On Apr 30, 2012 4:11 PM, "carlopmart" wrote:
>
> Hi all,
>
> I have several problems with ossec-remoted process and ossec's syslog
> remote options. My ossec server is configured to receive syslog messages
> via tcp port.
>
> The problem is the amount of syslog messages that ossec can receive, not
s
Hi all,
I have several problems with ossec-remoted process and ossec's syslog
remote options. My ossec server is configured to receive syslog messages
via tcp port.
The problem is the amount of syslog messages that ossec can receive,
which doesn't seem to be many.
Configuration is:
syslog forwa
Modifying the default rules directly isn't encouraged. Your changes
will be overwritten on an upgrade. You should add custom rules to
/var/ossec/rules/local_rules.xml. You can create custom rules to look
for new things the default rules don't cover, or to ignore rules that
are already in place.
On
I'm looking for the rules file for adjusting what gets logged for
Microsoft Windows systems. Is msauth_rules.xml the correct file?
You can add custom rules to /var/ossec/rules/local_rules.xml. You can
use these rules to either look for something that isn't covered by the
default rules or to ignore something you don't want to see.
On Mon, Apr 30, 2012 at 1:59 PM, A-Dubbs wrote:
> Just learning OSSEC here using the documentati
Just learning OSSEC here using the documentation on ossec.net to
troubleshoot some problems. I am receiving excessive HIDS notifications
in a log for a Windows machine (an agent) in my OSSEC environment.
When looking at the security log, it seems that too many events are
being added to the queue, m
Oops ... You are right, Dan ... I have missed the timestamp and hostname ...
After doing some adjustments, the decoder works now ...
On 04/30/2012 02:59 PM, dan (ddp) wrote:
To start, your log message is missing the syslog header (timestamp and
hostname).
Then taking out the first \s+ in the prematch of the
To start, your log message is missing the syslog header (timestamp and
hostname).
Then taking out the first \s+ in the prematch of the checkpoint
decoder makes this work.
In fact, changing the decoder to this made it work with one of your
examples and one of the examples in the decoder.conf:
^
It seems like execd isn't running. Is active response enabled?
On Mon, Apr 30, 2012 at 3:52 AM, Mike Sievers wrote:
> Hi List,
>
> I am always getting the following error:
>
> agent_control -r -a
> 2012/04/30 09:44:19 agent_control(1210): ERROR: Queue '/queue/alerts/ar' not
> accessible: 'Queue n
I'm disappointed that Apple released a broken compiler by default. :(
On Sat, Apr 28, 2012 at 4:31 AM, Gappa wrote:
> ahahah i can feel a "little bit" of disappointing in your answer.
> My bad, i'm sorry, i didn't notice that i was using llvm compiler.
>
> I have changed it with the REAL gcc and
On Monday, April 30, 2012 at 09:52:29 UTC+2, user Mike Sievers wrote:
>
> Hi List,
>
> I am always getting the following error:
>
> agent_control -r -a
> 2012/04/30 09:44:19 agent_control(1210): ERROR: Queue '/queue/alerts/ar'
> not accessible: 'Queue not found'.
>
> 2012/04/30
Hi all,
Does somebody have a sample script to generate a weekly report?
Thanks.
--
CL Martinez
carlopmart {at} gmail {d0t} com
Hi all,
I am doing some tests sending checkpoint fw logs to ossec via syslog
and the default checkpoint decoder provided by ossec 2.6 doesn't work.
For example using log explained in decoder.xml:
2012/04/30 10:26:13 ossec-testrule: INFO: Reading local decoder file.
2012/04/30 10:26:13 ossec-
Hi List,
I am always getting the following error:
agent_control -r -a
2012/04/30 09:44:19 agent_control(1210): ERROR: Queue '/queue/alerts/ar'
not accessible: 'Queue not found'.
2012/04/30 09:44:34 agent_control(1301): ERROR: Unable to connect to active
response queue.
** Unable to connect to r