Hi Dan,
From what you said, I suppose Rule 554 (syscheck_new_entry)
doesn't get the syscheck-registry New file entries.
That makes registry monitoring (HKEY/.../.../RUN for example)
completely useless. I have added various entries under that key and
did not get an alert on any of them.
The
Watching analysisd I can see it reaches 141M (looking at TOP). If it
hits the size that corresponds to your memory_size parameter, then
can I assume that I should increase the memory_size parameter? Or does
analysisd simply use the memory size you've given it and that is not a
good way to judge
A file integrity check is needed on archived files only. For
instance, /var/log/httpd/*.gz. How is this possible? And can the
rule(s) be set up on the ossec server rather than the clients?
When I get email alerts for mine, I only get 20 lines back. Seems
to be hard coded.
As an example, monitoring listened ports:
ossec: output: 'netstat -anp tcp | find LISTEN | find /V 127.0.0.1':
TCP 0.0.0.0:80 0.0.0.0:0 LISTENING
TCP 0.0.0.0:135
On Mon, Dec 19, 2011 at 7:18 PM, helpmailinglist
helpmailingl...@gmail.com wrote:
A file integrity check is needed on archived files only. For
instance, /var/log/httpd/*.gz. How is this possible? And can the
rule(s) be set up on the ossec server rather than the clients?
I haven't tried putting
On Mon, Dec 19, 2011 at 6:46 PM, BP9906 crazi...@gmail.com wrote:
When I get email alerts for mine, I only get 20 lines back. Seems
to be hard coded.
As an example, monitoring listened ports:
ossec: output: 'netstat -anp tcp | find LISTEN | find /V 127.0.0.1':
TCP 0.0.0.0:80
On Mon, Dec 19, 2011 at 7:13 AM, alsdks als...@gmail.com wrote:
Hi Dan,
From what you said, I suppose Rule 554 (syscheck_new_entry)
doesn't get the syscheck-registry New file entries.
That makes registry monitoring (HKEY/.../.../RUN for example)
completely useless. I have added various
Thanks for finding that. If I haven't already, I'll update the docs.
On Sat, Dec 17, 2011 at 7:46 AM, c0by jake@gmail.com wrote:
I did some more testing, and I am happy to say I believe this issue is
SOLVED!
The issue is that the repeated offenders configuration needs to be on
the
Is it just as easy as below to monitor OSSEC logs?
<localfile>
  <log_format>syslog</log_format>
  <location>/var/ossec/logs/ossec.log</location>
</localfile>
Moreover, I have enabled the debug of the syscheck and agent. Will the
log monitoring alert on all log messages or just specific error
messages?
On Mon, Dec 19, 2011 at 9:04 PM, Macus macu...@gmail.com wrote:
Is it just as easy as below to monitor OSSEC logs?
<localfile>
  <log_format>syslog</log_format>
  <location>/var/ossec/logs/ossec.log</location>
</localfile>
That should do it.
Moreover, I have enabled the debug of the syscheck and