Hi all,
Just wondering if OSSEC has the ability to capture all commands run
after sudo'ing or su'ing to root (or another privileged user, etc).
TIA!
Yes, they are always the same processes (logcollector and syscheckd).
The clients were all binary RPM installs.
Permissions and PID files look correct; here are the results after stopping the
client:
# ps ax |grep oss
7410 ?S 0:00 /var/ossec/bin/client-logcollector
7414 ?S
Guys,
I have a domain controller with an OSSEC agent. Below are the default OSSEC rules:
18105
^672|^673|^675|^676|^681|^4769
Windows DC Logon Failure.
win_authentication_failed,
A failed logon puts the following information in my log files:
Rule: 18139 (level 5) -> 'Windows DC Logon Failure.
On Mon, Aug 16, 2010 at 6:44 AM, GeorgeY wrote:
> Hi all,
>
> Please forgive me if this has been asked before. I researched and
> found a lot related to syslog but nothing really gave me a clear
> picture.
>
> I noticed Windows event viewer events being logged in /ossec/logs/
> alerts. I know thes
On Mon, Aug 16, 2010 at 8:18 AM, David Porcello wrote:
> Hi all,
>
> I'm running OSSEC client 2.4.1 on a handful of RedHat EL 5.5 servers and I'm
> seeing the following behavior across the board: It appears that
> client-logcollector and client-syscheckd aren't detected as running, and
> theref
Hi all,
I'm running OSSEC client 2.4.1 on a handful of RedHat EL 5.5 servers and I'm
seeing the following behavior across the board: It appears that
client-logcollector and client-syscheckd aren't detected as running, and
therefore aren't stopped by ossec-control. When this occurs, multiple ins
Hi all,
Please forgive me if this has been asked before. I researched and
found a lot related to syslog but nothing really gave me a clear
picture.
I noticed Windows event viewer events being logged in /ossec/logs/
alerts. I know these events are generated if any events match those
listed under /
@D.B.: did you use WinINSTALL LE for OSSEC? The one I created using
"Advanced Installer" was corrupt: it installed but could not get the
service created, and I'm not too sure about the reg keys either.
On Aug 13, 5:24 pm, smokey wrote:
> Michael, thanks for the tip;)
>
> @GeorgeY: I'm using wininstall