Hi guys,
Here is my Custom decoder.
*
windows
Security: (\w+)\((\d+)\):
Security:
\.+:\s+\.+:\s+(\S+):\s+(\.+):\.+
Caller User Name:\s+(\w+)
status, id, system_name, extra_data, user
**
On Tue, Oct 1, 2013 at 2:58 PM, Eric wrote:
> Hello,
>
> I am using OSSEC in a server config with no actual agents. I am having Snare
> logs from my Windows servers sent to /var/log/remotesys.log and having OSSEC
> monitor that file to trip alerts. This works for the most part but I'm
> having a f
Hello,
I am using OSSEC in a server config with no actual agents. I am having
Snare logs from my Windows servers sent to /var/log/remotesys.log and
having OSSEC monitor that file to trip alerts. This works for the most part
but I'm having a few issues. The main issue is on rules such as 40112 -
Sure.
https://bitbucket.org/jbcheng/ossec-hids/issue/57/syscheck-file-deleted-events-are-not
On Tuesday, October 1, 2013 10:03:36 AM UTC-7, Michael Starks wrote:
>
> On 01.10.2013 10:45, Roy Feintuch wrote:
> > Dan, I would like to note that I have never seen a file deleted event
> > fired with
On 01.10.2013 10:45, Roy Feintuch wrote:
Dan, I would like to note that I have never seen a file deleted event
fired without realtime=true.
I have also verified it by deleting a file when ossec agent was down.
This file was never reported as deleted again even after full scans
(unlike new files
On Tue, Oct 1, 2013 at 11:45 AM, Roy Feintuch wrote:
> Dan, I would like to note that I have never seen a file deleted event fired
> without realtime=true.
>
> I have also verified it by deleting a file when ossec agent was down. This
> file was never reported as deleted again even after full scan
Dan, I would like to note that I have never seen a file deleted event fired
without realtime=true.
I have also verified it by deleting a file when ossec agent was down. This
file was never reported as deleted again even after full scans (unlike new
files / updated file - that were reported afte
Sorry for the misinformation. It is a standalone server install and not
OSSEC in AlienVault/OSSIM.
-Original Message-
From: ossec-list@googlegroups.com [mailto:ossec-list@googlegroups.com] On
Behalf Of dan (ddp)
Sent: Tuesday, October 01, 2013 8:35 AM
To: ossec-list@googlegroups.com
On Tue, Oct 1, 2013 at 9:36 AM, Blake Johnson wrote:
> Hi Dan -
>
> Thanks for following up.
>
> Just so I understand going forward, is this considered a feature or a bug?
Are those the only choices? It just is.
> Nested comments feel intuitive in the XML style but if they're not intended
> to w
On Fri, Sep 27, 2013 at 3:28 PM, Jay B wrote:
> Had a look in /var/ossec/logs/alerts/2013/Sep/ossec-alerts.log and found
> some firewall vpn negotiation error Alerts from early this morning so looks
> like it's working as expected.
>
> Just not seeing many (which is a good thing I guess... :)
>
Hi Dan -
Thanks for following up.
Just so I understand going forward, is this considered a feature or a bug?
Nested comments feel intuitive in the XML style but if they're not intended
to work I'll be sure to document that internally and avoid them in my
maintenance of our configurations going
On Tue, Oct 1, 2013 at 2:31 AM, vtrack wrote:
> Hello,
>
> I would like to know the features we can use with enabling realtime=yes for
> each monitored directory. Is that just for file deletion alerts?
>
It should detect all file changes, just like a non-realtime syscheck scan.
> I think each ag
On Mon, Sep 30, 2013 at 9:52 AM, Ford,Luckie J wrote:
> I am running standalone OSSEC 2.6. I am not limiting file descriptors for my
> OSSEC users. My client.keys file has those permissions as well:
If it's a standalone (local) installation, you don't need remoted.
ossec-remoted is only for se
On Tue, Oct 1, 2013 at 3:26 AM, richard orero wrote:
> Hi Guys,
>
> I have been running ossec v2.7 quite smoothly for some time now at a
> client's place until recently when it started bringing up this error on the
> client "ossec-agentd(1218): ERROR: Unable to send message to server." This
> is d
Hello fellow OSSEC users,
I just published a quick video on OSSEC and ELSA. In this video,
you'll see how quickly you can configure OSSEC and ELSA using Security
Onion. We'll then use the ELSA web interface to hunt through OSSEC
alerts and all logs received from all OSSEC agents. Also note that
Hi Guys,
I have been running ossec v2.7 quite smoothly for some time now at a
client's place until recently when it started bringing up this error on the
client "ossec-agentd(1218): ERROR: Unable to send message to server." This
is despite successfully connecting to the server.
Anyone have ide
Hello,
I would like to know the features we can use with enabling realtime=yes for
each monitored directory. Is that just for file deletion alerts?
I think each agent machine should also have inotify-tools and
inotify-tools-devel installed. I did some tests with real time but did not
get ale