Re: [ossec-list] Ossec agents are not appearing in Ossec Server

2013-03-05 Thread dan (ddp)
On Mon, Mar 4, 2013 at 2:46 AM, Umair Mustafa wrote: > I installed Ossec Server and some agents on other servers. But the thing is > that out of 10 agents only 7 servers are able to communicate with Ossec > Server and 3 are not. > > This is the Ossec Server information > >> DIRECTORY="/var/ossec"

Re: [ossec-list] Has anyone successfully set up agentless monitoring of SonicWALL firewalls?

2013-03-05 Thread dan (ddp)
On Wed, Feb 27, 2013 at 1:49 PM, wrote: > I want to monitor the integrity of the configuration of the firewalls. In > looking at the SonicWALL CLI, I'm thinking that if OSSEC can run a "show > all" then run that again to alert me to any deltas, that would meet our > needs. > Modify one of the e

Re: [ossec-list] Email alerts grouping

2013-03-05 Thread dan (ddp)
On Mon, Mar 4, 2013 at 5:58 AM, Chris H wrote: > Hello. I am running OSSEC 2.6. I am pushing logs from Windows Domain > Controllers > > I only want certain level alerts to generate emails, and different alerts to > go to different groups. For example, all network alerts above 8 go to the > netw

Re: [ossec-list] Whitelist instead of blacklist

2013-03-05 Thread dan (ddp)
On Mon, Mar 4, 2013 at 4:45 PM, TWAD wrote: > Hey everybody, > I have a task that I'm struggling with; could you help? > > Task: I need to have a blacklist capability on all of my agents ( to alert, > not block) > Alerts are only created by the server, not the agents. > Issue 1: The blacklist co

Re: [ossec-list] syscheck on agent - space? Missing something?

2013-03-05 Thread dan (ddp)
On Mon, Mar 4, 2013 at 12:39 PM, Kat wrote: > Just wondering if I am missing something. I have an agent that has used too > much space for syscheck changes. I want to re-init with new rules. If I run > syscheck_control with -u it says it will INIT the database, but the "old" > stuff is still there

Re: [ossec-list] Re: how can i match nonzero in rules?

2013-03-05 Thread dan (ddp)
On Mar 4, 2013 5:41 AM, "root" wrote: > > > hi > > i write rule like this > > > > > rsyslog-pstats > ^0 > rsyslog is right > > > > rsyslog-pstats > ^1 > rsyslog is wrong > > You'll have to replace rule [12] with the correct information. The basic idea is to matc

Re: [ossec-list] Re: Alert.log format issue with "mail - firewall" and rule group delimiting.

2013-03-05 Thread dan (ddp)
On Tue, Mar 5, 2013 at 7:16 AM, Jean-Pierre Zurbrugg wrote: > Ok, looks like this is definitely an error on my side and not a bug since I > have not received any replies yet. > That's all it takes to make it not a bug? I don't know why no one else has responded, but I don't use OSSEC to monitor f

Re: [ossec-list] Cannot get agent profile working on windows (2nd try)

2013-03-05 Thread dan (ddp)
On Tue, Mar 5, 2013 at 12:49 AM, Андрей Шевченко wrote: > Is it possible to add this functionality in a future version of ossec-agent > for win? > Definitely. > > On Wednesday, February 27, 2013, 10:11:21 UTC+6, user Андрей Шевченко > wrote: >> >> It looks like this feature was not included i

Re: [ossec-list] Granular E-Mail alerts

2013-03-05 Thread dan (ddp)
On Tue, Mar 5, 2013 at 12:17 PM, Willen Borges Coelho wrote: > Hi, > > > > I'm new using Ossec and I'm trying to configure email alerts, but with no > success. > > I would like to only be notified by email alerts about events id 5715, 5501 > and 5402, but after I configure this granular alert edit

Re: [ossec-list] Re: multiple OSSEC decoders on the same event has some problem

2013-03-05 Thread dan (ddp)
On Mon, Mar 4, 2013 at 11:30 PM, root wrote: > > now, i wrote like this > > > > > > rsyslog-pstats > ^main\sQ > > > > > rsyslog-pstats-main > ^\.*discarded\pfull=(\d+)\.* > extra_data > > > > rsyslog-pstats-main > ^\.*discarded\pnf=(\d+)\.* > extra_data > > > > but server say >

Re: [ossec-list] Re: multiple OSSEC decoders on the same event has some problem

2013-03-05 Thread dan (ddp)
^rsyslogd-pstats rsyslog-pstats ^\S+\p\S+:\d+\p: submitted= ^(\d+) extra_data rsyslog-pstats ^main Q: ^\.+ discarded.full=(\d+) discarded.nf=(\d+) extra_data, extra_data rsyslog-pstats ^action ^(\d+): processed=(\d+) failed=(

[ossec-list] Re: Alert.log format issue with "mail - firewall" and rule group delimiting.

2013-03-05 Thread Jean-Pierre Zurbrugg
Ok, looks like this is definitely an error on my side and not a bug since I have not received any replies yet. Can anyone confirm this is not happening to them on version 2.7? I'll try to set up a VM and test this on a clean 2.7. On Friday, March 1, 2013 4:44:51 PM UTC-4, Jean-Pierre Zurbrugg w

Re: [ossec-list] Granular E-Mail alerts

2013-03-05 Thread Ryan Schulze
Hmm, there are various ways to accomplish this. Since you want alerts from a specific set of alerts, I would suggest the following: add the rules you want to be notified of to an additional group and make sure they will trigger sending an email regardless of their level. Then just have ossec sen

[ossec-list] error during installation using philipshramko's deployment instruction

2013-03-05 Thread Rakesh Patel
I am trying to deploy agents to my windows desktop and server after following the procedure at http://philipshramko.blogspot.com/ Everything seems to work but I keep getting this error message: Custom Action “wrapInstall1_U” FAILED (could not start it). Location: C:\windows\sysWOW64\, COMMAN

[ossec-list] Granular E-Mail alerts

2013-03-05 Thread Willen Borges Coelho
Hi, I'm new using Ossec and I'm trying to configure email alerts, but with no success. I would like to only be notified by email alerts about events id 5715, 5501 and 5402, but after I configure this granular alert editing ossec.conf, it doesn't work. Whenever I edit the email_alert_level to