Does the administrator know the agent name?
If yes, "agent_control -l" can list all agent names and their associated
IDs. You can use 'grep' and 'cut' to get the agent ID.
On Wednesday, February 13, 2013 6:13:25 AM UTC-8, TWAD wrote:
>
> Hey There,
>
> I find myself in a situation where all hos
I think I figured out my problem:
The presence of means *any* event of this level or higher triggers
the active-response. Regardless of the
I misunderstood that it would be 'only these rules with these IDs, at level
10 or higher'.
Let me know if I'm right :)
Thanks!
On Thursday, Febru
Hello,
I have active-response enabled in ossec.conf of the server as follows:
  <active-response>
    <command>firewall-drop</command>
    <location>all</location>
    <level>10</level>
    <rules_id>31151,5712,104130</rules_id>
    <timeout>600</timeout>
  </active-response>
It is correctly blocking IPs with firewall-drop in response to rules
31151,5712,104130 as configured above.
Problem:
I am *also* seeing IPs ge
On Wed, 13 Feb 2013 11:42:13 + "C. L. Martinez"
wrote:
> Hi all,
>
> I have one ossec agent monitoring some syslog format files and it
> triggers some alerts if src IP or dst IP matches in a CDB list
> configured on ossec server. All works ok until logrotate rotates these
> log files. After th
Hey There,
I find myself in a situation where all hosts in our network must execute
syscheck and rootcheck through a manual process vs. a scheduled basis. And
when I say manual process, I mean each administrator must have the
capability/choice to run it at the least intrusive time of operati
Good timing. We are rolling out some TACACS+ in the next month or so and
will be integrating to our OSSEC, I will contribute anything worthwhile
that comes out of it.
On Tuesday, February 12, 2013 8:18:22 PM UTC, dan (ddpbsd) wrote:
>
> On Tue, Feb 12, 2013 at 1:53 PM, Dustin Lenz
> >
> wro
Hi all,
I have one ossec agent monitoring some syslog format files and it
triggers some alerts if src IP or dst IP matches in a CDB list
configured on ossec server. All works ok until logrotate rotates these
log files. After that, no alerts are produced. Is there some problem
with this combination?
Hey,
I'm using an ossec configuration on a web-server which is hosting a
very critical application for my organization. I want to know how I can use
ossec to monitor changes to the system.
I'm new to ossec use, but common sense says if I'm monitoring each and
every file (e.g. hosts, nets