[ossec-list] Re: Composite Rule Help

2010-05-10 Thread Dave S
So Phil, I checked out your posting. What did you fix to make it work? And Eric, is a legit tag for a composite rule. See http://www.ossec.net/main/manual/configuration-options/#rules_options Table 4.1 - Dave

RE: [ossec-list] Re: SYSLOG-NG AND OSSEC FOR LOG ANALYSING

2010-05-10 Thread Muraleedaran Kanapathy
Hi Dave Sorry for the late reply as I was out of Office I followed the steps, but still I am not receiving the logs, including from CISCO router as well Also can I search these logs via the web interface, or can I create any queries Kindly help Muraleedaran Kanapathy| Linux/Unix System Eng

[ossec-list] Re: Active response working on agents but not on server

2010-05-10 Thread tm
Dan, Upon reading the OSSEC book again it appears to confirm my suspicion that "all" means "all" agents. So, how do you include the server as well? I tried server,all as someone else's post suggested but it doesn't work. The active response seems to work only on the server if I attack an agent.

Re: [ossec-list] Alert level 10 - as title of report

2010-05-10 Thread dan (ddp)
I'm seeing the same problem. Level 5 and 7 alerts in an email with the subject claiming level 10. To change the aggregation setting, edit /var/ossec/etc/internal_options.conf # Maild grouping (0=disabled, 1=enabled) # Groups alerts within the same e-mail. maild.groupping=1 On Thu, May 6, 2010 at

Re: [ossec-list] Re: Comprehensive manual - or - something

2010-05-10 Thread Chris Buechler
On Thu, May 6, 2010 at 7:18 PM, Alessandro Di Giuseppe wrote: > Re: Watch for spam and or defacement > Can't a CAPTCHA be implemented to prevent spambot from posting? > That's not nearly as effective as you might think, speaking from experience with involvement in other popular open source projec

Re: [ossec-list] Re: SU rules issue with Linux and OSSEC 2.4.1

2010-05-10 Thread dan (ddp)
Running two of the logs through ossec-logtest shows a few differences: May 7 09:50:46 Server su(pam_unix)[17639]: authentication failure; logname=username uid=500 euid=0 tty=pts/0 ruser=username rhost= user=root **Phase 1: Completed pre-decoding. full event: 'May 7 09:50:46 Server su(pam

[ossec-list] ossec for log analysis

2010-05-10 Thread Muraleedaran Kanapathy
Dear Sirs We are in the process of installing the OSSEC for the log analyzing purposes for the PCI DSS requirement In windows I have installed the OSSEC agent, but I am unable to see any Windows event logs such as Application, System, except for the Security logs ( Including CISCO logs)

Re: [ossec-list] ossec for log analysis

2010-05-10 Thread Daniel Cid
Hi, OSSEC by default will only generate alerts on events that have potential security value. Most events from the "System" and "Application" event log are just informational and OSSEC will not store them. If you need to have all of them stored, go to your ossec.conf (on the manager) and set to "

[ossec-list] RE: ossec for log analysis

2010-05-10 Thread Max Williams
Hi Muraleedaran, You cannot browse all windows events from the web interface, you can only view Windows Events that have been triggered by a rule to generate an alert. Take a look in this file on the ossec server: /rules/msauth_rules.xml You could write your own rule to generate alerts for other

[ossec-list] ScanAlert rules?

2010-05-10 Thread Nicholas Ritter
I googled this question before posting and found no hits, I apologize in advance if I have missed this discussion on the list. I want to create rules that treat web application scans from McAfee ScanAlert differently in OSSEC. Because of the number of source IPs that ScanAlert uses, I was going to

Re: [ossec-list] Re: Comprehensive manual - or - something

2010-05-10 Thread Alessandro Di Giuseppe
Sounds reasonable, but if accounts are indeed manually created, how is spam getting into the wiki then? From: Chris Buechler To: ossec-list@googlegroups.com Sent: Fri, May 7, 2010 7:39:41 PM Subject: Re: [ossec-list] Re: Comprehensive manual - or - something O

RE: [ossec-list] ossec for log analysis

2010-05-10 Thread Muraleedaran Kanapathy
Dear Daniel Thanks a lot for the reply. Yes I have made it as to yes but still I am not getting any logs in the alerts. For the CISCO and other Network devices can we get the syslog data to the OSSEC.. Best regards, Muraleedaran Kanapathy| Linux/Unix System Engineer - ISS De

[ossec-list] ANALIZE WINDOWS CHECKPOINT LOGS

2010-05-10 Thread Jorge cruces
Hello, I have 3 checkpoint firewalls in windows. Is there any way to send the logs to ossec? Juan Jorge Cruces Fernández Accelya

RE: [ossec-list] RE: ossec for log analysis

2010-05-10 Thread Muraleedaran Kanapathy
Hi Max Thanks a lot for the reply May I know what did you use to collect the logs from network devices? (Router and switches) And OSSEC did you use it only for File Integrity check, if so what is the syslog and syslog viewer you implemented Kindly advice Muraleedaran Kanapa

Re: [ossec-list] Re: SU rules issue with Linux and OSSEC 2.4.1

2010-05-10 Thread Nicholas Ritter
The two different sets of log entry samples came from two different versions of Linux. The remote servers are spitting out the first log entries when the remote servers are RHEL v4 based (I have not tested RHEL v5.) The local ossec management server, that all the agents talk to, is running C

Re: [ossec-list] ossec for log analysis

2010-05-10 Thread dan (ddp)
The logall option will save the logs in /var/ossec/logs/archives/ (after restarting the server of course). There probably aren't any default rules for these logs, so you may have to write your own. You should be able to forward the syslog data to a system that is listening for syslog messages so th

Re: [ossec-list] Re: SU rules issue with Linux and OSSEC 2.4.1

2010-05-10 Thread dan (ddp)
The ossec regex rules are in the wiki or the manual, can't remember which. I prefer using matches where possible, regex if necessary. Ossec's pretty fast though, so regex is probably ok. On Mon, May 10, 2010 at 9:42 AM, Nicholas Ritter wrote: > The two different sets of log entry samples came fro

Re: [ossec-list] Re: Comprehensive manual - or - something

2010-05-10 Thread dan (ddp)
It looks like anonymous editing was allowed for a bit. Not positive though. On Mon, May 10, 2010 at 1:34 PM, Alessandro Di Giuseppe wrote: > Sounds reasonable, but if accounts are indeed manually created, how is spam > getting into the wiki then? > > From: Chris