I agree that would be a huge help for me and my deployment as well.
> Any idea on how I can get Access to show real value instead of %%1538
> and so on?
>
> thanks
>
> On Oct 31, 12:06 pm, [EMAIL PROTECTED] wrote:
>> Looking at the logs my Windows-Ossec agent sends:
>>
>> 2008/10/31 12:57:21 oss
Thanks Peter and Daniel. Yeah, I should probably reconfigure syslog
eventually. For now I'm also trying to increase my understanding of how rules
get triggered. It looks like your suggestion works for me, to add an
element in addition to . My first try was the
following addition to local_rules.xml
Any idea on how I can get Access to show real value instead of %%1538
and so on?
thanks
On Oct 31, 12:06 pm, [EMAIL PROTECTED] wrote:
> Looking at the logs my Windows-Ossec agent sends:
>
> 2008/10/31 12:57:21 ossec-agent: DEBUG: Sending message to server:
> 'WinEvtLog: Security: AUDIT_SUCCESS(56
Hi Ricardo,
This is indeed a bug and I just fixed it on the following snapshot:
http://www.ossec.net/files/snapshots/ossec-hids-081103.tar.gz
The first decoder (su-detail) requires a prematch. Basically, the way
it works is that all the
sub-decoders with a prematch are evaluated and if none suc
Hi Ricardo,
You can do it now using the compiled rules:
http://www.ossec.net/dcid/?p=152
Hope it helps.
--
Daniel B. Cid
dcid ( at ) ossec.net
On Tue, Oct 28, 2008 at 3:41 PM, Daniel Cid <[EMAIL PROTECTED]> wrote:
> Hi Ricardo,
>
> Right now, you can use the maxsize attribute to match if the w
Hi Eric,
If you use the tag as Peter said, it will work properly
(you can probably add 1 to
make sure it is inspected for every event). However, OSSEC will still
waste time processing these events, so it
might be a better idea to configure your syslog server to log every
remote syslog event from
Greetings Eric:
You should be able to update local_rules.xml and use the "hostname" criteria.
Thank you.
On Mon, Nov 03, 2008 at 07:07:58AM -0800, Kayvan A. Sylvan wrote:
> On Mon, Nov 03, 2008 at 01:39:00PM +0100, Aurora Mazzone wrote:
> >
> > Before:
> >
> > [EMAIL PROTECTED] ~]# echo "Nov 2 09:59:48 satyr seahorse-agent[6175]:
> > Failed to send buffer" |ossec-logtest
> > 2008/11/03 13:30:30 o
On Mon, Nov 03, 2008 at 01:39:00PM +0100, Aurora Mazzone wrote:
>
> Before:
>
> [EMAIL PROTECTED] ~]# echo "Nov 2 09:59:48 satyr seahorse-agent[6175]:
> Failed to send buffer" |ossec-logtest
> 2008/11/03 13:30:30 ossec-testrule: INFO: Started (pid: 13176).
> ossec-testrule: Type one log per li
On Sun, Nov 02, 2008 at 06:22:40PM -0500, Bryan Jacobs wrote:
>
> Try this:
>
>
> 1002
> ^dovecot
> Corrupted index cache file
> no_email_alert
> Ignore dovecot index corruption messages
Thanks! I modified my rules according to this pattern.
Before:
[EMAIL PROTECTED] ~]# echo "Nov 2 09:59:48 satyr seahorse-agent[6175]:
Failed to send buffer" |ossec-logtest
2008/11/03 13:30:30 ossec-testrule: INFO: Started (pid: 13176).
ossec-testrule: Type one log per line.
**Phase 1: Completed pre-decoding.
full event: 'Nov 2 09:59:48
This question is along the same lines as my other query about regex matching.
I am getting these notifications:
Received From: satyr->/var/log/messages
Rule: 1002 fired (level 2) -> "Unknown problem somewhere in the system."
Portion of the log(s):
Nov 2 09:59:48 satyr seahorse-agent[61
Try this:
1002
^dovecot
Corrupted index cache file
no_email_alert
Ignore dovecot index corruption messages
On Sat, 2008-11-01 at 13:49 -0700, Kayvan A. Sylvan wrote:
> Hi everyone,
>
> I put the following in local_rules.xml:
>
>
> 1002
> ^dovecot\.*Corrupted