     <server-ip>10.10.138.69</server-ip>
>   </client>
>
>   <syscheck>
>     <frequency>7200</frequency>
>
>     <directories realtime="yes" check_all="yes">/var/ossec/etc,/etc,/usr/bin,/usr/sbin</directories>
>     <directories check_all="yes">/bin,/sbin</directories>
>
>     <ignore>/etc/mtab</ignore>
>     <ignore>/etc/mnttab</ignore>
>     <ignore>/etc/hosts.deny</ignore>
>     <ignore>/etc/mail/statistics</ignore>
>     <ignore>/etc/random-seed</ignore>
>     <ignore>/etc/adjtime</ignore>
>     <ignore>/etc/httpd/logs</ignore>
>     <ignore>/etc/utmpx</ignore>
>     <ignore>/etc/wtmpx</ignore>
>     <ignore>/etc/cups/certs</ignore>
>     <ignore>/etc/dumpdates</ignore>
>     <ignore>/etc/svc/volatile</ignore>
>
>     <ignore>C:\WINDOWS/System32/LogFiles</ignore>
>     <ignore>C:\WINDOWS/Debug</ignore>
>     <ignore>C:\WINDOWS/WindowsUpdate.log</ignore>
>     <ignore>C:\WINDOWS/iis6.log</ignore>
>     <ignore>C:\WINDOWS/system32/wbem/Logs</ignore>
>     <ignore>C:\WINDOWS/system32/wbem/Repository</ignore>
>     <ignore>C:\WINDOWS/Prefetch</ignore>
>     <ignore>C:\WINDOWS/PCHEALTH/HELPCTR/DataColl</ignore>
>     <ignore>C:\WINDOWS/SoftwareDistribution</ignore>
>     <ignore>C:\WINDOWS/Temp</ignore>
>     <ignore>C:\WINDOWS/system32/config</ignore>
>     <ignore>C:\WINDOWS/system32/spool</ignore>
>     <ignore>C:\WINDOWS/system32/CatRoot</ignore>
>   </syscheck>
>
> </ossec_config>
>
> and restarted the ossec service on the agents and let syscheck rebuild 
> its database on both agents:
> 2013/09/27 14:16:33 ossec-syscheckd: INFO: Monitoring directory: '/etc'.
> 2013/09/27 14:16:33 ossec-syscheckd: INFO: Monitoring directory: 
> '/usr/bin'.
> 2013/09/27 14:16:33 ossec-syscheckd: INFO: Monitoring directory: 
> '/usr/sbin'.
> 2013/09/27 14:16:33 ossec-syscheckd: INFO: Monitoring directory: '/bin'.
> 2013/09/27 14:16:33 ossec-syscheckd: INFO: Monitoring directory: '/sbin'.
> 2013/09/27 14:16:33 ossec-syscheckd: INFO: Directory set for real time 
> monitoring: '/var/ossec/etc'.
> 2013/09/27 14:16:33 ossec-syscheckd: INFO: Directory set for real time 
> monitoring: '/etc'.
> 2013/09/27 14:16:33 ossec-syscheckd: INFO: Directory set for real time 
> monitoring: '/usr/bin'.
> 2013/09/27 14:16:33 ossec-syscheckd: INFO: Directory set for real time 
> monitoring: '/usr/sbin'.
> 2013/09/27 14:18:27 ossec-syscheckd: INFO: Starting syscheck scan 
> (forwarding database).
> 2013/09/27 14:18:27 ossec-syscheckd: INFO: Starting syscheck database 
> (pre-scan).
> 2013/09/27 14:18:27 ossec-syscheckd: INFO: Initializing real time file 
> monitoring (not started).
> 2013/09/27 14:43:12 ossec-syscheckd: INFO: Real time file monitoring 
> started.
> 2013/09/27 14:43:12 ossec-syscheckd: INFO: Finished creating syscheck 
> database (pre-scan completed).
> 2013/09/27 14:43:26 ossec-syscheckd: INFO: Ending syscheck scan 
> (forwarding database)
>
> I changed the /etc/hosts file again and added multiple new lines to make sure 
> it won't match the MD5 sum.
> Still nothing happening on the agents, no alert triggered (as on the 
> manager it was instant)
>
> Am I correct that the realtime configuration should be in the ossec.conf 
> on the agents?
> I have seen one error on 1 of the servers alerting:
>
> Rule: 553 (level 7) -> 'File deleted. Unable to retrieve checksum.'
> File '/etc/hosts' was deleted. Unable to retrieve checksum.
>
>
> How can I recreate the database?
>
> Regards and sorry if I ask the obvious questions here.
>
> Michiel
>

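The ossec.log excerpt in the message above contains the detail that explains the "semi working" behaviour reported elsewhere in this thread: syscheckd registers the realtime directories at startup, but the line "Real time file monitoring started" only appears once the pre-scan completes, here almost 25 minutes after "Initializing real time file monitoring (not started)" (14:18:27 to 14:43:12). Edits made in that window are only caught by the next scheduled scan. The script below is an added example, not from the post or from the OSSEC project; it parses ossec.log lines of the format quoted above (the embedded sample is copied from that excerpt, with some lines omitted), and reports the realtime directories, whether realtime actually started, and the startup delay.

```python
"""Verify OSSEC realtime syscheck from ossec.log lines (added example)."""
import re
from datetime import datetime

# Sample copied from the thread's ossec.log excerpt (some lines omitted).
SAMPLE_LOG = """\
2013/09/27 14:16:33 ossec-syscheckd: INFO: Monitoring directory: '/etc'.
2013/09/27 14:16:33 ossec-syscheckd: INFO: Monitoring directory: '/usr/bin'.
2013/09/27 14:16:33 ossec-syscheckd: INFO: Directory set for real time monitoring: '/var/ossec/etc'.
2013/09/27 14:16:33 ossec-syscheckd: INFO: Directory set for real time monitoring: '/etc'.
2013/09/27 14:18:27 ossec-syscheckd: INFO: Starting syscheck database (pre-scan).
2013/09/27 14:18:27 ossec-syscheckd: INFO: Initializing real time file monitoring (not started).
2013/09/27 14:43:12 ossec-syscheckd: INFO: Real time file monitoring started.
2013/09/27 14:43:12 ossec-syscheckd: INFO: Finished creating syscheck database (pre-scan completed).
"""

# "YYYY/MM/DD HH:MM:SS daemon: LEVEL: message" as written by OSSEC 2.x.
LINE = re.compile(r"^(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) (\S+): (\w+): (.*)$")
RT_DIR = re.compile(r"Directory set for real time monitoring: '([^']+)'")


def parse(log_text):
    """Yield (timestamp, daemon, level, message) for each well-formed line."""
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if m:
            ts = datetime.strptime(m.group(1), "%Y/%m/%d %H:%M:%S")
            yield ts, m.group(2), m.group(3), m.group(4)


def realtime_status(log_text):
    """Summarise what syscheckd did about realtime monitoring.

    Returns the directories registered for realtime, whether the
    'Real time file monitoring started' line was seen, and the seconds
    between 'Initializing ... (not started)' and that line.
    """
    dirs, init_ts, start_ts = [], None, None
    for ts, daemon, _level, msg in parse(log_text):
        if daemon != "ossec-syscheckd":
            continue
        d = RT_DIR.search(msg)
        if d:
            dirs.append(d.group(1))
        elif msg.startswith("Initializing real time file monitoring"):
            init_ts = ts
        elif msg.startswith("Real time file monitoring started"):
            start_ts = ts
    delay = None
    if init_ts is not None and start_ts is not None:
        delay = (start_ts - init_ts).total_seconds()
    return {"realtime_dirs": dirs, "started": start_ts is not None,
            "startup_delay_s": delay}


def covered_by_realtime(log_text, path):
    """True if path is inside a directory syscheckd registered for realtime."""
    for d in realtime_status(log_text)["realtime_dirs"]:
        base = d.rstrip("/")
        if path == base or path.startswith(base + "/"):
            return True
    return False


if __name__ == "__main__":
    status = realtime_status(SAMPLE_LOG)
    print("realtime dirs:", status["realtime_dirs"])
    print("started:", status["started"], "after", status["startup_delay_s"], "s")
    print("/etc/hosts covered:", covered_by_realtime(SAMPLE_LOG, "/etc/hosts"))
```

When testing realtime on an agent, wait for the "started" line in /var/ossec/logs/ossec.log before editing the test file; a large /etc or /usr tree makes the pre-scan, and therefore the window without realtime coverage, correspondingly long.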


[ossec-list] Re: Question about Realtime monitoring on agents

2013-09-27 Thread Michiel van Es
I got it semi-working, but I am noticing that after I changed /etc/hosts 
(for example), the alert is available on the manager, but when I change 
/etc/resolv.conf directly after that it is not notified directly (some 
delay).
Is this normal behaviour?

Op vrijdag 27 september 2013 15:50:18 UTC+2 schreef Michiel van Es:
>
> Hello, I have the following setup :
>
> 1 manager - OSSEC 2.7 64 bit tar.gz manager install via script
> 2 agents - OSSEC 2.7 64 bit Atomic repo install
>
> I have changes de  in /var/ossec/etc/ossec.conf to the following 
> on the manager:
>
>   
> 
> 7200
>
> 
>  check_all="yes">/etc,/usr/bin,/usr/sbin
> /bin,/sbin
>
> 
> /etc/mtab
> /etc/mnttab
> /etc/hosts.deny
> /etc/mail/statistics
> /etc/random-seed
> /etc/adjtime
> /etc/httpd/logs
> /etc/utmpx
> /etc/wtmpx
> /etc/cups/certs
> /etc/dumpdates
> /etc/svc/volatile
>
> 
> C:\WINDOWS/System32/LogFiles
> C:\WINDOWS/Debug
> C:\WINDOWS/WindowsUpdate.log
> C:\WINDOWS/iis6.log
> C:\WINDOWS/system32/wbem/Logs
> C:\WINDOWS/system32/wbem/Repository
> C:\WINDOWS/Prefetch
> C:\WINDOWS/PCHEALTH/HELPCTR/DataColl
> C:\WINDOWS/SoftwareDistribution
> C:\WINDOWS/Temp
> C:\WINDOWS/system32/config
> C:\WINDOWS/system32/spool
> C:\WINDOWS/system32/CatRoot
>   
>
> I want realtime monitoring of the /etc/ directories on the agents.
> I tested the active restarts and link with the agents via the 
> agent_control -lc
>
> The agents have the following ossec.conf:
>
> 
>   
> 10.10.138.69
>   
> 
>
> Nothing happens when I alter /etc/hosts on 1 of the agents.
>
> When I change the /etc/hosts on the manager it is instant (exactly what I 
> want).
>
> I changed the ossec.conf on the agents with the following;
>
> 
>   
> 10.10.138.69
>   
>
>   
> 
> 7200
>
> 
>  check_all="yes">/var/ossec/etc,/etc,/usr/bin,/usr/sbin
> /bin,/sbin
>
> 
> /etc/mtab
> /etc/mnttab
> /etc/hosts.deny
> /etc/mail/statistics
> /etc/random-seed
> /etc/adjtime
> /etc/httpd/logs
> /etc/utmpx
> /etc/wtmpx
> /etc/cups/certs
> /etc/dumpdates
> /etc/svc/volatile
>
> 
> C:\WINDOWS/System32/LogFiles
> C:\WINDOWS/Debug
> C:\WINDOWS/WindowsUpdate.log
> C:\WINDOWS/iis6.log
> C:\WINDOWS/system32/wbem/Logs
> C:\WINDOWS/system32/wbem/Repository
> C:\WINDOWS/Prefetch
> C:\WINDOWS/PCHEALTH/HELPCTR/DataColl
> C:\WINDOWS/SoftwareDistribution
> C:\WINDOWS/Temp
> C:\WINDOWS/system32/config
> C:\WINDOWS/system32/spool
> C:\WINDOWS/system32/CatRoot
>   
>
> 
>
> and restarted the ossec service on the agents, let sysstem-check rebuild 
> its database on both agents:
> 2013/09/27 14:16:33 ossec-syscheckd: INFO: Monitoring directory: '/etc'.
> 2013/09/27 14:16:33 ossec-syscheckd: INFO: Monitoring directory: 
> '/usr/bin'.
> 2013/09/27 14:16:33 ossec-syscheckd: INFO: Monitoring directory: 
> '/usr/sbin'.
> 2013/09/27 14:16:33 ossec-syscheckd: INFO: Monitoring directory: '/bin'.
> 2013/09/27 14:16:33 ossec-syscheckd: INFO: Monitoring directory: '/sbin'.
> 2013/09/27 14:16:33 ossec-syscheckd: INFO: Directory set for real time 
> monitoring: '/var/ossec/etc'.
> 2013/09/27 14:16:33 ossec-syscheckd: INFO: Directory set for real time 
> monitoring: '/etc'.
> 2013/09/27 14:16:33 ossec-syscheckd: INFO: Directory set for real time 
> monitoring: '/usr/bin'.
> 2013/09/27 14:16:33 ossec-syscheckd: INFO: Directory set for real time 
> monitoring: '/usr/sbin'.
> 2013/09/27 14:18:27 ossec-syscheckd: INFO: Starting syscheck scan 
> (forwarding database).
> 2013/09/27 14:18:27 ossec-syscheckd: INFO: Starting syscheck database 
> (pre-scan).
> 2013/09/27 14:18:27 ossec-syscheckd: INFO: Initializing real time file 
> monitoring (not started).
> 2013/09/27 14:43:12 ossec-syscheckd: INFO: Real time file monitoring 
> started.
> 2013/09/27 14:43:12 ossec-syscheckd: INFO: Finished creating syscheck 
> database (pre-scan completed).
> 2013/09/27 14:43:26 ossec-syscheckd: INFO: Ending syscheck scan 
> (forwarding database)
>
> I changed the /etc/hosts file again and added multiple new lines to make sure 
> it won't match the MD5 sum.
> Still nothing happens on the agents, no alert is triggered (on the 
> manager it was instant).
>
> Am I correct that the realtime configuration should be in the ossec.conf 
> on the agents?

[ossec-list] Re: Question about Realtime monitoring on agents

2013-09-27 Thread Michiel van Es
Sorry forgot to mention:

Servers running RHEL6 64 bit 

On Friday 27 September 2013 15:50:18 UTC+2, Michiel van Es wrote:
>
> Hello, I have the following setup :
>
> 1 manager - OSSEC 2.7 64 bit tar.gz manager install via script
> 2 agents - OSSEC 2.7 64 bit Atomic repo install
>
> I have changed the  in /var/ossec/etc/ossec.conf to the following 
> on the manager:
>
>   
> 
> 7200
>
> 
>  check_all="yes">/etc,/usr/bin,/usr/sbin
> /bin,/sbin
>
> 
> /etc/mtab
> /etc/mnttab
> /etc/hosts.deny
> /etc/mail/statistics
> /etc/random-seed
> /etc/adjtime
> /etc/httpd/logs
> /etc/utmpx
> /etc/wtmpx
> /etc/cups/certs
> /etc/dumpdates
> /etc/svc/volatile
>
> 
> C:\WINDOWS/System32/LogFiles
> C:\WINDOWS/Debug
> C:\WINDOWS/WindowsUpdate.log
> C:\WINDOWS/iis6.log
> C:\WINDOWS/system32/wbem/Logs
> C:\WINDOWS/system32/wbem/Repository
> C:\WINDOWS/Prefetch
> C:\WINDOWS/PCHEALTH/HELPCTR/DataColl
> C:\WINDOWS/SoftwareDistribution
> C:\WINDOWS/Temp
> C:\WINDOWS/system32/config
> C:\WINDOWS/system32/spool
> C:\WINDOWS/system32/CatRoot
>   
>
> I want realtime monitoring of the /etc/ directories on the agents.
> I tested the active restarts and link with the agents via the 
> agent_control -lc
>
> The agents have the following ossec.conf:
>
> 
>   
> 10.10.138.69
>   
> 
>
> Nothing happens when I alter /etc/hosts on 1 of the agents.
>
> When I change the /etc/hosts on the manager it is instant (exactly what I 
> want).
>
> I changed the ossec.conf on the agents with the following;
>
> 
>   
> 10.10.138.69
>   
>
>   
> 
> 7200
>
> 
>  check_all="yes">/var/ossec/etc,/etc,/usr/bin,/usr/sbin
> /bin,/sbin
>
> 
> /etc/mtab
> /etc/mnttab
> /etc/hosts.deny
> /etc/mail/statistics
> /etc/random-seed
> /etc/adjtime
> /etc/httpd/logs
> /etc/utmpx
> /etc/wtmpx
> /etc/cups/certs
> /etc/dumpdates
> /etc/svc/volatile
>
> 
> C:\WINDOWS/System32/LogFiles
> C:\WINDOWS/Debug
> C:\WINDOWS/WindowsUpdate.log
> C:\WINDOWS/iis6.log
> C:\WINDOWS/system32/wbem/Logs
> C:\WINDOWS/system32/wbem/Repository
> C:\WINDOWS/Prefetch
> C:\WINDOWS/PCHEALTH/HELPCTR/DataColl
> C:\WINDOWS/SoftwareDistribution
> C:\WINDOWS/Temp
> C:\WINDOWS/system32/config
> C:\WINDOWS/system32/spool
> C:\WINDOWS/system32/CatRoot
>   
>
> 
>
> and restarted the ossec service on the agents, let syscheck rebuild 
> its database on both agents:
> 2013/09/27 14:16:33 ossec-syscheckd: INFO: Monitoring directory: '/etc'.
> 2013/09/27 14:16:33 ossec-syscheckd: INFO: Monitoring directory: 
> '/usr/bin'.
> 2013/09/27 14:16:33 ossec-syscheckd: INFO: Monitoring directory: 
> '/usr/sbin'.
> 2013/09/27 14:16:33 ossec-syscheckd: INFO: Monitoring directory: '/bin'.
> 2013/09/27 14:16:33 ossec-syscheckd: INFO: Monitoring directory: '/sbin'.
> 2013/09/27 14:16:33 ossec-syscheckd: INFO: Directory set for real time 
> monitoring: '/var/ossec/etc'.
> 2013/09/27 14:16:33 ossec-syscheckd: INFO: Directory set for real time 
> monitoring: '/etc'.
> 2013/09/27 14:16:33 ossec-syscheckd: INFO: Directory set for real time 
> monitoring: '/usr/bin'.
> 2013/09/27 14:16:33 ossec-syscheckd: INFO: Directory set for real time 
> monitoring: '/usr/sbin'.
> 2013/09/27 14:18:27 ossec-syscheckd: INFO: Starting syscheck scan 
> (forwarding database).
> 2013/09/27 14:18:27 ossec-syscheckd: INFO: Starting syscheck database 
> (pre-scan).
> 2013/09/27 14:18:27 ossec-syscheckd: INFO: Initializing real time file 
> monitoring (not started).
> 2013/09/27 14:43:12 ossec-syscheckd: INFO: Real time file monitoring 
> started.
> 2013/09/27 14:43:12 ossec-syscheckd: INFO: Finished creating syscheck 
> database (pre-scan completed).
> 2013/09/27 14:43:26 ossec-syscheckd: INFO: Ending syscheck scan 
> (forwarding database)
>
> I changed the /etc/hosts file again and added multiple new lines to make sure 
> it won't match the MD5 sum.
> Still nothing happens on the agents, no alert is triggered (on the 
> manager it was instant).
>
> Am I correct that the realtime configuration should be in the ossec.conf 
> on the agents?
> I have seen one error on 1 of the servers alerting:
>
> Rule: 553 (level 7) -> 'File deleted. Unable to retrieve checksum.'
> File '/etc/hosts' was deleted. Unable to retrieve checksum.
>
>
> How can I recreate the database?
>
> Regards and sorry if I ask the obvious questions here.
>
> Michiel
>

-- 

--- 
You received this message because you are subscribed to the Google Groups 
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to ossec-list+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/groups/opt_out.


[ossec-list] Question about Realtime monitoring on agents

2013-09-27 Thread Michiel van Es
Hello, I have the following setup :

1 manager - OSSEC 2.7 64 bit tar.gz manager install via script
2 agents - OSSEC 2.7 64 bit Atomic repo install

I have changed the  in /var/ossec/etc/ossec.conf to the following 
on the manager:

  

7200


/etc,/usr/bin,/usr/sbin
/bin,/sbin


/etc/mtab
/etc/mnttab
/etc/hosts.deny
/etc/mail/statistics
/etc/random-seed
/etc/adjtime
/etc/httpd/logs
/etc/utmpx
/etc/wtmpx
/etc/cups/certs
/etc/dumpdates
/etc/svc/volatile


C:\WINDOWS/System32/LogFiles
C:\WINDOWS/Debug
C:\WINDOWS/WindowsUpdate.log
C:\WINDOWS/iis6.log
C:\WINDOWS/system32/wbem/Logs
C:\WINDOWS/system32/wbem/Repository
C:\WINDOWS/Prefetch
C:\WINDOWS/PCHEALTH/HELPCTR/DataColl
C:\WINDOWS/SoftwareDistribution
C:\WINDOWS/Temp
C:\WINDOWS/system32/config
C:\WINDOWS/system32/spool
C:\WINDOWS/system32/CatRoot
  

I want realtime monitoring of the /etc/ directories on the agents.
I tested the active restarts and link with the agents via the agent_control 
-lc

The agents have the following ossec.conf:


  
10.10.138.69
  


Nothing happens when I alter /etc/hosts on 1 of the agents.

When I change the /etc/hosts on the manager it is instant (exactly what I 
want).

I changed the ossec.conf on the agents with the following;


  
10.10.138.69
  

  

7200


/var/ossec/etc,/etc,/usr/bin,/usr/sbin
/bin,/sbin


/etc/mtab
/etc/mnttab
/etc/hosts.deny
/etc/mail/statistics
/etc/random-seed
/etc/adjtime
/etc/httpd/logs
/etc/utmpx
/etc/wtmpx
/etc/cups/certs
/etc/dumpdates
/etc/svc/volatile


C:\WINDOWS/System32/LogFiles
C:\WINDOWS/Debug
C:\WINDOWS/WindowsUpdate.log
C:\WINDOWS/iis6.log
C:\WINDOWS/system32/wbem/Logs
C:\WINDOWS/system32/wbem/Repository
C:\WINDOWS/Prefetch
C:\WINDOWS/PCHEALTH/HELPCTR/DataColl
C:\WINDOWS/SoftwareDistribution
C:\WINDOWS/Temp
C:\WINDOWS/system32/config
C:\WINDOWS/system32/spool
C:\WINDOWS/system32/CatRoot
  



and restarted the ossec service on the agents, let syscheck rebuild 
its database on both agents:
2013/09/27 14:16:33 ossec-syscheckd: INFO: Monitoring directory: '/etc'.
2013/09/27 14:16:33 ossec-syscheckd: INFO: Monitoring directory: '/usr/bin'.
2013/09/27 14:16:33 ossec-syscheckd: INFO: Monitoring directory: 
'/usr/sbin'.
2013/09/27 14:16:33 ossec-syscheckd: INFO: Monitoring directory: '/bin'.
2013/09/27 14:16:33 ossec-syscheckd: INFO: Monitoring directory: '/sbin'.
2013/09/27 14:16:33 ossec-syscheckd: INFO: Directory set for real time 
monitoring: '/var/ossec/etc'.
2013/09/27 14:16:33 ossec-syscheckd: INFO: Directory set for real time 
monitoring: '/etc'.
2013/09/27 14:16:33 ossec-syscheckd: INFO: Directory set for real time 
monitoring: '/usr/bin'.
2013/09/27 14:16:33 ossec-syscheckd: INFO: Directory set for real time 
monitoring: '/usr/sbin'.
2013/09/27 14:18:27 ossec-syscheckd: INFO: Starting syscheck scan 
(forwarding database).
2013/09/27 14:18:27 ossec-syscheckd: INFO: Starting syscheck database 
(pre-scan).
2013/09/27 14:18:27 ossec-syscheckd: INFO: Initializing real time file 
monitoring (not started).
2013/09/27 14:43:12 ossec-syscheckd: INFO: Real time file monitoring 
started.
2013/09/27 14:43:12 ossec-syscheckd: INFO: Finished creating syscheck 
database (pre-scan completed).
2013/09/27 14:43:26 ossec-syscheckd: INFO: Ending syscheck scan (forwarding 
database)

I changed the /etc/hosts file again and added multiple new lines to make sure 
it won't match the MD5 sum.
Still nothing happens on the agents, no alert is triggered (on the 
manager it was instant).

Am I correct that the realtime configuration should be in the ossec.conf on 
the agents?
I have seen one error on 1 of the servers alerting:

Rule: 553 (level 7) -> 'File deleted. Unable to retrieve checksum.'
File '/etc/hosts' was deleted. Unable to retrieve checksum.


How can I recreate the database?

Regards and sorry if I ask the obvious questions here.

Michiel

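One way to confirm, from an agent's own ossec.conf and ossec.log, whether realtime syscheck was actually set up for every directory it was asked to watch; this is an added example for the thread above, not code from the OSSEC project or the poster. The sample config and log excerpt are constructed, and the only OSSEC-specific assumption is the documented `realtime="yes"` attribute on a `<directories>` entry and the ossec-syscheckd INFO lines quoted in the thread.

```python
"""Cross-check an agent's <syscheck> configuration against what
ossec-syscheckd reported at startup.

Added example (not OSSEC project code). Assumes OSSEC 2.7's
<directories realtime="yes" check_all="yes"> syntax and the INFO lines
that ossec-syscheckd writes to ossec.log, as quoted in the thread."""
import re
import xml.etree.ElementTree as ET

# Constructed sample agent config: the thread's block with OSSEC's
# realtime="yes" attribute on the first <directories> entry.
SAMPLE_CONF = """<ossec_config>
  <client>
    <server-ip>10.10.138.69</server-ip>
  </client>
  <syscheck>
    <frequency>7200</frequency>
    <directories realtime="yes" check_all="yes">/var/ossec/etc,/etc,/usr/bin,/usr/sbin</directories>
    <directories check_all="yes">/bin,/sbin</directories>
    <ignore>/etc/mtab</ignore>
    <ignore>/etc/hosts.deny</ignore>
  </syscheck>
</ossec_config>
"""

# Constructed sample ossec.log excerpt shaped like the thread's lines, but
# deliberately missing /usr/sbin and /sbin so the gap detection has work to do.
SAMPLE_LOG = """\
2013/09/27 14:16:33 ossec-syscheckd: INFO: Monitoring directory: '/etc'.
2013/09/27 14:16:33 ossec-syscheckd: INFO: Monitoring directory: '/usr/bin'.
2013/09/27 14:16:33 ossec-syscheckd: INFO: Monitoring directory: '/bin'.
2013/09/27 14:16:33 ossec-syscheckd: INFO: Directory set for real time monitoring: '/var/ossec/etc'.
2013/09/27 14:16:33 ossec-syscheckd: INFO: Directory set for real time monitoring: '/etc'.
2013/09/27 14:16:33 ossec-syscheckd: INFO: Directory set for real time monitoring: '/usr/bin'.
2013/09/27 14:18:27 ossec-syscheckd: INFO: Initializing real time file monitoring (not started).
2013/09/27 14:43:12 ossec-syscheckd: INFO: Real time file monitoring started.
"""

MON_DIR = re.compile(r"ossec-syscheckd: INFO: Monitoring directory: '([^']+)'")
RT_DIR = re.compile(r"ossec-syscheckd: INFO: Directory set for real time monitoring: '([^']+)'")
RT_STARTED = "ossec-syscheckd: INFO: Real time file monitoring started."


def parse_syscheck(conf_text):
    """Map each configured directory to whether realtime="yes" was set on it.

    A real ossec.conf may contain several <ossec_config> roots, so the text
    is wrapped in a synthetic root before parsing."""
    root = ET.fromstring("<root>" + conf_text + "</root>")
    wanted = {}
    for block in root.iter("syscheck"):
        for dirs in block.findall("directories"):
            realtime = (dirs.get("realtime") or "no").strip().lower() == "yes"
            for path in (dirs.text or "").split(","):
                path = path.strip()
                if path:
                    wanted[path] = realtime
    return wanted


def parse_log(log_text):
    """Collect what syscheckd reported: scheduled dirs, realtime dirs, and
    whether the realtime engine actually started."""
    monitored, realtime, started = set(), set(), False
    for line in log_text.splitlines():
        m = MON_DIR.search(line)
        if m:
            monitored.add(m.group(1))
        m = RT_DIR.search(line)
        if m:
            realtime.add(m.group(1))
        if RT_STARTED in line:
            started = True
    return monitored, realtime, started


def audit(conf_text, log_text):
    """Return the gaps between the configuration and the daemon's startup output."""
    wanted = parse_syscheck(conf_text)
    monitored, realtime, started = parse_log(log_text)
    asked_realtime = {d for d, rt in wanted.items() if rt}
    return {
        "realtime_started": started,
        # realtime="yes" in the config but never set up by the daemon
        "missing_realtime": sorted(d for d in asked_realtime if d not in realtime),
        # configured but never picked up at all (neither scheduled nor realtime)
        "not_monitored": sorted(d for d in wanted
                                if d not in monitored and d not in realtime),
        # realtime reported by the daemon for a path the config never asked for
        "unexpected_realtime": sorted(realtime - asked_realtime),
    }


if __name__ == "__main__":
    for key, value in audit(SAMPLE_CONF, SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Run it against the agent's real files by replacing the two constructed samples with the contents of /var/ossec/etc/ossec.conf and /var/ossec/logs/ossec.log; a non-empty `missing_realtime` means the daemon never armed realtime for that path even though the config requested it.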


[ossec-list] Apache MaxClients reached error message discarded

2013-04-22 Thread Michiel van Es
Hello,

We found out that one of our Apache webservers was reporting that it had reached 
the MaxClients setting.
We could not find the message back in our Splunk interface, so I copied/pasted 
the message into /var/ossec/bin/ossec-logtest and found out that it is 
being silenced by the apache_rules.xml rule.
See pastebin: http://pastebin.com/58J8FitT

We are now not seeing this message.

Is there a reason why these kinds of messages (since it is a grouped 
message) are set to level 0 by default?

Is there an easy way to overrule this setting in local_rules.xml to make 
sure these messages are logged?

Thanks for any help.

Michiel





Re: [ossec-list] OSSEC 2.7 and Windows 2008 server: never connected

2013-04-22 Thread Michiel van Es


On Friday 19 April 2013 17:01:53 UTC+2, dan (ddpbsd) wrote the following:
>
> On Fri, Apr 19, 2013 at 10:49 AM, Michiel van Es 
> > 
> wrote: 
> > 
> > 
> > On Friday 19 April 2013 16:47:34 UTC+2, dan (ddpbsd) wrote the 
> > following: 
> >> 
> >> On Thu, Apr 18, 2013 at 7:27 AM, Michiel van Es  
> >> wrote: 
> >> > 
> >> > 
> >> > On Wednesday 17 April 2013 17:53:47 UTC+2, dan (ddpbsd) wrote the 
> >> > following: 
> >> >> Is the file recreated? What is in that file? 
> >> > 
> >> > 
> >> > yes it is recreated with the following contents: 
> >> > 
> >> > server001 
> >> > - 
> >> > 1371 
> >> > (null) 
> >> > 
> >> > The ID and servername matches 
> >> 
> >> What are the permissions for this file? This is where the problem is. 
> >> You'll have to find out why this file isn't getting populated. 
> > 
> > 
> > Well, it's even more bizarre after some tests: most of the Windows 
> > machines are doing fine except for this one specific server/agent. 
> > All other 2003/2008 servers are doing fine and are connected. 
> > So we suspect something with this server that is blocking it or that 
> > breaks it. 
> > 
>
> How many agents do you have connecting to this OSSEC server? 
>

approx 400-500 agents (we changed the agent limit from 256 to something 
higher)
 

>
> I'm guessing that tracing the appropriate server process might be one 
> of the easier ways to find the answer. 
>

We will do that.
Thanks for the help.
 

>
> > Michiel 
> > 
>





Re: [ossec-list] OSSEC 2.7 and Windows 2008 server: never connected

2013-04-19 Thread Michiel van Es


On Friday 19 April 2013 16:47:34 UTC+2, dan (ddpbsd) wrote the following:
>
> On Thu, Apr 18, 2013 at 7:27 AM, Michiel van Es 
> > 
> wrote: 
> > 
> > 
> > On Wednesday 17 April 2013 17:53:47 UTC+2, dan (ddpbsd) wrote the 
> > following: 
> >> Is the file recreated? What is in that file? 
> > 
> > 
> > yes it is recreated with the following contents: 
> > 
> > server001 
> > - 
> > 1371 
> > (null) 
> > 
> > The ID and servername matches 
>
> What are the permissions for this file? This is where the problem is. 
> You'll have to find out why this file isn't getting populated. 
>

Well, it's even more bizarre after some tests: most of the Windows machines 
are doing fine except for this one specific server/agent.
All other 2003/2008 servers are doing fine and are connected.
So we suspect something with this server that is blocking it or that breaks 
it.

Michiel 





Re: [ossec-list] OSSEC 2.7 and Windows 2008 server: never connected

2013-04-19 Thread Michiel van Es


On Thursday 18 April 2013 15:59:42 UTC+2, Michiel van Es wrote the 
following:
>
>
>
> On Thursday 18 April 2013 14:45:58 UTC+2, Dmitry wrote the following:
>>
>> Try the following on the ossec server:
>> agent_control -r -u 
>> agent_control -i 
>>
>> I had 2 Windows XP hosts that were in Never connected state after I 
>> changed the agent keys on them.
>> I tcpdumped the communication between server and agent and saw that the agent 
>> sent packets and the server replied all night, but the server kept reporting 
>> Never connected.
>> In my case, only after applying these commands did the server start to see 
>> the agents.
>>
> Hi Dmitry,
>
> That does not seem to help:
>
> ID: 1371, Name: server001, IP: any, Never connected
>
> [root@secsever01 ~]# /var/ossec/bin/agent_control -r -u 1371
>
> OSSEC HIDS agent_control: Restarting Syscheck/Rootcheck on agent: 1371
> [root@secserver01 ~]# /var/ossec/bin/agent_control -i 1371
>
> OSSEC HIDS agent_control. Agent information:
>Agent ID:   1371
>Agent Name: server001
>IP address: any/any
>Status: Never connected
>
>Operating system:Unknown
>Client version:  Unknown
>Last keep alive: Unknown
>
>Syscheck last started  at: Wed Apr 17 17:46:04 2013
>Rootcheck last started at: Thu Apr 18 13:50:45 2013
>
> 2013/04/17 15:03:13 ossec-remoted: INFO: No previous counter available for 
> 'server001'.
> 2013/04/17 15:03:13 ossec-remoted: INFO: Assigning counter for agent 
> server001: '0:0'.
> 2013/04/17 15:03:13 ossec-remoted: INFO: Assigning sender counter: 16:6754
> 2013/04/17 18:16:46 ossec-remoted: INFO: Event count after '2': 
> 1754474->1604504 (91%)
> 2013/04/18 02:46:40 ossec-remoted: INFO: Event count after '2': 
> 1328538->1445448 (108%)
> 2013/04/18 04:04:44 ossec-rootcheck: INFO: Starting rootcheck scan.
> 2013/04/18 04:11:55 ossec-rootcheck: INFO: Ending rootcheck scan.
> 2013/04/18 07:56:55 ossec-syscheckd: INFO: Starting syscheck scan.
> 2013/04/18 08:03:39 ossec-syscheckd: INFO: Ending syscheck scan.
> 2013/04/18 11:18:55 ossec-remoted: INFO: Event count after '20000': 
> 1324382->1442808 (108%)
>
> Still never connected state.
>  
>
>>
>>
>>
>>
>> 2013/4/18 Michiel van Es 
>>
>>>
>>>
>>> On Wednesday 17 April 2013 17:53:47 UTC+2, dan (ddpbsd) wrote the 
>>> following:
>>>>
>>>> On Wed, Apr 17, 2013 at 11:46 AM, Michiel van Es  
>>>> wrote: 
>>>> > 
>>>> > 
>>>> > On Wednesday 17 April 2013 17:08:48 UTC+2, dan (ddpbsd) wrote the 
>>>> > following: 
>>>> >> 
>>>> >> On Wed, Apr 17, 2013 at 10:39 AM, Michiel van Es <
>>>> vanesm...@gmail.com> 
>>>> >> wrote: 
>>>> >> > 
>>>> >> > 
>>>> >> > On Wednesday 17 April 2013 15:44:03 UTC+2, Michiel van Es wrote 
>>>> >> > the following: 
>>>> >> >> 
>>>> >> >> 
>>>> >> >> 
>>>> >> >> On Wednesday 17 April 2013 15:19:38 UTC+2, dan (ddpbsd) wrote the 
>>>> >> >> following: 
>>>> >> >>> 
>>>> >> >>> On Wed, Apr 17, 2013 at 6:27 AM, Michiel van Es <
>>>> vanesm...@gmail.com> 
>>>> >> >>> wrote: 
>>>> >> >>> > Hello, 
>>>> >> >>> > 
>>>> >> >>> > We have installed OSSEC 2.7 on a CentOS machine which is 
>>>> working 
>>>> >> >>> > fine 
>>>> >> >>> > with 
>>>> >> >>> > several Windows and Linux agents. 
>>>> >> >>> > We are trying to install the OSSEC 2.7 agent package on a 
>>>> Windows 
>>>> >> >>> > 2008 
>>>> >> >>> > server which goes well but at end, after the manual agent 
>>>> config (ip 
>>>> >> >>> > and 
>>>> >> >>> > secret) and restarting of the service, we still see that the 
>>>> agent 
>>>> >> >>> > is 
>>>> >> >>> > never 
>>>> >> >>> > connected: 
>>>> >> >>> > 
>>>> >> >>> > On the OSSEC server: 
>>>> >

Re: [ossec-list] OSSEC 2.7 and Windows 2008 server: never connected

2013-04-18 Thread Michiel van Es


On Thursday 18 April 2013 14:45:58 UTC+2, Dmitry wrote the following:
>
> Try the following on the ossec server:
> agent_control -r -u 
> agent_control -i 
>
> I had 2 Windows XP hosts that were in Never connected state after I changed 
> the agent keys on them.
> I tcpdumped the communication between server and agent and saw that the agent 
> sent packets and the server replied all night, but the server kept reporting 
> Never connected.
> In my case, only after applying these commands did the server start to see the agents.
>
Hi Dmitry,

That does not seem to help:

ID: 1371, Name: server001, IP: any, Never connected

[root@secsever01 ~]# /var/ossec/bin/agent_control -r -u 1371

OSSEC HIDS agent_control: Restarting Syscheck/Rootcheck on agent: 1371
[root@secserver01 ~]# /var/ossec/bin/agent_control -i 1371

OSSEC HIDS agent_control. Agent information:
   Agent ID:   1371
   Agent Name: server001
   IP address: any/any
   Status: Never connected

   Operating system:Unknown
   Client version:  Unknown
   Last keep alive: Unknown

   Syscheck last started  at: Wed Apr 17 17:46:04 2013
   Rootcheck last started at: Thu Apr 18 13:50:45 2013

2013/04/17 15:03:13 ossec-remoted: INFO: No previous counter available for 
'server001'.
2013/04/17 15:03:13 ossec-remoted: INFO: Assigning counter for agent 
server001: '0:0'.
2013/04/17 15:03:13 ossec-remoted: INFO: Assigning sender counter: 16:6754
2013/04/17 18:16:46 ossec-remoted: INFO: Event count after '2': 
1754474->1604504 (91%)
2013/04/18 02:46:40 ossec-remoted: INFO: Event count after '2': 
1328538->1445448 (108%)
2013/04/18 04:04:44 ossec-rootcheck: INFO: Starting rootcheck scan.
2013/04/18 04:11:55 ossec-rootcheck: INFO: Ending rootcheck scan.
2013/04/18 07:56:55 ossec-syscheckd: INFO: Starting syscheck scan.
2013/04/18 08:03:39 ossec-syscheckd: INFO: Ending syscheck scan.
2013/04/18 11:18:55 ossec-remoted: INFO: Event count after '20000': 
1324382->1442808 (108%)

Still never connected state.
 

>
>
>
>
> 2013/4/18 Michiel van Es >
>
>>
>>
>> On Wednesday 17 April 2013 17:53:47 UTC+2, dan (ddpbsd) wrote the 
>> following:
>>>
>>> On Wed, Apr 17, 2013 at 11:46 AM, Michiel van Es  
>>> wrote: 
>>> > 
>>> > 
>>> > On Wednesday 17 April 2013 17:08:48 UTC+2, dan (ddpbsd) wrote the 
>>> > following: 
>>> >> 
>>> >> On Wed, Apr 17, 2013 at 10:39 AM, Michiel van Es  
>>>
>>> >> wrote: 
>>> >> > 
>>> >> > 
>>> >> > On Wednesday 17 April 2013 15:44:03 UTC+2, Michiel van Es wrote the 
>>> >> > following: 
>>> >> >> 
>>> >> >> 
>>> >> >> 
>>> >> >> On Wednesday 17 April 2013 15:19:38 UTC+2, dan (ddpbsd) wrote the 
>>> >> >> following: 
>>> >> >>> 
>>> >> >>> On Wed, Apr 17, 2013 at 6:27 AM, Michiel van Es <
>>> vanesm...@gmail.com> 
>>> >> >>> wrote: 
>>> >> >>> > Hello, 
>>> >> >>> > 
>>> >> >>> > We have installed OSSEC 2.7 on a CentOS machine which is 
>>> working 
>>> >> >>> > fine 
>>> >> >>> > with 
>>> >> >>> > several Windows and Linux agents. 
>>> >> >>> > We are trying to install the OSSEC 2.7 agent package on a 
>>> Windows 
>>> >> >>> > 2008 
>>> >> >>> > server which goes well but at end, after the manual agent 
>>> config (ip 
>>> >> >>> > and 
>>> >> >>> > secret) and restarting of the service, we still see that the 
>>> agent 
>>> >> >>> > is 
>>> >> >>> > never 
>>> >> >>> > connected: 
>>> >> >>> > 
>>> >> >>> > On the OSSEC server: 
>>> >> >>> > 
>>> >> >>> > ID: 1368, Name: server001, IP: x.x.x.x, Never connected 
>>> >> >>> > 
>>> >> >>> 
>>> >> >>> Is there any useful information in the ossec server's ossec.log 
>>> (if I 
>>> >> >>> missed it I'm sorry)? 
>>> >> >>> If you start the ossec processes on the server in debug mode, do 
>>> you 
>>> >> >>> receive log messages then? 
>>> >> >>> Is the syscheck d

Re: [ossec-list] OSSEC 2.7 and Windows 2008 server: never connected

2013-04-18 Thread Michiel van Es


On Wednesday 17 April 2013 17:53:47 UTC+2, dan (ddpbsd) wrote the following:
>
> On Wed, Apr 17, 2013 at 11:46 AM, Michiel van Es 
> > 
> wrote: 
> > 
> > 
> > On Wednesday 17 April 2013 17:08:48 UTC+2, dan (ddpbsd) wrote the 
> > following: 
> >> 
> >> On Wed, Apr 17, 2013 at 10:39 AM, Michiel van Es  
> >> wrote: 
> >> > 
> >> > 
> >> > On Wednesday 17 April 2013 15:44:03 UTC+2, Michiel van Es wrote the 
> >> > following: 
> >> >> 
> >> >> 
> >> >> 
> >> >> On Wednesday 17 April 2013 15:19:38 UTC+2, dan (ddpbsd) wrote the 
> >> >> following: 
> >> >>> 
> >> >>> On Wed, Apr 17, 2013 at 6:27 AM, Michiel van Es <
> vanesm...@gmail.com> 
> >> >>> wrote: 
> >> >>> > Hello, 
> >> >>> > 
> >> >>> > We have installed OSSEC 2.7 on a CentOS machine which is working 
> >> >>> > fine 
> >> >>> > with 
> >> >>> > several Windows and Linux agents. 
> >> >>> > We are trying to install the OSSEC 2.7 agent package on a Windows 
> >> >>> > 2008 
> >> >>> > server which goes well but at end, after the manual agent config 
> (ip 
> >> >>> > and 
> >> >>> > secret) and restarting of the service, we still see that the 
> agent 
> >> >>> > is 
> >> >>> > never 
> >> >>> > connected: 
> >> >>> > 
> >> >>> > On the OSSEC server: 
> >> >>> > 
> >> >>> > ID: 1368, Name: server001, IP: x.x.x.x, Never connected 
> >> >>> > 
> >> >>> 
> >> >>> Is there any useful information in the ossec server's ossec.log (if 
> I 
> >> >>> missed it I'm sorry)? 
> >> >>> If you start the ossec processes on the server in debug mode, do 
> you 
> >> >>> receive log messages then? 
> >> >>> Is the syscheck db for the agent populated 
> >> >>> (/var/ossec/queue/syscheck/STUFF)? 
> >> >>> Any alerts based on log messages from the agent? 
> >> >> 
> >> >> 
> >> >> We see nothing in the server's ossec.log (we do see the ossec-authd 
> >> >> connection). 
> >> 
> >> The agent shouldn't be making multiple authd connections... 
> >> 
> >> >> We see UDP traffic on the server between server <==> agent 
> >> >> We don't have this issue with Windows 2003 and finally 
> >> >> we tried 2.6 and 2.7 and both don't work (are logging on the agent 
> that 
> >> >> everything is working fine but nothing on the server). 
> >> > 
> >> > 
> >> > Extra information with debugging logging on: 
> >> > 
> >> > (too much to paste here:) 
> >> > http://pastebin.com/hEyc9VLA 
> >> > 
> >> 
> >> Any luck on getting the debug info from the server? How about checking 
> >> the syscheck db? Alerts? 
> > 
> > 
> > no entry/file in /var/ossec/queue/syscheck. 
> > I was a little hesitant to turn on debugging on the server since more 
> > than 300 agents are connected. Will do that in a controlled manner. 
> > I am seeing entries in /var/ossec/log/alerts/* so the connection is 
> > working; the only problem is that agent_control -l says it has never 
> > connected. 
> > This makes it difficult for us to see which nodes are down or not. 
> > 
> >> 
> >> 
> >> Does the agent have a file in /var/ossec/queue/agent-info? If so, try 
> >> stopping the ossec processes on the server, moving that file, and 
> >> starting the processes back up. 
> > 
> > 
> > Yes file is existent. 
> > Moved and restarted but agent is still never connected. 
>
> Is the file recreated? What is in that file? 
>

yes it is recreated with the following contents:

server001
-
1371 
(null)
 
The ID and servername matches

>
> >> 
> >> 
> >> Try turning on the log all option on the server, and check for the 
> >> agent's logs in the archive.log file. 
> > 
> > 
> > Before I turn all kinds of logging can we pinpoint it to the 
> agent_control 
> > check? Alerts are coming in and thus network connection and such are 
> working 
> &g

Re: [ossec-list] OSSEC 2.7 and Windows 2008 server: never connected

2013-04-17 Thread Michiel van Es


On Wednesday 17 April 2013 17:08:48 UTC+2, dan (ddpbsd) wrote the following:
>
> On Wed, Apr 17, 2013 at 10:39 AM, Michiel van Es 
> > 
> wrote: 
> > 
> > 
> > On Wednesday 17 April 2013 15:44:03 UTC+2, Michiel van Es wrote the 
> > following: 
> >> 
> >> 
> >> 
> >> On Wednesday 17 April 2013 15:19:38 UTC+2, dan (ddpbsd) wrote the 
> >> following: 
> >>> 
> >>> On Wed, Apr 17, 2013 at 6:27 AM, Michiel van Es  
> >>> wrote: 
> >>> > Hello, 
> >>> > 
> >>> > We have installed OSSEC 2.7 on a CentOS machine which is working 
> fine 
> >>> > with 
> >>> > several Windows and Linux agents. 
> >>> > We are trying to install the OSSEC 2.7 agent package on a Windows 
> 2008 
> >>> > server which goes well but at end, after the manual agent config (ip 
> >>> > and 
> >>> > secret) and restarting of the service, we still see that the agent 
> is 
> >>> > never 
> >>> > connected: 
> >>> > 
> >>> > On the OSSEC server: 
> >>> > 
> >>> > ID: 1368, Name: server001, IP: x.x.x.x, Never connected 
> >>> > 
> >>> 
> >>> Is there any useful information in the ossec server's ossec.log (if I 
> >>> missed it I'm sorry)? 
> >>> If you start the ossec processes on the server in debug mode, do you 
> >>> receive log messages then? 
> >>> Is the syscheck db for the agent populated 
> >>> (/var/ossec/queue/syscheck/STUFF)? 
> >>> Any alerts based on log messages from the agent? 
> >> 
> >> 
> >> We see nothing in the server's ossec.log (we do see the ossec-authd 
> >> connection). 
>
> The agent shouldn't be making multiple authd connections... 
>
> >> We see UDP traffic on the server between server <==> agent 
> >> We don't have this issue with Windows 2003 and finally 
> >> we tried 2.6 and 2.7 and both don't work (are logging on the agent that 
> >> everything is working fine but nothing on the server). 
> > 
> > 
> > Extra information with debugging logging on: 
> > 
> > (too much to paste here:) 
> > http://pastebin.com/hEyc9VLA 
> > 
>
> Any luck on getting the debug info from the server? How about checking 
> the syscheck db? Alerts? 
>

no entry/file in /var/ossec/queue/syscheck.
I was a little hesitant to turn on debugging on the server since more than 
300 agents are connected. Will do that in a controlled manner.
I am seeing entries in /var/ossec/log/alerts/* so the connection is working; 
the only problem is that agent_control -l says it has never connected.
This makes it difficult for us to see which nodes are down or not.
 

>
> Does the agent have a file in /var/ossec/queue/agent-info? If so, try 
> stopping the ossec processes on the server, moving that file, and 
> starting the processes back up. 
>

Yes file is existent.
Moved and restarted but agent is still never connected. 

>
> Try turning on the log all option on the server, and check for the 
> agent's logs in the archive.log file. 
>

Before I turn all kinds of logging can we pinpoint it to the agent_control 
check? Alerts are coming in and thus network connection and such are 
working fine.
 

>
> >> 
> >> I will try the debug mode and if the syscheck db is populated. 
> >>> 
> >>> 
> >>> 
> >>> > On the agent in c:\program files(x86)\ossec-agent\ossec.log we see: 
> >>> > 
> >>> > 2013/04/17 11:17:16 ossec-agent(4102): INFO: Connected to the server 
> >>> > (*server ip*:1514). 
> >>> > 
> >>> > 2013/04/17 11:17:16 ossec-agent: INFO: System is Vista or Windows 
> >>> > Server 
> >>> > 2008. 
> >>> > 
> >>> > 2013/04/17 11:17:16 ossec-agent(1951): INFO: Analyzing event log: 
> >>> > 'Application'. 
> >>> > 
> >>> > 2013/04/17 11:17:16 ossec-agent(1951): INFO: Analyzing event log: 
> >>> > 'Security'. 
> >>> > 
> >>> > 2013/04/17 11:17:17 ossec-agent(1951): INFO: Analyzing event log: 
> >>> > 'System'. 
> >>> > 
> >>> > 2013/04/17 11:17:17 ossec-agent: INFO: Started (pid: 6984). 
> >>> > 
> >>> > 2013/04/17 11:18:15 ossec-agent: INFO: Starting syscheck scan 
> >>> > (forwarding 
> >>

Re: [ossec-list] OSSEC 2.7 and Windows 2008 server: never connected

2013-04-17 Thread Michiel van Es


On Wednesday 17 April 2013 15:44:03 UTC+2, Michiel van Es wrote the 
following:
>
>
>
> On Wednesday 17 April 2013 15:19:38 UTC+2, dan (ddpbsd) wrote the following:
>>
>> On Wed, Apr 17, 2013 at 6:27 AM, Michiel van Es  
>> wrote: 
>> > Hello, 
>> > 
>> > We have installed OSSEC 2.7 on a CentOS machine which is working fine 
>> with 
>> > several Windows and Linux agents. 
>> > We are trying to install the OSSEC 2.7 agent package on a Windows 2008 
>> > server which goes well but at end, after the manual agent config (ip 
>> and 
>> > secret) and restarting of the service, we still see that the agent is 
>> never 
>> > connected: 
>> > 
>> > On the OSSEC server: 
>> > 
>> > ID: 1368, Name: server001, IP: x.x.x.x, Never connected 
>> > 
>>
>> Is there any useful information in the ossec server's ossec.log (if I 
>> missed it I'm sorry)? 
>> If you start the ossec processes on the server in debug mode, do you 
>> receive log messages then? 
>> Is the syscheck db for the agent populated 
>> (/var/ossec/queue/syscheck/STUFF)? 
>> Any alerts based on log messages from the agent? 
>>
>
> We see nothing in the server's ossec.log (we do see the ossec-authd 
> connection).
> We see UDP traffic on the server between server <==> agent
> We don't have this issue with Windows 2003 and finally
> we tried 2.6 and 2.7 and both don't work (are logging on the agent that 
> everything is working fine but nothing on the server).
>

Extra information with debugging logging on:

(too much to paste here:)
http://pastebin.com/hEyc9VLA 


> I will try the debug mode and if the syscheck db is populated. 
>
>>
>>
>> > On the agent in c:\program files(x86)\ossec-agent\ossec.log we see: 
>> > 
>> > 2013/04/17 11:17:16 ossec-agent(4102): INFO: Connected to the server 
>> > (*server ip*:1514). 
>> > 
>> > 2013/04/17 11:17:16 ossec-agent: INFO: System is Vista or Windows 
>> Server 
>> > 2008. 
>> > 
>> > 2013/04/17 11:17:16 ossec-agent(1951): INFO: Analyzing event log: 
>> > 'Application'. 
>> > 
>> > 2013/04/17 11:17:16 ossec-agent(1951): INFO: Analyzing event log: 
>> > 'Security'. 
>> > 
>> > 2013/04/17 11:17:17 ossec-agent(1951): INFO: Analyzing event log: 
>> 'System'. 
>> > 
>> > 2013/04/17 11:17:17 ossec-agent: INFO: Started (pid: 6984). 
>> > 
>> > 2013/04/17 11:18:15 ossec-agent: INFO: Starting syscheck scan 
>> (forwarding 
>> > database). 
>> > 
>> > 2013/04/17 11:18:15 ossec-agent: INFO: Starting syscheck database 
>> > (pre-scan). 
>> > 
>> > This is strange, we checked the connection (connection can be made to 
>> server 
>> > udp 1514) but we don't see anything in the servers logfile in 
>> > /var/ossec/log/ossec.log 
>> > 
>> > Is there anything we can do to further investigate? 
>> > Service seems to be running fine and the OSSEC agent logfile shows that 
>> > nothing is broken but the server never sees the successful connection. 
>> > 
>> > Michiel 
>> > 
>> > -- 
>> > 
>> > --- 
>> > You received this message because you are subscribed to the Google 
>> Groups 
>> > "ossec-list" group. 
>> > To unsubscribe from this group and stop receiving emails from it, send 
>> an 
>> > email to ossec-list+...@googlegroups.com. 
>> > For more options, visit https://groups.google.com/groups/opt_out. 
>> > 
>> > 
>>
>

-- 

--- 
You received this message because you are subscribed to the Google Groups 
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to ossec-list+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/groups/opt_out.




Re: [ossec-list] OSSEC 2.7 and Windows 2008 server: never connected

2013-04-17 Thread Michiel van Es


Op woensdag 17 april 2013 15:19:38 UTC+2 schreef dan (ddpbsd) het volgende:
>
> On Wed, Apr 17, 2013 at 6:27 AM, Michiel van Es 
> > 
> wrote: 
> > Hello, 
> > 
> > We have installed OSSEC 2.7 on a CentOS machine which is working fine 
> with 
> > several Windows and Linux agents. 
> > We are trying to install the OSSEC 2.7 agent package on a Windows 2008 
> > server which goes well but at end, after the manual agent config (ip and 
> > secret) and restarting of the service, we still see that the agent is 
> never 
> > connected: 
> > 
> > On the OSSEC server: 
> > 
> > ID: 1368, Name: server001, IP: x.x.x.x, Never connected 
> > 
>
> Is there any useful information in the ossec server's ossec.log (if I 
> missed it I'm sorry)? 
> If you start the ossec processes on the server in debug mode, do you 
> receive log messages then? 
> Is the syscheck db for the agent populated 
> (/var/ossec/queue/syscheck/STUFF)? 
> Any alerts based on log messages from the agent? 
>

We see nothing in the server's ossec.log (we do see the ossec-authd 
connection).
We see UDP traffic on the server between server <==> agent
We don't have this issue with Windows 2003 and finally
we tried 2.6 and 2.7 and both don't work (they log on the agent that 
everything is working fine but nothing on the server).

I will try the debug mode and if the syscheck db is populated. 

>
>
> > On the agent in c:\program files(x86)\ossec-agent\ossec.log we see: 
> > 
> > 2013/04/17 11:17:16 ossec-agent(4102): INFO: Connected to the server 
> > (*server ip*:1514). 
> > 
> > 2013/04/17 11:17:16 ossec-agent: INFO: System is Vista or Windows Server 
> > 2008. 
> > 
> > 2013/04/17 11:17:16 ossec-agent(1951): INFO: Analyzing event log: 
> > 'Application'. 
> > 
> > 2013/04/17 11:17:16 ossec-agent(1951): INFO: Analyzing event log: 
> > 'Security'. 
> > 
> > 2013/04/17 11:17:17 ossec-agent(1951): INFO: Analyzing event log: 
> 'System'. 
> > 
> > 2013/04/17 11:17:17 ossec-agent: INFO: Started (pid: 6984). 
> > 
> > 2013/04/17 11:18:15 ossec-agent: INFO: Starting syscheck scan 
> (forwarding 
> > database). 
> > 
> > 2013/04/17 11:18:15 ossec-agent: INFO: Starting syscheck database 
> > (pre-scan). 
> > 
> > This is strange, we checked the connection (connection can be made to 
> server 
> > udp 1514) but we don't see anything in the servers logfile in 
> > /var/ossec/log/ossec.log 
> > 
> > Is there anything we can do to further investigate? 
> > Service seems to be running fine and the OSSEC agent logfile shows that 
> > nothing is broken but the server never sees the successful connection. 
> > 
> > Michiel 
> > 
>





Re: [ossec-list] OSSEC 2.7 and Windows 2008 server: never connected

2013-04-17 Thread Michiel van Es
I will test that but besides the fact if it is really connecting or not, 
why would the agent report that it is connected to the server then?

Op woensdag 17 april 2013 12:50:47 UTC+2 schreef Nathaniel Bentzinger het 
volgende:
>
>  From the server have you verified that the windows agent is actually 
> connecting to the server via tcpdump? Tcpdump –i eth0 ‘host  and 
> udp’
>
>  
>
> You can also verify the same thing from the windows agent using wireshark 
> using ‘ip.addr == ’
>
>  
>
> If you don’t see anything check to see what firewall is blocking the udp 
> port 1514.
>
>  
>
> *From:* ossec...@googlegroups.com  [mailto:
> ossec...@googlegroups.com ] *On Behalf Of *Michiel van Es
> *Sent:* Wednesday, April 17, 2013 6:28 AM
> *To:* ossec...@googlegroups.com 
> *Subject:* [ossec-list] OSSEC 2.7 and Windows 2008 server: never connected
>
>  
>
> Hello,
>
> We have installed OSSEC 2.7 on a CentOS machine which is working fine with 
> several Windows and Linux agents.
> We are trying to install the OSSEC 2.7 agent package on a Windows 2008 
> server which goes well but at end, after the manual agent config (ip and 
> secret) and restarting of the service, we still see that the agent is never 
> connected:
>
> *On the OSSEC server:*
>
> ID: 1368, Name: server001, IP: x.x.x.x, *Never connected*
>
> *On the agent *in c:\program files(x86)\ossec-agent\ossec.log we see:
>
> 2013/04/17 11:17:16 ossec-agent(4102): INFO: *Connected to the server 
> (*server ip*:1514)*.
>
> 2013/04/17 11:17:16 ossec-agent: INFO: System is Vista or Windows Server 
> 2008.
>
> 2013/04/17 11:17:16 ossec-agent(1951): INFO: Analyzing event log: 
> 'Application'.
>
> 2013/04/17 11:17:16 ossec-agent(1951): INFO: Analyzing event log: 
> 'Security'.
>
> 2013/04/17 11:17:17 ossec-agent(1951): INFO: Analyzing event log: 'System'.
>
> 2013/04/17 11:17:17 ossec-agent: INFO: Started (pid: 6984).
>
> 2013/04/17 11:18:15 ossec-agent: INFO: Starting syscheck scan (forwarding 
> database).
>
> 2013/04/17 11:18:15 ossec-agent: INFO: Starting syscheck database 
> (pre-scan).
>
> This is strange, we checked the connection (connection can be made to 
> server udp 1514) but we don't see anything in the servers logfile in 
> /var/ossec/log/ossec.log
>
> Is there anything we can do to further investigate?
> Service seems to be running fine and the OSSEC agent logfile shows that 
> nothing is broken but the server never sees the successful connection.
>
> Michiel





[ossec-list] OSSEC 2.7 and Windows 2008 server: never connected

2013-04-17 Thread Michiel van Es
Hello,

We have installed OSSEC 2.7 on a CentOS machine which is working fine with 
several Windows and Linux agents.
We are trying to install the OSSEC 2.7 agent package on a Windows 2008 
server which goes well but at end, after the manual agent config (ip and 
secret) and restarting of the service, we still see that the agent is never 
connected:

*On the OSSEC server:*

ID: 1368, Name: server001, IP: x.x.x.x, *Never connected*

*On the agent *in c:\program files(x86)\ossec-agent\ossec.log we see:

2013/04/17 11:17:16 ossec-agent(4102): INFO: *Connected to the server 
(*server ip*:1514)*.

2013/04/17 11:17:16 ossec-agent: INFO: System is Vista or Windows Server 
2008.

2013/04/17 11:17:16 ossec-agent(1951): INFO: Analyzing event log: 
'Application'.

2013/04/17 11:17:16 ossec-agent(1951): INFO: Analyzing event log: 
'Security'.

2013/04/17 11:17:17 ossec-agent(1951): INFO: Analyzing event log: 'System'.

2013/04/17 11:17:17 ossec-agent: INFO: Started (pid: 6984).

2013/04/17 11:18:15 ossec-agent: INFO: Starting syscheck scan (forwarding 
database).

2013/04/17 11:18:15 ossec-agent: INFO: Starting syscheck database 
(pre-scan).

This is strange, we checked the connection (connection can be made to 
server udp 1514) but we don't see anything in the servers logfile in 
/var/ossec/log/ossec.log

Is there anything we can do to further investigate?
Service seems to be running fine and the OSSEC agent logfile shows that 
nothing is broken but the server never sees the successful connection.

Michiel





Re: [ossec-list] disable netstat check OSSEC 2.6

2013-02-27 Thread Michiel van Es
Hi Dan,

I am sorry, we tracked it down to a local issue.
I meant this 
issue; 
https://www.google.nl/search?q=ossec+netstat+high+load&aq=f&oq=ossec+netstat&aqs=chrome.0.59j57j60l2j62l2.1843&sourceid=chrome&ie=UTF-8

Seemed to be a common issue in the past where people were advised to 
disable this check.

Michiel

Op woensdag 27 februari 2013 15:14:11 UTC+1 schreef dan (ddpbsd) het 
volgende:
>
> On Wed, Feb 27, 2013 at 9:02 AM, Michiel van Es 
> > 
> wrote: 
> > Hello, 
> > 
> > I've read a lot of threads about 'the netstat issue' and OSSEC's rootkit 
> > check. 
> > How can I disable the netstat check on a running 2.6 server (RHEL 6, 
> install 
> > from source) without recompiling? 
> > Or do I have to disable rootkit checks completely? 
> > 
> > Is this issue fixed in 2.7? 
> > 
>
> What 'the netstat issue' are you talking about? 
>
> > Kind regards, 
> > 
> > Michiel 
> > 
>





[ossec-list] disable netstat check OSSEC 2.6

2013-02-27 Thread Michiel van Es
Hello,

I've read a lot of threads about 'the netstat issue' and OSSEC's rootkit 
check.
How can I disable the netstat check on a running 2.6 server (RHEL 6, 
install from source) without recompiling?
Or do I have to disable rootkit checks completely?

Is this issue fixed in 2.7?

Kind regards,

Michiel





Re: [ossec-list] active response not working for frequency and SSH

2013-01-14 Thread Michiel van Es
2013/1/14 dan (ddp) 

> On Mon, Jan 14, 2013 at 10:28 AM, dan (ddp)  wrote:
> > On Mon, Jan 14, 2013 at 10:23 AM, Michiel van Es 
> wrote:
> >>
> >>
> >> Op maandag 14 januari 2013 15:36:05 UTC+1 schreef dan (ddpbsd) het
> volgende:
> >>>
> >>> On Mon, Jan 14, 2013 at 8:51 AM, Michiel van Es 
> >>> wrote:
> >>> > Hello,
> >>> >
> >>> > We want to firewall-drop failed logins with SSH after 3 failed
> >>> > passwords.
> >>> > We have the following config in /var/ossec/etc/ossec.conf (OSSEC 2.6)
> >>> > for
> >>> > the commands and active responses:
> >>> >
> >>> >
> >>> >   
> >>> > host-deny
> >>> > host-deny.sh
> >>> > srcip
> >>> > yes
> >>> >   
> >>> >
> >>> >   
> >>> > firewall-drop
> >>> > firewall-drop.sh
> >>> > srcip
> >>> > yes
> >>> >   
> >>> >
> >>> >   
> >>> > disable-account
> >>> > disable-account.sh
> >>> > user
> >>> > yes
> >>> >   
> >>> >
> >>> >   
> >>> > restart-ossec
> >>> > restart-ossec.sh
> >>> > 
> >>> >   
> >>> >
> >>> >   
> >>> > restart-ossec
> >>> > local
> >>> > 510010
> >>> >   
> >>> >
> >>> >   
> >>> > no
> >>> > host-deny
> >>> > local
> >>> > 2502,5720
> >>> > 1800
> >>> >   
> >>> >
> >>> >   
> >>> > no
> >>> > firewall-drop
> >>> > local
> >>> > 2502,5720
> >>> > 1800
> >>> >   
> >>> >
> >>> > 5720 is using 5716 in sshd_rules.xml for multiple failed logins
> >>> > (frequency
> >>> > is 6).
> >>> > I restarted the ossec-hids on the manager and tried logging in with a
> >>> > known
> >>> > and unknown account and with both scenarios the srcip is not being
> >>> > blocked
> >>> > after 6 times within 30 seconds.
> >>> >
> >>> > Am I missing something?
> >>>
> >>> >>frequency=6 means 8 attempts.
> >>>
> >> Even after 100 tries it still does not do anything with only 5720.
> >> The 5716 rule is working correctly and blocking after 1 failed attempt,
> the
> >> frequency set for 5720 does nothing.
> >> Does anyone have a sample SSH active response config for ossec 2.6
> which I
> >> can test and try?
> >>
> >> Michiel
> >
> > Can you give a log sample that should be triggering 5720?
>
> Never mind, I found one.
>
> Are you sure 5720 is being triggered?
> Is AR enabled on the agent?
> Have you tried it on a system other than the OSSEC server?
>

Here is some more information: it seems that it works after 6 tries on some
accounts/machines, but on another machine it does nothing; I can test with
testuser2 an unlimited number of times (testuser2 is an account that does exist
on the server).
Also, /etc/init.d/ossec-hids shows that ossec is running on the agent:

sshd_rules.xml:
  
5716

Multiple SSHD authentication failures.
authentication_failures,
  

/var/ossec/alerts/alert.log:

** Alert 1358177805.5539998: mail  - syslog,sshd,authentication_failures,
2013 Jan 14 16:36:45 (host) any->/var/log/secure
Rule: 5720 (level 10) -> 'Multiple SSHD authentication failures.'
Src IP: 4.4.4.4
User: testuser
Jan 14 16:36:44 host sshd[28376]: Failed password for testuser from 4.4.4.4
port 39978 ssh2
Jan 14 16:36:37 host sshd[28371]: Failed password for testuser from 4.4.4.4
port 39977 ssh2
Jan 14 16:36:34 host sshd[28371]: Failed password for testuser from 4.4.4.4
port 39977 ssh2
Jan 14 16:36:31 host sshd[28371]: Failed password for testuser from 4.4.4.4
port 39977 ssh2

** Alert 1358177807.5540637: - syslog,sshd,authentication_failed,
2013 Jan 14 16:36:47 (host) any->/var/log/secure
Rule: 5716 (level 5) -> 'SSHD authentication failed.'
Src IP: 4.4.4.4
User: testuser
Jan 14 16:36:47 host sshd[28376]: Failed password for testuser from 4.4.4.4
port 39978 ssh2

** Alert 1358177807.5540950: - ossec,active_response,

Re: [ossec-list] active response not working for frequency and SSH

2013-01-14 Thread Michiel van Es


Op maandag 14 januari 2013 15:36:05 UTC+1 schreef dan (ddpbsd) het volgende:
>
> On Mon, Jan 14, 2013 at 8:51 AM, Michiel van Es 
> > 
> wrote: 
> > Hello, 
> > 
> > We want to firewall-drop failed logins with SSH after 3 failed 
> passwords. 
> > We have the following config in /var/ossec/etc/ossec.conf (OSSEC 2.6) 
> for 
> > the commands and active responses: 
> > 
> > 
> >
> > host-deny 
> > host-deny.sh 
> > srcip 
> > yes 
> >
> > 
> >
> > firewall-drop 
> > firewall-drop.sh 
> > srcip 
> > yes 
> >
> > 
> >
> > disable-account 
> > disable-account.sh 
> > user 
> > yes 
> >
> > 
> >
> > restart-ossec 
> > restart-ossec.sh 
> >  
> >
> > 
> >
> > restart-ossec 
> > local 
> > 510010 
> >
> > 
> >
> > no 
> > host-deny 
> > local 
> > 2502,5720 
> > 1800 
> >
> > 
> >
> > no 
> > firewall-drop 
> > local 
> > 2502,5720 
> > 1800 
> >
> > 
> > 5720 is using 5716 in sshd_rules.xml for multiple failed logins 
> (frequency 
> > is 6). 
> > I restarted the ossec-hids on the manager and tried logging in with a 
> known 
> > and unknown account and with both scenarios the srcip is not being 
> blocked 
> > after 6 times within 30 seconds. 
> > 
> > Am I missing something? 
>
> >>frequency=6 means 8 attempts. 
>
Even after 100 tries it still does not do anything with only 5720.
The 5716 rule is working correctly and blocking after 1 failed attempt, the 
frequency set for 5720 does nothing.
Does anyone have a sample SSH active response config for ossec 2.6 which I 
can test and try?

Michiel


[ossec-list] active response not working for frequency and SSH

2013-01-14 Thread Michiel van Es
Hello,

We want to firewall-drop failed logins with SSH after 3 failed passwords.
We have the following config in /var/ossec/etc/ossec.conf (OSSEC 2.6) for 
the commands and active responses:


  
host-deny
host-deny.sh
srcip
yes
  

  
firewall-drop
firewall-drop.sh
srcip
yes
  

  
disable-account
disable-account.sh
user
yes
  

  
restart-ossec
restart-ossec.sh

  

  
restart-ossec
local
510010
  

  
no
host-deny
local
2502,5720
1800
  

  
no
firewall-drop
local
2502,5720
1800
  

5720 is using 5716 in sshd_rules.xml for multiple failed logins (frequency 
is 6).
I restarted the ossec-hids on the manager and tried logging in with a known 
and unknown account and with both scenarios the srcip is not being blocked 
after 6 times within 30 seconds.

Am I missing something?
We did see that active response is working with 5716 added to the rules 
list but that means that after one failed login people are being blocked 
(think about typo scenarios).

What am I missing to get active response working for SSH after 6 failed 
logins per 5 minutes?

Michiel
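As an added illustration that is not part of the thread, the block below models how a frequency rule like 5720 (child of 5716, "SSHD authentication failed") fires on repeated failures from one source IP inside a timeframe and which of the two active-response commands from the ossec.conf above would then receive that srcip. The sshd lines, the `+2` correction (dan's "frequency=6 means 8 attempts") and the rules_id/command values come from the thread; the classes and the reset-after-firing behaviour are a simplified re-implementation, not OSSEC's code.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# sshd "Failed password" line as it appears in /var/log/secure (format from the thread).
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<srcip>\S+) port \d+ ssh2$"
)


def parse_failed(line, year=2013):
    """Return {ts, user, srcip} for a failed-password line, None for anything else."""
    m = FAILED_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "user": m["user"], "srcip": m["srcip"]}


class FrequencyRule:
    """Simplified model of <frequency>/<timeframe> grouped by srcip.

    attempts_needed encodes the observation in the thread that frequency=6
    fires on the 8th hit. The window is cleared after firing, so one burst
    yields one alert (a modelling choice, not a statement about OSSEC internals).
    """

    def __init__(self, rule_id, frequency, timeframe, level):
        self.rule_id = rule_id
        self.attempts_needed = frequency + 2
        self.timeframe = timeframe
        self.level = level
        self.window = defaultdict(deque)  # srcip -> timestamps inside the timeframe

    def feed(self, event):
        q = self.window[event["srcip"]]
        q.append(event["ts"])
        while q and (event["ts"] - q[0]).total_seconds() > self.timeframe:
            q.popleft()
        if len(q) >= self.attempts_needed:
            q.clear()
            return {"rule": self.rule_id, "level": self.level, "srcip": event["srcip"]}
        return None


# The two <active-response> blocks from Michiel's ossec.conf, as data.
AR_CONFIG = [
    {"disabled": "no", "command": "host-deny", "location": "local",
     "rules_id": {2502, 5720}, "timeout": 1800},
    {"disabled": "no", "command": "firewall-drop", "location": "local",
     "rules_id": {2502, 5720}, "timeout": 1800},
]


def active_responses(alert, config=AR_CONFIG):
    """Commands whose rules_id list contains the alert's rule (and are not disabled)."""
    return [ar["command"] for ar in config
            if ar["disabled"] == "no" and alert["rule"] in ar["rules_id"]]


def run(lines, frequency=6, timeframe=120):
    """Feed log lines through rule 5720 and pair each alert with its responses."""
    rule = FrequencyRule(5720, frequency, timeframe, level=10)
    fired = []
    for line in lines:
        ev = parse_failed(line)
        if ev is None:
            continue
        alert = rule.feed(ev)
        if alert:
            fired.append((alert, active_responses(alert)))
    return fired


# Constructed sample: 8 failures from 4.4.4.4 three seconds apart, 2 from 10.0.0.5.
SAMPLE = [
    f"Jan 14 16:36:{s:02d} host sshd[2837{i}]: Failed password for testuser "
    f"from 4.4.4.4 port 3997{i} ssh2"
    for i, s in enumerate(range(30, 54, 3))
]
SAMPLE += [
    "Jan 14 16:36:40 host sshd[28390]: Failed password for invalid user admin from 10.0.0.5 port 40001 ssh2",
    "Jan 14 16:36:41 host sshd[28390]: Failed password for invalid user admin from 10.0.0.5 port 40001 ssh2",
]

if __name__ == "__main__":
    for alert, cmds in run(SAMPLE):
        print(f"rule {alert['rule']} level {alert['level']} srcip {alert['srcip']} -> {cmds}")
```

With the default timeframe the 4.4.4.4 burst produces exactly one alert on its 8th line; shrinking the timeframe to 10 seconds lets the window expire and nothing fires.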


Re: [ossec-list] OSSEC windows ; check for Administrator account enabled

2012-11-29 Thread Michiel van Es
Hmm, the code is from 2010 and there are 2 beta versions... it doesn't look 
like there is a lot of progress on the development of this product.
I might try OpenVAS, but it would be great if there was a check; since we do 
check files for Linux with OSSEC, I would imagine you could do something 
similar with OSSEC, as Windows accounts are stored (at least on older versions) 
in the SAM database.

Op dinsdag 27 november 2012 18:20:47 UTC+1 schreef sklauminzer het volgende:
>
> Something like this might be a better tool for your needs: 
> SSA - Security System Analyzer 2.0 
> http://code.google.com/p/ssa/  
>
> You could tie it into OSSEC with the full_command option. 
>
> If all you need to t o determine the Admin account status, then use a 
> PowerShell command in full_command. 
>
> Scott 
>
> On Nov 27, 2012, at 4:02 AM, Michiel van Es 
> > 
> wrote: 
>
> > Hi, 
> > 
> > We want to check for hardening and one of our Windows hardening rules is 
> to rename the Administrator account and create a decoy Administrator 
> account, not part of any group and disabled. 
> > One of the things we want to check is to see if the Administrator 
> account is enabled on Windows machines. 
> > 
> > Is there a check or simple script with which I can establish this on the 
> Windows machines? 
> > 
> > Regards, 
> > 
> > Michiel 
>
>

[ossec-list] OSSEC windows ; check for Administrator account enabled

2012-11-27 Thread Michiel van Es
Hi,

We want to check for hardening and one of our Windows hardening rules is to 
rename the Administrator account and create a decoy Administrator account, 
not part of any group and disabled.
One of the things we want to check is to see if the Administrator account 
is enabled on Windows machines.

Is there a check or simple script with which I can establish this on the 
Windows machines?

Regards,

Michiel


Re: [ossec-list] Re: help with writing decoder rules for clavister firewall

2012-11-20 Thread Michiel van Es
To respond to my own question:

It is fixed! I had to restart ossec-hids on the client/agent and voila: it
works!

Thanks again for all the help!

Michiel

2012/11/20 Michiel van Es 

>
>
> 2012/11/19 dan (ddp) 
>
>> 
>>
>> The decoder is clavister, not clavister-alert.
>>
>> Before changing the decoder name:
>> **Phase 1: Completed pre-decoding.
>>full event: 'Nov 14 12:19:53 10.170.80.3 [2012-11-14 12:20:08]
>> EFW: RULE: prio=6 id=0651 rev=1 event=ruleset_drop_packet
>> action=drop rule=d_all_any_to_external recvif=cpub1003
>> srcip=10.170.83.14 destip=81.83.145.188 ipproto=TCP ipdatalen=20
>> srcport=80 destport=49511 ack=1 fin=1'
>>hostname: '10.170.80.3'
>>program_name: '(null)'
>>log: '[2012-11-14 12:20:08] EFW: RULE: prio=6 id=0651 rev=1
>> event=ruleset_drop_packet action=drop rule=d_all_any_to_external
>> recvif=cpub1003 srcip=10.170.83.14 destip=81.83.145.188 ipproto=TCP
>> ipdatalen=20 srcport=80 destport=49511 ack=1 fin=1'
>>
>> **Phase 2: Completed decoding.
>>decoder: 'clavister'
>>action: 'drop'
>>srcip: '10.170.83.14'
>>dstip: '81.83.145.188'
>>srcport: '80'
>>dstport: '49511'
>>extra_data: 'ack=1 fin=1'
>>
>>
>> After changing the decoder name:
>> **Phase 1: Completed pre-decoding.
>>full event: 'Nov 14 12:19:53 10.170.80.3 [2012-11-14 12:20:08]
>> EFW: RULE: prio=6 id=0651 rev=1 event=ruleset_drop_packet
>> action=drop rule=d_all_any_to_external recvif=cpub1003
>> srcip=10.170.83.14 destip=81.83.145.188 ipproto=TCP ipdatalen=20
>> srcport=80 destport=49511 ack=1 fin=1'
>>hostname: '10.170.80.3'
>>program_name: '(null)'
>>log: '[2012-11-14 12:20:08] EFW: RULE: prio=6 id=0651 rev=1
>> event=ruleset_drop_packet action=drop rule=d_all_any_to_external
>> recvif=cpub1003 srcip=10.170.83.14 destip=81.83.145.188 ipproto=TCP
>> ipdatalen=20 srcport=80 destport=49511 ack=1 fin=1'
>>
>> **Phase 2: Completed decoding.
>>decoder: 'clavister'
>>action: 'drop'
>>srcip: '10.170.83.14'
>>dstip: '81.83.145.188'
>>srcport: '80'
>>dstport: '49511'
>>extra_data: 'ack=1 fin=1'
>>
>> **Phase 3: Completed filtering (rules).
>>Rule id: '76'
>>Level: '12'
>>Description: 'Clavister drop firewall!'
>> **Alert to be generated.
>>
>>
>> 
>>
>
> Ok, thanks, I can see now via logtest that it will alert. I don't see
> anything appearing in the alert.log logfile on the manager.
> Could the syntax of the agent.conf and location be wrong:
>
>  
>  syslog
>  /data/logs/host/fw-10.170.80.*.log
>  
>
>  Notice I use fw-10.170.80.*.log, will the wildcard work?
>  (the firewall logfiles are named fw-10.170.80.2.log, fw-10.170.80.3.log,
> fw-10.170.80.4.log, etc.
>
>  Michiel
>


Re: [ossec-list] Re: help with writing decoder rules for clavister firewall

2012-11-20 Thread Michiel van Es
2012/11/19 dan (ddp) 

> 
>
> The decoder is clavister, not clavister-alert.
>
> Before changing the decoder name:
> **Phase 1: Completed pre-decoding.
>full event: 'Nov 14 12:19:53 10.170.80.3 [2012-11-14 12:20:08]
> EFW: RULE: prio=6 id=0651 rev=1 event=ruleset_drop_packet
> action=drop rule=d_all_any_to_external recvif=cpub1003
> srcip=10.170.83.14 destip=81.83.145.188 ipproto=TCP ipdatalen=20
> srcport=80 destport=49511 ack=1 fin=1'
>hostname: '10.170.80.3'
>program_name: '(null)'
>log: '[2012-11-14 12:20:08] EFW: RULE: prio=6 id=0651 rev=1
> event=ruleset_drop_packet action=drop rule=d_all_any_to_external
> recvif=cpub1003 srcip=10.170.83.14 destip=81.83.145.188 ipproto=TCP
> ipdatalen=20 srcport=80 destport=49511 ack=1 fin=1'
>
> **Phase 2: Completed decoding.
>decoder: 'clavister'
>action: 'drop'
>srcip: '10.170.83.14'
>dstip: '81.83.145.188'
>srcport: '80'
>dstport: '49511'
>extra_data: 'ack=1 fin=1'
>
>
> After changing the decoder name:
> **Phase 1: Completed pre-decoding.
>full event: 'Nov 14 12:19:53 10.170.80.3 [2012-11-14 12:20:08]
> EFW: RULE: prio=6 id=0651 rev=1 event=ruleset_drop_packet
> action=drop rule=d_all_any_to_external recvif=cpub1003
> srcip=10.170.83.14 destip=81.83.145.188 ipproto=TCP ipdatalen=20
> srcport=80 destport=49511 ack=1 fin=1'
>hostname: '10.170.80.3'
>program_name: '(null)'
>log: '[2012-11-14 12:20:08] EFW: RULE: prio=6 id=0651 rev=1
> event=ruleset_drop_packet action=drop rule=d_all_any_to_external
> recvif=cpub1003 srcip=10.170.83.14 destip=81.83.145.188 ipproto=TCP
> ipdatalen=20 srcport=80 destport=49511 ack=1 fin=1'
>
> **Phase 2: Completed decoding.
>decoder: 'clavister'
>action: 'drop'
>srcip: '10.170.83.14'
>dstip: '81.83.145.188'
>srcport: '80'
>dstport: '49511'
>extra_data: 'ack=1 fin=1'
>
> **Phase 3: Completed filtering (rules).
>Rule id: '76'
>Level: '12'
>Description: 'Clavister drop firewall!'
> **Alert to be generated.
>
>
> 
>

Ok, thanks, I can see now via logtest that it will alert. I don't see
anything appearing in the alert.log logfile on the manager.
Could the syntax of the agent.conf and location be wrong:


syslog
/data/logs/host/fw-10.170.80.*.log


Notice I use fw-10.170.80.*.log, will the wildcard work?
(the firewall logfiles are named fw-10.170.80.2.log, fw-10.170.80.3.log,
fw-10.170.80.4.log, etc.)

Michiel


Re: [ossec-list] help with writing decoder rules for clavister firewall

2012-11-15 Thread Michiel van Es


Op woensdag 14 november 2012 17:02:47 UTC+1 schreef dan (ddpbsd) het 
volgende:
>
> On Wed, Nov 14, 2012 at 9:49 AM, Michiel van Es 
> > 
> wrote: 
> > Hello, 
> > 
> > I am trying to set up a local_decoder.xml entry to decode our Clavister 
> log 
> > entries. 
> > The clavister logfiles show only outgoing dropped traffic, for example: 
> > 
> > Nov 14 12:19:53 10.170.80.3 [2012-11-14 12:20:08] EFW: RULE: prio=6 
> > id=0651 rev=1 event=ruleset_drop_packet action=drop 
> > rule=d_all_any_to_external recvif=cpub1003 srcip=10.170.83.14 
> > destip=81.83.145.188 ipproto=TCP ipdatalen=20 srcport=80 destport=49511 
> > ack=1 fin=1 
> > 
> > I could not find an existing clavister decoder so I am trying to write 
> my 
> > own. 
> > I tried something as follows : 
> > 
> >  
> >   ^\w+ \d+ \S+  
> >  
> > 
> > If I understand it correctly, ^ is the beginning of the line, \w+ = month, 
> > \d+ = day of month, \S+ = time, but it's not working as expected; running 
> > logtest shows: 
> > 
> > **Phase 1: Completed pre-decoding. 
> >full event: 'Nov 14 12:19:53 10.170.80.3 [2012-11-14 12:20:08] 
> EFW: 
> > RULE: prio=6 id=0651 rev=1 event=ruleset_drop_packet action=drop 
> > rule=d_all_any_to_external recvif=cpub1003 srcip=10.170.83.14 
> > destip=81.83.145.188 ipproto=TCP ipdatalen=20 srcport=80 destport=49511 
> > ack=1 fin=1' 
> >hostname: '10.170.80.3' 
> >program_name: '(null)' 
> >log: '[2012-11-14 12:20:08] EFW: RULE: prio=6 id=0651 rev=1 
> > event=ruleset_drop_packet action=drop rule=d_all_any_to_external 
> > recvif=cpub1003 srcip=10.170.83.14 destip=81.83.145.188 ipproto=TCP 
> > ipdatalen=20 srcport=80 destport=49511 ack=1 fin=1' 
> > 
>
> >>I think you want the prematch to look at the log line above, not the 
> full log. 
>
> >>  This is untested, and I don't know how much of the log message stays 
> the same. 
> >>   
>  >> ^[\d\d\d\d-\d\d-\d\d \d\d:\d\d:\d\d] EFW: RULE:  
> >>   
>
Thanks, I am now trying to get the srcip, dstip, srcport and dstport from a 
2nd local_decoder:


  ^[\d\d\d\d-\d\d-\d\d \d\d:\d\d:\d\d] EFW: RULE: 



   clavister
   srcip=(\d+.\d+.\d+.\d+) 
destip=(\d+.\d+.\d+.\d+) (\.*)
   srcip,dstip,srcport,dstport,action,extra_data


But I cannot get the srcport and dstport decoded.
I tried:   srcip=(\d+.\d+.\d+.\d+) 
destip=(\d+.\d+.\d+.\d+) scrport=(\d+) destport(\d+) (\.*)
but I get no src/dstport decoded.

I also noticed that the Clavisters use the term destport while OSSEC uses 
dstport; I am not sure if that is an issue?

I should mention I am not a guru at regex ;)

Any help is welcome.


[ossec-list] help with writing decoder rules for clavister firewall

2012-11-14 Thread Michiel van Es
Hello,

I am trying to set up a local_decoder.xml entry to decode our Clavister log 
entries.
The clavister logfiles show only outgoing dropped traffic, for example:

Nov 14 12:19:53 10.170.80.3 [2012-11-14 12:20:08] EFW: RULE: prio=6 
id=0651 rev=1 event=ruleset_drop_packet action=drop 
rule=d_all_any_to_external recvif=cpub1003 srcip=10.170.83.14 
destip=81.83.145.188 ipproto=TCP ipdatalen=20 srcport=80 destport=49511 
ack=1 fin=1

I could not find an existing clavister decoder so I am trying to write my 
own.
I tried something as follows :


  ^\w+ \d+ \S+ 


If I understand it correctly, ^ is the beginning of the line, \w+ = month, 
\d+ = day of month, \S+ = time, but it's not working as expected; running 
logtest shows:

**Phase 1: Completed pre-decoding.
   full event: 'Nov 14 12:19:53 10.170.80.3 [2012-11-14 12:20:08] EFW: 
RULE: prio=6 id=0651 rev=1 event=ruleset_drop_packet action=drop 
rule=d_all_any_to_external recvif=cpub1003 srcip=10.170.83.14 
destip=81.83.145.188 ipproto=TCP ipdatalen=20 srcport=80 destport=49511 
ack=1 fin=1'
   hostname: '10.170.80.3'
   program_name: '(null)'
   log: '[2012-11-14 12:20:08] EFW: RULE: prio=6 id=0651 rev=1 
event=ruleset_drop_packet action=drop rule=d_all_any_to_external 
recvif=cpub1003 srcip=10.170.83.14 destip=81.83.145.188 ipproto=TCP 
ipdatalen=20 srcport=80 destport=49511 ack=1 fin=1'

**Phase 2: Completed decoding.
   No decoder matched.

It does not show the clavister field at Phase 2 which I would expect.

Can anyone point out what I am doing wrong even with this simple 
example?

Thanks in advance.

Regards,

Michiel
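The two Clavister posts above (the prematch question and the follow-up about srcport/dstport) share one log line, so here is one added example, not part of the thread, that walks that line through the equivalent of logtest's phase 1 and phase 2. It uses Python's `re`, not OSSEC's own regex dialect, so the patterns illustrate what a decoder must account for (the `ipproto=`/`ipdatalen=` pairs that sit between `destip=` and `srcport=`, and the `destip`/`destport` to `dstip`/`dstport` renaming) rather than being drop-in `<regex>` values.

```python
import re

# Prematch suggested by dan in the thread: bracketed timestamp, then "EFW: RULE:".
PREMATCH = re.compile(r"^\[\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\] EFW: RULE: ")

# Clavister writes space-separated key=value pairs after the prematch.
KV_RE = re.compile(r"(\w+)=(\S+)")

# Clavister field names -> OSSEC decoder field names.
FIELD_MAP = {
    "srcip": "srcip",
    "destip": "dstip",
    "srcport": "srcport",
    "destport": "dstport",
    "action": "action",
}

# Syslog header as logtest's phase 1 sees it: "Mon DD HH:MM:SS host <log>".
SYSLOG_RE = re.compile(r"^\w{3} +\d{1,2} \d\d:\d\d:\d\d (?P<host>\S+) (?P<log>.*)$")


def pre_decode(full_event):
    """Phase 1 equivalent: split off hostname and return the 'log' part."""
    m = SYSLOG_RE.match(full_event)
    if not m:
        return None
    return {"hostname": m["host"], "log": m["log"]}


def decode_clavister(log):
    """Phase 2 equivalent: return the mapped fields, or None if prematch fails.

    Everything after destport= becomes extra_data, matching the trailing (\\.*)
    capture in the decoder from the thread. Pairs between destip= and srcport=
    (ipproto, ipdatalen) are skipped rather than assumed absent.
    """
    if not PREMATCH.match(log):
        return None
    pairs = KV_RE.findall(log)
    fields = {FIELD_MAP[k]: v for k, v in pairs if k in FIELD_MAP}
    keys = [k for k, _ in pairs]
    if "destport" in keys:
        rest = pairs[keys.index("destport") + 1:]
        fields["extra_data"] = " ".join(f"{k}={v}" for k, v in rest)
    return fields


# The log line from the thread, as a constructed sample input.
SAMPLE = (
    "Nov 14 12:19:53 10.170.80.3 [2012-11-14 12:20:08] EFW: RULE: prio=6 "
    "id=0651 rev=1 event=ruleset_drop_packet action=drop "
    "rule=d_all_any_to_external recvif=cpub1003 srcip=10.170.83.14 "
    "destip=81.83.145.188 ipproto=TCP ipdatalen=20 srcport=80 destport=49511 "
    "ack=1 fin=1"
)

if __name__ == "__main__":
    phase1 = pre_decode(SAMPLE)
    print("hostname:", phase1["hostname"])
    for name, value in decode_clavister(phase1["log"]).items():
        print(f"{name}: '{value}'")
```

The output reproduces the phase 2 fields dan's logtest run shows, with srcport and dstport filled in.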


[ossec-list] Filter on RFC-1918 ip-address and successful logins

2012-10-08 Thread Michiel van Es
Hello,

I was wondering if it is possible to filter on non-RFC-1918 ip-addresses 
which log in successfully and unsuccessfully?
We want extra monitoring on SSH and RDP logins from public ip-addresses (aka 
over the internet).
Does anyone know if you can easily create a local_rule.xml entry for this?

Regards,

Michiel


[ossec-list] Re: Reporting ossec alerts

2012-10-05 Thread Michiel van Es


Op vrijdag 5 oktober 2012 15:00:16 UTC+2 schreef (onbekend) het volgende:
>
> Hi everybody 
> happy user for some years with ossec, i need to make report by month 
> of activity, top source ip and some data from ossec alerts. 
> Reportd is interessesting but i need something more professional for a 
> customer. 
> I test some solutions like arcsight logger, and splunk (that the ossec app 
> for splunk is likely abandoned) 
> do some people could tell me a nice solution they use for reporting ? easy 
> to deploy and that just works. 
> thanks 
>
we are pretty happy with the ossec app for splunk; splunk is flexible 
enough to create whatever you want. 


[ossec-list] local_rule for SSH successful connections from public ip-addresses/non-private address range

2012-10-05 Thread Michiel van Es
We want to create a rule to see who has successfully logged in to our systems 
(SSH, RDP) but is coming from the outside (aka not the private range 
addresses).
Is there an easy way to set this up with 1 rule defined in local_rules.xml? 
Is it possible to use something with an rfc1918 exclude rule and log 
everything else?

Michiel
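Both posts asking about logins from outside the private range (the "Filter on RFC-1918" post and this one) want the same thing, so here is one added example, not from the list, that keeps only successful SSH logins whose source address is outside RFC 1918 space. The sshd "Accepted" line format and the sample lines are constructed; fc00::/7 is included as the IPv6 counterpart, and RDP is not modelled.

```python
import ipaddress
import re

# sshd successful-login line: "Accepted <method> for <user> from <ip> port N ssh2"
ACCEPTED_RE = re.compile(
    r"^\w{3} +\d{1,2} \d\d:\d\d:\d\d (?P<host>\S+) sshd\[\d+\]: "
    r"Accepted (?P<method>\w+) for (?P<user>\S+) from (?P<srcip>\S+) port \d+ ssh2"
)

# RFC 1918 ranges plus the IPv6 unique-local block (RFC 4193), an assumption
# added so IPv6 agents behave the same way.
PRIVATE_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fc00::/7",
)]


def is_private(ip_text):
    """True when the address falls inside one of PRIVATE_NETS."""
    ip = ipaddress.ip_address(ip_text)
    return any(ip in net for net in PRIVATE_NETS)


def external_logins(lines):
    """Return the successful logins that came from a non-private address.

    Lines that are not 'Accepted' events, or whose source is a hostname
    rather than an address, are skipped so one odd line does not abort the scan.
    """
    found = []
    for line in lines:
        m = ACCEPTED_RE.match(line)
        if not m:
            continue
        try:
            if is_private(m["srcip"]):
                continue
        except ValueError:
            continue
        found.append({"host": m["host"], "user": m["user"],
                      "srcip": m["srcip"], "method": m["method"]})
    return found


# Constructed sample input: two internal logins, two external, one failure.
SAMPLE = [
    "Oct  5 09:12:01 bastion sshd[1201]: Accepted publickey for michiel from 192.168.10.5 port 51012 ssh2",
    "Oct  5 09:13:44 bastion sshd[1210]: Accepted password for root from 203.0.113.7 port 40022 ssh2",
    "Oct  5 09:14:02 bastion sshd[1215]: Failed password for root from 203.0.113.7 port 40023 ssh2",
    "Oct  5 09:15:30 bastion sshd[1220]: Accepted publickey for deploy from 172.20.1.9 port 50001 ssh2",
    "Oct  5 09:16:11 bastion sshd[1225]: Accepted password for admin from 198.51.100.20 port 40100 ssh2",
]

if __name__ == "__main__":
    for hit in external_logins(SAMPLE):
        print(f"{hit['host']}: {hit['user']} from {hit['srcip']} via {hit['method']}")
```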


Re: [ossec-list] syscheck checking for non existing configuration lines

2012-10-03 Thread Michiel van Es
Hmm, I'd rather use the existing syscheck if possible; it checks for 
certain patterns, if only I could find a way to make it alert for missing 
patterns..

Op woensdag 3 oktober 2012 16:23:38 UTC+2 schreef sklauminzer het volgende:
>
> I would use the command option on the agent, which allows you to run any 
> local command on a scheduled basis. Grep for the specific config in 
> question, if you place this within an IF, you can pass whatever you want on 
> failure. 
>
> Scott Klauminzer 
> Director of Information Technology & Security 
>
> Sent from my iPad 
>
> On Oct 3, 2012, at 12:52 AM, Michiel van Es wrote: 
>
> > Hello, 
> > 
> > I am using OSSEC 2.6, we are using syscheck to check for our hardening 
> policy. 
> > Like: 
> > # Apache checks 
> > [SDN Security Policy Linux - HTTPD - ServerSignature is enabled] [any] 
> [] 
> > f:$httpd.conf -> r:^ServerSignature On; 
> > 
> > [SDN Security Policy Linux - HTTPD - ServerTokens is fully enabled] 
> [any] [] 
> > f:$httpd.conf -> r:^ServerTokens Full; 
> > 
> > [SDN Security Policy Linux - HTTPD - Trace is enabled] [any] [] 
> > f:$httpd.conf -> r:^TraceEnable On; 
> > 
> > Only, default TraceEnable is not defined in httpd.conf and is default 
> enabled. 
> > How can I check for missing configuration options in a config file? 
> > (in this case check if TraceEnable Off is available otherwise alert - I 
> know this can also be solved by mod-rewrite) 
> > 
> > Thanks. 
> > 
> > Michiel 
>


Re: [ossec-list] OSSEC filtering questions

2012-10-03 Thread Michiel van Es
Thx for the feedback, we used the default rules, and added our filtering to 
the local_rules.xml - also added some extra alerts :)

On Monday 1 October 2012 11:17:09 UTC+2, techs...@ecsc.co.uk wrote the 
following:
>
> I would agree with this, get all clients installed and reporting at the 
> beginning otherwise you are tailoring rules to a 'half system'.
>
> If you are concerned about the job of identifying which alerts need tuning 
> I would recommend using AnaLogi (shameless plug), it's graphical and based 
> on graphs, with it you can instantly see which alerts/logs/hosts are the 
> loudest and need tuning first.
>
> When you get all the rules in place and things quieten down, you can 
> always just wipe the logs/database and consider that a baseline/test period.
>
> Andy
>
> On Friday, September 28, 2012 3:43:01 PM UTC+1, ash kumar wrote:
>>
>> It is almost always better to collect everything and start eliminating 
>> events that are not interesting or noisy rather than the other way around. 
>> It does not take as long as you think it would and helps you learn to 
>> navigate OSSEC and understand your traffic patterns better.
>>  
>> Just looking at successful / unsuccessful logons is rather droll and 
>> voluminous in a reasonably busy network. You are creating a lot of alert 
>> data and missing out on potentially more interesting activity. In my opinion 
>> logons should be reported on daily for trending statistics or correlated 
>> with other events to be meaningful.
>>  
>> The File Integrity information is limited as it cannot return a lot of 
>> useful information such as what the change was or who changed the file and 
>> at what time.
>>  
>> In a nutshell, these goals for the POC virtually ensure disappointment.
>>  
>> Ash
>>
>> On Monday, September 24, 2012 9:43:33 AM UTC-4, dan (ddpbsd) wrote:
>>
>>> On Mon, Sep 24, 2012 at 9:40 AM, Michiel van Es wrote: 
>>> > 
>>> > 
>>> > 2012/9/24 dan (ddp) 
>>> >> 
>>> >> On Mon, Sep 24, 2012 at 9:27 AM, Michiel van Es wrote: 
>>> >> > 
>>> >> > 
>>> >> > 2012/9/24 dan (ddp) 
>>> >> >> 
>>> >> >> On Mon, Sep 24, 2012 at 9:21 AM, Michiel van Es wrote: 
>>> >> >> > 
>>> >> >> > 
>>> >> >> > 2012/9/24 dan (ddp) 
>>> >> >> > 
>>> >> >> >> On Mon, Sep 24, 2012 at 2:41 AM, Michiel van Es wrote: 
>>> >> >> >> > Hello, 
>>> >> >> >> > 
>>> >> >> >> > We are using OSSEC for a PoC and we want to show only some 
>>> >> >> >> > alerts initially and expand the alert list. 
>>> >> >> >> > We are using OSSEC 2.6 mixed Windows and Linux agents. 
>>> >> >> >> > 1 Manager and several agents and Splunk on the manager server 
>>> >> >> >> > to show the alerts. 
>>> >> >> >> > 
>>> >> >> >> > For now we want to achieve to show only failed and successful 
>>> >> >> >> > logins and file integrity alerts. 
>>> >> >> >> > How can we achieve this? => manually going through all 
>>> >> >> >> > rules/xml files and set accordingly all xml entries to 0 or 
>>> >> >> >> > anything else? (0 meaning disabled and don't show) or is there 
>>> >> >> >> > an easier way of achieving this? 
>>> >> >> >> > 
>>> >> >> >> > Kind regards, 
>>> >> >> >> > 
>>> >> >> >> > Michiel 
>>> >> >> >> 
>>> >> >> >> >>You can remove entire rules files if you don't want to use 
>>> >> >> >> >>them. Just test your changes (/var/ossec/bin/ossec-logtest -t) 
>>> >> >> >> >>after you do this to make sure you didn't get rid of something 
>>> >> >> >> >>necessary. 
>>> >> >> > 
>>> >> >> > 
>>> >> >> > Would you suggest creating specific rules in xml files with the 
>>> >> >> > correct alerts and move/disable all others and start from there? 
>>> >> >> 
>>> >> >> >>You should do it however you think is best. I don't like this 
>>> >> >> >>approach and don't have an opinion on it. 
>>> >> >> 
>>> >> > What would you suggest? 
>>> >> > 
>>> >> 
>>> >> >>I think you should do what works for you. If starting small and 
>>> >> >>adding more later is better for your organization, do it. If I was 
>>> >> >>going to do it that way I'd probably remove the entries for the rule 
>>> >> >>files in /var/ossec/etc/ossec.conf. 
>>> > 
>>> > 
>>> > Clear. 
>>> > Thx will work something out! 
>>> > 
>>> > Michiel 
>>>
>>> Good luck. Hopefully someone who has done something along the lines of 
>>> what you're trying to do can post some tips & tricks. 
>>>
>>

[ossec-list] syscheck checking for non existing configuration lines

2012-10-03 Thread Michiel van Es
Hello,

I am using OSSEC 2.6, we are using syscheck to check for our hardening 
policy.
Like:
# Apache checks
[SDN Security Policy Linux - HTTPD - ServerSignature is enabled] [any] []
f:$httpd.conf -> r:^ServerSignature On;

[SDN Security Policy Linux - HTTPD - ServerTokens is fully enabled] [any] []
f:$httpd.conf -> r:^ServerTokens Full;

[SDN Security Policy Linux - HTTPD - Trace is enabled] [any] []
f:$httpd.conf -> r:^TraceEnable On;

Only, default TraceEnable is not defined in httpd.conf and is default 
enabled.
How can I check for missing configuration options in a config file?
(in this case check if TraceEnable Off is available otherwise alert - I 
know this can also be solved by mod-rewrite)

Thanks.

Michiel
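One way to turn the missing-directive problem above into a check that a scheduled command can run and alert on, as an added example that is neither OSSEC's rootcheck nor code from the list: a Python script that reads httpd.conf, applies Apache's last-directive-wins rule, and treats an absent TraceEnable as the insecure default rather than as a pass. The sample configuration is constructed, and the required-value table is an assumption about the poster's hardening policy.

```python
import re
import sys
from pathlib import Path

# Directives where the Apache default is the insecure setting, so a missing
# line is a finding, not a pass.  directive -> (required value, Apache default)
# Assumed policy values, not taken from the poster's actual policy file.
REQUIRED = {
    "TraceEnable": ("Off", "On"),
    "ServerSignature": ("Off", "Off"),
    "ServerTokens": ("Prod", "Full"),
}

DIRECTIVE_RE = re.compile(r"^(?P<name>[A-Za-z][A-Za-z0-9]*)\s+(?P<value>\S+)")

# Constructed sample httpd.conf: TraceEnable is deliberately absent.
SAMPLE_HTTPD_CONF = """\
# constructed sample, not a real server configuration
ServerTokens Full
ServerSignature Off
# no TraceEnable line: Apache therefore defaults to TraceEnable On
"""


def effective_settings(conf_text: str) -> dict:
    """Map directive name -> last value seen (Apache applies the last one).

    Comments and blank lines are skipped.  Caveat: this reads one file only;
    directives pulled in via Include or scoped inside <VirtualHost> blocks
    are not resolved, so run it against each file the policy covers.
    """
    found = {}
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = DIRECTIVE_RE.match(line)
        if m:
            found[m.group("name")] = m.group("value")
    return found


def audit(conf_text: str) -> list:
    """Return (directive, effective value, reason) for each non-compliant one."""
    settings = effective_settings(conf_text)
    findings = []
    for name, (wanted, default) in REQUIRED.items():
        value = settings.get(name)
        if value is None:
            # Absent directive: the default applies, and that may be the finding.
            if default.lower() != wanted.lower():
                findings.append((name, default, "not set; insecure Apache default applies"))
        elif value.lower() != wanted.lower():
            findings.append((name, value, "set to a non-compliant value"))
    return findings


def main(argv) -> int:
    """Exit non-zero when findings exist, so a scheduled command can alert on it."""
    text = Path(argv[1]).read_text() if len(argv) > 1 else SAMPLE_HTTPD_CONF
    findings = audit(text)
    for name, value, reason in findings:
        print(f"NONCOMPLIANT {name}={value}: {reason}")
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```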


Re: [ossec-list] Question about rootcheck for 'local' install

2012-09-27 Thread Michiel van Es
2012/9/27 Michiel van Es 

>
>
> 2012/9/27 dan (ddp) 
>
>> On Thu, Sep 27, 2012 at 10:12 AM, Michiel van Es wrote:
>> >
>> >
>> > On Thursday 27 September 2012 16:07:24 UTC+2, dan (ddpbsd) wrote the
>> > following:
>> >>
>> >> On Thu, Sep 27, 2012 at 9:49 AM, Michiel van Es wrote:
>> >> > Hello,
>> >> >
>> >> > I have installed OSSEC 2.6 on a CentOS 6 64 bit machine via the
>> >> > tar.gz + ./install.sh
>> >> > I chose the local install since it has to run on 1 server (a VPS).
>> >> > I have noticed after 3 days that
>> >> > /var/ossec/etc/shared/system_audit_rcl.txt has never run when
>> >> > syscheck and rootcheck have run.
>> >> > I see a lot of:
>> >> > #
>> >> > 2012/09/26 17:28:02 ossec-rootcheck: DEBUG: Starting ...
>> >> > 2012/09/26 17:28:15 ossec-rootcheck: DEBUG: Starting ...
>> >> > 2012/09/26 17:28:52 ossec-syscheckd: INFO: Starting syscheck scan (forwarding database).
>> >> > 2012/09/26 17:28:52 ossec-syscheckd: INFO: Starting syscheck database (pre-scan).
>> >> > 2012/09/26 17:33:55 ossec-syscheckd: INFO: Finished creating syscheck database (pre-scan completed).
>> >> > 2012/09/26 17:34:07 ossec-syscheckd: INFO: Ending syscheck scan (forwarding database).
>> >> > 2012/09/26 17:34:27 ossec-rootcheck: INFO: Starting rootcheck scan.
>> >> > 2012/09/26 17:40:58 ossec-rootcheck: INFO: Ending rootcheck scan.
>> >> > 2012/09/26 19:04:15 ossec-rootcheck: INFO: Starting rootcheck scan.
>> >> > 2012/09/26 19:10:16 ossec-rootcheck: INFO: Ending rootcheck scan.
>> >> > #
>> >> >
>> >> > and never received one alert for the PHP checks (expose_php = On).
>> >> > Also via the ossec-wui I can not find anything about this.
>> >> > It seems it does not check the policies.
>> >> >
>> >> > How can I trigger the syscheck/rootcheck to check the system for
>> >> > policies?
>> >> >
>> >> > Michiel
>> >>
>> >> >>I think if you run everything in debug mode it provides more
>> >> >>information on what is being checked.
>> >
>> >
>> > Ok will check, can I force a root/syscheck so I can check the
>> > /var/ossec/log/ossec.log log file?
>>
>> >>Restart OSSEC? Restart ossec-syscheckd?
>>
> >>Ok, I do see some entries when I run /var/ossec/bin/rootcheck_control -i
> local, but it is never emailed to me.
> >>I will see if I can let it alert when it runs.
>
> >>Thx.
>
Stupid question but /var/ossec/bin/rootcheck_control -i local shows System
Audit entries but these entries are never in alert.log and are never
emailed.

On a setup with a manager and agents this works perfectly and emails just
fine but on a local (1 box) install I never receive alerts.
Am I overlooking things?


Re: [ossec-list] Question about rootcheck for 'local' install

2012-09-27 Thread Michiel van Es
2012/9/27 dan (ddp) 

> On Thu, Sep 27, 2012 at 10:12 AM, Michiel van Es wrote:
> >
> >
> > On Thursday 27 September 2012 16:07:24 UTC+2, dan (ddpbsd) wrote the
> > following:
> >>
> >> On Thu, Sep 27, 2012 at 9:49 AM, Michiel van Es wrote:
> >> > Hello,
> >> >
> >> > I have installed OSSEC 2.6 on a CentOS 6 64 bit machine via the
> >> > tar.gz + ./install.sh
> >> > I chose the local install since it has to run on 1 server (a VPS).
> >> > I have noticed after 3 days that
> >> > /var/ossec/etc/shared/system_audit_rcl.txt has never run when
> >> > syscheck and rootcheck have run.
> >> > I see a lot of:
> >> > #
> >> > 2012/09/26 17:28:02 ossec-rootcheck: DEBUG: Starting ...
> >> > 2012/09/26 17:28:15 ossec-rootcheck: DEBUG: Starting ...
> >> > 2012/09/26 17:28:52 ossec-syscheckd: INFO: Starting syscheck scan (forwarding database).
> >> > 2012/09/26 17:28:52 ossec-syscheckd: INFO: Starting syscheck database (pre-scan).
> >> > 2012/09/26 17:33:55 ossec-syscheckd: INFO: Finished creating syscheck database (pre-scan completed).
> >> > 2012/09/26 17:34:07 ossec-syscheckd: INFO: Ending syscheck scan (forwarding database).
> >> > 2012/09/26 17:34:27 ossec-rootcheck: INFO: Starting rootcheck scan.
> >> > 2012/09/26 17:40:58 ossec-rootcheck: INFO: Ending rootcheck scan.
> >> > 2012/09/26 19:04:15 ossec-rootcheck: INFO: Starting rootcheck scan.
> >> > 2012/09/26 19:10:16 ossec-rootcheck: INFO: Ending rootcheck scan.
> >> > #
> >> >
> >> > and never received one alert for the PHP checks (expose_php = On).
> >> > Also via the ossec-wui I can not find anything about this.
> >> > It seems it does not check the policies.
> >> >
> >> > How can I trigger the syscheck/rootcheck to check the system for
> >> > policies?
> >> >
> >> > Michiel
> >>
> >> >>I think if you run everything in debug mode it provides more
> >> >>information on what is being checked.
> >
> >
> > Ok will check, can I force a root/syscheck so I can check the
> > /var/ossec/log/ossec.log log file?
>
> >>Restart OSSEC? Restart ossec-syscheckd?
>
Ok, I do see some entries when I run /var/ossec/bin/rootcheck_control -i
local, but it is never emailed to me.
I will see if I can let it alert when it runs.

Thx.


Re: [ossec-list] Question about rootcheck for 'local' install

2012-09-27 Thread Michiel van Es


On Thursday 27 September 2012 16:07:24 UTC+2, dan (ddpbsd) wrote the 
following:
>
> On Thu, Sep 27, 2012 at 9:49 AM, Michiel van Es wrote: 
> > Hello, 
> > 
> > I have installed OSSEC 2.6 on a CentOS 6 64 bit machine via the tar.gz + 
> > ./install.sh 
> > I chose the local install since it has to run on 1 server (a VPS). 
> > I have noticed after 3 days that 
> > /var/ossec/etc/shared/system_audit_rcl.txt has never run when syscheck 
> > and rootcheck have run. 
> > I see a lot of: 
> > # 
> > 2012/09/26 17:28:02 ossec-rootcheck: DEBUG: Starting ... 
> > 2012/09/26 17:28:15 ossec-rootcheck: DEBUG: Starting ... 
> > 2012/09/26 17:28:52 ossec-syscheckd: INFO: Starting syscheck scan (forwarding database). 
> > 2012/09/26 17:28:52 ossec-syscheckd: INFO: Starting syscheck database (pre-scan). 
> > 2012/09/26 17:33:55 ossec-syscheckd: INFO: Finished creating syscheck database (pre-scan completed). 
> > 2012/09/26 17:34:07 ossec-syscheckd: INFO: Ending syscheck scan (forwarding database). 
> > 2012/09/26 17:34:27 ossec-rootcheck: INFO: Starting rootcheck scan. 
> > 2012/09/26 17:40:58 ossec-rootcheck: INFO: Ending rootcheck scan. 
> > 2012/09/26 19:04:15 ossec-rootcheck: INFO: Starting rootcheck scan. 
> > 2012/09/26 19:10:16 ossec-rootcheck: INFO: Ending rootcheck scan. 
> > # 
> > 
> > and never received one alert for the PHP checks (expose_php = On). 
> > Also via the ossec-wui I can not find anything about this. 
> > It seems it does not check the policies. 
> > 
> > How can I trigger the syscheck/rootcheck to check the system for 
> > policies? 
> > 
> > Michiel 
>
> >>I think if you run everything in debug mode it provides more 
> >>information on what is being checked.


Ok will check, can I force a root/syscheck so I can check the 
/var/ossec/log/ossec.log log file ? 


[ossec-list] Question about rootcheck for 'local' install

2012-09-27 Thread Michiel van Es
Hello,

I have installed OSSEC 2.6 on a CentOS 6 64 bit machine via the tar.gz + 
./install.sh
I chose the local install since it has to run on 1 server (a VPS).
I have noticed after 3 days that /var/ossec/etc/shared/system_audit_rcl.txt 
has never run when syscheck and rootcheck have run.
I see a lot of:
#
2012/09/26 17:28:02 ossec-rootcheck: DEBUG: Starting ...
2012/09/26 17:28:15 ossec-rootcheck: DEBUG: Starting ...
2012/09/26 17:28:52 ossec-syscheckd: INFO: Starting syscheck scan (forwarding database).
2012/09/26 17:28:52 ossec-syscheckd: INFO: Starting syscheck database (pre-scan).
2012/09/26 17:33:55 ossec-syscheckd: INFO: Finished creating syscheck database (pre-scan completed).
2012/09/26 17:34:07 ossec-syscheckd: INFO: Ending syscheck scan (forwarding database).
2012/09/26 17:34:27 ossec-rootcheck: INFO: Starting rootcheck scan.
2012/09/26 17:40:58 ossec-rootcheck: INFO: Ending rootcheck scan.
2012/09/26 19:04:15 ossec-rootcheck: INFO: Starting rootcheck scan.
2012/09/26 19:10:16 ossec-rootcheck: INFO: Ending rootcheck scan.
#

and never received one alert for the PHP checks (expose_php = On).
Also via the ossec-wui I can not find anything about this.
It seems it does not check the policies.

How can I trigger the syscheck/rootcheck to check the system for policies?

Michiel


Re: [ossec-list] OSSEC filtering questions

2012-09-24 Thread Michiel van Es
2012/9/24 dan (ddp) 

> On Mon, Sep 24, 2012 at 9:27 AM, Michiel van Es wrote:
> >
> >
> > 2012/9/24 dan (ddp)
> >>
> >> On Mon, Sep 24, 2012 at 9:21 AM, Michiel van Es wrote:
> >> >
> >> >
> >> > 2012/9/24 dan (ddp)
> >> >
> >> >> On Mon, Sep 24, 2012 at 2:41 AM, Michiel van Es wrote:
> >> >> > Hello,
> >> >> >
> >> >> > We are using OSSEC for a PoC and we want to show only some alerts
> >> >> > initially and expand the alert list.
> >> >> > We are using OSSEC 2.6 mixed Windows and Linux agents.
> >> >> > 1 Manager and several agents and Splunk on the manager server to
> >> >> > show the alerts.
> >> >> >
> >> >> > For now we want to achieve to show only failed and successful
> >> >> > logins and file integrity alerts.
> >> >> > How can we achieve this? => manually going through all rules/xml
> >> >> > files and set accordingly all xml entries to 0 or anything else?
> >> >> > (0 meaning disabled and don't show) or is there an easier way of
> >> >> > achieving this?
> >> >> >
> >> >> > Kind regards,
> >> >> >
> >> >> > Michiel
> >> >>
> >> >> >>You can remove entire rules files if you don't want to use them.
> >> >> >>Just test your changes (/var/ossec/bin/ossec-logtest -t) after you
> >> >> >>do this to make sure you didn't get rid of something necessary.
> >> >
> >> >
> >> > Would you suggest creating specific rules in xml files with the
> >> > correct alerts and move/disable all others and start from there?
> >>
> >> >>You should do it however you think is best. I don't like this approach
> >> >>and don't have an opinion on it.
> >>
> > What would you suggest?
> >
>
> >>I think you should do what works for you. If starting small and adding
> >>more later is better for your organization, do it. If I was going to
> >>do it that way I'd probably remove the entries for the rule files in
> >>/var/ossec/etc/ossec.conf.
>

Clear.
Thx will work something out!

Michiel


Re: [ossec-list] OSSEC filtering questions

2012-09-24 Thread Michiel van Es
2012/9/24 dan (ddp) 

> On Mon, Sep 24, 2012 at 9:21 AM, Michiel van Es wrote:
> >
> >
> > 2012/9/24 dan (ddp)
> >
> >> On Mon, Sep 24, 2012 at 2:41 AM, Michiel van Es wrote:
> >> > Hello,
> >> >
> >> > We are using OSSEC for a PoC and we want to show only some alerts
> >> > initially and expand the alert list.
> >> > We are using OSSEC 2.6 mixed Windows and Linux agents.
> >> > 1 Manager and several agents and Splunk on the manager server to show
> >> > the alerts.
> >> >
> >> > For now we want to achieve to show only failed and successful logins
> >> > and file integrity alerts.
> >> > How can we achieve this? => manually going through all rules/xml files
> >> > and set accordingly all xml entries to 0 or anything else? (0 meaning
> >> > disabled and don't show) or is there an easier way of achieving this?
> >> >
> >> > Kind regards,
> >> >
> >> > Michiel
> >>
> >> >>You can remove entire rules files if you don't want to use them. Just
> >> >>test your changes (/var/ossec/bin/ossec-logtest -t) after you do this
> >> >>to make sure you didn't get rid of something necessary.
> >
> >
> > Would you suggest creating specific rules in xml files with the correct
> > alerts and move/disable all others and start from there?
>
> >>You should do it however you think is best. I don't like this approach
> >>and don't have an opinion on it.
>
> What would you suggest?


> > This has to be done on the manager /var/ossec/rules and use these rules
> > in /var/ossec/etc/ossec-server.conf, correct?
>
> >>I don't know what ossec-server.conf is. It doesn't exist on any of my
> >>systems.
>
It's the server.conf made by the Atomic RPM.

>
> > After that a restart of ossec-hids?
> >
> > Thanks for the help
> >
> > Michiel
>


Re: [ossec-list] OSSEC filtering questions

2012-09-24 Thread Michiel van Es
2012/9/24 Michiel van Es 

>
>
> 2012/9/24 dan (ddp) 
>
>> On Mon, Sep 24, 2012 at 9:21 AM, Michiel van Es wrote:
>> >
>> >
>> > 2012/9/24 dan (ddp)
>> >
>> >> On Mon, Sep 24, 2012 at 2:41 AM, Michiel van Es <vanesmich...@gmail.com>
>> >> wrote:
>> >> > Hello,
>> >> >
>> >> > We are using OSSEC for a PoC and we want to show only some alerts
>> >> > initially and expand the alert list.
>> >> > We are using OSSEC 2.6 mixed Windows and Linux agents.
>> >> > 1 Manager and several agents and Splunk on the manager server to show
>> >> > the alerts.
>> >> >
>> >> > For now we want to achieve to show only failed and successful logins
>> >> > and file integrity alerts.
>> >> > How can we achieve this? => manually going through all rules/xml
>> >> > files and set accordingly all xml entries to 0 or anything else?
>> >> > (0 meaning disabled and don't show) or is there an easier way of
>> >> > achieving this?
>> >> >
>> >> > Kind regards,
>> >> >
>> >> > Michiel
>> >>
>> >> >>You can remove entire rules files if you don't want to use them. Just
>> >> >>test your changes (/var/ossec/bin/ossec-logtest -t) after you do this
>> >> >>to make sure you didn't get rid of something necessary.
>> >
>> >
>> > Would you suggest creating specific rules in xml files with the correct
>> > alerts and move/disable all others and start from there?
>>
>> >>You should do it however you think is best. I don't like this approach
>> >>and don't have an opinion on it.
>>
>> What would you suggest?
>
>
>> > This has to be done on the manager /var/ossec/rules and use these rules
>> > in /var/ossec/etc/ossec-server.conf, correct?
>>
>> >>I don't know what ossec-server.conf is. It doesn't exist on any of my
>> >>systems.
>>
> >>>It's the server.conf made by the Atomic RPM.
>
Sorry, I mean ossec.conf symlinked to ossec-server.conf made by the Atomic
RPM.

>
>> > After that a restart of ossec-hids?
>> >
>> > Thanks for the help
>> >
>> > Michiel
>>
>
>


Re: [ossec-list] OSSEC filtering questions

2012-09-24 Thread Michiel van Es
2012/9/24 dan (ddp) 

> On Mon, Sep 24, 2012 at 2:41 AM, Michiel van Es wrote:
> > Hello,
> >
> > We are using OSSEC for a PoC and we want to show only some alerts
> > initially and expand the alert list.
> > We are using OSSEC 2.6 mixed Windows and Linux agents.
> > 1 Manager and several agents and Splunk on the manager server to show the
> > alerts.
> >
> > For now we want to achieve to show only failed and successful logins and
> > file integrity alerts.
> > How can we achieve this? => manually going through all rules/xml files
> > and set accordingly all xml entries to 0 or anything else? (0 meaning
> > disabled and don't show) or is there an easier way of achieving this?
> >
> > Kind regards,
> >
> > Michiel
>
> >>You can remove entire rules files if you don't want to use them. Just
> >>test your changes (/var/ossec/bin/ossec-logtest -t) after you do this
> >>to make sure you didn't get rid of something necessary.
>
>

Would you suggest creating specific rules in xml files with the correct
alerts and move/disable all others and start from there?
This has to be done on the manager /var/ossec/rules and use these rules in
/var/ossec/etc/ossec-server.conf , correct?
After that a restart of ossec-hids ?

Thanks for the help

Michiel


[ossec-list] OSSEC filtering questions

2012-09-24 Thread Michiel van Es
Hello, 

We are using OSSEC for a PoC and we want to show only some alerts initially 
and expand the alert list. 
We are using OSSEC 2.6 mixed Windows and Linux agents. 
1 Manager and several agents and Splunk on the manager server to show the 
alerts. 

For now we want to achieve to show only failed and successful logins and 
file integrity alerts. 
How can we achieve this? => manually going through all rules/xml files and 
set accordingly all xml entries to 0 or anything else? (0 meaning disabled 
and don't show) or is there an easier way of achieving this? 

Kind regards, 

Michiel