[ossec-list] Re: rules 550,551,552 Decoded_as

2011-12-19 Thread alsdks
Hi Dan, From what you said, I suppose Rule 554 (syscheck_new_entry) doesn't get the syscheck-registry new file entries. That makes registry monitoring (HKEY/.../.../RUN for example) completely useless. I have added various entries under that key and did not get an alert on any of them. The

[ossec-list] memory_size option and knowing when you've hit the limit

2011-12-19 Thread BP9906
Watching analysisd I can see it reaches 141M (looking at TOP). If it hits the size that corresponds to your memory_size parameter, then can I assume that I should increase the memory_size parameter? Or does analysisd simply use the memory size you've given it and that is not a good way to judge

[ossec-list] File integrity check needed on archived logs

2011-12-19 Thread helpmailinglist
A file integrity check is needed on archived files only. For instance, /var/log/httpd/*.gz. How is this possible? And can the rule(s) be set up on the ossec server rather than the clients?

[ossec-list] Re: Monitoring Command Output : is there a line number limitation

2011-12-19 Thread BP9906
When I get email alerts for mine, I only get 20 lines back. Seems to be hard coded. As an example, monitoring listening ports: ossec: output: 'netstat -anp tcp | find LISTEN | find /V 127.0.0.1': TCP 0.0.0.0:80 0.0.0.0:0 LISTENING TCP 0.0.0.0:135

Re: [ossec-list] File integrity check needed on archived logs

2011-12-19 Thread dan (ddp)
On Mon, Dec 19, 2011 at 7:18 PM, helpmailinglist helpmailingl...@gmail.com wrote: A file integrity check is needed on archived files only. For instance, /var/log/httpd/*.gz. How is this possible? And can the rule(s) be set up on the ossec server rather than the clients? I haven't tried putting

Re: [ossec-list] Re: Monitoring Command Output : is there a line number limitation

2011-12-19 Thread dan (ddp)
On Mon, Dec 19, 2011 at 6:46 PM, BP9906 crazi...@gmail.com wrote: When I get email alerts for mine, I only get 20 lines back. Seems to be hard coded. As an example, monitoring listening ports: ossec: output: 'netstat -anp tcp | find LISTEN | find /V 127.0.0.1':  TCP    0.0.0.0:80

Re: [ossec-list] Re: rules 550,551,552 Decoded_as

2011-12-19 Thread dan (ddp)
On Mon, Dec 19, 2011 at 7:13 AM, alsdks als...@gmail.com wrote: Hi Dan, From what you said, I suppose Rule 554 (syscheck_new_entry) doesn't get the syscheck-registry new file entries. That makes registry monitoring (HKEY/.../.../RUN for example) completely useless. I have added various

Re: [ossec-list] Re: Repeated Offenders not triggering

2011-12-19 Thread dan (ddp)
Thanks for finding that. If I haven't already, I'll update the docs. On Sat, Dec 17, 2011 at 7:46 AM, c0by jake@gmail.com wrote: I did some more testing, and I am happy to say I believe this issue is SOLVED! The issue is that the repeated offenders configuration needs to be on the

[ossec-list] Re: how to monitor the ossec agent status

2011-12-19 Thread Macus
Is it just as easy as below to monitor OSSEC logs? <localfile> <log_format>syslog</log_format> <location>/var/ossec/logs/ossec.log</location> </localfile> Moreover, I have enabled the debug of the syscheck and agent. Will the log monitoring alert on all log messages or just specific error messages?

Re: [ossec-list] Re: how to monitor the ossec agent status

2011-12-19 Thread dan (ddp)
On Mon, Dec 19, 2011 at 9:04 PM, Macus macu...@gmail.com wrote: Is it just as easy as below to monitor OSSEC logs? <localfile> <log_format>syslog</log_format> <location>/var/ossec/logs/ossec.log</location> </localfile> That should do it. Moreover, I have enabled the debug of the syscheck and