Re: [ossec-list] Is there a way to send AGENT's ossec.log to syslog server using ryslog.conf

2019-03-25 Thread Scott R. Shinn
You could have ossec monitor ossec.log like it does with
active-responses.log. You'd just have to write rules for it, or, barring
that, turn on archives.log.

-Scott

On Mon, 2019-03-25 at 08:02 -0400, dan (ddp) wrote:
> On Fri, Mar 22, 2019 at 12:01 PM YoYo  wrote:
> > Hi All,
> > 
> > We are planning to deploy the HIDS agent in large network (say 10k
> > servers).
> > 
> > I need to track the agent installation, key registration & startup
> > failure.
> > 
> > Is there any way to send AGENT's logs/ossec.log to some external
> > syslog server or to the server configured syslog.conf?
> > 
> > Is there any way to achieve this in Agent side or some work around
> > to do this?
> > 
> 
> The agent doesn't have any built-in way to do this.
> You could use your syslog daemon to read the file and forward the
> logs. I'm pretty sure rsyslogd can do this, not sure about the
> others.
> 
> > Apologies if it is a duplicate discussion. I couldn't find one.
> > 
> > Thanks in advance.
> > 
> > Thanks & Regards,
> > Vijay.
> > 

-- 

--- 
You received this message because you are subscribed to the Google Groups 
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to ossec-list+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
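As an added example (not code from the thread), dan's rsyslog suggestion written out: a script that drops an rsyslog imfile fragment on the agent, tails ossec.log and forwards only error-class lines to a central collector. Assumed: the default agent log path /var/ossec/logs/ossec.log, a collector named syslog.example.com on TCP/514, OSSEC's "ERROR:" / "CRITICAL:" message prefixes, and rsyslog 7 or later for the RainerScript syntax.

```shell
#!/bin/sh
# Added example, not code from the thread: install an rsyslog fragment on an
# OSSEC agent that tails ossec.log with imfile and forwards error-class lines
# to a central collector. Assumed values: default agent log path, a collector
# called syslog.example.com on TCP/514, and OSSEC's "ERROR:" / "CRITICAL:"
# message prefixes. Needs rsyslog 7+ for the RainerScript syntax.

OSSEC_LOG=${OSSEC_LOG:-/var/ossec/logs/ossec.log}
COLLECTOR=${COLLECTOR:-syslog.example.com}

# write_ossec_forwarder FILE: write the rsyslog fragment to FILE.
write_ossec_forwarder() {
    cat > "$1" <<EOF
module(load="imfile")

# Tail the agent's own log; the tag lets the collector tell agent-health
# lines apart from everything else the host forwards.
input(type="imfile"
      File="$OSSEC_LOG"
      Tag="ossec-agent:"
      Facility="local6"
      ruleset="ossec_agent")

ruleset(name="ossec_agent") {
    # ossec.log lines look like (format assumed):
    #   2019/03/25 08:02:11 ossec-agentd(4101): ERROR: ...
    # Forward only error-class lines, through a disk-assisted queue so a
    # collector outage does not lose them, then stop processing.
    if \$msg contains "ERROR:" or \$msg contains "CRITICAL:" then {
        action(type="omfwd" Target="$COLLECTOR" Port="514" Protocol="tcp"
               queue.type="LinkedList" queue.filename="ossec_agent_fwd"
               action.resumeRetryCount="-1")
    }
    stop
}
EOF
}

# validate_rsyslog_config FILE: rsyslogd -N1 parses the configuration and
# exits non-zero on syntax errors without starting the daemon.
validate_rsyslog_config() {
    rsyslogd -N1 -f "$1"
}

# Typical deployment on an agent (as root):
#   write_ossec_forwarder /etc/rsyslog.d/30-ossec-agent.conf
#   validate_rsyslog_config /etc/rsyslog.d/30-ossec-agent.conf && service rsyslog restart
```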


Re: [ossec-list] Updates rules and signatures

2017-06-14 Thread Scott R. Shinn
They're internal to the package *for the moment*, so when we release an
OSSEC update the new rules come along with it. When you update to 2.9.1
it's going to update the rules along with it. Eventually we're going to
break the more dynamic content (rules, decoders, etc) into a separate
package.

Hope this helps!

-Scott
CTO, Atomicorp


On Sat, 2017-06-10 at 20:19 -0400, dan (ddp) wrote:
> On Thu, Jun 8, 2017 at 2:01 PM, Alexis Lessard
>  wrote:
> > Do you update the version every time you add new rules? We've
> > managed to install with yum using the Atomicorp repos, so if you
> > could update them with yum, that'd be much easier.
> > 
> 
> Atomic may update the rules separately. I don't use the packages, so
> I
> do not know.
> 



RE: [ossec-list] Detecting changes to running processes ports

2010-08-26 Thread Scott R. Shinn

If you could send me your changes I can get those added into the main
package too.

-Scott

On Thu, 2010-08-26 at 11:41 -0400, David Porcello wrote: 
 Indeed I am. Specifically, here are the Atomic packages I installed:
 
 inotify-tools-3.11-1.el5.art.x86_64.rpm
 ossec-hids-2.4-1.el5.art.x86_64.rpm
 ossec-hids-client-2.4-1.el5.art.x86_64.rpm
 
 Would be great to see your SPEC fix if you'd like to share. Otherwise I'll 
 just build a new RPM from source.
 
 Thanks!!
 d.
 
 -Original Message-
 From: ossec-list@googlegroups.com [mailto:ossec-l...@googlegroups.com] On 
 Behalf Of Jason 'XenoPhage' Frisvold
 Sent: Wednesday, August 18, 2010 4:25 PM
 To: ossec-list@googlegroups.com
 Subject: Re: [ossec-list] Detecting changes to running processes  ports
 
 
 On Aug 12, 2010, at 11:53 AM, David Porcello wrote:
  Hi all,
 
  I'm running OSSEC client 2.4.1 on a handful of RedHat EL 5.5 servers and 
  I'm seeing the following behavior across the board: It appears that 
  client-logcollector and client-syscheckd aren't detected as running, and 
  therefore aren't stopped by ossec-control. If these daemons aren't killed, 
  multiple instances begin building up with each start or restart request, 
  and new agent.conf configs are prevented from loading.
 
 Are you, perchance, running the atomicturtle RPM version of ossec?
 Specifically version 2.4.1-4? If so, I think this is a bug in that RPM
 causing the problem. I have a SPEC that fixes the problem if you want it,
 though it removes all of the atomicturtle specific stuff (rules, decoders,
 etc).
 
  Found a couple related threads, but none with a resolution. Anyone else 
  seeing this?
 
  Thanks,
  d.
 
 ---
 Jason 'XenoPhage' Frisvold
 xenoph...@godshell.com
 ---
 Any sufficiently advanced magic is indistinguishable from technology.
 - Niven's Inverse of Clarke's Third Law
 
 
 
 
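As an added example (not code from the thread), a check for the symptom David describes: daemon copies that ossec-control failed to stop and that pile up on each restart. The daemon names are the stock OSSEC 2.x agent process names and the sample process listing is constructed; both are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread: detect OSSEC daemons that
# ossec-control failed to stop and that now run as several copies.
# Daemon names are the stock OSSEC 2.x agent process names (assumed;
# adjust for your build).

OSSEC_DAEMONS="ossec-agentd ossec-logcollector ossec-syscheckd ossec-execd"

# duplicate_ossec_daemons: reads a "PID COMMAND" listing on stdin, as printed
# by `ps -eo pid,args` (the comm column would truncate the names to 15
# characters), and prints "name count" for every daemon that has more than
# one instance. Prints nothing when the agent is healthy.
duplicate_ossec_daemons() {
    listing=$(cat)
    for d in $OSSEC_DAEMONS; do
        # compare the basename of the command exactly, so ossec-agentd is
        # not counted by a looser match such as "ossec-agent"
        n=$(printf '%s\n' "$listing" | awk -v name="$d" \
            '{ cmd = $2; sub(/.*\//, "", cmd); if (cmd == name) c++ } END { print c + 0 }')
        if [ "$n" -gt 1 ]; then
            printf '%s %s\n' "$d" "$n"
        fi
    done
}

# Constructed sample listing (pids made up): one extra logcollector and two
# extra syscheckd copies left behind by repeated restarts.
SAMPLE_PS='  PID COMMAND
 1201 /var/ossec/bin/ossec-execd
 1205 /var/ossec/bin/ossec-agentd
 1209 /var/ossec/bin/ossec-logcollector
 1213 /var/ossec/bin/ossec-syscheckd
 2301 /var/ossec/bin/ossec-logcollector
 2305 /var/ossec/bin/ossec-syscheckd
 3402 /var/ossec/bin/ossec-syscheckd
 4001 /usr/sbin/sshd -D'

check_sample() {
    printf '%s\n' "$SAMPLE_PS" | duplicate_ossec_daemons
}

# Live check on an agent; a non-empty result means a restart did not clean up:
#   ps -eo pid,args | duplicate_ossec_daemons
```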




[ossec-list] Release Announcement: OSSEC-HIDS 2.0 RPM packages for CentOS, RHEL, Fedora

2009-03-06 Thread Scott R. Shinn

This is an initial release of OSSEC-HIDS 2.0 from the [atomic] rpm
repository for:

* CentOS 4
* CentOS 5
* RHEL 4
* RHEL 5
* Fedora 4-10

available for both i386 and x86_64 platforms. The atomic yum repository
is located at: http://www.atomicrocketturtle.com


Short Installation instructions:

Step 1) Configure the repository for your system using the installer
wget -q -O - http://www.atomicorp.com/installers/atomic |sh


Step 2) Install OSSEC server
yum install ossec-hids ossec-server

or for clients
yum install ossec-hids ossec-client


-Scott