[ossec-list] Real-time alerting of new files - Windows Agent

2012-01-04 Thread Paul
Hello all, I am having a few problems with the behaviour of OSSEC's new file alerting on Windows agents. We are wanting to do real-time alerting of files being added to particular directories. However, I'm getting some slightly unexpected behaviour. I can get new file alerts on the manager, but i

Re: [ossec-list] Real-time alerting of new files - Windows Agent

2012-01-04 Thread dan (ddp)
On Wed, Jan 4, 2012 at 6:12 AM, Paul wrote: > Hello all, > > I am having a few problems with the behaviour of OSSEC's new file > alerting on Windows agents. > > We are wanting to do real-time alerting of files being added to > particular directories. However, I'm getting some slightly unexpected

Re: [ossec-list] Re: Monitoring Command Output : is there a line number limitation

2012-01-04 Thread dan (ddp)
On Tue, Jan 3, 2012 at 6:21 PM, BP9906 wrote: > Try putting this into your agent.conf file on the ossec server for > your Windows machine(s). It's a good test if you do it against a > machine with many ports open. Perhaps you could set up a Windows DC to > test with? > That's out of my budget at th

Re: [ossec-list] Need help writing new child decoder similar to an included decoder.

2012-01-04 Thread dan (ddp)
http://www.ossec.net/doc/syntax/regex.html We do things a little bit differently. On Sun, Dec 25, 2011 at 4:18 PM, Dave Werden wrote: > Hi all and Merry Christmas/Happy Holidays, > > I have a general question based on the below thread. > > In the element , it’s a mix of regexp and strings. I don

[ossec-list] Re: Monitoring Command Output : is there a line number limitation

2012-01-04 Thread alsdks
BP9906 I do not have an issue with a netstat command. Please read again my first post. I was asking if there is a limitation to a command's output in how many lines it can be. The conclusion is that there is definitely a line number limitation which restricts the use of commands that their out

[ossec-list] Re: Monitoring Command Output : is there a line number limitation

2012-01-04 Thread BP9906
Right, I'm pointing out here that there is a line limitation on ossec emailing of result output. You're saying that the rule processing must have a limitation shorter as permissions on files beginning with D are not alerting. I added it to the thread because it is relevant that there are several "

[ossec-list] OSSEC RPM

2012-01-04 Thread Joe S
A few people have mentioned that they were working on making RPMs for OSSEC, given the issues with the Atomic RPMs linked on the OSSEC download page. Have you had any success? Do you have a SPEC file you can share?

Re: [ossec-list] OSSEC RPM

2012-01-04 Thread Stephane Rossan
I created my own RPM for OSSEC. What I did, I downloaded the latest snapshot from mercurial, and ran the install.sh on a test machine. Once installed, I created a tarball of the ossec directory and used it to create an RPM. In my case, the application has to be under /apps. Here is my spec file: %de

[ossec-list] Log All Alerts To alerts.log, Select Alert Levels to MySQL Database?

2012-01-04 Thread Chris Decker
Is there a way to log all alerts to alerts.log, but only insert alerts into a database which match a specified alert level (i.e. only write alerts with a level >=3 to my database)? I don't want to insert everything into a MySQL database due to the large number of low-level alerts, but still want to