The manager doesn't need a key. It will run, and you get the key for
the agents from the manager.
On Fri, Oct 29, 2010 at 8:31 PM, Ben Morgan wrote:
> I understand once I start ossec. But the trouble is it won't run without the
> key. And I can't get the key unless I run it, right?
>> D
You have to install the ossec linux server, then use the manage agents
program, to first add the host, then export the key for use on your
clients. AFAIK ossec clients won't work well stand-alone.
-rich
On Fri, Oct 29, 2010 at 8:31 PM, Ben Morgan wrote:
> I understand once I start ossec. But the t
I understand once I start ossec. But the trouble is it won't run without the
key. And I can't get the key unless I run it, right?
> Date: Fri, 29 Oct 2010 19:21:34 -0400
> Subject: Re: [ossec-list] How to import a Key using windows
> From: ddp...@gmail.com
> To: ossec-list@googlegroups.com
There's a gui front end on the Windows side. It should be in the Start
menu ("Start -> programs -> ossec" I think).
If you're wondering how to get the key in the first place, you have to
use the "/var/ossec/bin/manage_agents" program on the manager to
create the agent identity. You can then export
I am wondering how to import a key. I am using Windows. When I
installed it prompted me to input the server ip and the authentication
code. How can i get the latter?
Thanks
I recently added the configuration to my ossec.conf file but
something isn't working correctly because the emails are showing up
blank. I have read all the posts about the report showing up in the
subject line but that isn't happening in this case. The subject line is
correct but the email body is
Everything was restarted properly, the setting is changed and the
binaries all have new timestamps.
# Maild full subject (0=disabled, 1=enabled)
maild.full_subject=0
-Reggie
On Oct 28, 2:37 pm, "dan (ddp)" wrote:
> The OSSEC processes all restarted properly? Did the binaries actually change?
>
Are there any error messages either on the agents or manager? Perhaps
something related to the rids files?
On Fri, Oct 29, 2010 at 11:47 AM, blacklight wrote:
> The agent hosts that show this problem are Linux 2.6 hosts running
> either Fedora Core 5 or Centos 5. Beyond that, I cannot tell you mu
The agent hosts that show this problem are Linux 2.6 hosts running
either Fedora Core 5 or Centos 5. Beyond that, I cannot tell you much
more (because there is not much more to tell :)) The problem occurs
intermittently (as in not very often) and is immediately corrected
whenever the rids queues ar
I have a couple of agents showing this behavior. I'm not sure if the
manager missed the message from the agent, or what.
On Thu, Oct 28, 2010 at 2:53 PM, Jeremy Lee wrote:
> Anybody else seeing this?
>
> On Wed, Oct 27, 2010 at 11:10 AM, jplee3 wrote:
>>
>> Hey all,
>>
>> I seem to be having iss
I've never seen this problem. In fact I've never had to clear out the
rids files.
Can you provide a bit more information about the hosts showing this problem?
On Thu, Oct 28, 2010 at 1:31 PM, blacklight wrote:
> Hello Folks,
>
> Once in a while, the active response does not kick in. Then I have t
You can do that. It's generally considered bad form to re-use IDs
though. It could cause issues with old data.
If you re-use a client ID and run a historical report later the data
could get all mixed up.
On Fri, Oct 29, 2010 at 2:25 AM, Mike Sievers
wrote:
> Yes.
> Remove line at file client.keys
For the syslog issue, you can configure syslog.conf in such a way that
the incoming events from other servers are stored in a separate log
file and not your default /var/log/messages.
http://www.aboutdebian.com/syslog.htm
If I remember correctly, the log collector daemon is the only daemon
runnin
Hac
You can configure your Syslog to write remote events to another file
than /var/log/messages
Then OSSEC will not screen remote events.
Sample config:
source from_net {
udp(port(514));
tcp(port(514) keep-alive(yes) max-connections(200));
};
# this is for separating out network hos
Yes.
Remove line at file client.keys?
2010/10/28 dan (ddp)
> I don't understand the question. Are you trying to re-use an ID?
>
> On Thu, Oct 28, 2010 at 2:38 AM, Mike Sievers
> wrote:
> > ... I now created a new id/key and it works.
> > Is it also possible to remove an ID instead only an agent