[ossec-list] Re: A standard procedure for manually starting rootcheck and syscheck

2013-02-13 Thread Jb Cheng
Does the administrator know the agent name? If yes, "agent_control -l" can list all agent names and their associated IDs. You can use 'grep' and 'cut' to get the agent ID. On Wednesday, February 13, 2013 6:13:25 AM UTC-8, TWAD wrote: > > Hey There, > > I find myself in a situation where all hos

[ossec-list] Re: Rule ID 1003 triggering active response despite not configured to do so?

2013-02-13 Thread miguel . jacq
I think I figured out my problem: The presence of means *any* event of this level or higher triggers the active-response. Regardless of the I misunderstood that it would be 'only these rules with these IDs, at level 10 or higher'. Let me know if I'm right :) Thanks! On Thursday, Febru

[ossec-list] Rule ID 1003 triggering active response despite not configured to do so?

2013-02-13 Thread miguel . jacq
Hello, I have active-response enabled in ossec.conf of the server as follows: firewall-drop all 10 31151,5712,104130 600 It is correctly blocking IPs with firewall-drop in response to rules 31151,5712, 104130 as configured above. Problem: I am *also* seeing IPs ge

Re: [ossec-list] Problems with logrotate and ossec

2013-02-13 Thread Brenden Walker
On Wed, 13 Feb 2013 11:42:13 + "C. L. Martinez" wrote: > HI all, > > I have one ossec agent monitoring some syslog format files and > triggers some alerts if src IP or dst IP matches in a CDB list > configured on ossec server. All works ok until logrotate rotates these > log files. After th

[ossec-list] A standard procedure for manually starting rootcheck and syscheck

2013-02-13 Thread TWAD
Hey There, I find myself in a situation where all hosts in our network must execute syscheck and rootcheck through a manual process vs. a scheduled basis. And when I say manual process, I mean each administrator must have the capability/choice to run it at the least intrusive time of operati

Re: [ossec-list] Re: tacacs logs filtering

2013-02-13 Thread Andy
Good timing. We are rolling out some TACACS+ in the next month or so and will be integrating to our OSSEC, I will contribute anything worthwhile that comes out of it. On Tuesday, February 12, 2013 8:18:22 PM UTC, dan (ddpbsd) wrote: > > On Tue, Feb 12, 2013 at 1:53 PM, Dustin Lenz > > > wro

[ossec-list] Problems with logrotate and ossec

2013-02-13 Thread C. L. Martinez
Hi all, I have one ossec agent monitoring some syslog format files and triggers some alerts if src IP or dst IP matches in a CDB list configured on ossec server. All works ok until logrotate rotates these log files. After that, no alerts are produced. Is there some problem with this combination??

[ossec-list] ossec selective monitoring versus complete system monitoring?

2013-02-13 Thread Ali man
Hey, I'm using ossec configuration on a web-server matching which is hosting a very critical application for my organization. I want to know how can I use ossec to monitor changes to the system? I'm new to ossec use, but common sense says if I'm monitoring each and every file (e.g. hosts, nets