Bump, as I'm sure this got lost in weekend email.
-Josh
From: Josh Brower [mailto:j...@defensivedepth.com]
Sent: Saturday, July 30, 2011 4:16 PM
To: 'ossec-list@googlegroups.com'
Subject: OSSEC + OSSIM + Distributed Env.
I am looking at setting up OSSEC on my critical servers, which wi
On 08/01/2011 05:55 PM, Alisha Kloc wrote:
Unfortunately, we can't make any changes to the HP-UX system, which
means no cron jobs, no clearing logs, etc. All we're allowed to touch
is OSSEC agent stuff. Within that, I have some flexibility if I use
the process monitor to call a simple shell scri
On Aug 1, 1:35 pm, Michael Starks wrote:
>
> We probably didn't solve that in any elegant way. There was nothing
> like check_diff available in OSSEC at the time.
Huh. The reason it's a problem for us is because if we just spit last
to a syslog, we get new alerts on old logins (if user1 has logge
On Mon, Aug 1, 2011 at 4:15 AM, Blauch Armand wrote:
> Hello,
>
> Thanks for your advice.
> The purpose of rule 11 is to alert when there is a port scan
> detection on the host.
> I tried to activate the option, and my Symantec logs don't
> arrive at the OSSEC server. I don't know why.
> In pa
Try "upgrading" the agent (you can probably even use the same version
and upgrade over itself).
I recently had a similar issue, but a reboot seemed to fix everything.
On Mon, Aug 1, 2011 at 12:27 PM, jplee3 wrote:
> Hi all,
>
> I'm running into a problem where I cannot get the OSSEC agent (2.5.1)
You could definitely file an enhancement request
(https://bitbucket.org/dcid/ossec-hids).
You could also set up cron to run the reports for you instead of OSSEC.
The cron job could look for the gzipped file and use that for the
report, staying out of ossec-monitord's way.
On Mon, Aug 1, 2011 at 12:
Log messages like this typically have another error message before them. If not:
Is this a local install, agent install, or server install?
What did you recently change?
On Mon, Aug 1, 2011 at 7:15 AM, George Ochola wrote:
> Hi All
> I have just installed OSSEC 2.6 on my AIX 5.3 machine which was
On Mon, 1 Aug 2011 12:54:24 -0700 (PDT), Alisha Kloc wrote:
Hi Michael,
Hmm, sounds a lot like what we're trying to do. How did you get around
the fact that "last" spits out all entries in wtmp, not just newly-added
ones?
We probably didn't solve that in any elegant way. There was nothing
Hi Michael,
Hmm, sounds a lot like what we're trying to do. How did you get around
the fact that "last" spits out all entries in wtmp, not just newly-added
ones?
That's our biggest sticking point; wtmp gets very long very quickly
and we don't need old entries, just new ones since the last check.
On Mon, 1 Aug 2011 10:43:43 -0700 (PDT), Alisha Kloc wrote:
Hi again list,
My team is trying to find a way to monitor logins, logouts, and failed
logins on HP-UX using OSSEC. Problem is, HP-UX only records these in
the binary wtmp and btmp files.
We've experimented with a few different method
Hi again list,
My team is trying to find a way to monitor logins, logouts, and failed
logins on HP-UX using OSSEC. Problem is, HP-UX only records these in
the binary wtmp and btmp files.
We've experimented with a few different methods that involve the
process monitor, but they're all network-inte
I hope Dan will see this so he can note the bug or help me with a workaround.
Apparently when I schedule 3 daily reports to run, the time they run
is shortly after midnight, which is the same time that the log
rollover happens to archive previous day's alerts.log.
My ossec.log shows that the rep
use match instead of srcip and use two rules
XXX.XXX.XXX.XXX
Suppress Alerts from Server
server1
Suppress Alerts from Server
Hi all,
I'm running into a problem where I cannot get the OSSEC agent (2.5.1)
to start due to the "Unable to start OSSEC (check config)" message on
a 64-bit Win2k8 box. I tried modifying the registry as suggested here:
http://groups.google.com/group/ossec-list/browse_thread/thread/8b14612d9f2af055
Hi,
I'm new to ossec but I had this error message last week because I had 2
decoders with the same name.
Maybe you can check first if you have the same issue? (I added a
portsentry decoder on the 2.5.1 and there already is a portsentry
decoder with exactly the same name in the 2.6 release)
On 1
I haven't had to face that issue but here is my advice: either go into
regedit and search for the key, or from the domain controller run
psexec \\agenthost reg QUERY HKLM\SYSTEM\CurrentControlSet\Enum\USBSTOR
where \\agenthost is whatever the host name is for the host where the
OSSEC agent is
Hello,
I've just tried what you advised me, and it works fine! Thank you!
On 29 juil, 15:20, "dan (ddp)" wrote:
> I think we rely on user contributions for portsentry logs.
> Try changing portsentry-scan to look like this:
>
> portsentry
> ^attackalert: TCP |^attackalert: UDP
> scan from h
Hi All
I have just installed OSSEC 2.6 on my AIX 5.3 machine which was previously
running 2.5.1, but on installing 2.6 I get the following error. What could be
the problem, and how do I fix it?
2011/08/01 14:02:57 ossec-syscheckd(1210): ERROR: Queue
'/var/ossec/queue/ossec/queue' not a
Hello,
Thanks for your advice.
The purpose of rule 11 is to alert when there is a port scan
detection on the host.
I tried to activate the option, and my Symantec logs don't
arrive at the OSSEC server. I don't know why.
In parallel I work on email alert via symantec endpoint protection
manager
Dear All,
We use the SRCIP Field to specify the priority of alerts.
If an alert is generated by a Private IP address this is generated in
our ticketing system as a Medium alert.
If it is anything else, this is cut as a high. This should mean that
any public IP address is seen as a high Incident.