Re: [ossec-list] Force syscheck database

2011-11-30 Thread Macus
I mean force to trigger the agent's syscheck process to forward the hashes to the manager. Is there any command to do this? I want to do this because after I made big changes to the files in the monitored dir, I would like to trigger the syscheck to generate the hash again.

[ossec-list] detect any file was deleted.

2011-11-30 Thread Macus
I have made the following rules in the rule/local_rule.xml in the OSSEC manager. But it seems it still cannot detect any file that was deleted. How to make it work? ossec syscheck_deleted File deleted. Unable to retrieve checksum. syscheck,

Re: [ossec-list] Attack_rules ex: 40501 in large deployments

2011-11-30 Thread Yi-Huan Chan (Hubert)
I'm not quite sure for using in this case. For the false positive, the source ip of brute force attack and the adduser might be from different hosts. On Thu, Nov 17, 2011 at 1:52 AM, Franky4fngrs wrote: > Hello, > > I have an ossec deployment with a little over 700 agents > communicating.  The

Re: [ossec-list] Syscheck Syntax Question

2011-11-30 Thread Yi-Huan Chan (Hubert)
Hi, There are some examples I found https://bitbucket.org/dcid/ossec-hids/src/4b86abf62d5b/src/syscheckd/create_db.c#cl-344 https://bitbucket.org/dcid/ossec-hids/src/4b86abf62d5b/src/win32/ossec.conf#cl-98 The notation might be drive letter:\, for others, will be / Hubert On Thu, Nov 17, 2011 at

[ossec-list] ERROR: Error sending message to queue

2011-11-30 Thread Macus
What's the cause of the following errors? I can resolve it by cleaning the db in the manager and restarting the manager. ossec.log.2:2011/11/18 20:03:25 ossec-syscheckd(1224): ERROR: Error sending message to queue

Re: [ossec-list] Decoder for the Output of a command ?

2011-11-30 Thread Yi-Huan Chan (Hubert)
Hi, I'm using command last -i After setting the config, you could see /var/ossec/logs/archives/archives.log shows 2011 Nov 30 15:25:40 ubuntu->last -i ossec: output: 'last -i': hubert pts/0 192.168.111.1 Wed Nov 30 14:55 still logged in So for local_decoder.xml

[ossec-list] Invalid integrity message in the database

2011-11-30 Thread Macus
The following error was observed in the manager log. Then the agent cannot send hashes to the manager and syscheck does not work any more. What's the cause of this? ossec-analysisd: Invalid integrity message in the database.

[ossec-list] False positives when logging in via anonymous-ftp (Pro-FTPd)

2011-11-30 Thread Hey, Lukas (KRZ)
Hey there, did anybody encounter the above problem? I'm running OSSEC 2.6 on a VPS for private purposes. Since installing/enabling Pro-FTPd, my OSSEC install is freaking out. It sends Level 12 messages and keeps my cellphone busy: OSSEC HIDS Notification. 2011 Nov 29 22:03:46 Received From: v

Re: [ossec-list] Invalid integrity message in the database

2011-11-30 Thread dan (ddp)
My guess, without being able to investigate, is a corrupted syscheck db entry. What system are you running this on? What version of ossec? You seem to be having a lot of syscheck issues. On Nov 30, 2011 6:15 AM, "Macus" wrote: > The following error was observed in the manager log. Then the agent

Re: [ossec-list] detect any file was deleted.

2011-11-30 Thread dan (ddp)
I can't test it, but what about it doesn't work? I usually get alerts about deleted files by default. On Nov 30, 2011 6:12 AM, "Macus" wrote: > I have made the following rules in the rule/local_rule.xml in the OSSEC > manager. But it seems still cannot delete any file was deleted. How to make > i

Re: [ossec-list] ERROR: Error sending message to queue

2011-11-30 Thread dan (ddp)
Not sure, are there any errors in the logfile before that one? Are all of the processes running? On Nov 30, 2011 6:13 AM, "Macus" wrote: > What's the cause of the following errors? I can resolve it by clean > the db in the manager and restart the manager. > > ossec.log.2:2011/11/18 20:03:25 ossec

Re: [ossec-list] Force syscheck database

2011-11-30 Thread dan (ddp)
You can restart the ossec processes or if you have active response enabled syscheck_control (I think) on the manager. On Nov 30, 2011 6:11 AM, "Macus" wrote: > I mean force to trigger the agent's syscheck process to forward the hashes > to the manager. Is there any command to do this? I want to

Re: [ossec-list] False positives when logging in via anonymous-ftp (Pro-FTPd)

2011-11-30 Thread dan (ddp)
I haven't seen them on the mailing list. Next time I get a chance I can investigate a bit more. On Nov 30, 2011 7:35 AM, "Hey, Lukas (KRZ)" wrote: > Hey there, > > did anybody encounter the above problem? I’m running OSSEC 2.6 on a VPS > for private purposes. Since installing/enabling Pro-FTPd,

[ossec-list] Detecting outdated web applications with OSSEC question

2011-11-30 Thread Peter M Abraham
Good day everyone: RE: http://dcid.me/2011/09/detecting-outdated-web-applications-with-ossec/ Is there a way for each agent that detects outdated web applications that in addition to the email alert the ossec server sends out, the agent could pipe the information to a file that can be included in

[ossec-list] Re: help with a filesystem_check rule?

2011-11-30 Thread Kat
You know, I was thinking it was that simple - then I thought - "But wait, it can't be that simple".. And yet sometimes it is. DOH! On Nov 28, 2:16 pm, "dan (ddp)" wrote: > /home/*/.ssh ? >

[ossec-list] a unique rule - password AFTER keys

2011-11-30 Thread Kat
Ok this one has me stumped and I am not sure it can be done. I have a dozen or so accounts using ssh keys. Pretty normal. I want to set an alert only if one of these accounts suddenly starts asking for a password? Any ideas? thanks ~k

RE: [ossec-list] OSSEC Agent is not connecting

2011-11-30 Thread Mark C
How were you able to fix this? I'm getting the same errors on one of my servers. It's not a firewall issue since I have another server on the same subnet that works... 2011/11/16 19:10:43 ossec-agent: INFO: Started (pid: 3032). 2011/11/16 19:10:53 ossec-agent: WARN: Process locked. Waiting for p

[ossec-list] Re: Windows Event: Extract source IP,cdb list and alert

2011-11-30 Thread alsdks
Hello Dan, Yes I run ossec-makelists (it said it did not need to be compiled). It is like this /var/ossec/rules/trusted_ips The list is not a problem as it works as expected for sshd logins. In windows however as stated I get alerted no matter if the IP is or is not in the list. Thank you On

[ossec-list] Re: Agent.Conf: not getting it to work

2011-11-30 Thread alsdks
Thank you for clearing it out Dan! On Nov 28, 10:26 pm, "dan (ddp)" wrote: > On Wed, Nov 23, 2011 at 4:47 AM, alsdks wrote: > > Yes I got it to work eventually , get the agent.conf working that is. > > > About the agent-control commands , I can query for information the > > Windows agent but I c

[ossec-list] Re: OSSEC Agent is not connecting

2011-11-30 Thread alsdks
@Mark C Sometimes it gets stuck, especially if you are using agent.conf. (At least in my case, don't know why this happens) Have you tried restarting ossec-control server? Also review your confs. On Nov 30, 7:40 pm, Mark C wrote: > How were you able to fix this? I'm getting the same errors

[ossec-list] Custom notification command

2011-11-30 Thread Paul
Hi, Rather than using email, I would like OSSEC to send its notifications to a bash script which I wrote. This script then publishes the message to Amazon's Simple Notification Service (SNS). So the usage for my script is as so: ./myscript $1 $2 $3 $4 $5 $6 $7 $8 $9 $10 $11, etc. I have this wo

Re: [ossec-list] a unique rule - password AFTER keys

2011-11-30 Thread Kacper Wysocki
On Wed, Nov 30, 2011 at 5:13 PM, Kat wrote: > Ok this one has me stumped and I am not sure it can be done. > > I have a dozen or so accounts using ssh keys. Pretty normal. I want to > set an alert only if one of these accounts suddenly starts asking for > a password? Any ideas? ssh reports diffe