Re: [ossec-list] Agent configuration management via central server
FYI - agent.conf extends the settings in ossec.conf. You should have a minimal set of instructions in ossec.conf, usually the server and those that will not function in agent.conf, i.e. full_command, etc.

Scott

On Nov 28, 2012, at 9:45 AM, funwithossec h...@donobi.net wrote:

On Wednesday, November 28, 2012 8:45:04 AM UTC-8, Kat wrote:

If I am reading your problem - you are saying ossec.conf on the AGENT is not being overwritten -- if this is correct - then yes, it is not - it won't. Only agent.conf gets pushed to the agents. ossec.conf is set manually on agents, so if you expect it to get changes - you need to use puppet or some other method.

cheers
K

Kat,

Ahh, thanks for the answer, after I read Dan's comment I was pretty sure it would take a 3rd party mechanism to get agent.conf into ossec.conf.

-Thanks all :-)

On Wednesday, November 28, 2012 5:25:31 AM UTC-8, dan (ddpbsd) wrote:

On Tue, Nov 27, 2012 at 7:29 PM, funwithossec ho...@donobi.net wrote:

All,

Apologies if this has been covered, but I sure couldn't find it :-)

In my lab I have a central ossec 2.6 server on Ubuntu and one client on Centos, set them up with active response and followed procedure here: http://www.ossec.net/doc/manual/agent/agent-configuration.html

agent.conf is written to the client upon restart of server and client; ossec.conf is not overwritten. This feels like a permissions error, agent.conf is owned by ossec:ossec and ossec.conf is owned by root:root and is not writable by other than root, this is default as far as I can tell and I don't want to muck with it unless I have to.

Any help would be...helpful :-)

-Thanks

What's the problem? You haven't identified it at all.
Re: [ossec-list] install osecc-agent
What do you manage these machines with currently? What is the client OS? Do you have a system management platform like Puppet or Group Policy in place?

This question has been asked many times on this board, please search the archives for great solutions!

Scott

On Nov 27, 2012, at 3:16 AM, rezgui mohamed rezgui...@gmail.com wrote:

Dear support,

I need to install ossec-agent on 500 machines. Have you an idea please about a central solution to install the agent on all machines without ssh access to each machine to install and configure the agent, because it will take a lot of time.

Best regards
Re: [ossec-list] OSSEC windows ; check for Administrator account enabled
Something like this might be a better tool for your needs:

SSA - Security System Analyzer 2.0
http://code.google.com/p/ssa/

You could tie it into OSSEC with the full_command option. If all you need is to determine the Admin account status, then use a PowerShell command in full_command.

Scott

On Nov 27, 2012, at 4:02 AM, Michiel van Es vanesmich...@gmail.com wrote:

Hi,

We want to check for hardening and one of our Windows hardening rules is to rename the Administrator account and create a decoy Administrator account, not part of any group and disabled. One of the things we want to check is to see if the Administrator account is enabled on Windows machines. Is there a check or simple script with which I can establish this on the Windows machines?

Regards,
Michiel
Re: [ossec-list] OSSEC windows ; check for Administrator account enabled
A newer resource for SCAP scanning: http://www.open-scap.org/page/Download

On Nov 27, 2012, at 6:18 AM, dan (ddp) ddp...@gmail.com wrote:

On Tue, Nov 27, 2012 at 7:02 AM, Michiel van Es vanesmich...@gmail.com wrote:

Hi,

We want to check for hardening and one of our Windows hardening rules is to rename the Administrator account and create a decoy Administrator account, not part of any group and disabled. One of the things we want to check is to see if the Administrator account is enabled on Windows machines. Is there a check or simple script with which I can establish this on the Windows machines?

Regards,
Michiel

Does windows have command line tools to check for this? If so, it shouldn't be hard to write a .bat to do the check and output the results. This could be used in a command/full_command block on the agents.
Re: [ossec-list] Using ossec agent to search for files / checksums
You could craft a PowerShell script to find the file by name (is that consistent?) and calculate the MD5 of it. This can then be run as a command from the agent, defined in its ossec.conf file:

<localfile>
  <log_format>full_command</log_format>
  <command>powershell.exe -command ...</command>
  <frequency>300</frequency>
  <alias>MD5_Checksum</alias>
</localfile>

MD5 in powershell command is:

powershell.exe -command [BitConverter]::ToString((new-object Security.Cryptography.MD5CryptoServiceProvider).ComputeHash((new-object IO.FileInfo('path to found file')).OpenRead())).Replace('-','').ToLower()

This will then alert to changes in the MD5, however it will be compared to the previous run for the Diff using a rule like this:

<rule id="xx" level="7">
  <if_sid>530</if_sid>
  <match>ossec: output: 'MD5_Checksum'</match>
  <check_diff />
  <description>File Checksum change detected</description>
</rule>

Hope this helps.

On Nov 21, 2012, at 12:18 PM, Molls, Stefan stefan.mo...@thyssenkrupp.com wrote:

Hi everybody,

I just started using OSSEC and distributed it on seven Windows Systems (Agents) + 1 Linux / Ubuntu (as the server). I am using Version 2.7. My Google skills failed me, so I am going to ask my question here:

Is there a way to search the whole drive of an agent system for a filename or a md5 hash? [Windows] So I do know the filename / hash, but the file is in a different Folder every time. Until now I was unable to use the ossec-rootcheck-functionality. Maybe I just don't understand how it has to be configured :( .

I would be very thankful for every hint / tip that'll lead me into the right direction.

Thank you very much in advance.

Best regards,
Stefan
Re: [ossec-list] Ossec stops after 48 hours
Sorry, it was actually hanging processes that caused the problem for me, on issuing a restart command. After checking currently running processes after issuing a stop, I saw that some were hung. I manually stopped those, and then ossec would run well on start.

One other issue that I worked through at the time was the missing /bin in ossec-command when checking rules on start using ossec-logtest (present in original ossec 2.6). I added a symlink in /var/ossec/ for /var/ossec/bin/ossec-logtest and have not run into issues with hanging since.

Hope this helps.

Scott

On Oct 23, 2012, at 11:31 PM, C. L. Martinez carlopm...@gmail.com wrote:

On Tue, Oct 23, 2012 at 5:00 PM, Scott Klauminzer sklaumin...@gmail.com wrote:

If I remember right my issue was solved by fixing permissions.

Scott

What permissions Scott??
Re: [ossec-list] Ossec stops after 48 hours
If I remember right my issue was solved by fixing permissions.

Scott

On Oct 22, 2012, at 11:36 PM, C. L. Martinez carlopm...@gmail.com wrote:

On Tue, Oct 23, 2012 at 5:54 AM, C. L. Martinez carlopm...@gmail.com wrote:

Hi all,

I have a strange problem with one of my ossec servers. After 48 hours working, some ossec processes stop. Active processes at this moment:

24346 ? S 0:07 /data/ossec/bin/ossec-csyslogd
24350 ? S 0:05 /data/ossec/bin/ossec-maild
24354 ? S 0:00 /data/ossec/bin/ossec-execd
24377 ? S 12:32 /data/ossec/bin/ossec-monitord

And ossec.log shows me:

2012/10/20 17:51:55 ossec-logcollector: socketerr (not available).
2012/10/20 17:51:55 ossec-logcollector(1224): ERROR: Error sending message to queue.
2012/10/20 17:51:58 ossec-logcollector(1210): ERROR: Queue '/data/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
2012/10/20 17:51:58 ossec-logcollector(1211): ERROR: Unable to access queue: '/data/ossec/queue/ossec/queue'. Giving up..
2012/10/20 17:51:58 ossec-remoted: socketerr (not available).
2012/10/20 17:51:58 ossec-remoted(1210): ERROR: Queue '/queue/ossec/queue' not accessible: 'Connection refused'.
2012/10/20 17:52:01 ossec-remoted(1210): ERROR: Queue '/queue/ossec/queue' not accessible: 'Connection refused'.
2012/10/20 17:52:01 ossec-remoted(1211): ERROR: Unable to access queue: '/queue/ossec/queue'. Giving up..
2012/10/20 18:22:07 ossec-monitord: socketerr (not available).
2012/10/20 18:22:07 ossec-monitord(1224): ERROR: Error sending message to queue.
2012/10/21 03:49:27 ossec-syscheckd: socketerr (not available).
2012/10/21 03:49:27 ossec-rootcheck(1224): ERROR: Error sending message to queue.
2012/10/21 03:49:30 ossec-syscheckd(1210): ERROR: Queue '/data/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
2012/10/21 03:49:30 ossec-rootcheck(1211): ERROR: Unable to access queue: '/data/ossec/queue/ossec/queue'. Giving up..

Ossec is 2.6 release and host is CentOS 6.3 x86_64

Any idea??

More info: there is only one Windows 2003 agent connected to this ossec server. I see some people asking about the same problem in this mailing list. Does some solution exist??

Thanks.
Re: [ossec-list] What is the best way to test rules on Windows Event Logs?
James,

If you have the logall option set, then you should see all windows events (with event IDs) in the archive.log files. I use these as a resource to pass to ossec-logtest. The first portion is the ossec appended value info, so you need to strip that. The Windows events begin with WinEvtLog: followed by the log source (i.e. Application:, Security: etc.)

Hope this helps.

Scott.

What is the best way to test rules on Windows Event Logs? With syslog or weblog related stuff I know I can take a line from the log and feed it to ossec-logtest. However with Windows Event Logs what format is ossec expecting? Can I just cut and paste the event as seen when double clicking on the event in windows?

Thanks,
James Whittington
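An added helper (example code, not from this thread) that does the stripping described above for Windows events: it parses the header OSSEC prepends to each archives.log entry, keeps only the WinEvtLog: payloads and filters them by Event ID or log source, so the result can be piped straight into ossec-logtest. The archive lines are constructed samples in the OSSEC 2.x layout, and the field order inside the WinEvtLog payload is assumed from that version.

```python
"""Strip the OSSEC archives.log header from Windows event entries so they can be
replayed through ossec-logtest. Constructed example, not part of the list post."""
import re
import sys
from typing import Dict, List, Optional

# Constructed sample in the layout the manager writes with <logall> enabled:
#   "<timestamp> (<agent>) <ip>-><location> <original log>"   (agent events)
#   "<timestamp> <hostname>-><location> <original log>"        (manager's own logs)
SAMPLE_ARCHIVE = """\
2012 Oct 05 10:00:01 (win-dc01) 10.0.0.5->WinEvtLog WinEvtLog: Security: AUDIT_FAILURE(4771): Microsoft-Windows-Security-Auditing: (no user): no domain: WIN-DC01.example.local: Kerberos pre-authentication failed. Failure Code: 0x18
2012 Oct 05 10:00:02 (win-dc01) 10.0.0.5->WinEvtLog WinEvtLog: Application: INFORMATION(1000): Application Error: (no user): no domain: WIN-DC01.example.local: Faulting application name: notepad.exe
2012 Oct 05 10:00:03 ossec-server->/var/log/secure Oct  5 10:00:03 ossec-server sshd[1234]: Did not receive identification string from 10.0.0.9
"""

# The OSSEC-appended header: timestamp, then either "(agent) ip" or a bare
# hostname, then "->location", then the original log line.
HEADER_RE = re.compile(
    r"^(?P<ts>\d{4} \w{3} \d{2} \d{2}:\d{2}:\d{2}) "
    r"(?:\((?P<agent>[^)]+)\) (?P<ip>\S+)|(?P<host>\S+))"
    r"->(?P<location>\S+) (?P<log>.*)$"
)

# Assumed payload shape of a 2.x Windows agent entry:
#   "WinEvtLog: <Source>: <TYPE>(<EventID>): <Provider>: <rest>"
WINEVT_RE = re.compile(
    r"^WinEvtLog: (?P<source>[^:]+): (?P<type>[A-Z_]+)\((?P<event_id>\d+)\): "
    r"(?P<provider>[^:]+): (?P<rest>.*)$"
)


def parse_archive_line(line: str) -> Optional[Dict[str, str]]:
    """Split one archives.log line into the OSSEC header fields and the raw log."""
    m = HEADER_RE.match(line.rstrip("\n"))
    if not m:
        return None
    fields = m.groupdict()
    # Manager-local entries carry a hostname where agent entries carry "(name) ip".
    fields["agent"] = fields["agent"] or fields["host"]
    return fields


def winevt_fields(payload: str) -> Optional[Dict[str, str]]:
    """Pull log source, event type and Event ID out of a 'WinEvtLog: ...' payload."""
    m = WINEVT_RE.match(payload)
    return m.groupdict() if m else None


def select_events(archive_text: str, event_id: Optional[int] = None,
                  source: Optional[str] = None) -> List[str]:
    """Return the bare Windows event payloads (header stripped), optionally
    filtered by Event ID and/or log source, ready to be fed to ossec-logtest."""
    out: List[str] = []
    for line in archive_text.splitlines():
        parsed = parse_archive_line(line)
        if not parsed or not parsed["log"].startswith("WinEvtLog: "):
            continue  # not an archive record, or not a Windows event
        fields = winevt_fields(parsed["log"])
        if fields is None:
            continue
        if event_id is not None and int(fields["event_id"]) != event_id:
            continue
        if source is not None and fields["source"] != source:
            continue
        out.append(parsed["log"])
    return out


if __name__ == "__main__":
    # Usage: python3 winevt_from_archive.py [archives.log] [event_id] | /var/ossec/bin/ossec-logtest
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_ARCHIVE
    wanted = int(sys.argv[2]) if len(sys.argv) > 2 else None
    for payload in select_events(text, event_id=wanted):
        print(payload)
```

Run without arguments it prints the two constructed Windows payloads; with a real archives.log and an Event ID it emits only the matching events, one per line, for ossec-logtest to read from stdin.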
Re: [ossec-list] where does this number come from
Is it possible you have set setmaxagents to 1024 on make?

Scott

On Oct 5, 2012, at 10:00 AM, Michael Barrett michael_barr...@mgic.com wrote:

It seems to be messed up. The agent ID used to default to the next number, now it seems to be stuck on 1025.

Michael Barrett | Information Security Analyst - Lead | Mortgage Guaranty Insurance Corporation
Re: [ossec-list] Syscheck Windows Agent
Correct, but if auditing is set up to specify the same directories, you would have additional audit events to correlate.

On Sep 25, 2012, at 10:48 AM, dan (ddp) ddp...@gmail.com wrote:

Very nice info. Unfortunately, if I understand this correctly, syscheck would not have access to this data.

On Sep 25, 2012 1:43 PM, Scott Klauminzer sklaumin...@gmail.com wrote:

This may help in building rules to monitor. Also the Event IDs change based on OS Version (Vista+): http://blogs.msdn.com/b/ericfitz/archive/2006/03/07/545726.aspx

Events 560, 562, 563, 564, 567, and each of those adding 4096 for Vista+ are all relevant, and not currently within ossec rule sets. This depends on having Windows Auditing set to audit object access, which is difficult to make sure works according to plan, see this: http://blogs.technet.com/b/askds/archive/2011/03/11/getting-the-effective-audit-policy-in-windows-7-and-2008-r2.aspx

I know this info is Windows 7 and 2008 based, but the concepts are the same. Windows has evolved, and with Domain, Local and auditpol.exe access to Policy settings, that all have different refresh times and overrides, this can get clustered quickly. Net result is auditpol.exe /get /category:* is the best resource for actual up to the minute Audit Policy settings, but this will change if you have competing policies!

On Sep 25, 2012, at 7:01 AM, dan (ddp) ddp...@gmail.com wrote:

On Tue, Sep 25, 2012 at 8:43 AM, Alejandro Martinez ajm.marti...@gmail.com wrote:

Thanks Dan. I'll try. My idea is to register the user logged on a computer that deletes or modifies a file (like windows security log). maybe some mix between them...

There's too much of a chance for false positives. Many systems are multi-user these days. I was hoping for a file attribute that possibly tracked the last user to modify the file.

2012/9/25 dan (ddp) ddp...@gmail.com

On Tue, Sep 25, 2012 at 6:22 AM, Alejandro Martinez ajm.marti...@gmail.com wrote:

OK, thanks.

If you know a good way to get that info, let us know. We can try to get it in after 2.7.

2012/9/25 dan (ddp) ddp...@gmail.com

If we could magically associate a username with a file modification it would be the default.

On Sep 25, 2012 6:08 AM, Alejandro ajm.marti...@gmail.com wrote:

Hi. I'm using ossec to monitor some windows agents on 2003 server. The server is running centos and saving the information in a mysql database. When I receive a syscheck event from windows (file modified, deleted or added) the username is empty. Is it possible to modify some rule to have that username logged on the event? Thanks a lot.
Re: [ossec-list] Rule ID 5701? Possible attack on the SSH server? All agents inactive, what gives?
Did you verify that all ossec services stopped before restarting? I had this issue previously, and one of the services was hanging and not allowing the restart to function.

run: ps -eaf | grep ossec

On Jul 26, 2012, at 11:12 AM, William Lindfors wrote:

Here is a screen capture of what I'm talking about. Thx.

-Original Message-
From: ossec-list@googlegroups.com [mailto:ossec-list@googlegroups.com] On Behalf Of dan (ddp)
Sent: Thursday, July 26, 2012 1:08 PM
To: ossec-list@googlegroups.com
Subject: Re: [ossec-list] Rule ID 5701? Possible attack on the SSH server? All agents inactive, what gives?

On Thu, Jul 26, 2012 at 12:56 PM, William Lindfors lindfo...@checkers.com wrote:

How do I get all the agents back online? I stopped and started the service, but they all remain red and I am getting the following message:

Red? What are you seeing red in?

2012 Jul 26 12:42:25 Rule Id: 5701 level: 8 Location: profim01-/var/log/secure Src IP: UNKNOWN Possible attack on the ssh server (or version gathering).

This looks unrelated. There should be a log message that goes with that. Check the ossec.log on the manager and the agents to see if there are any log messages about why they are disconnected. Double check with `/var/ossec/bin/list_agents -c` that they are disconnected. Have all of your agents been connected at some point?

-Original Message-
From: ossec-list@googlegroups.com [mailto:ossec-list@googlegroups.com] On Behalf Of dan (ddp)
Sent: Thursday, July 26, 2012 9:02 AM
To: ossec-list@googlegroups.com
Subject: Re: [ossec-list] Rule ID 5701? Possible attack on the SSH server? All agents inactive, what gives?

On Thu, Jul 26, 2012 at 12:55 AM, William Lindfors lindfo...@checkers.com wrote:

Latest events

2012 Jul 26 00:47:01 Rule Id: 5701 level: 8 Location: profim01-/var/log/secure Src IP: UNKNOWN Possible attack on the ssh server (or version gathering).

What's the question exactly?
Re: [ossec-list] Rule ID 5701? Possible attack on the SSH server? All agents inactive, what gives?
It looks like you are missing /var/ossec/bin/ossec-remoted, which makes sense from the error you have. You should try debug mode on the manager:

/var/ossec/bin/ossec-control enable debug
/var/ossec/bin/ossec-control restart

and watch the results.

On Jul 26, 2012, at 2:55 PM, William Lindfors wrote:

The list below is what I got when I ran the command. I even rebooted the ossec server and the list stayed the same. I don't know what services need to be running. Does the list below look ok?

ossecm 24686 1 0 00:42 ? 00:00:00 /var/ossec/bin/ossec-csyslogd
ossecm 24690 1 0 00:42 ? 00:00:00 /var/ossec/bin/ossec-maild
root 24694 1 0 00:42 ? 00:00:00 /var/ossec/bin/ossec-execd
ossec 24698 1 0 00:42 ? 00:00:05 /var/ossec/bin/ossec-analysisd
root 24702 1 0 00:42 ? 00:00:00 /var/ossec/bin/ossec-logcollector
root 24714 1 0 00:42 ? 00:00:18 /var/ossec/bin/ossec-syscheckd
ossec 24718 1 0 00:42 ? 00:00:00 /var/ossec/bin/ossec-monitord
root 29455 29425 0 17:49 pts/1 00:00:00 grep ossec

From: ossec-list@googlegroups.com [mailto:ossec-list@googlegroups.com] On Behalf Of Scott Klauminzer
Sent: Thursday, July 26, 2012 2:26 PM
To: ossec-list@googlegroups.com
Subject: Re: [ossec-list] Rule ID 5701? Possible attack on the SSH server? All agents inactive, what gives?

Did you verify that all ossec services stopped before restarting? I had this issue previously, and one of the services was hanging and not allowing the restart to function.

run: ps -eaf | grep ossec

On Jul 26, 2012, at 11:12 AM, William Lindfors wrote:

Here is a screen capture of what I'm talking about. Thx.

-Original Message-
From: ossec-list@googlegroups.com [mailto:ossec-list@googlegroups.com] On Behalf Of dan (ddp)
Sent: Thursday, July 26, 2012 1:08 PM
To: ossec-list@googlegroups.com
Subject: Re: [ossec-list] Rule ID 5701? Possible attack on the SSH server? All agents inactive, what gives?

On Thu, Jul 26, 2012 at 12:56 PM, William Lindfors lindfo...@checkers.com wrote:

How do I get all the agents back online? I stopped and started the service, but they all remain red and I am getting the following message:

Red? What are you seeing red in?

2012 Jul 26 12:42:25 Rule Id: 5701 level: 8 Location: profim01-/var/log/secure Src IP: UNKNOWN Possible attack on the ssh server (or version gathering).

This looks unrelated. There should be a log message that goes with that. Check the ossec.log on the manager and the agents to see if there are any log messages about why they are disconnected. Double check with `/var/ossec/bin/list_agents -c` that they are disconnected. Have all of your agents been connected at some point?

-Original Message-
From: ossec-list@googlegroups.com [mailto:ossec-list@googlegroups.com] On Behalf Of dan (ddp)
Sent: Thursday, July 26, 2012 9:02 AM
To: ossec-list@googlegroups.com
Subject: Re: [ossec-list] Rule ID 5701? Possible attack on the SSH server? All agents inactive, what gives?

On Thu, Jul 26, 2012 at 12:55 AM, William Lindfors lindfo...@checkers.com wrote:

Latest events

2012 Jul 26 00:47:01 Rule Id: 5701 level: 8 Location: profim01-/var/log/secure Src IP: UNKNOWN Possible attack on the ssh server (or version gathering).

What's the question exactly?
Re: USB alerts (was: Re: [ossec-list] RedHat RPMS wont configure agent)
Dan,

I too am unable to make use of the ideas here: http://dcid.me/2010/03/detecting-usb-storage-usage-with-ossec/

Using OSSEC HIDS 2.6 - When I have the command in a local Windows machine agent.conf I get the following in my log on agent restart:

2012/06/21 09:42:43 ossec-agent: Remote commands are not accepted from the manager. Ignoring it on the agent.conf
2012/06/21 09:42:43 ossec-agent(1202): ERROR: Configuration error at 'shared/agent.conf'. Exiting.

The command set is as follows:

<localfile>
  <log_format>full_command</log_format>
  <command>reg QUERY HKLM\SYSTEM\CurrentControlSet\Enum\USBSTOR</command>
</localfile>

within my <agent_config os="windows"> section. Without this command the above error does not log. Ideas? Was command disabled in 2.6?

On Jun 21, 2012, at 7:53 AM, dan (ddp) wrote:

On Thu, Jun 21, 2012 at 9:44 AM, sahil sharma sharmasahil0...@gmail.com wrote:

ossec.conf or agent.conf depending on how you want to do it. I'll make sure this is mentioned earlier in the documentation.

I am working on ubuntu server and I have a window client. I want to get log whenever someone inserts USB to the client system. When do we use ossec.conf OR agent.conf to add new definitions? How choose between them?

This is for configuration changes, not rules: Your choice. If you want to use the agent.conf change it there. If you have a good change management system, changing the ossec.conf might be good enough. The OSSEC server does not use the agent.conf though, so if you're setting up something for the OSSEC server it'll have to be in that system's ossec.conf.

And you've restarted the agent's ossec processes?

Yes, after adding the code, I restarted the server -restart and also the client ossec agent. I checked, ossec.agent with the added rule was pushed automatically. Then, I inserted USB into the windows client. But there was no LOG for USB detection or no such message in the Web Interface.

The rule won't be pushed to the agents. The /var/ossec/etc/shared/agent.conf will be. Make sure that file is up to date on the agent (if it's Windows it's probably c:\program files\ossec\shared\agent.conf or something).

Though web interface was showing alerts whenever I logged in successfully to the windows client (it shows they are connected properly).

Do you have email alerts enabled? If not, check the alerts.log file on the server. I don't trust the WUI.

(2) Added following to the local rules:

<rule id="140125" level="7">
  <if_sid>530</if_sid>
  <match>ossec: output: 'reg QUERY</match>
  <check_diff />
  <description>New USB device connected</description>
</rule>

In order to check_diff the log message will have to have fired at least once before. So if the reg command hadn't been checked before you inserted the USB drive nothing would happen. You can enable the log all option on the OSSEC server, and check for the reg log entries. That will give you something to make sure your match statement is correct (I use aliases for my commands, so I don't know what they show up as without the alias).

Main problem: I got no GROUP NAME for this rule so I added this rule inside the predefined group <group name="local,syslog,">. Is it the right thing to do?

Did you try it without putting it inside of those group tags? Yes, it's fine.

OR I need to place it somewhere else in this file. Please help. Kindly tell if I need to make any other change too.

Yes I tried putting it outside them, it gives ERROR when I put the -restart command in the terminal. I thought it was due to missing group name, then I gave it an arbitrary group name:

<group name="USB">
  <rule id="140125" level="7">
    <if_sid>530</if_sid>
    <match>ossec: output: 'reg QUERY</match>
    <check_diff />
    <description>New USB device connected</description>
  </rule>
</group>

Then there was no error, but again no such event was detected even after the restart. Please help.
Re: [ossec-list] multiple daily email reports?
Follow on question; What are the user type="relation" options? Because we use DHCP, we have non-unique srcip, and I'd like to generate an auth report daily by system. I've tried system_name and hostname, neither of which work.

Scott

On Jun 5, 2012, at 8:10 AM, Eero Volotinen wrote:

Hi List,

What is correct syntax of multiple email reports on ossec.conf: is it like this?

<reports>
  <category>authentication_success</category>
  <user type="relation">srcip</user>
  <title>Daily report: Successful logins</title>
  <email_to>m...@example.com</email_to>
</reports>

<reports>
  <category>syscheck</category>
  <title>Daily report: File changes</title>
  <email_to>m...@example.com</email_to>
</reports>

I just want both reports to my email daily. thanks.

br,
--
Eero
Re: [ossec-list] Re: OSSEC large scale deployment
Nate,

Have you run a sample log entry through ossec-logtest? What is the result? If it fires rule 14, have you restarted ossec since emailing the rule?

Scott

On May 18, 2012, at 12:42 PM, Sanders, Nate nsand...@bioware.com wrote:

Thinking about it, I tried this in local_rules.xml:

<rule id="14" level="5">
  <if_sid>18105</if_sid>
  <match>4771</match>
  <match>0x18</match>
  <description>Failed Password</description>
  <group>win_authentication_failed,</group>
</rule>

I also tried the above with ONLY the 2nd match statement (0x18). I see events triggering in the alert.log for this, but I see nothing in Splunk for the group Failed Password. Does anyone know exactly where Splunk gets its grouping from? On my OSSEC dashboard in Splunk I see Windows DC Logon Failure., Windows is shutting down, Windows audit failure event; all of these look to be taken right from the description in the OSSEC rule, but the one above I created isn't showing up.

root@ausossec01:/var/ossec/etc$ grep -c 18105 ../logs/alerts/alerts.log
4880
root@ausossec01:/var/ossec/etc$ grep -c 14 ../logs/alerts/alerts.log
0

It looks like my rule is not triggering. Why?

-Original Message-
From: ossec-list@googlegroups.com [mailto:ossec-list@googlegroups.com] On Behalf Of Sanders, Nate
Sent: Friday, May 18, 2012 11:21 AM
To: ossec-list@googlegroups.com
Subject: RE: [ossec-list] Re: OSSEC large scale deployment

You don't necessarily need a sub-decoder to do that. You can just write a subordinate rule that matches on the failure code string in the event. Decoders are only needed when you want to extract a specific part of the log and match it up with a specific tag for correlation purposes.

Help me wrap my brain around the actual design for this. It seems much more complicated than it sounds.

The Goal:
- alert for specific Event ID's that contain specific sub codes
- don't alert on the parent ID unless you've verified the sub code matches
- regroup Event ID's into better groups (Bad Password, Invalid Username, etc)

Problems:
- Original rule groupings contain multiple Event ID's per group
- You have to silence the original rules, regroup the event IDs into new groups AND match the specific sub code per parent

I'm having a hard time thinking about how to do this, on a mass scale of all the Windows Event IDs.
Re: [ossec-list] AnaLogi - OSSEC WUI
Andy,

It looks like the AnaLogi_v1.0.1.zip is not available. AnaLogi_v1.0.1.zip returns a file not found.

Scott

On May 15, 2012, at 7:38 AM, techsupp...@ecsc.co.uk wrote:

Hi James,

Many thanks for letting me know... https://github.com/ECSC/analogi/downloads

Not sure how I've got downloads at the wrong place in the link!

Andy

On Tuesday, 15 May 2012 09:55:17 UTC+1, techs...@ecsc.co.uk wrote:

Hi,

I/We are very happy to announce the release of AnaLogi, an 'Analytical Log Interface' for analysis of database stored OSSEC alerts. This project was started as we could not find any alternative project that met our own requirements, and we love using OSSEC.

AnaLogi was built for OSSEC 2.6 and requires no modifications to OSSEC or the database schema that ships with OSSEC. AnaLogi requires a Webserver sporting PHP and MySQL (for setup follow the standard OSSEC MySQL tutorial).

http://cloud.github.com/downloads/ECSC/analogi/u%20AnaLogiDetail%201_01%20n.png
http://cloud.github.com/downloads/ECSC/analogi/u%20AnaLogiOverview%201_01%20n.png

AnaLogi v1.0 is published under GPL v3 licence and is available on github: https://github.com/downloads/ECSC/analogi/

I hope you find it as useful as we do.

Kind Regards
Andy
Re: [ossec-list] ossec-logtest and actual alerts not working the same
I think you've hit it Christopher. I hadn't been checking to see that the process tree had stopped. It appears that at one point in the past the tree failed to respond. After waiting 10 minutes the tree was still active, I killed all ossec processes and it now responds as I would expect to the stop command. I'm assuming that this will fix my alert issues, as the rules were likely never recycled.

Thank you for the helpful reminder.

Scott

On Apr 20, 2012, at 8:05 AM, Christopher Moraes wrote:

Scott,

Can you try this -
1. Shutdown ossec
2. Wait for a minute
3. Check that no ossec processes are running (ps -eaf | grep ossec)
4. Start OSSEC and check if you are still getting the alerts

On Thu, Apr 19, 2012 at 11:19 AM, Scott Klauminzer sklaumin...@gmail.com wrote:

Yes, Only 1 entry is returned:

grep "rule id=\"1002\"" /var/ossec/rules/*.xml
/var/ossec/rules/syslog_rules.xml: <rule id="1002" level="2">

Scott

On Apr 18, 2012, at 1:08 PM, Christopher Moraes wrote:

Since you mentioned this -

On Mon, Apr 16, 2012 at 11:59 AM, sklauminzer sklaumin...@gmail.com wrote:

This is happening with all syslog_rules.xml modifications, but msauth_rules.xml mods *are* working.

Is it possible that there is a copy of your syslog-rules.xml file that is triggering the rule 1002? If you grep "rule id=\"1002\"" /var/ossec/rules/*.xml do you have only one entry, as below?

syslog_rules.xml: <rule id="1002" level="2">
Re: [ossec-list] ossec-logtest and actual alerts not working the same
Yes, Only 1 entry is returned:

grep "rule id=\"1002\"" /var/ossec/rules/*.xml
/var/ossec/rules/syslog_rules.xml: <rule id="1002" level="2">

Scott

On Apr 18, 2012, at 1:08 PM, Christopher Moraes wrote:

Since you mentioned this -

On Mon, Apr 16, 2012 at 11:59 AM, sklauminzer sklaumin...@gmail.com wrote:

This is happening with all syslog_rules.xml modifications, but msauth_rules.xml mods *are* working.

Is it possible that there is a copy of your syslog-rules.xml file that is triggering the rule 1002? If you grep "rule id=\"1002\"" /var/ossec/rules/*.xml do you have only one entry, as below?

syslog_rules.xml: <rule id="1002" level="2">