Re: [ossec-list] Re: Strange problem with a FreeBSD agent

2013-01-30 Thread C. L. Martinez
On Mon, Jan 28, 2013 at 3:54 PM, C. L. Martinez carlopm...@gmail.com wrote: Ok, I am using the following config in OSSEC server: <remote> <connection>secure</connection> <local_ip>10.55.10.1</local_ip> <port>47555</port> </remote> (This server has multiple IPs) ... and from agent side, I

[ossec-list] splunk+ossec ossec-agent Disconnected?

2013-01-30 Thread root
Hi all, my ossec is now integrated with splunk, but some ossec-agents cannot connect, like this: https://lh4.googleusercontent.com/-V6B7wGTdA8c/UQj_VPpfNbI/AAM/H9T1JClMJo0/s1600/2013-01-30_190734.jpg 2013/01/30 18:40:51 ossec-agentd(4101): WARN: Waiting for server reply (not started).

Re: [ossec-list] this configure is right

2013-01-30 Thread root
Why? I don't know this option <connection>syslog</connection>, what does it mean? On Monday, January 28, 2013 at 9:29:50 PM UTC+8, dan (ddpbsd) wrote: On Mon, Jan 28, 2013 at 4:35 AM, root ro...@cnmoker.org wrote: hi, guys, in my ossec server's ossec.conf, I configure like this: <remote>

Re: [ossec-list] this configure is right

2013-01-30 Thread dan (ddp)
On Wed, Jan 30, 2013 at 6:00 AM, r...@cnmoker.org wrote: Why? I don't know this option <connection>syslog</connection>, what does it mean? That option forces ossec-remoted to listen for syslog messages. The secure option only allows agents to pass log messages on, so allowed-ips doesn't matter. 在

[ossec-list] Re: ossec-agent: INFO: Event count after '20000'

2013-01-30 Thread YatZeck
Hi! Of course it is indeed the only reasonable way to solve this issue, but please let me know, where to start from. Thanx. Y. On Thursday, December 20, 2012 at 22:58:52 UTC+1, Jb Cheng wrote: The 2 came from etc/internal_options.conf # Remoted compression averages

Re: [ossec-list] Agentless non-standard port

2013-01-30 Thread dan (ddp)
On Wed, Jan 30, 2013 at 8:06 AM, Jorge Gonzalez jo...@travelfusion.com wrote: Hi! Is there any way to use agentless via SSH in a non-standard port? Modify the script to use the strange port. Also, SSH passwords are in clear in the file .passlist and I am not comfortable with it, any way to

Re: [ossec-list] splunk+ossec ossec-agent Disconnected?

2013-01-30 Thread dan (ddp)
On Wed, Jan 30, 2013 at 6:13 AM, r...@cnmoker.org wrote: Hi all, my ossec is now integrated with splunk, but some ossec-agents cannot connect, like this: 2013/01/30 18:40:51 ossec-agentd(4101): WARN: Waiting for server reply (not started). Tried: '192.168.x.x'. 2013/01/30 18:55:17

[ossec-list] Restore iptables on restart

2013-01-30 Thread Taylor Swartz
Is there a way to set OSSEC to restore all of the active rules, including iptables, on restart of the ossec server?

Re: [ossec-list] Restore iptables on restart

2013-01-30 Thread dan (ddp)
On Wed, Jan 30, 2013 at 10:07 AM, Taylor Swartz anin...@gmail.com wrote: Is there a way to set OSSEC to restore all of the active rules, including iptables, on restart of the ossec server? Not really. I just have my systems save the firewall settings and configure it on boot.

[ossec-list] Ossec WUI PHP error

2013-01-30 Thread Rhoads, Robert W.
I have just started getting this error on my OSSEC server which is running the OSSEC WUI 0.3: [Wed Jan 30 10:27:15 2013] [error] [client ipaddress] PHP Warning: fopen(/var/ossec/logs/alerts/alerts.log): failed to open stream: Value too large for defined data type in

Re: [ossec-list] Restore iptables on restart

2013-01-30 Thread Taylor Swartz
But does that give OSSEC the ability to drop the firewall rule after the expiration of the event? On Wednesday, January 30, 2013 9:22:44 AM UTC-6, dan (ddpbsd) wrote: On Wed, Jan 30, 2013 at 10:07 AM, Taylor Swartz ani...@gmail.com wrote: Is there a way to set OSSEC to

Re: [ossec-list] Restore iptables on restart

2013-01-30 Thread dan (ddp)
On Wed, Jan 30, 2013 at 10:56 AM, Taylor Swartz anin...@gmail.com wrote: But does that give OSSEC the ability to drop the firewall rule after the expiration of the event? No idea, I don't generally care about unblocking. On Wednesday, January 30, 2013 9:22:44 AM UTC-6, dan (ddpbsd) wrote:

Re: [ossec-list] Re: AnaLogi - OSSEC WUI v1.3

2013-01-30 Thread Andy
Hi Robert, I would need to see a picture of what is on screen to advise (permissions, and absolute file paths come to mind). If anyone sees this again, screen shot (including full URL) would help, and also consider checking the apache logs, and the browser debugger (Firefox is ctrl+shift+j).

[ossec-list] Trying to install on Solaris 10

2013-01-30 Thread brownwrap
I have downloaded the package, and although it says it will run on Solaris, I immediately received an error in trying to install. Since I see messages here regarding Solaris, I know it must run. I first tried the install script: OSSEC HIDS v2.7 Installation Script - http://www.ossec.net You

Re: [ossec-list] Trying to install on Solaris 10

2013-01-30 Thread dan (ddp)
On Wed, Jan 30, 2013 at 12:16 PM, brownwrap brownw...@gmail.com wrote: I have downloaded the package, and although it says it will run on Solaris, I immediately received an error in trying to install. Since I see messages here regarding Solaris, I know it must run. I first tried the install

[ossec-list] Windows Agent not reporting deleted files

2013-01-30 Thread jturner
I'm running Ossec 2.7 on a Centos 5.9 server. I have a Windows Agent on a Windows 2008 R2 Server. I can get it to report changes to files and new files, but I am unable to get it to report deleted files. To test, I created a test directory under the folder I monitor and created some random

Re: [ossec-list] splunk+ossec ossec-agent Disconnected?

2013-01-30 Thread Kat
Has nothing to do with splunk or not -- and my guess is this is not ossec 2.7? You can check if you have a tool like netcat (default installed on Linux) by doing nc -u server-address 1514 then type a few lines to see if on the server you are seeing errors in the log file (incorrectly

[ossec-list] Re: Trying to install on Solaris 10

2013-01-30 Thread brownwrap
OK, thanks. The install.sh script still had the syntax error, but the make all seems to have worked. I have a /var/ossec: ls -larth /var/ossec/ total 30 drwxr-xr-x 46 root sys 1.0K Jan 30 09:47 .. drwxr-x--- 2 ossec ossec 512 Jan 30 10:18 stats dr-xr-x--- 11 root

Re: [ossec-list] Trying to install on Solaris 10

2013-01-30 Thread Kat
Having built/installed on numerous Solaris systems, even as recently as last week - it does work. But yes, it can be a little touchy. Most of it, I have found, is related to the appropriate build environment and libraries. Double-check the pre-reqs for things like openssl libraries, and all the

[ossec-list] Re: Windows Agent not reporting deleted files

2013-01-30 Thread jturner
Just as an update to this, I've done some additional testing and checking on my full debugged log. I've figured out that the numbers in the line that was sent to the server are file size:New MD5sum:New Sha1sum. I've also figured out that since I deleted it, it sends that exact same line during

Re: Re: [ossec-list] this configure is right

2013-01-30 Thread root
Does that mean I can configure like this? <remote> <connection>secure</connection> </remote> <remote> <connection>syslog</connection> <allowed-ips>192.168.0.0/16</allowed-ips> <local_ip>192.168.224.94</local_ip> </remote> Thanks. Best Regards

Re: Re: [ossec-list] splunk+ossec ossec-agent Disconnected?

2013-01-30 Thread root
Hi, thank you for the reply. Yes, my ossec server is ossec 2.7 and my ossec-agent is ossec 2.6, but my other agent is also ossec 2.6 and works normally. I don't know why this is. Thanks. Best Regards From: Kat Date: 2013-01-31 03:18

Re: Re: [ossec-list] splunk+ossec ossec-agent Disconnected?

2013-01-30 Thread root
Thank you for the reply, I will read that. Thanks. Best Regards From: dan (ddp) Date: 2013-01-30 21:51 To: ossec-list Subject: Re: [ossec-list] splunk+ossec ossec-agent Disconnected? On Wed, Jan 30, 2013 at 6:13 AM,

[ossec-list] Re: Windows Agent not reporting deleted files

2013-01-30 Thread jturner
ok, I feel dumb. I've described the problem incorrectly. I was looking at the wrong test file. I redid the entire process, and now I'm seeing that after the file deletes, it no longer shows up on the syscheck again. Here are the steps I took to test. 1) Restart Agent and let it run the