it is telling you that ossec either crashed or failed to start.
On 12/03/2010 01:27 PM, Nicholas Ritter wrote:
I started getting queue and connection errors on my ossec 2.5.1 server
that I can't seem to resolve. I tried a solution on the FAQ, but that
only temporarily fixed the error. Here is a samp
Could be a permissions error.
ossec runs under the system account, and "system" should have full
control and read.
Use regedit to check permissions on the key.
On 12/03/2010 02:21 PM, dan (ddp) wrote:
On Thu, Dec 2, 2010 at 7:33 PM, wrote:
Anyone see these errors, from WinXP clients. Just s
Hi all,
I'm running the latest version 2.5.1 and noticed that after a number
of hours, a handful of my agents, mostly Windows machines (but there
are a few Linux boxes too) show up as "disconnected" when I run
agent_control -l
What is odd is when I log in to look at these boxes, they appear to
st
Well, I have a different view. Probably it may be that it's some malware
that has rendered your registry key unavailable, as intended. I would
suggest you run an antivirus scan as well as a setup to clean/repair the
registry.
Regards
Tanishk
-Original Message-
From: ossec-list@googlegrou
Hello,
I was trying to set up OSSEC at the company where I work.
So far I was able to configure everything that I wanted. Integration
with prelude, email alerts, agents, server, etc..
Now I'm trying to set up a text message alerts service. What I
intended to accomplish was having OSSEC send the a
Pudding test, try to log in to one of the windows boxes and put in the
wrong password.
If that does not show up in the alerts log on the server, it is not working.
On 12/06/2010 12:31 PM, jplee3 wrote:
Hi all,
I'm running the latest version 2.5.1 and noticed that after a number
of hours, a han
Tested this on a Linux box and Windows box. All failed attempts are
logging to the central OSSEC server. Seems like there might be an
issue with agent_control?
On Dec 6, 10:46 am, "loyd.darby" wrote:
> Pudding test, try to log in to one of the windows boxes and put in the
> wrong password.
> If
You could just use the sms functionality built into OSSEC.
Other than that, I guess looking at alerts.log would get you all or
most of the information you need.
On Mon, Dec 6, 2010 at 1:42 PM, 2xtreme wrote:
> Hello,
>
> I was trying to setup OSSEC in the company that I work.
>
> So far I was abl
Hi,
I have a centralized syslog that contains logs from Windows and Unix hosts
(and devices). The logs are all single line logs, but with different
signatures.
E.g. the windows event log format is
Sep 18 00:01:06 TXX2.syxd.com MSWinEventLog ...
A sample unix log format is
Sep 18 00:
Don't think the format is your issue, but look at
/var/ossec/etc/decoder.xml; this is where the log format is interpreted.
There is a catchall syslog rule that generates the "unknown problem".
Look at /var/ossec/rules/syslog_rules.xml
If any of these words are found:
core_dumped|failure|error|attack|
If I remove the registry check, the agent does not seem to recognize
that I want a directory check and does nothing. Is there any way to
bypass the registry check?
On Mon, Dec 6, 2010 at 3:59 PM, Chris wrote:
> If I remove the registry check, the agent does not seem to recognize
> that I want a directory check and does nothing. Is there any way to
> bypass the registry check?
Apparently not. Just set up a registry check for some inconsequential
registry ent
On Mon, Dec 6, 2010 at 2:49 PM, Christopher Moraes
wrote:
> Hi,
> I have a centralized syslog that contains logs from Windows and Unix hosts
> (and devices). The logs are all single line logs, but with different
> signatures.
> E.g. the windows event log format is
> Sep 18 00:01:06 TXX2.syxxx
That's what I figured...I set one up to monitor the ossec service.
Thanks
On Dec 6, 4:07 pm, "dan (ddp)" wrote:
> On Mon, Dec 6, 2010 at 3:59 PM, Chris wrote:
> > If I remove the registry check, the agent does not seem to recognize
> > that I want a directory check and does nothing. Is there a
Hey guys,
Is there a specific command or flag in agent_control or
syscheck_control that will display the actual changes to a file where
report_changes was set to "yes"?
Or do I just have to go into the "/var/ossec/queue/diff/local/*"
directory and view the changed files myself?
Thanks!
I'm not aware of support for seeing the diffs through agent_control.
On Mon, Dec 6, 2010 at 4:17 PM, jplee3 wrote:
> Hey guys,
>
> Is there a specific command or flag in agent_control or
> syscheck_control that will display the actual changes to a file where
> report_changes was set to "yes" ?
>
Hi Loyd, Dan,
Thank you for your helpful responses.
On Mon, Dec 6, 2010 at 4:10 PM, dan (ddp) wrote:
> On Mon, Dec 6, 2010 at 2:49 PM, Christopher Moraes
> wrote:
> > Hi,
> > I have a centralized syslog that contains logs from Windows and Unix
> hosts
> > (and devices). The logs are all sing
When you see that, check with agent_control -i and check when the last
keep-alive was. It should be within 10 minutes of the current time.
On Mon, Dec 6, 2010 at 14:12, jplee3 wrote:
> Tested this on a Linux box and Windows box. All failed attempts are
> logging to the central OSSEC server. Seems
If you have a rule set up to alert when files are changed the changes
will also be shown in the alert.
On Mon, Dec 6, 2010 at 16:17, jplee3 wrote:
> Hey guys,
>
> Is there a specific command or flag in agent_control or
> syscheck_control that will display the actual changes to a file where
> repo
Hello List,
When I run this report against a Windows 2003 (sharepoint 2007 intranet)
server (that is using kerberos), it seems that failed logins just get
username of "SYSTEM":
# zcat logs/alerts/2010/Nov/ossec-alerts-30.log.gz | ./bin/ossec-reportd -n "Logins summary" -f group authentication_fail
On Mon, 6 Dec 2010 17:19:47 -0500, NetSyphon
wrote:
Hello List,
When I run this report against a Windows 2003 (sharepoint 2007
intranet)
server (that is using kerberos), it seems that failed logins just get
username of "SYSTEM":
This is "correct" but not necessarily "right." Windows cannot
This is correct - all of the agents are outside of the 10 minute
window.
Does this just mean that OSSEC stopped sending keep-alives, but not
necessarily that the agents are actually 'disconnected' ?
On Dec 6, 2:06 pm, Joe Gedeon wrote:
> When you see that check with agent_control -i and chec
Thanks for the info. BTW: is there a certain rule that would do this?
The only reservation I would have about this is if we're dealing with
files that contain keys that are never/rarely supposed to change where
the keys are not supposed to be replicated around or in plain view. It
seems that OSSEC