[ossec-list] Re: OSSEC 2.6 ERROR: Queue '/var/ossec/queue/ossec/queue' not accessible: 'Queue not found

2011-08-02 Thread treydock
What are the permissions on the queue? Needs to be owned by ossec user/group. On Aug 2, 12:44 am, George Ochola wrote: > This is a server install > > From: dan (ddp) > To: ossec-list@googlegroups.com > Sent: Tuesday, August 2, 2011 12:25 AM > Subject: Re

[ossec-list] Active-response and agent_control

2011-08-02 Thread jplee3
Hi all, Is there a way to issue an Active Response "Undo" through agent_control? Like if I wanted to unblock an IP that I blocked using: "./agent_control -b 192.168.1.50 -f route-null0 -u 010" Thanks!

Re: [ossec-list] Cannot see HP switch logs in OSSEC

2011-08-02 Thread john . walker
More information: I can now see switch logs in /var/log/messages. I had to stop ossec, edit syslog-ng.conf to allow remote network logging, restart syslog, then restart ossec. The order of restart was important. If ossec were already running, syslog would not start with the remote option. I

[ossec-list] agent-auth questions

2011-08-02 Thread sebel
I have two questions regarding agent-auth 1) when I create the key on the server the normal way it sets the IP of the server, when I utilize agent-auth it uses "any" instead of IP for all servers added via the agent-auth. Is this normal behavior, can the IP be added via the agent? And does having

RE: [ossec-list] Cannot see HP switch logs in OSSEC

2011-08-02 Thread Castle, Shane
Sigh, just realized it was syslog-ng. But, since the HP gear will use UDP, most of what I wrote will still apply; it just needs to be recast into syslog-ng notation. -- Shane Castle Data Security Mgr, Boulder County IT CISSP GSEC GCIH 303-441-3953 -Original Message- From: ossec-list@go

RE: [ossec-list] Cannot see HP switch logs in OSSEC

2011-08-02 Thread Castle, Shane
Usually networking gear uses a different syslog facility from what might be configured as your default. This seems to be "user" for HP gear but it can be changed to "local0" or whatever you want, BUT your syslogd MUST be configured to pay attention (example line from /etc/syslog.conf): user.*

[ossec-list] Database logging issue

2011-08-02 Thread ash kumar
I set up logging to mysql for version 2.6. I created the schema using the mysql.schema file included in the src/ directory of the distribution. All fields barring the dstip field are being populated. I am not sure where to start troubleshooting the issue. No ossec-dbd errors are logged in /var/

[ossec-list] Cannot see HP switch logs in OSSEC

2011-08-02 Thread john . walker
I am having trouble configuring syslog-ng.conf on my ossec server (SUSE Linux Enterprise 11) so I can see HP switch logs. The logs are not showing up in /var/log/messages, which would then be analyzed by ossec. The switches have been configured for logging and to use the IP address of the osse

[ossec-list] Re: Monitoring logins via btmp and wtmp

2011-08-02 Thread Alisha Kloc
If I could, that's exactly how I'd do it. Unfortunately, like I said, we are not allowed to clear the logs on these systems - they have to remain there locally. We can't do anything except read them. Believe me, I'd love to be able to use your suggestion, because it would solve this whole issue ve

[ossec-list] Re: Ossec + Splunk Integration and design

2011-08-02 Thread banjer
Depends what you're looking for. I would start by installing OSSEC and then installing Splunk, then installing the Splunk for OSSEC app and seeing if it meets all of your needs. On Aug 1, 11:38 pm, Manuari wrote: > Hi Group > Looking for help in Ossec + Splunk Integration. I have a project to >

[ossec-list] Re: issue with a log file on windows 2008 (symantec)

2011-08-02 Thread Blauch Armand
Hello, Thanks for your advice, yes I've restarted the manager's OSSEC processes after I added the option to the manager's ossec.conf. It's the same thing, no scan log detection logs are sent to the manager. On Aug 1, 23:45, "dan (ddp)" wrote: > On Mon, Aug 1, 2011 at 4:15 AM, Blauch Armand

Re: [ossec-list] OSSEC 2.6 ERROR: Queue '/var/ossec/queue/ossec/queue' not accessible: 'Queue not found

2011-08-02 Thread George Ochola
This is a server install. From: dan (ddp) To: ossec-list@googlegroups.com Sent: Tuesday, August 2, 2011 12:25 AM Subject: Re: [ossec-list] OSSEC 2.6 ERROR: Queue '/var/ossec/queue/ossec/queue' not accessible: 'Queue not found Log messages like this typically

[ossec-list] Ossec + Splunk Integration and design

2011-08-02 Thread Manuari
Hi Group, Looking for help in Ossec + Splunk Integration. I have a project to design, document and come up with a working prototype. Any ideas from where to start? I'm new at this. Thank you.