[ossec-list] Local ossec-agent rules
Is it possible to use local ossec-agent rules? I need to configure ossec-agent to monitor logs locally and to start the active-response script locally. The OSSEC server should only write alerts.
Re: [ossec-list] Re: How can I monitor logs on ossec agents?
Thanks a lot. I found a bug. The "shared" dir had 755 permissions and ossec owner. I changed the permissions to 775, and merged.mg was created with "ossecr" owner and "ossec" group.

On Friday, 12 October 2012 at 18:22:58 UTC+4, dan (ddpbsd) wrote:
> On Fri, Oct 12, 2012 at 10:14 AM, kay kay wrote:
> > I can't find any 'merged' logs in /var/ossec/logs/ossec.log
> > Is there any option for ossec-server I should change?
> >
>
> I only turned on debugging on the server:
> /var/ossec/bin/ossec-control enable debug && /var/ossec/bin/ossec-control restart
>
> > Also the last modification date of merged.mg is:
> > -bash-3.2# ls -la /var/ossec/etc/shared/merged.mg
> > -rw-r--r-- 1 ossec ossec 74572 Jun 25 16:00 /var/ossec/etc/shared/merged.mg
> >
> > The last modification date of agent.conf is:
> > -bash-3.2# ls -la /var/ossec/etc/shared/agent.conf
> > -rw-r--r-- 1 ossec ossec 146 Oct 12 17:06 /var/ossec/etc/shared/agent.conf
> >
>
> Try deleting the contents of those files before restarting the processes (first on the server, then the agent):
> cat /dev/null > /var/ossec/etc/shared/merged.mg ; cat /dev/null > /var/ossec/etc/shared/agent.conf
>
> > On Friday, 12 October 2012 at 18:07:22 UTC+4, dan (ddpbsd) wrote:
> > > On Fri, Oct 12, 2012 at 10:02 AM, kay kay wrote:
> > > > I have just enabled detailed debug log (level 2) but can't find any logs for "shared" or "agent.conf"
> > > > Could you please explain what I should look for?
> > > >
> > > On the server I changed my agent.conf, restarted the server processes. Then restarted the agent's ossec processes and saw the following in the server's ossec.log:
> > >
> > > 2012/10/12 10:05:13 ossec-remoted: DEBUG Sending file 'merged.mg' to agent.
> > >
> > > The merged.mg file is a few config files merged together. They get split on the agent side. After seeing this message I waited a minute, and checked the md5 of the agent.conf. It matched the new agent.conf on the server.
> > >
> > > > On Friday, 12 October 2012 at 17:49:05 UTC+4, dan (ddpbsd) wrote:
> > > > > On Fri, Oct 12, 2012 at 9:24 AM, kay kay wrote:
> > > > > > > I thought nginx had its own format?
> > > > > >
> > > > > > It works great on ossec-server.
> > > > > >
> > > > > > > /var/ossec/etc/ossec.conf and /var/ossec/etc/shared/agent.conf are valid. I am not familiar with ossec-agent.conf.
> > > > > >
> > > > > > /var/ossec/etc/ossec.conf is a symlink to /var/ossec/etc/ossec-agent.conf on ossec agents.
> > > > > >
> > > > > Not on any ossec agent I have, but it doesn't really matter.
> > > > >
> > > > > > > How long did you wait? It can take a while for the transfer to complete.
> > > > > >
> > > > > > About 4 hours already.
> > > > > >
> > > > > > I even can't find any logs related to agent.conf pushing.
> > > > > >
> > > > > Restarting the ossec processes in debug mode might produce some logs about it.
> > > > >
> > > > > I'd try touching agent.conf and making sure the permissions are correct. This works for me:
> > > > >
> > > > > [ddp@junction] :; ls -l /var/ossec/etc/shared/agent.conf
> > > > > -rw-r--r-- 1 ossec ossec 10908 Aug 16 11:52 /var/ossec/etc/shared/agent.conf
> > > > >
> > > > > > On Friday, 12 October 2012 at 17:18:36 UTC+4, dan (ddpbsd) wrote:
> > > > > > > On Fri, Oct 12, 2012 at 9:15 AM, kay kay wrote:
> > > > > > > > Dear Dan
> > > > > > > >
> > > > > > > > > What did you set in the agent.conf file?
> > > > > > > >
> > > > > > > > here is my
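The checks dan walks through in this thread (permissions on the shared directory and on agent.conf, the "Sending file 'merged.mg'" debug line in the server's ossec.log, comparing the agent.conf checksum on both sides) and the permissions bug kay found, collected into one script. This is an added example, not code from the thread or from OSSEC; the paths are the OSSEC defaults, the grep pattern is the log line dan quoted, and the use of cksum instead of md5 is a portability choice.

```sh
#!/bin/sh
# Added example, not from the thread or from OSSEC: the checks dan's
# diagnosis boils down to, as functions you can run on the server and on
# an agent. Paths are the OSSEC defaults; everything else is read from
# the filesystem. Run "report" on the server first, then on the agent,
# and compare the two agent.conf checksums it prints.

OSSEC_DIR=${OSSEC_DIR:-/var/ossec}
SHARED="$OSSEC_DIR/etc/shared"
SERVER_LOG="$OSSEC_DIR/logs/ossec.log"

# Group write bit of a directory, taken from the mode column of ls -ld
# (character 6 is the group 'w' flag). In kay's case the directory was
# owned by ossec with mode 755, and merged.mg (written by the ossecr user)
# only appeared once group write was added. Prints 1 or 0.
group_writable() {
    mode=$(ls -ld "$1" | cut -c1-10)
    case "$mode" in
        ?????w????) echo 1 ;;
        *)          echo 0 ;;
    esac
}

# Content checksum with the POSIX cksum tool (dan used md5; anything that
# changes when a byte changes answers "did the same file arrive").
file_sum() {
    cksum < "$1" | cut -d' ' -f1
}

# 1 if two files have identical content, 0 otherwise.
same_content() {
    [ "$(file_sum "$1")" = "$(file_sum "$2")" ] && echo 1 || echo 0
}

# Number of merged.mg pushes remoted has logged in a server ossec.log.
# Needs debug logging (ossec-control enable debug) to be non-zero.
merged_push_count() {
    grep -c "ossec-remoted: DEBUG Sending file 'merged.mg' to agent" "$1" || true
}

report() {
    echo "shared dir $SHARED group-writable: $(group_writable "$SHARED")"
    ls -ld "$SHARED"
    ls -l "$SHARED/agent.conf" "$SHARED/merged.mg" 2>&1
    [ -r "$SHARED/agent.conf" ] && echo "agent.conf cksum: $(file_sum "$SHARED/agent.conf")"
    [ -r "$SERVER_LOG" ] && echo "merged.mg pushes logged: $(merged_push_count "$SERVER_LOG")"
    return 0
}

case "${1:-}" in
    report) report ;;
esac
```

If the group-writable flag is 0 on the server, the push cannot create merged.mg no matter how long you wait; if it is 1 and the push count stays at 0 after a restart with debug on, the problem is on the server side before the transfer; if the push is logged but the checksums differ, the agent has not picked the file up yet (or has not been restarted).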
Re: [ossec-list] Re: How can I monitor logs on ossec agents?
I can't find any 'merged' logs in /var/ossec/logs/ossec.log. Is there any option for ossec-server I should change?

Also the last modification date of merged.mg is:
-bash-3.2# ls -la /var/ossec/etc/shared/merged.mg
-rw-r--r-- 1 ossec ossec 74572 Jun 25 16:00 /var/ossec/etc/shared/merged.mg

The last modification date of agent.conf is:
-bash-3.2# ls -la /var/ossec/etc/shared/agent.conf
-rw-r--r-- 1 ossec ossec 146 Oct 12 17:06 /var/ossec/etc/shared/agent.conf

On Friday, 12 October 2012 at 18:07:22 UTC+4, dan (ddpbsd) wrote:
> On Fri, Oct 12, 2012 at 10:02 AM, kay kay wrote:
> > I have just enabled detailed debug log (level 2) but can't find any logs for "shared" or "agent.conf"
> > Could you please explain what I should look for?
> >
> On the server I changed my agent.conf, restarted the server processes. Then restarted the agent's ossec processes and saw the following in the server's ossec.log:
>
> 2012/10/12 10:05:13 ossec-remoted: DEBUG Sending file 'merged.mg' to agent.
>
> The merged.mg file is a few config files merged together. They get split on the agent side. After seeing this message I waited a minute, and checked the md5 of the agent.conf. It matched the new agent.conf on the server.
>
> > On Friday, 12 October 2012 at 17:49:05 UTC+4, dan (ddpbsd) wrote:
> > > On Fri, Oct 12, 2012 at 9:24 AM, kay kay wrote:
> > > > > I thought nginx had its own format?
> > > >
> > > > It works great on ossec-server.
> > > >
> > > > > /var/ossec/etc/ossec.conf and /var/ossec/etc/shared/agent.conf are valid. I am not familiar with ossec-agent.conf.
> > > >
> > > > /var/ossec/etc/ossec.conf is a symlink to /var/ossec/etc/ossec-agent.conf on ossec agents.
> > > >
> > > Not on any ossec agent I have, but it doesn't really matter.
> > >
> > > > > How long did you wait? It can take a while for the transfer to complete.
> > > >
> > > > About 4 hours already.
> > > >
> > > > I even can't find any logs related to agent.conf pushing.
> > > >
> > > Restarting the ossec processes in debug mode might produce some logs about it.
> > >
> > > I'd try touching agent.conf and making sure the permissions are correct. This works for me:
> > >
> > > [ddp@junction] :; ls -l /var/ossec/etc/shared/agent.conf
> > > -rw-r--r-- 1 ossec ossec 10908 Aug 16 11:52 /var/ossec/etc/shared/agent.conf
> > >
> > > > On Friday, 12 October 2012 at 17:18:36 UTC+4, dan (ddpbsd) wrote:
> > > > > On Fri, Oct 12, 2012 at 9:15 AM, kay kay wrote:
> > > > > > Dear Dan
> > > > > >
> > > > > > > What did you set in the agent.conf file?
> > > > > >
> > > > > > here is my /var/ossec/etc/shared/agent.conf:
> > > > > >
> > > > > > apache
> > > > >
> > > > > I thought nginx had its own format?
> > > > >
> > > > > > /var/log/nginx/error_log
> > > > > >
> > > > > > > Did the agent.conf file get transferred from the server to the agents?
> > > > > >
> > > > > > No, it didn't. I checked /var/ossec/etc/ossec-agent.conf, /var/ossec/etc/ossec.conf (symlink to ossec-agent.conf) and /var/ossec/etc/shared/ossec.conf
> > > > > >
> > > > > /var/ossec/etc/ossec.conf and /var/ossec/etc/shared/agent.conf are valid. I am not familiar with ossec-agent.conf.
> > > > >
> > > > > > > Did you restart the agent processes after the new agent.conf was transferred?
> > > > > >
> > > > > > agent.conf was not transferred but I tried to restart it anyway.
> > > > > >
> > > > > How long did you wait? It can take a while for the transfer to complete.
> > > > >
> > > > > > > Why
Re: [ossec-list] Re: How can I monitor logs on ossec agents?
I have just enabled detailed debug log (level 2) but can't find any logs for "shared" or "agent.conf". Could you please explain what I should look for?

On Friday, 12 October 2012 at 17:49:05 UTC+4, dan (ddpbsd) wrote:
> On Fri, Oct 12, 2012 at 9:24 AM, kay kay wrote:
> > > I thought nginx had its own format?
> >
> > It works great on ossec-server.
> >
> > > /var/ossec/etc/ossec.conf and /var/ossec/etc/shared/agent.conf are valid. I am not familiar with ossec-agent.conf.
> >
> > /var/ossec/etc/ossec.conf is a symlink to /var/ossec/etc/ossec-agent.conf on ossec agents.
> >
> Not on any ossec agent I have, but it doesn't really matter.
>
> > > How long did you wait? It can take a while for the transfer to complete.
> >
> > About 4 hours already.
> >
> > I even can't find any logs related to agent.conf pushing.
> >
> Restarting the ossec processes in debug mode might produce some logs about it.
>
> I'd try touching agent.conf and making sure the permissions are correct. This works for me:
>
> [ddp@junction] :; ls -l /var/ossec/etc/shared/agent.conf
> -rw-r--r-- 1 ossec ossec 10908 Aug 16 11:52 /var/ossec/etc/shared/agent.conf
>
> > On Friday, 12 October 2012 at 17:18:36 UTC+4, dan (ddpbsd) wrote:
> > > On Fri, Oct 12, 2012 at 9:15 AM, kay kay wrote:
> > > > Dear Dan
> > > >
> > > > > What did you set in the agent.conf file?
> > > >
> > > > here is my /var/ossec/etc/shared/agent.conf:
> > > >
> > > > apache
> > >
> > > I thought nginx had its own format?
> > >
> > > > /var/log/nginx/error_log
> > > >
> > > > > Did the agent.conf file get transferred from the server to the agents?
> > > >
> > > > No, it didn't. I checked /var/ossec/etc/ossec-agent.conf, /var/ossec/etc/ossec.conf (symlink to ossec-agent.conf) and /var/ossec/etc/shared/ossec.conf
> > > >
> > > /var/ossec/etc/ossec.conf and /var/ossec/etc/shared/agent.conf are valid. I am not familiar with ossec-agent.conf.
> > >
> > > > > Did you restart the agent processes after the new agent.conf was transferred?
> > > >
> > > > agent.conf was not transferred but I tried to restart it anyway.
> > > >
> > > How long did you wait? It can take a while for the transfer to complete.
> > >
> > > > > Why do you think it isn't working?
> > > >
> > > > Modification time of *.conf files on agents is not changed. And the conf files actually don't contain:
> > > > /var/log/nginx/error_log
> > > >
> > > > On Friday, 12 October 2012 at 16:35:27 UTC+4, dan (ddpbsd) wrote:
> > > > > On Fri, Oct 12, 2012 at 7:37 AM, kay kay wrote:
> > > > > > I tried to follow the http://www.ossec.net/doc/manual/agent/agent-configuration.html manual but agents don't get the configuration from the shared directory (/var/ossec/etc/shared directory on server).
> > > > > >
> > > > > Please use specifics. What did you set in the agent.conf file? Did the agent.conf file get transferred from the server to the agents? Did you restart the agent processes after the new agent.conf was transferred? Why do you think it isn't working?
> > > > >
> > > > > > On Friday, 12 October 2012 at 10:46:38 UTC+4, kay kay wrote:
> > > > > > > At the moment I use syslog-ng to collect logs from all servers and analyze them on ossec-server with decoders and rules.
> > > > > > >
> > > > > > > How can I configure ossec-server to avoid log collecting with syslog-ng?
> > > > > > >
> > > > > > > I.e. I have two servers (ossec-agents) with nginx. I need to analyze nginx logs. Should I configure decoder and rule on each ossec-agent, or can I create one decoder and one rule on ossec-server and it will be automatically pushed to ossec-agents?
Re: [ossec-list] Re: How can I monitor logs on ossec agents?
> I thought nginx had its own format?

It works great on ossec-server.

> /var/ossec/etc/ossec.conf and /var/ossec/etc/shared/agent.conf are valid. I am not familiar with ossec-agent.conf.

/var/ossec/etc/ossec.conf is a symlink to /var/ossec/etc/ossec-agent.conf on ossec agents.

> How long did you wait? It can take a while for the transfer to complete.

About 4 hours already.

I even can't find any logs related to agent.conf pushing.

On Friday, 12 October 2012 at 17:18:36 UTC+4, dan (ddpbsd) wrote:
> On Fri, Oct 12, 2012 at 9:15 AM, kay kay wrote:
> > Dear Dan
> >
> > > What did you set in the agent.conf file?
> >
> > here is my /var/ossec/etc/shared/agent.conf:
> >
> > apache
>
> I thought nginx had its own format?
>
> > /var/log/nginx/error_log
> >
> > > Did the agent.conf file get transferred from the server to the agents?
> >
> > No, it didn't. I checked /var/ossec/etc/ossec-agent.conf, /var/ossec/etc/ossec.conf (symlink to ossec-agent.conf) and /var/ossec/etc/shared/ossec.conf
> >
> /var/ossec/etc/ossec.conf and /var/ossec/etc/shared/agent.conf are valid. I am not familiar with ossec-agent.conf.
>
> > > Did you restart the agent processes after the new agent.conf was transferred?
> >
> > agent.conf was not transferred but I tried to restart it anyway.
> >
> How long did you wait? It can take a while for the transfer to complete.
>
> > > Why do you think it isn't working?
> >
> > Modification time of *.conf files on agents is not changed. And the conf files actually don't contain:
> > /var/log/nginx/error_log
> >
> > On Friday, 12 October 2012 at 16:35:27 UTC+4, dan (ddpbsd) wrote:
> > > On Fri, Oct 12, 2012 at 7:37 AM, kay kay wrote:
> > > > I tried to follow the http://www.ossec.net/doc/manual/agent/agent-configuration.html manual but agents don't get the configuration from the shared directory (/var/ossec/etc/shared directory on server).
> > > >
> > > Please use specifics. What did you set in the agent.conf file? Did the agent.conf file get transferred from the server to the agents? Did you restart the agent processes after the new agent.conf was transferred? Why do you think it isn't working?
> > >
> > > > On Friday, 12 October 2012 at 10:46:38 UTC+4, kay kay wrote:
> > > > > At the moment I use syslog-ng to collect logs from all servers and analyze them on ossec-server with decoders and rules.
> > > > >
> > > > > How can I configure ossec-server to avoid log collecting with syslog-ng?
> > > > >
> > > > > I.e. I have two servers (ossec-agents) with nginx. I need to analyze nginx logs. Should I configure decoder and rule on each ossec-agent, or can I create one decoder and one rule on ossec-server and it will be automatically pushed to ossec-agents?
Re: [ossec-list] Re: How can I monitor logs on ossec agents?
Dear Dan

> What did you set in the agent.conf file?

here is my /var/ossec/etc/shared/agent.conf:

apache
/var/log/nginx/error_log

> Did the agent.conf file get transferred from the server to the agents?

No, it didn't. I checked /var/ossec/etc/ossec-agent.conf, /var/ossec/etc/ossec.conf (symlink to ossec-agent.conf) and /var/ossec/etc/shared/ossec.conf

> Did you restart the agent processes after the new agent.conf was transferred?

agent.conf was not transferred but I tried to restart it anyway.

> Why do you think it isn't working?

Modification time of *.conf files on agents is not changed. And the conf files actually don't contain:
/var/log/nginx/error_log

On Friday, 12 October 2012 at 16:35:27 UTC+4, dan (ddpbsd) wrote:
> On Fri, Oct 12, 2012 at 7:37 AM, kay kay wrote:
> > I tried to follow the http://www.ossec.net/doc/manual/agent/agent-configuration.html manual but agents don't get the configuration from the shared directory (/var/ossec/etc/shared directory on server).
> >
> Please use specifics. What did you set in the agent.conf file? Did the agent.conf file get transferred from the server to the agents? Did you restart the agent processes after the new agent.conf was transferred? Why do you think it isn't working?
>
> > On Friday, 12 October 2012 at 10:46:38 UTC+4, kay kay wrote:
> > > At the moment I use syslog-ng to collect logs from all servers and analyze them on ossec-server with decoders and rules.
> > >
> > > How can I configure ossec-server to avoid log collecting with syslog-ng?
> > >
> > > I.e. I have two servers (ossec-agents) with nginx. I need to analyze nginx logs. Should I configure decoder and rule on each ossec-agent, or can I create one decoder and one rule on ossec-server and it will be automatically pushed to ossec-agents?
[ossec-list] Re: How can I monitor logs on ossec agents?
I tried to follow the http://www.ossec.net/doc/manual/agent/agent-configuration.html manual but agents don't get the configuration from the shared directory (/var/ossec/etc/shared directory on server).

On Friday, 12 October 2012 at 10:46:38 UTC+4, kay kay wrote:
> At the moment I use syslog-ng to collect logs from all servers and analyze them on ossec-server with decoders and rules.
>
> How can I configure ossec-server to avoid log collecting with syslog-ng?
>
> I.e. I have two servers (ossec-agents) with nginx. I need to analyze nginx logs. Should I configure decoder and rule on each ossec-agent, or can I create one decoder and one rule on ossec-server and it will be automatically pushed to ossec-agents?
[ossec-list] How can I monitor logs on ossec agents?
At the moment I use syslog-ng to collect logs from all servers and analyze them on ossec-server with decoders and rules.

How can I configure ossec-server to avoid log collecting with syslog-ng?

I.e. I have two servers (ossec-agents) with nginx. I need to analyze nginx logs. Should I configure decoder and rule on each ossec-agent, or can I create one decoder and one rule on ossec-server and it will be automatically pushed to ossec-agents?
Re: [ossec-list] Re: Is it possible to disable alert.log and use only database?
We have thousands of alerts per second. Is it possible to redirect alerts via a pipe to other software like flume?

On Wednesday, 26 September 2012 at 16:29:54 UTC+4, Daniel Cid wrote:
> How many events/alerts per second do you have? I don't think writing to a log file will cause any issue (and if it is, it will be much worse when writing to the db).
>
> thanks,
>
> --
> Daniel B. Cid
> http://dcid.me
>
> On Wed, Sep 26, 2012 at 4:01 AM, kay kay wrote:
> > Disk utilization is too high.
> >
> > On Tuesday, 25 September 2012 at 22:41:09 UTC+4, JB wrote:
> > > May I ask why you want to disable alert.log?
[ossec-list] Re: Is it possible to disable alert.log and use only database?
Disk utilization is too high.

On Tuesday, 25 September 2012 at 22:41:09 UTC+4, JB wrote:
> May I ask why you want to disable alert.log?
Re: [ossec-list] Is it possible to disable alert.log and use only database?
Thank you for a sane answer. So why didn't you tell me at once "it is impossible to implement it in default ossec" instead of "use vi"?

On Tuesday, 25 September 2012 at 18:45:30 UTC+4, dan (ddpbsd) wrote:
> On Tue, Sep 25, 2012 at 10:41 AM, kay kay wrote:
> > I didn't ask about which tool to use, I asked about which file to modify, what exactly. And is it possible at all.
> >
> Yes it's possible, but you'll have to modify the source code to do it. That "feature" isn't implemented. If I took the time to tell you what to modify and how to do it exactly I might as well do it myself.
>
> > On Tuesday, 25 September 2012 at 18:26:58 UTC+4, dan (ddpbsd) wrote:
> > > On Tue, Sep 25, 2012 at 10:21 AM, kay kay wrote:
> > > > Any sane response?
> > > >
> > > Use vi?
> > >
> > > > On Tuesday, 25 September 2012 at 14:12:45 UTC+4, dan (ddpbsd) wrote:
> > > > > Start warming up emacs.
> > > > >
> > > > > On Sep 25, 2012 6:07 AM, "kay kay" wrote:
> > > > > > I would like to disable alert.log and use only the database. Is it possible to implement in default ossec, or should I modify the source code?
Re: [ossec-list] Is it possible to disable alert.log and use only database?
I didn't ask about which tool to use, I asked about which file to modify, what exactly. And is it possible at all.

On Tuesday, 25 September 2012 at 18:26:58 UTC+4, dan (ddpbsd) wrote:
> On Tue, Sep 25, 2012 at 10:21 AM, kay kay wrote:
> > Any sane response?
> >
> Use vi?
>
> > On Tuesday, 25 September 2012 at 14:12:45 UTC+4, dan (ddpbsd) wrote:
> > > Start warming up emacs.
> > >
> > > On Sep 25, 2012 6:07 AM, "kay kay" wrote:
> > > > I would like to disable alert.log and use only the database. Is it possible to implement in default ossec, or should I modify the source code?
Re: [ossec-list] Is it possible to disable alert.log and use only database?
Any sane response?

On Tuesday, 25 September 2012 at 14:12:45 UTC+4, dan (ddpbsd) wrote:
> Start warming up emacs.
>
> On Sep 25, 2012 6:07 AM, "kay kay" wrote:
> > I would like to disable alert.log and use only the database. Is it possible to implement in default ossec, or should I modify the source code?
[ossec-list] Is it possible to disable alert.log and use only database?
I would like to disable alert.log and use only the database. Is it possible to implement in default ossec, or should I modify the source code?
Re: [ossec-list] Pass hostname to active-response script
I have found a solution. We can build a psql query in the active-response script, and we can get the full log message from the postgresql database:

SQL_COMMAND="SELECT alertid, full_log FROM alert, data WHERE alertid = '$ALERTID' AND data.id = alert.id AND data.server_id = alert.server_id"
ALERTTEXT=$(/usr/bin/psql -h 127.0.0.1 -U ossec_user -d ossecdb -c "$SQL_COMMAND")

But sometimes active-response is faster than the DB transaction and there could be no data.

On Monday, 17 September 2012 at 19:03:20 UTC+4, dan (ddpbsd) wrote:
> On Mon, Sep 17, 2012 at 10:55 AM, kay kay wrote:
> > Well. Is it possible to run the ossec decoder with active-response on the remote ossec-client directly? In that case I don't need to use the syslog-ng collector and the "hostname" variable.
> >
> I don't understand the question. You can run a standalone instance of OSSEC. Either way, you don't _need_ syslog-ng.
>
> Part of the problem might be that you haven't told us your goal, or your setup. I'm getting an idea of what's going on here, but I could be way off. (I'm hoping I'm way off)
>
> > Where should I put the rules? On ossec-server, and the rules should be automatically deployed on each remote client? Or should I configure each client to use these rules?
> >
> Agents do not get rules, only the server and standalone instances. The agents send the log messages to the server, which then checks them.
>
> > On Monday, 17 September 2012 at 17:20:14 UTC+4, dan (ddpbsd) wrote:
> > > On Mon, Sep 17, 2012 at 9:14 AM, kay kay wrote:
> > > > Unfortunately I don't need srcip, I need the hostname which was generated in the log file. Is there any possibility to parse it? At the moment I can't regexp the whole log file but only starting from "[Wed Sep"
> > > >
> > > The only way will be to modify the source.
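A fuller version of that lookup, added here as an example (it is not code from the thread or from OSSEC), that also deals with the race kay mentions: it retries the query a few times before giving up, and it refuses to run the query at all unless the alert id has the epoch.counter shape OSSEC uses, so nothing unexpected is ever interpolated into the SQL. The argument order (action, user, srcip, alertid, ruleid) is the one visible in the active-responses.log line earlier in this thread; the table and column names are kay's; the database host, name and user are placeholders to adjust.

```sh
#!/bin/sh
# Added example, not from the thread or from OSSEC: an active-response
# script that fetches the alert's full_log from the ossec PostgreSQL
# database, with a retry loop for the race kay describes (the script can
# run before the alert row is committed) and a strict check on the alert
# id before it is interpolated into SQL.
#
# ossec-execd calls active-response scripts as:
#   script <action> <user> <srcip> <alertid> <ruleid> [...]
# which is the shape of the active-responses.log line in the thread
# ("add - - 1347870299.890849 100018 /var/log/remote.log").
# The host, database and user below are placeholders (assumptions).

PSQL=/usr/bin/psql
DBHOST=127.0.0.1
DBUSER=ossec_user
DBNAME=ossecdb
LOGFILE=/var/ossec/logs/active-responses.log

# Alert ids look like 1347870299.890849: digits, one dot, digits.
# Anything else is rejected, so the value can go into the query unescaped.
valid_alertid() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*.*.*) return 1 ;;   # empty, bad chars, dot at an end, two dots
        *.*) return 0 ;;                        # digits.digits
        *) return 1 ;;                          # no dot at all
    esac
}

# One lookup. Prints "alertid|full_log" (-A unaligned, -t tuples only),
# or nothing if the row is not there yet. Tables and columns are the
# ones kay's query uses.
query_full_log() {
    "$PSQL" -h "$DBHOST" -U "$DBUSER" -d "$DBNAME" -At -c \
        "SELECT alert.alertid, data.full_log FROM alert, data
         WHERE alert.alertid = '$1'
           AND data.id = alert.id AND data.server_id = alert.server_id"
}

# Repeats the lookup up to $2 times with $3 seconds between attempts,
# covering the window where the script outruns the database insert.
# Prints the row and returns 0 on success, returns 1 if it never appears.
fetch_with_retry() {
    alertid=$1
    tries=${2:-5}
    delay=${3:-1}
    n=0
    while [ "$n" -lt "$tries" ]; do
        # "|| true": an empty or failed lookup means "not yet", not fatal
        result=$(query_full_log "$alertid" || true)
        if [ -n "$result" ]; then
            printf '%s\n' "$result"
            return 0
        fi
        n=$((n + 1))
        sleep "$delay"
    done
    return 1
}

main() {
    action=$1
    alertid=$4
    ruleid=$5
    [ "$action" = add ] || exit 0    # nothing to undo on the delete/timeout call
    if ! valid_alertid "$alertid"; then
        echo "$(date) $0: refusing malformed alert id '$alertid'" >> "$LOGFILE"
        exit 1
    fi
    if text=$(fetch_with_retry "$alertid" 5 1); then
        echo "$(date) $0: rule $ruleid: $text" >> "$LOGFILE"
    else
        echo "$(date) $0: alert $alertid not in the database after retries" >> "$LOGFILE"
        exit 1
    fi
}

# Only act when ossec-execd supplies its argument list; running the file
# with no arguments just defines the functions.
if [ "$#" -ge 5 ]; then
    main "$@"
fi
```

Drop it into the active-response bin directory and wire it up the same way as the test.sh in this thread. With the retry window at 5 x 1 s, an alert that still is not in the database is logged as missing instead of silently producing an empty ALERTTEXT; widen the window if your database commits lag further behind analysisd.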
Re: [ossec-list] Pass hostname to active-response script
Well. Is it possible to run the ossec decoder with active-response on the remote ossec-client directly? In that case I don't need to use the syslog-ng collector and the "hostname" variable.

Where should I put the rules? On ossec-server, and the rules should be automatically deployed on each remote client? Or should I configure each client to use these rules?

On Monday, 17 September 2012 at 17:20:14 UTC+4, dan (ddpbsd) wrote:
> On Mon, Sep 17, 2012 at 9:14 AM, kay kay wrote:
> > Unfortunately I don't need srcip, I need the hostname which was generated in the log file. Is there any possibility to parse it? At the moment I can't regexp the whole log file but only starting from "[Wed Sep"
> >
> The only way will be to modify the source.
Re: [ossec-list] Pass hostname to active-response script
Unfortunately I don't need srcip, I need the hostname which was generated in the log file. Is there any possibility to parse it? At the moment I can't regexp the whole log file but only starting from "[Wed Sep"

On Monday, 17 September 2012 at 17:07:23 UTC+4, dan (ddpbsd) wrote:
> On Mon, Sep 17, 2012 at 4:52 AM, kay kay wrote:
> > I need to pass hostname to the active-response script. Here is the log test:
> >
> > **Phase 1: Completed pre-decoding.
> > full event: 'Sep 17 12:24:57 someservername.local [Wed Sep 5 10:31:37 2012] "Failed to send <8937140> messages to remote log server <192.168.0.1:3621> "'
> > hostname: 'someservername.local'
> > program_name: '(null)'
> > log: '[Wed Sep 5 10:31:37 2012] "Failed to send <8937140> messages to remote log server <192.168.0.1:3621> "'
> >
> > I tried to use the following construction:
> >
> > log_error test.sh no hostname
> >
> > But ossec doesn't pass hostname to the script.
> > /var/ossec/logs/active-responses.log:
> > the ip address is /var/ossec/active-response/bin/test.sh add - - 1347870299.890849 100018 /var/log/remote.log
> >
> > P.S. Here is the original text message in /var/log/remote.log:
> >
> > Sep 17 12:24:57 someservername.local [Wed Sep 5 10:31:37 2012] "Failed to send <8937140> messages to remote log server <192.168.0.1:3621> "
>
> The only things you can really send to AR are srcip and user. Also, hostname doesn't show up in the log message, only the pre-decoded bits at the beginning.
[ossec-list] Pass hostname to active-response script
I need to pass hostname to the active-response script. Here is the log test:

**Phase 1: Completed pre-decoding.
full event: 'Sep 17 12:24:57 someservername.local [Wed Sep 5 10:31:37 2012] "Failed to send <8937140> messages to remote log server <192.168.0.1:3621> "'
hostname: 'someservername.local'
program_name: '(null)'
log: '[Wed Sep 5 10:31:37 2012] "Failed to send <8937140> messages to remote log server <192.168.0.1:3621> "'

I tried to use the following construction:

log_error test.sh no hostname

But ossec doesn't pass hostname to the script. /var/ossec/logs/active-responses.log:

the ip address is /var/ossec/active-response/bin/test.sh add - - 1347870299.890849 100018 /var/log/remote.log

P.S. Here is the original text message in /var/log/remote.log:

Sep 17 12:24:57 someservername.local [Wed Sep 5 10:31:37 2012] "Failed to send <8937140> messages to remote log server <192.168.0.1:3621> "
Re: [ossec-list] Force ossec server and client to use TCP only
No, I had active-response problems. I've fixed them using ssh + key authorization. UDP is not reliable for active-response.

On Friday, 29 June 2012 at 21:40:10 UTC+4, Michael Starks wrote:
> On 29.06.2012 01:16, kay kay wrote:
> > Is it possible to use only the TCP protocol? UDP packets are not reliable and are frequently being lost, and some active-responses are not executed. I've tried to find an option for the ossec server to listen on a TCP port, but found only a TCP option for clients (syslog protocol).
>
> You could use a syslog client which can do TCP and analyze the logs on the server side.
Re: [ossec-list] Force ossec server and client to use TCP only
And has anyone faced the "lost UDP packets" problem?

On Friday, 29 June 2012 at 15:59:49 UTC+4, dan (ddpbsd) wrote:
> On Fri, Jun 29, 2012 at 2:16 AM, kay kay wrote:
> > Is it possible to use only the TCP protocol? UDP packets are not reliable and are frequently being lost, and some active-responses are not executed. I've tried to find an option for the ossec server to listen on a TCP port, but found only a TCP option for clients (syslog protocol).
>
> It's not currently possible.
[ossec-list] Force ossec to listen TCP port instead of UDP
Not sure why my previous message did not appear in the list. I want to force the ossec server to listen on a TCP port instead of UDP, as UDP packets are frequently being lost and lots of active-responses on agents don't work. I've found only one option to use TCP, but it is related to the syslog protocol.
[ossec-list] Force ossec server and client to use TCP only
Is it possible to use only the TCP protocol? UDP packets are not reliable and are frequently being lost, and some active-responses are not executed. I've tried to find an option for the ossec server to listen on a TCP port, but found only a TCP option for clients (syslog protocol).