Re: [ossec-list] Trouble with Agents

2011-01-10 Thread dan (ddp)
On Mon, Jan 10, 2011 at 6:48 PM, Billy McCarthy wrote: > > > On Mon, Jan 10, 2011 at 3:23 PM, dan (ddp) wrote: >> >> is only necessary for syslog connection types. >> >> It's very odd that there's no logs in the manager's ossec.log that >> relate to this agent. Is iptables turned off, or did you

Re: [ossec-list] Trouble with Agents

2011-01-10 Thread Billy McCarthy
On Mon, Jan 10, 2011 at 3:23 PM, dan (ddp) wrote: > > is only necessary for syslog connection types. > > It's very odd that there's no logs in the manager's ossec.log that > relate to this agent. Is iptables turned off, or did you add a hole > for UDP 1514 into the ruleset? > > The only thing I

Re: [ossec-list] Trouble with Agents

2011-01-10 Thread dan (ddp)
On Mon, Jan 10, 2011 at 6:15 PM, Billy McCarthy wrote: > > > On Mon, Jan 10, 2011 at 3:02 PM, dan (ddp) wrote: >> >> On Mon, Jan 10, 2011 at 5:48 PM, Billy McCarthy >> wrote: >> > >> > >> > On Mon, Jan 10, 2011 at 2:15 PM, dan (ddp) wrote: >> >> >> >> Is ossec-remoted running on the manager? >>

Re: [ossec-list] Trouble with Agents

2011-01-10 Thread Billy McCarthy
On Mon, Jan 10, 2011 at 3:02 PM, dan (ddp) wrote: > On Mon, Jan 10, 2011 at 5:48 PM, Billy McCarthy > wrote: > > > > > > On Mon, Jan 10, 2011 at 2:15 PM, dan (ddp) wrote: > >> > >> Is ossec-remoted running on the manager? > >> After adding the agent through the manage_agents application, did yo

Re: [ossec-list] ossec agent and logs

2011-01-10 Thread dan (ddp)
On Mon, Jan 10, 2011 at 5:37 PM, Michael Starks wrote: > On Mon, 10 Jan 2011 17:32:09 -0500, "dan (ddp)" wrote: >> >> Hi Andy, >> >> On Mon, Jan 10, 2011 at 5:18 PM, NetSyphon wrote: >>> >>> Hello List, >>> Does OSSEC do any sort of log replay on either windows or *nix, so that >>> if >>> an age

Re: [ossec-list] Trouble with Agents

2011-01-10 Thread dan (ddp)
On Mon, Jan 10, 2011 at 5:48 PM, Billy McCarthy wrote: > > > On Mon, Jan 10, 2011 at 2:15 PM, dan (ddp) wrote: >> >> Is ossec-remoted running on the manager? >> After adding the agent through the manage_agents application, did you >> restart the OSSEC processes on the manager? >> Are there any er

Re: [ossec-list] ossec agent and logs

2011-01-10 Thread dan (ddp)
On Mon, Jan 10, 2011 at 5:46 PM, NetSyphon wrote: > Amazing!  Now I just have to find a good front end for log mining and > relationship tracking similar to what the costly stuff does. > I would rather just invest in making ossec more like arcsight etc, not the > other way around :) > Splunk has

Re: [ossec-list] ossec agent and logs

2011-01-10 Thread NetSyphon
Amazing! Now I just have to find a good front end for log mining and relationship tracking similar to what the costly stuff does. I would rather just invest in making ossec more like arcsight etc, not the other way around :) On Mon, Jan 10, 2011 at 5:32 PM, dan (ddp) wrote: > Hi Andy, > > On

Re: [ossec-list] Trouble with Agents

2011-01-10 Thread Billy McCarthy
On Mon, Jan 10, 2011 at 2:15 PM, dan (ddp) wrote: > On Mon, Jan 10, 2011 at 4:57 PM, Billy McCarthy > wrote: > > > > > > On Mon, Jan 10, 2011 at 11:45 AM, dan (ddp) wrote: > >> > >> Hi Billy, > >> > >> On Mon, Jan 10, 2011 at 12:55 PM, Billy McCarthy > >> wrote: > >> > I've got Ossec up and ru

Re: [ossec-list] ossec agent and logs

2011-01-10 Thread Michael Starks
On Mon, 10 Jan 2011 17:32:09 -0500, "dan (ddp)" wrote: Hi Andy, On Mon, Jan 10, 2011 at 5:18 PM, NetSyphon wrote: Hello List, Does OSSEC do any sort of log replay on either windows or *nix, so that if an agent is stopped and started that it will "replay" to catch up?  I'm trying to prove t

Re: [ossec-list] ossec agent and logs

2011-01-10 Thread dan (ddp)
Hi Andy, On Mon, Jan 10, 2011 at 5:18 PM, NetSyphon wrote: > Hello List, > Does OSSEC do any sort of log replay on either windows or *nix, so that if > an agent is stopped and started that it will "replay" to catch up?  I'm > trying to prove that OSSEC is at least a better option than something l

[ossec-list] ossec agent and logs

2011-01-10 Thread NetSyphon
Hello List, Does OSSEC do any sort of log replay on either windows or *nix, so that if an agent is stopped and started that it will "replay" to catch up? I'm trying to prove that OSSEC is at least a better option than something like syslogd/SNARE/logparser for log centralization (and in many case

Re: [ossec-list] Trouble with Agents

2011-01-10 Thread dan (ddp)
On Mon, Jan 10, 2011 at 4:57 PM, Billy McCarthy wrote: > > > On Mon, Jan 10, 2011 at 11:45 AM, dan (ddp) wrote: >> >> Hi Billy, >> >> On Mon, Jan 10, 2011 at 12:55 PM, Billy McCarthy >> wrote: >> > I've got Ossec up and running, using the RPMs provided by Atomicorp, but >> > cannot get agents to

Re: [ossec-list] Trouble with Agents

2011-01-10 Thread Billy McCarthy
On Mon, Jan 10, 2011 at 11:45 AM, dan (ddp) wrote: > Hi Billy, > > On Mon, Jan 10, 2011 at 12:55 PM, Billy McCarthy > wrote: > > I've got Ossec up and running, using the RPMs provided by Atomicorp, but > > cannot get agents to talk to the main server. When I run `manage_agents` > on > > my main

Re: [ossec-list] Ossec-agentd CPU Utilization and Limits

2011-01-10 Thread Jeremy Lee
Thanks for the ideas, Dan! In fact, there is a pre-existing script that runs every minute which basically greps for specific keywords, etc. If there are greater than 50 it spits information out into an email. The initial reason I was utilizing OSSEC was to eliminate this script. However, it seems

Re: [ossec-list] Ossec-agentd CPU Utilization and Limits

2011-01-10 Thread dan (ddp)
Hi Jeremy, On Mon, Jan 10, 2011 at 2:54 PM, Jeremy Lee wrote: > I classified it as "Syslog" (does the classification make much of a > difference though?). # of lines per entry varies greatly since it's > non-standard. I really wish the app was designed to log in standard format, > but at this poi

Re: [ossec-list] Ossec-agentd CPU Utilization and Limits

2011-01-10 Thread Jeremy Lee
I classified it as "Syslog" (does the classification make much of a difference though?). # of lines per entry varies greatly since it's non-standard. I really wish the app was designed to log in standard format, but at this point that would be a minor change request that would be shifted probably a

Re: [ossec-list] Ossec-agentd CPU Utilization and Limits

2011-01-10 Thread dan (ddp)
Hi Jeremy, On Mon, Jan 10, 2011 at 11:35 AM, Jeremy Lee wrote: > Thanks for the response Daniel. Unfortunately, I didn't get to measure # of > events per second for the particular log. One thing I was also wondering > though: would the size of each log potentially create issues? The log is in > n

Re: [ossec-list] Trouble with Agents

2011-01-10 Thread dan (ddp)
Hi Billy, On Mon, Jan 10, 2011 at 12:55 PM, Billy McCarthy wrote: > I've got Ossec up and running, using the RPMs provided by Atomicorp, but > cannot get agents to talk to the main server.  When I run `manage_agents` on > my main server it gives me the short menu, like you see on clients.  I was

Re: [ossec-list] Ossec-agentd CPU Utilization and Limits

2011-01-10 Thread Christopher Moraes
Here is a thread on some performance tests that I ran on OSSEC http://groups.google.com/group/ossec-list/browse_thread/thread/224408b3f6b034a8/f758743dacf7ed72?lnk=gst&q=performance+testing#f758743dacf7ed72

Re: [ossec-list] Ossec-agentd CPU Utilization and Limits

2011-01-10 Thread Jeremy Lee
Thanks for the response Daniel. Unfortunately, I didn't get to measure # of events per second for the particular log. One thing I was also wondering though: would the size of each log potentially create issues? The log is in non-standard format and so one log entry may end up containing 25+ newline

[ossec-list] Trouble with Agents

2011-01-10 Thread Billy McCarthy
I've got Ossec up and running, using the RPMs provided by Atomicorp, but cannot get agents to talk to the main server. When I run `manage_agents` on my main server it gives me the short menu, like you see on clients. I was able to create the client key on that server anyway and import it onto the

Re: [ossec-list] OSSEC in the Enterprise

2011-01-10 Thread Daniel Cid
We have done (and seen) quite a few large deployments, so I can try to help with any issue you guys are having. The main issues I see with any install larger than 1k agents: -You have to re-compile OSSEC to support a large number of agents. By default it is set to max at 256. -You have to increas

Re: [ossec-list] Ossec-agentd CPU Utilization and Limits

2011-01-10 Thread Daniel Cid
Do you know how many events/logs it created per second? On the agent side it should be able to easily handle many thousands of logs per second without any tuning... thanks, On Sat, Jan 8, 2011 at 1:37 PM, jplee3 wrote: > Hi all, > > We experienced 90%+ utilization from the ossec-agentd on a co

Re: [ossec-list] OSSEC now included in Security Onion and integrated into Sguil

2011-01-10 Thread Daniel Cid
Good stuff! I will be trying it out now :) thanks, On Sun, Jan 9, 2011 at 3:06 PM, Doug Burks wrote: > Fellow OSSEC Users, > > I'm happy to announce that OSSEC is now included in Security Onion and > is integrated into Sguil. > > Screenshots can be found here: > http://securityonion.blogspot.com

Re: [ossec-list] OSSEC in the Enterprise

2011-01-10 Thread ItsMikeE
On a different (but related) note, has anyone set up a second OSSEC server, to provide enterprise-level resilience?