Hello everybody,
I am preparing a webinar for next Tuesday (8:00am-9:00am PDT) where I plan
to explain how OSSEC has been integrated into AlienVault/OSSIM SIEM.
My idea is to show how OSSEC can be configured and managed from
AlienVault GUI, as well as a few examples of OSSEC alerts correlation,
i
On 09/20/2013 02:08 PM, Paul Raines wrote:
OK. ossec regex is the first regex variant I have ever run into where
"." isn't a match for any character. Sorry about that.
Thanks for your help
It does mean match on any character, but it is escaped by the \. OSSEC
regex is intentionally limited s
On Sep 20, 2013 12:51 PM, "Paul Raines" wrote:
>
> I understand why rule 1002 matches, I just didn't understand why it was
applied to that log line in the first place. But if all decoders are
applied to all log files, I guess that explains why. But it seems a very
inefficient design. When one d
I understand why rule 1002 matches, I just didn't understand why it was
applied to that log line in the first place. But if all decoders are
applied to all log files, I guess that explains why. But it seems a very
inefficient design. When one designates the access_log to be watched, one
shou
On Sep 20, 2013 11:45 AM, "Paul Raines" wrote:
>
> I have recently started using ossec and I am trying to filter out bogus
> alerts from my httpd access_log without success.
>
> I often get email alerts with:
>
> Received From: (surfer) 132.183.202.158->/var/log/httpd/access_log
> Rule: 1002 fired
On 09/20/2013 05:20 AM, Michel Käser wrote:
Suggestions
---
1. Daily/weekly/monthly reports
You mean like this? http://www.ossec.net/doc/programs/ossec-reportd.html
2. Log file name/location for decoder
I'm not very sure if this is really needed. I however have some very
generic log
On 09/20/2013 08:48 AM, Chris Lauritzen wrote:
So what I am looking to do is to find a way
to not create 3500 Client.keys files.
You could create a file on a share with all of the keys and have a
post-install script that finds the right key and puts it in the keys
file on the agent. Something
I have recently started using ossec and I am trying to filter out bogus
alerts from my httpd access_log without success.
I often get email alerts with:
Received From: (surfer) 132.183.202.158->/var/log/httpd/access_log
Rule: 1002 fired (level 2) -> "Unknown problem somewhere in the system."
Porti
Jared,
What I am trying to do is automate the install. We use LANDesk to push out
apps to over 3500 PCs/servers in our company. LANDesk can use batch, msi,
exe, vbs and PowerShell scripts to install. I have the install working, it
pushes to the PCs and installs the agent. Where it was failing
The benefit of a mailing list is of course that you can find out if your issue
is actually a bug before submitting a ticket and having it closed immediately.
"Hit and run" reporting rarely gets your bug fixed I've found.
Maybe I'm an old "fuddy duddy", but signing up for a mailing list seems to
Now I did it another way.
Wrote the decoder:
^\d\d\d\d \w+ \d\d \d\d:\d\d:\d\d \(\w+\)
0\.0\.0\.0->WinEvtLog WinEvtLog: Kaspersky Event Log:
Wrote the rule:
kaspersky
Any Kasper Activity
See logs in archive.log, see alert when testing the log in ossec-logtest:
root@d
I am not sure that everyone wants to see the gory details, but with
PowerShell you can accomplish anything that you would do normally via the
cmd line or interactively, on Linux (ssh) and Windows (WMI).
Here is an example that will migrate servers from a test OSSEC server to a
Production OSSE
Hi all
Saving time by not telling you how amazing OSSEC is, I'd like to get
straight to the point and suggest some features/improvements for OSSEC.
It might be that some of those were already discussed earlier, some of
them might already be implemented (and I just don't know about them) or
what