hi
I have the same issue with an exim4 smtp mail gateway and an IBM
Notes server.
I got 2 additional bounces from exim:
SMTP error from remote mail server after end of data:
host ismailia.asknet.intern [10.10.223.25]: 552 A message header line is
too long
it looks like a bug (
Hi, been running ossec for about a month now, after testing for
another month. Tonight I received the following from one of my production
machines:
OSSEC HIDS Notification.
2010 Nov 18 19:36:56
Received From: (host) 10.1.1.1->rootcheck
Rule: 510 fired (level 7) -> "Host-based anomaly detection even
I am seeing this too. In our case I believe it is related to our Oracle
cluster's heartbeat since it is only occurring on those servers. Not sure if
that helps you any though.
-Original Message-
From: ossec-list@googlegroups.com [mailto:ossec-l...@googlegroups.com] On
Behalf Of x509v
There is a discussion and a tool here:
http://www.ossec.net/dcid/?p=87
I suspect this is a bug in an application that is looking for a random
port to communicate on.
It binds to the port and then fails to listen, or it stops listening
then fails to unbind.
Since the issue seems to be showin
I'm really enjoying ossec, but one of the areas that consistently
confounds me is getting a reliable centralized config working.
The goal is to have as minimal-as-possible ossec.conf on each agent,
and drive all configs from the ossec master's agent.conf. I've
purchased and read the book, followe
Have you made sure that the agent is definitely connected to the server and
that there are no communication issues between the two (check with
agent_control -l)? Off the top of my head that would be the primary thing...
if they are communicating properly, after restarting both the server and
agent(
Hello -
In src/os_maild/sendmail.c you have the following code in 2 places:
/* Solaris doesn't have the "%z", so we set the timezone to 0. */
#ifdef SOLARIS
strftime(snd_msg, 127, "Date: %a, %d %b %Y %T -\r\n",p);
#else
strftime(snd_msg, 127, "Date: %a, %d %b %Y %T %z\r\n",p);
You mean besides the successful "agent_control -i 001" summary I
included in my original post? ;)
Seriously though, I ran tcpdump on the agent and verified that there
is bi-directional traffic on port 1514/udp when I run agent_control -R
001. I also verified that the server is restarting the agen
If the agent is running as user ossec...
ps -ef |grep agentd
ossec 15812 1 0 Nov17 ? 00:01:00 /var/ossec/bin/ossec-agentd
then the file must be owned by ossec before it can be updated...
ls -l /var/ossec/etc/shared/agent.conf
-rw-r--r-- 1 ossec ossec 146 2010-11-18 11:03
/var/osse
Ahh missed that. Forgot that it also tells you the status, etc.
I dunno then - if it's connected and agent_control results in a restart,
then maybe something with the agent.conf syntax is off? Try turning debug on
maybe and look at the ossec.log?
On Fri, Nov 19, 2010 at 10:19 AM, x509v3 wrote:
I wonder why these mail servers handle the traffic so differently.
On the "does not work" list we have:
exim4
Exchange
Anyone else having issues want to chime in?
I've tried it with OpenBSD's smtpd, and probably sendmail. So those
will be the start of a "does work" list. Anyone want to contribut
Do you happen to know which versions of Solaris support %Z?
On Fri, Nov 19, 2010 at 1:15 PM, Serge Dubrouski wrote:
> Hello -
>
> In src/os_maild/sendmail.c you have the following code in 2 places:
>
> /* Solaris doesn't have the "%z", so we set the timezone to 0. */
> #ifdef SOLARIS
> strft
On Fri, Nov 19, 2010 at 1:07 AM, x509v3 wrote:
> Hi, been running ossec for about a month now, after testing for
> another month. Tonight I received the following from one of my production
> machines:
>
> OSSEC HIDS Notification.
> 2010 Nov 18 19:36:56
>
> Received From: (host) 10.1.1.1->rootcheck
>
I've checked man pages for strftime on Solaris 8,9,10. All of them
claim to support "%Z".
On Fri, Nov 19, 2010 at 12:29 PM, dan (ddp) wrote:
> Do you happen to know which versions of Solaris support %Z?
>
> On Fri, Nov 19, 2010 at 1:15 PM, Serge Dubrouski wrote:
>> Hello -
>>
>> In src/os_maild/
What version of gcc are you using?
On Thu, Nov 18, 2010 at 1:47 AM, Henry wrote:
> I got the same problem even when I used the latest version
>
> On Nov 17, 10:48 pm, "dan (ddp)" wrote:
>> Try the latest snapshot: http://ossec/net/files/snapshots
>>
>>
>>
>> On Wed, Nov 17, 2010 at 3:58 AM, Henry wro
And you've been running with this for a bit? And it works as expected?
It looks like %z is not posix, but %Z is(?). So a complete switch to
%Z across the board might not be a bad idea...
On Fri, Nov 19, 2010 at 2:38 PM, Serge Dubrouski wrote:
> I've checked man pages for strftime on Solaris 8,9,
On Fri, Nov 19, 2010 at 12:04 PM, x509v3 wrote:
> I'm really enjoying ossec, but one of the areas that consistently
> confounds me is getting a reliable centralized config working.
>
> The goal is to have as minimal-as-possible ossec.conf on each agent,
> and drive all configs from the ossec maste
On Fri, Nov 19, 2010 at 12:46 PM, dan (ddp) wrote:
> And you've been running with this for a bit? And it works as expected?
Yes, I've been running with "%Z" on Solaris 8 and everything looks
good. e-mails come with the correct time. Mail headers look like this:
Before change: Date: Fri, 19 Nov 2
Hi there, I am manually trying to run the ossec-reportd process to have
a look at some of the reporting available, and I am getting the
following error:
ossec-reportd(1207): ERROR: Unable to switch to group: 'ossec'.
I'm running the following for my initial test:
cat /var/ossec/logs/ale
Are you running this as root?
The ossec group exists right?
On Fri, Nov 19, 2010 at 6:50 PM, Scott Closter wrote:
> Hi there, I am manually trying to run the ossec-reportd process to have a
> look at some of the reporting available, and I am getting the following
> error:
>
>
>
> ossec-reportd(
The ossec group does exist. I'm logged in as a standard user (scloster),
but using "sudo" to run the command. I've verified that my scloster
account is part of the ossec group. I also tried it using sudo -i in the
console then running the command and got the same result.
Scott Closter | | CU Tec
Sendmail works for sure, I have verified that.
Scott Closter | | CU Technical & Administrative Services Corp. | 250 627 3654
-Original Message-
From: ossec-list@googlegroups.com [mailto:ossec-l...@googlegroups.com] On
Behalf Of dan (ddp)
Sent: November 19, 2010 11:23 AM
To: ossec-list@
I'm trying to write a rule to match on a regex, but only if it comes from
certain hosts.
It's easy enough to do this:
1002
10.10.10.10
10.10.10.20
[\d+]: this is a false positive
no_email_alert
Don't send email alerts on these bogus false
positives
if there's onl
The only other instance of this I've seen was fixed with a re-compile/re-install.
On Fri, Nov 19, 2010 at 7:31 PM, Scott Closter wrote:
> The ossec group does exist. I'm logged in as a standard user (scloster),
> but using "sudo" to run the command. I've verified that my scloster
> account is par
On Nov 19, 2010, at 2:23 PM, dan (ddp) wrote:
> I wonder why these mail servers handle the traffic so differently.
>
> On the "does not work" list we have:
> exim4
> Exchange
>
> Anyone else having issues want to chime in?
>
> I've tried it with Ope