Hello !
is it possible to set the hostname fixed for an ossec installation? I have
really big problems with short and FQDN hostnames on several installations.
thanx
--
---
You received this message because you are subscribed to the Google Groups
ossec-list group.
To unsubscribe from this
On Mar 7, 2013 1:57 AM, C. L. Martinez carlopm...@gmail.com wrote:
Hi all,
Is it possible to send logs to an ossec agent via syslog process?? Or
using a socket in this ossec agent?
Thanks.
Not directly, but you could set up a syslog daemon and point ossec at the
resulting log files.
--
Hello Jb,
Yeah I have noticed too; It initially led me to believe the comma was more
of a good practice than a requirement but I removed it from
rules/firewall_rules.xml, commented out the no log option on rule 4101, and
confirmed that the comma was indeed needed.
Anyways, I've stumbled upon
I can confirm that the <server-ip></server-ip> isn't being populated on
version 2.7 when you run the install.sh and select agent as the ossec mode.
On Mar 7, 2013 6:52 AM, Jean-Pierre Zurbrugg jp.zurbr...@gmail.com
wrote:
I can confirm that the <server-ip></server-ip> isn't being populated on
version 2.7 when you run the install.sh and select agent as the ossec mode.
What OS/distro/version/version and distro of sh? It's worked just fine for
Here's the info:
Ubuntu 10.04.3 LTS
dash Version: 0.5.5.1-3ubuntu2
I ran the install script with sh -x install.sh and noticed the following:
+ [[ X = X
install.sh: 1: [[: not found
+ IP=
+ HNAME=
+ echo ossec_config
+ echo client
+ [ X != X ]
+ [ X != X ]
I did not get a 550... and perhaps 550 may not have been the right choice.
In fact, I do a grep for 192.168.1.10 (an IP in the blacklist) in
audit.log, messages, alert.log, and secure etc, and it does not show up,
even though it is an active agent. Here is the log after immediate
start-up
this problem has gone on, I have no idea! :(
thanks
Best Regards
From: root
Date: 2013-03-06 21:54
To: dan (ddp); ossec-list
Subject: Re: Re: [ossec-list] Re: how can i match nonzero in rules?
yes, I restarted my ossec server, but the problem goes on!
thanks
Best Regards
From: dan (ddp)
Hello,
The default client port is 1514 for the OSSEC client to talk to
OSSEC manager.
The client server-ip should have been populated when you ran install.sh
on the agent, unless there was a problem.
Yes, I had to add those manually, then it worked. Before I added those
fields manually, the
On 07.03.2013 06:54, dan (ddp) wrote:
On Mar 7, 2013 6:52 AM, Jean-Pierre Zurbrugg jp.zurbr...@gmail.com
[1] wrote:
I can confirm that the <server-ip></server-ip> isn't being
populated on version 2.7 when you run the install.sh and select agent
as the ossec mode.
What
Yes, but a 2.7.1 has not been uploaded to the download site that corrects
the issues. Latest release still downloads 2.6 even. Due to the bugs that
have been corrected since 2.7 came out one would think that 2.7.1 would
already be the chosen version to host on the site for download.
On Thu,
On Thu, Mar 7, 2013 at 2:48 PM, Michael Starks
ossec-l...@michaelstarks.com wrote:
On 07.03.2013 06:54, dan (ddp) wrote:
On Mar 7, 2013 6:52 AM, Jean-Pierre Zurbrugg jp.zurbr...@gmail.com
[1] wrote:
I can confirm that the <server-ip></server-ip> isn't being
populated on version 2.7 when
On Thu, Mar 7, 2013 at 4:55 PM, Joe Gedeon joe.ged...@gmail.com wrote:
Yes, but a 2.7.1 has not been uploaded to the download site that corrects
the issues. Latest release still downloads 2.6 even. Due to the bugs that
have been corrected since 2.7 came out one would think that 2.7.1 would
On Thu, Mar 7, 2013 at 9:06 AM, Jean-Pierre Zurbrugg
jp.zurbr...@gmail.com wrote:
Here's the info:
Ubuntu 10.04.3 LTS
dash Version: 0.5.5.1-3ubuntu2
I ran the install script with sh -x install.sh and noticed the following:
Make sure /bin/sh is bash and not dash.
'syscheck_control -u agent_id' deletes the syscheck history database file
for this agent on OSSEC server.
It's a way to reduce unwanted alerts, say, after the agent machine was
patched.
It does not delete anything on the agent machine.
On Tuesday, March 5, 2013 3:50:10 PM UTC-8, dan (ddpbsd)
On Thu, Mar 7, 2013 at 7:38 AM, Jean-Pierre Zurbrugg
jp.zurbr...@gmail.com wrote:
Hello Jb,
Yeah I have noticed too; It initially led me to believe the comma was more
of a good practice than a requirement but I removed it from
rules/firewall_rules.xml, commented out the no log option on rule
On 3/7/2013 8:34 PM, dan (ddp) wrote:
On Thu, Mar 7, 2013 at 4:55 PM, Joe Gedeon joe.ged...@gmail.com wrote:
Yes, but a 2.7.1 has not been uploaded to the download site that corrects
the issues. Latest release still downloads 2.6 even. Due to the bugs that
have been corrected since 2.7 came
On 3/7/2013 8:33 PM, dan (ddp) wrote:
Make sure /bin/sh is bash and not dash.
Actually the problem is that the script is using bash syntax even though
it has /bin/sh as the shebang.
The script should either be changed to only use sh syntax or use #!/bin/bash
On Thu, Mar 7, 2013 at 9:46 PM, Ryan Schulze r...@dopefish.de wrote:
On 3/7/2013 8:33 PM, dan (ddp) wrote:
Make sure /bin/sh is bash and not dash.
Actually the problem is that the script is using bash syntax even though it
has /bin/sh as the shebang.
The script should either be changed to
On Thu, Mar 7, 2013 at 11:20 AM, root r...@cnmoker.org wrote:
this problem has gone on, I have no idea! :(
I think part of the problem is the multiple extra_data fields. Rename
them in the order options so that each order is unique.
thanks
Best Regards
From: root
Date: 2013-03-06 21:54
On Thu, Mar 7, 2013 at 9:55 PM, Ryan Schulze r...@dopefish.de wrote:
On 3/7/2013 8:34 PM, dan (ddp) wrote:
On Thu, Mar 7, 2013 at 4:55 PM, Joe Gedeon joe.ged...@gmail.com wrote:
Yes, but a 2.7.1 has not been uploaded to the download site that corrects
the issues. Latest release still
There are 2 separate issues that you seem to be munging together.
Let's try to keep them separated a bit.
On Thu, Mar 7, 2013 at 10:54 AM, TWAD higd...@gmail.com wrote:
I did not get a 550... and perhaps 550 may not have been the right choice.
You need to find out what rule is firing. When I
I cannot get a custom rule to work, a simple src or dst IP rule. Whenever I
try to add srcip to a rule it's like the rule doesn't work. Here is an
example
<rule id="100031" level="0">
  <srcip>x.x.x.x</srcip>
  <description>Ignoring traffic</description>
</rule>
On Thu, Mar 7, 2013 at 10:20 PM, Michael Lubinski
michael.lubin...@gmail.com wrote:
I cannot get a custom rule to work, a simple src or dst IP rule. Whenever I
try to add srcip to a rule it's like the rule doesn't work. Here is an
example
<rule id="100031" level="0">
  <srcip>x.x.x.x</srcip>
On Thu, Mar 7, 2013 at 4:27 AM, Christian Mahlig
christianmah...@googlemail.com wrote:
Hello !
is it possible to set the hostname fixed for an ossec installation? I have
really big problems with short and FQDN hostnames on several installations.
thanx
I do not understand your questions.
On Thursday, March 7, 2013 10:32:51 PM UTC-5, Michael Lubinski wrote:
Sorry I'm new to ossec.
I don't want to see logs generated by my scanner so TO and FROM the scanner
IP. How can I tell where the process is breaking down?
Easier said than done. Take each log message you don't want
So using srcip in this way won't work?
On Thu, Mar 7, 2013 at 9:41 PM, dan (ddpbsd) ddp...@gmail.com wrote:
On Thursday, March 7, 2013 10:32:51 PM UTC-5, Michael Lubinski wrote:
Sorry I'm new to ossec.
I don't want to see logs generated by my scanner so TO and FROM the
scanner IP. How
On Thursday, March 7, 2013 10:43:35 PM UTC-5, Michael Lubinski wrote:
So using srcip in this way won't work?
Your initial email suggests that this does not work.
On Thu, Mar 7, 2013 at 9:41 PM, dan (ddpbsd) ddp...@gmail.com
wrote:
On Thursday, March 7, 2013 10:32:51 PM
Yeah. So at least I'm not crazy then. Can anyone else confirm this behavior?
On Thu, Mar 7, 2013 at 9:48 PM, dan (ddpbsd) ddp...@gmail.com wrote:
On Thursday, March 7, 2013 10:43:35 PM UTC-5, Michael Lubinski wrote:
So using srcip in this way won't work?
Your initial email suggests that