Most of my clients are using the default ossec.conf created when
installing from source. What is the preferred method to customize the
client's ossec.conf to be minimal upon install? Is there a way to
minimize the /etc/ossec.conf file before the make install? I don't
have to install OSSEC agent

Hi all,
Is it possible to define a whole network segment in a rule as the source IP?
Currently I know of the tag, but I would like to define i.e. 192.168.1.0/28
and trigger the rule for all those addresses without needing to define each address in
that segment using .
Regards,
Branimir

Hi all,
I am new to OSSEC and I am having some issues with it.
I updated the agent.conf file to monitor a few Windows and Linux directories.
But, for some odd reason, sometimes OSSEC does inform me that the files have
changed (if there are any) and sometimes it does not. Also, sometimes I get the
not

Christopher,
I am curious how you got this to work. I get all sorts of errors
trying that.
2011/06/07 13:28:22 ossec-syscheckd(1702): INFO: No directory provided for syscheck to monitor.
2011/06/07 13:28:22 ossec-syscheckd: WARN: Syscheck disabled.
2011/06/07 13:28:22 ossec-rootcheck: System audi

I just posted something similar to what you are reporting regI
removed all but this from my client's ossec.conf...
128.194.198.99
The agent.conf still hasn't been pushed to the clients after 11 hours,
and as expected the missing items from conf throw the following errors
at comman

I've combed through the other posts on agent.conf, and have done all
the troubleshooting I could find on why this isn't working. The
agent.conf file is not being copied to the clients. I'm running OSSEC
2.5.1 on all clients and server.
Last night (about 11 hours ago) I added an agent.conf to my

I prefer vi. :P
Puppet or any other configuration management system should be able to
handle this. You could also replace the ossec.conf bits in the source
before you compile.
On Mon, Jun 6, 2011 at 11:47 PM, treydock wrote:
> Most of my clients are using the default ossec.conf created when
> in

Just a guess, but chown ossecr /var/ossec/etc/shared/merged.mg
The following message made me notice that:
2011/06/07 10:19:52 ossec-remoted: ERROR: Unable to create merged file: '/etc/shared/merged.mg'.
11 hours is too long, it shouldn't take more than a couple.
On Tue, Jun 7, 2011 at 11:26 AM,

I believe using a CIDR will work. If not, you can create a CDB list for it.
2011/6/7 Branimir Pačar :
> Hi all,
>
> Is possible to define whole network segment in rule as source ip?
>
> Currently i know for tag but i would like to define i.e.
> 192.168.1.0/28 and trigger rule for all thos

Reg, the rootcheck errors are probably because you're missing some
files... I have these by default after install from source...
# ls -la etc/shared/
total 176
drwxrwx--- 2 root ossec 4096 Mar 15 16:05 .
dr-xr-x--- 3 root ossec 4096 Jun 6 22:24 ..
-rw-r--r-- 1 ossec ossec 189 May 7 18:44 ar.co

Hi Reggie,
I did not try to get it to work. I was just asking a question to understand how
OSSEC is designed. (I am in the middle of reading the sources.)
On Tue, Jun 7, 2011 at 10:35 AM, reg wrote:
> Christopher,
>
> I am curious how you got this to work. I get all sorts of errors
> trying that.

Hi list,
The beta version of OSSEC 2.6 is available and waiting for testers :)
More information (including new features, download link, etc.) here:
http://dcid.me/2011/06/ossec-2-6-beta-1-available/
Please help out if you can.
Thanks,

I looked back through my logs and here is the alert:
ossec-alerts-06.log:Jun 6 10:12:55 bcfossec kernel: [501421.634671] ossec-csyslogd[3014]: segfault at 0 ip b7775821 sp bfc4ffbc error 4 in libc-2.11.1.so[b7702000+153000]
To the original poster: what OS are you running your OSSEC server on?
I am running OSSEC on CentOS 5 (2.6.18-194.32.1.el5).
I haven't had a problem with this daemon crashing since I restarted
the OSSEC service yesterday morning - I am keeping my eyes open,
though :)
FYI, I did make a code change in alert.c so that the format of the
OSSEC syslog output would be the s

It shouldn't segfault even during a package update... If any of you
can run it under gdb, it would be awesome :)
thanks,
On Tue, Jun 7, 2011 at 1:44 PM, Jefferson, Shawn wrote:
> I looked back through my logs and here is the alert:
>
> ossec-alerts-06.log:Jun 6 10:12:55 bcfossec kernel: [501421

This is the first segfault I've had running the system for months and months,
so I don't think it makes sense for me to run it under gdb (unless I see more
segfaults, and then I definitely will).

On Jun 7, 2011, at 12:26 PM, Daniel Cid wrote:
> Hi list,
>
> The beta version of OSSEC 2.6 is available and waiting for testers :)
> More information (including new features,
> download link, etc) here:
>
> http://dcid.me/2011/06/ossec-2-6-beta-1-av

SUCCESS!! Thank you, Dan. I didn't ever think the ONLY error in my
logs could cause that file to not go down to the clients... but upon fixing
the permissions and restarting both server and agent, the file is
there and working.
Would there be a reference to what permissions should be applied to
files u

If I were to put this daemon under gdb, I am concerned that I could be
accumulating debugger data for weeks before this daemon crashes
again. Hopefully, this daemon crash is a once in a blue moon event. On
the other hand, once in a blue moon events are very hard to
troubleshoot. If it's indeed