On Wed, Mar 13, 2013 at 6:47 PM, BP9906 wrote:
> Well that's the problem, I don't get any log entry on the OSSEC server AR log
> so I think I need a debug config enabled to verify it is triggering an AR.
> What config setting do I set to see that?
>
You can run "/var/ossec/bin/ossec-control enable
Well that's the problem, I don't get any log entry on the OSSEC server AR log
so I think I need a debug config enabled to verify it is triggering an AR.
What config setting do I set to see that?
On Wednesday, March 13, 2013 2:40:40 PM UTC-7, dan (ddpbsd) wrote:
>
> On Wed, Mar 13, 2013 at 4:43 PM,
I'm testing it at the moment...
Thanks.
On Wed, Mar 13, 2013 at 2:26 PM, dan (ddp) wrote:
> On Wed, Mar 13, 2013 at 2:07 PM, Stephane Rossan
> wrote:
> > I know. I've been banging my head on this one. I cannot figure out the
> issue. I
> > guess I will have to change my strategy and set email ale
On Wed, Mar 13, 2013 at 4:43 PM, BP9906 wrote:
> Good point.
> For clarity, my AR is set for server execution. It then launches a shell
> script that then loops through a set of servers in a LB pool to do a null
> route on those servers.
> I would then see the AR in the Ossec Server AR log and cli
On Mon, Mar 11, 2013 at 2:16 PM, TWAD wrote:
> Thank you Dan,
> The first issue is solved. I was not monitoring the list (blacklist) so it
> would not fire an alert. I am now monitoring and it does fire.
>
> The second issue: I misunderstood the key to represent the second field. My
> list is now
On Wed, Mar 13, 2013 at 7:43 AM, S Pratap Singh wrote:
> All fixed but I am not getting alerts to my mailbox for FTP activity as with
> other alerts.
>
Are you getting other alerts in your email?
Do you have access to the maillogs? If so, check to see if the mail is
being rejected or something.
If not
On Tue, Mar 12, 2013 at 2:10 PM, Martin G wrote:
>
> Not for me, but apparently it does for others.
>
I don't really have any troubleshooting tips for this. You could
possibly add some debugging code to figure it out, but I don't know
where to start.
> On Tuesday, March 12, 2013 11:56:56 AM UTC-
On Wed, Mar 13, 2013 at 2:07 PM, Stephane Rossan wrote:
> I know. I've been banging my head on this one. I cannot figure out the issue. I
> guess I will have to change my strategy and set email alerts to 8, instead
> of 7.
>
Can you upgrade to 2.7? I feel like there was at least 1 fix for
issues wit
On Wed, Mar 13, 2013 at 1:06 PM, Yeikler Perales
wrote:
> We appreciate if you could help us in solving a problem with the
> transference of a log file (.dat) to OSSEC server. The application used,
> only generates this .dat extension log files, but we are finding impossible
> nor to tran
Good point.
For clarity, my AR is set for server execution. It then launches a shell
script that then loops through a set of servers in a LB pool to do a null
route on those servers.
I would then see the AR in the Ossec Server AR log and client AR log.
I don't even see the AR log entry on the O
Are you checking the right logs and do you have the ARs set for the right
place? Sometimes people forget the log entries will be in agents' log files,
not the SERVER.
On Wednesday, March 13, 2013 10:56:34 AM UTC-7, BP9906 wrote:
>
> Hello,
> I recently upgraded my ossec server to 2.7 and everyth
Hi Eero
All good points. If you recall, I assumed you already have it installed,
so I didn't get into active response or integrity checks at all. I also
don't mention it because in my experience, large website owners don't
want it on by default, one of the reasons is because of the false
posi
2013/3/13 Tony Perez :
> Hey Folks
>
> I put together this little post to better help those that are using OSSEC on
> their web servers:
> http://tonyonsecurity.com/2013/03/13/ossec-for-website-security-part-i/
>
> It's nothing too complicated but a little something that many seem to forget
> or no
Those dang buggers.. got it thanks.
On 3/13/13 11:21 AM, BP9906 wrote:
Nice write up. Saw a typo just below this in the rule sample you
give. The category end tag got removed. "In that file you'll find this
rule:"
--
---
You received this message because you are subscribed to the Google
Gro
Gah
I hate when I do that, will go through it again.
Thanks
On 3/13/13 10:54 AM, Kat wrote:
There are a couple of typos thanks to HTML formatting you might want
to fix -- things like &lt; instead of <
But thanks for the write up -- very nice.
-K
On Wednesday, March 13, 2013 10:20:29 AM UTC-7,
Nice write up. Saw a typo just below this in the rule sample you give. The
category end tag got removed. "In that file you'll find this rule:"
Still seeing high CPU usage for authd. Hmmm...
On Tuesday, March 12, 2013 1:06:18 PM UTC-7, Kat wrote:
>
> Been seeing that a lot too -- going to try the repo update and see how
> that works.
>
> Perhaps it is time for a 2.7.1 release - I think we have enough general
> fixes to warrant it.
>
> c
I know. I've been banging my head on this one. I cannot figure out the issue.
I guess I will have to change my strategy and set email alerts to 8,
instead of 7.
On Wed, Mar 13, 2013 at 10:59 AM, Christian Beer <
cb.mailli...@googlemail.com> wrote:
> I also can't find an error here. Maybe it's some
I also can't find an error here. Maybe it's some weird line ending
problem that is only triggered by the logcollector and not logtest.
Am 13.03.2013 18:49, schrieb Stephane Rossan:
> Here is my rule, from local_rules.xml
>
> 530
> ossec: output: 'netstat -tan
>
> Listened ports
Hello,
I recently upgraded my ossec server to 2.7 and everything is working great.
The weird issue I'm having is that the active responses sometimes don't
fire.
It's very intermittent because I get email spam for my Rule that is supposed
to trigger a null-route. I check the server's active-respon
There are a couple of typos thanks to HTML formatting you might want to fix
-- things like &lt; instead of <
But thanks for the write up -- very nice.
-K
On Wednesday, March 13, 2013 10:20:29 AM UTC-7, perezbox wrote:
>
> Hey Folks
>
> I put together this little post to better help those that are
Here is my rule, from local_rules.xml
530
ossec: output: 'netstat -tan
Listened ports status (netstat) changed (new port opened or closed).
I use the overwrite option a lot, and cannot figure out what went wrong here.
On Wed, Mar 13, 2013 at 10:31 AM, Christian Beer <
cb.mailli
As I use this overwrite mechanism also very often and it works in 2.6
and 2.7, could you please post your faulty rule overwrite? Maybe you
missed something.
Regards
Christian
Am 13.03.2013 18:16, schrieb Stephane Rossan:
> Hi all,
>
> I use Ossec 2.6 on my server and unix clients.
> Recently, I t
Hey Folks
I put together this little post to better help those that are using OSSEC
on their web servers:
http://tonyonsecurity.com/2013/03/13/ossec-for-website-security-part-i/
It's nothing too complicated but a little something that many seem to
forget or not think about. Hope it helps someone.
Hmm, never figured to read the release notes to see if a book is still good
:)
Thanx a lot guys.
Regards,
Gerard.
On Monday, March 11, 2013 10:26:40 AM UTC+1, Gerard Petersen wrote:
>
> Hi All,
>
> I'm currently testing OSSEC (2.7). I'm clear on what I want to know from
> my infrastructure, t
Hi all,
I use Ossec 2.6 on my server and unix clients.
Recently, I tried to tune rule 533, and set the level of alert from 7 to 6.
In my setup, 6 doesn't generate email alerts.
After a few hours of this implementation, I noticed the following errors in
ossec.log:
2013/03/11 22:41:35 ossec-syscheckd(1224
We appreciate if you could help us in solving a problem with the
transference of a log file (.dat) to OSSEC server. The application used,
only generates this .dat extension log files, but we are finding impossible
nor to transmit .dat files or to edit them. Is there a known problem abou
On Wednesday, March 13, 2013 10:34:05 AM UTC-4, Nathaniel Bentzinger wrote:
>
> Have you considered building an MSI to expedite this? I built an MSI
> that allows me to make a transformation file that contains:
>
> SSH keys, SSH host name, user and even the OSSEC shared key to customize
> the ins
Have you considered building an MSI to expedite this? I built an MSI that
allows me to make a transformation file that contains:
SSH keys, SSH host name, user and even the OSSEC shared key to customize the
installation via properties.
So on local systems they ssh into our OSSEC via plink.exe run m
Is it possible to set up shared keys in OSSEC so that if I
have multiple systems I can use the same key on all of them? I'm aware of
the security issues but have some severe deadlines and doing one key per
system is causing delays since we're having to add hundreds of keys per month.
If their is an
All fixed but I am not getting alerts to my mailbox for FTP activity as with
other alerts.
However the logtest works fine for "deleted" and "Logged in" tests:
Not sure why logtest is not working for the transfer log.
Also I have noticed I am not getting an alert for login after applying it on
the server. So far I have not received any alert for any FTP login. I have
also set the alert level to 7.
Thanks Dan,
I followed the steps as you mentioned but I am not able to set up the
local_decoder.xml.
The local_decoder file was not available under my ../etc folder so I created
one and added a decoder for "pure_transfer" as you suggested. But after
running the logtest OSSEC is not able to identify the