RE: [ossec-list] server-agent response on and another question

2011-11-29 Thread Artien Bel
Hello Dan/Doug, I added the rule to the ossec.conf of the agent and I see that the agent executes the command itself. However it doesn't generate an alert on the server. Is there something I need to do to tell the agent to transmit the results of the command to the server? Thank you for your h

RE: [ossec-list] server-agent response on and another question

2011-11-29 Thread dan (ddp)
On Nov 29, 2011 4:11 AM, "Artien Bel" wrote: > > Hello Dan/Doug, > > I added the rule to the ossec.conf of the agent and I see that the agent executes the command itself. However it doesn't generate an alert on the server. Is there something I need to do to tell the agent to transmit the results o

RE: [ossec-list] server-agent response on and another question

2011-11-29 Thread Artien Bel
Hello Dan, My configuration is as follows: Server: Local_rules.xml 530 ossec: output: 'uptime': load average: Load average reached 0.. Ossec.conf no yes (at the bottom) command uptime Agent: Ossec-agent.conf: ==

RE: [ossec-list] server-agent response on and another question

2011-11-29 Thread dan (ddp)
On Nov 29, 2011 5:51 AM, "Artien Bel" wrote: > > Hello Dan, > > My configuration is as follows: > > Server: > > Local_rules.xml > > > >530 >ossec: output: 'uptime': >load average: >Load average reached 0.. > > > > > Ossec.conf > > >no >yes > >

RE: [ossec-list] server-agent response on and another question

2011-11-29 Thread Artien Bel
Hello dan, Indeed, that was the issue! Thank you very much for your help. Regards, artien From: ossec-list@googlegroups.com [mailto:ossec-list@googlegroups.com] On behalf of dan (ddp) Sent: Tuesday, 29 November 2011 13:15 To: ossec-list@googlegroups.com Subject: RE: [ossec-list] server-agent r

[ossec-list] Questions, questions, questions...

2011-11-29 Thread Dimitris Chontzopoulos
Hey guys, I was wondering if you guys could help me out with some questions I have regarding OSSEC... Q1. Even though I've changed 'maild.groupping=1' to 'maild.groupping=0' in the configuration file "internal_options.conf" and restarted OSSEC, I keep getting grouped events via e-mail. Any idea

Re: [ossec-list] Questions, questions, questions...

2011-11-29 Thread dan (ddp)
On Nov 29, 2011 8:52 AM, "Dimitris Chontzopoulos" < dchontzopou...@euronetworldwide.com> wrote: > > Hey guys, > > I was wondering if you guys could help me out with some questions I have regarding OSSEC... > > Q1. Even though I've changed 'maild.groupping=1' to 'maild.groupping=0' in the configurat

Re: [ossec-list] Questions, questions, questions...

2011-11-29 Thread Doug Burks
Hi Dimitris, 1. Have you looked at the email_maxperhour and do_not_group options? http://www.ossec.net/main/manual/configuration-options http://www.ossec.net/wiki/Know_How:GranularEmail 2. Have you looked at the logall option? http://www.ossec.net/main/manual/configuration-options http://www.os

Re: [ossec-list] Override rules on a per server basis

2011-11-29 Thread Oliver Müller
In general the overwriting seems to work, but doesn't really help, because I have no tools to EXCLUDE or NEGATE a hostname and I don't have a dstip :-( the exclude or negate is also missing in category, user, program_name, … It does follow reg exp syntax, but reg exp doesn't allow an exclude reall

Re: [ossec-list] Running OSSEC un-chrooted

2011-11-29 Thread kevin sullivan
I appreciate the quick response. Well I guess I can ask about the real problem, which is with prelude support: When starting ossec, the analysisd daemon is started and it is supposed to create the queue/ossec/queue which is where the other daemons (log-collector, syscheck) send their events. How

Re: [ossec-list] Override rules on a per server basis

2011-11-29 Thread sfreiren
help -Original Message- From: Oliver Müller To: ossec-list Sent: Tue, Nov 29, 2011 1:02 pm Subject: Re: [ossec-list] Override rules on a per server basis In general the overwriting seems to work, but doesn't really help, because I have no tools to EXCLUDE or NEGATE a hostname

[ossec-list] Timestamp of the integrity checksum files will be updated according to parameter inside the agent.conf file?

2011-11-29 Thread Marcos Tang
Hi, I have a question about the behavior of the parameter inside the agent.conf file. Right now, the OSSEC agent has the agent.conf file with 86400 setup, or it will scan the files every 20 hours.  One observation from the OSSEC server is the timestamp of the output integrity files found at

Re: [ossec-list] Timestamp of the integrity checksum files will be updated according to parameter inside the agent.conf file?

2011-11-29 Thread dan (ddp)
I can't think of a reason for the syscheck db to be written to when there were no changes. `/var/ossec/bin/syscheck_control -i AGENT_ID` will show the timestamp of the changes for AGENT. You can also check the agent's ossec.log file for entries about syscheck running. On Tue, Nov 29, 2011 at 8:4

Re: [ossec-list] Override rules on a per server basis

2011-11-29 Thread dan (ddp)
Patience. :) On Tue, Nov 29, 2011 at 5:19 PM, wrote: > help > > > > -Original Message- > From: Oliver Müller > To: ossec-list > Sent: Tue, Nov 29, 2011 1:02 pm > Subject: Re: [ossec-list] Override rules on a per server basis > > In general the overwriting seems to work, but doesn't rea

Re: [ossec-list] Force syscheck database

2011-11-29 Thread dan (ddp)
What do you mean by "start the syscheck database?" The syscheck db is a file on the manager, the agent's syscheck process gets the hashes of the configured files and forwards them to the manager (via ossec-agentd -> ossec-remoted). On Mon, Nov 28, 2011 at 8:37 PM, Macus wrote: > I am using OSSEC