Re: [ossec-list] restart-ossec active response doesn't works in 2.7.1

2013-11-26 Thread C. L. Martinez
On Mon, Nov 25, 2013 at 2:06 PM, C. L. Martinez wrote: > On Mon, Nov 25, 2013 at 2:02 PM, dan (ddp) wrote: >> On Mon, Nov 25, 2013 at 8:51 AM, C. L. Martinez wrote: >>> On Mon, Nov 25, 2013 at 1:17 PM, dan (ddp) wrote: On Mon, Nov 25, 2013 at 6:36 AM, C. L. Martinez wrote: > Hi

Re: [ossec-list] restart-ossec active response doesn't works in 2.7.1

2013-11-26 Thread C. L. Martinez
On Tue, Nov 26, 2013 at 6:12 AM, C. L. Martinez wrote: > On Mon, Nov 25, 2013 at 2:06 PM, C. L. Martinez wrote: >> On Mon, Nov 25, 2013 at 2:02 PM, dan (ddp) wrote: >>> On Mon, Nov 25, 2013 at 8:51 AM, C. L. Martinez >>> wrote: On Mon, Nov 25, 2013 at 1:17 PM, dan (ddp) wrote: > On M

[ossec-list] deploying ossec-agents with puppet

2013-11-26 Thread rockandsnap
hi there, i know this question has probably been asked a hundred times before. i've also done some digging in our beloved ossec google groups, but haven't found the right answer yet. i want to deploy the ossec-agents with puppet, and therefore i'd need a puppet manifest. i have already added

Re: [ossec-list] ossec remoted - segfault error

2013-11-26 Thread Darin Perusich
On Mon, Nov 25, 2013 at 11:04 AM, Darin Perusich wrote: > > > On Monday, November 25, 2013 10:18:58 AM UTC-5, dan (ddpbsd) wrote: >> >> On Mon, Nov 25, 2013 at 10:13 AM, Andrew Strozyk >> wrote: >> > We actually are running 2.7.1. And since i am new to ossec i did not >> > create >> > any specifi

Re: [ossec-list] Hybrid mode. Does it really work?

2013-11-26 Thread Gonzalo Sanchez
Can anyone answer the previous post? On Monday, November 25, 2013 18:37:34 UTC+1, Gonzalo Sanchez wrote: > > Hi, > > I added next lines on */var/ossec/ossec-agent/etc/ossec.conf *on Server A > (hybrid mode)*:* > > > > ossecalert > /var/ossec/logs/alerts/alerts.log > > > And I

Re: [ossec-list] Hybrid mode. Does it really work?

2013-11-26 Thread dan (ddp)
It's been less than 24h since you asked. Hold your horses. On Nov 26, 2013 6:58 AM, "Gonzalo Sanchez" wrote: > Can anyone answer the previous post? > > On Monday, November 25, 2013 18:37:34 UTC+1, Gonzalo Sanchez wrote: >> >> Hi, >> >> I added next lines on */var/ossec/ossec-agent/etc/oss

Re: [ossec-list] restart-ossec active response doesn't works in 2.7.1

2013-11-26 Thread dan (ddp)
On Tue, Nov 26, 2013 at 1:12 AM, C. L. Martinez wrote: > On Mon, Nov 25, 2013 at 2:06 PM, C. L. Martinez wrote: >> On Mon, Nov 25, 2013 at 2:02 PM, dan (ddp) wrote: >>> On Mon, Nov 25, 2013 at 8:51 AM, C. L. Martinez >>> wrote: On Mon, Nov 25, 2013 at 1:17 PM, dan (ddp) wrote: > On M

Re: [ossec-list] Hybrid mode. Does it really work?

2013-11-26 Thread dan (ddp)
On Mon, Nov 25, 2013 at 12:37 PM, Gonzalo Sanchez wrote: > Hi, > > I added next lines on /var/ossec/ossec-agent/etc/ossec.conf on Server A > (hybrid mode): > > > > ossecalert > /var/ossec/logs/alerts/alerts.log > > > And I restarted ossec with ossec-control > Right > > Checking the /va

Re: [ossec-list] ossec remoted - segfault error

2013-11-26 Thread dan (ddp)
On Tue, Nov 26, 2013 at 5:48 AM, Darin Perusich wrote: > On Mon, Nov 25, 2013 at 11:04 AM, Darin Perusich wrote: >> >> >> On Monday, November 25, 2013 10:18:58 AM UTC-5, dan (ddpbsd) wrote: >>> >>> On Mon, Nov 25, 2013 at 10:13 AM, Andrew Strozyk >>> wrote: >>> > We actually are running 2.7.1. A

Re: [ossec-list] restart-ossec active response doesn't works in 2.7.1

2013-11-26 Thread dan (ddp)
On Mon, Nov 25, 2013 at 9:06 AM, C. L. Martinez wrote: > On Mon, Nov 25, 2013 at 2:02 PM, dan (ddp) wrote: >> On Mon, Nov 25, 2013 at 8:51 AM, C. L. Martinez wrote: >>> On Mon, Nov 25, 2013 at 1:17 PM, dan (ddp) wrote: On Mon, Nov 25, 2013 at 6:36 AM, C. L. Martinez wrote: > Hi

Re: [ossec-list] Help with email alerts

2013-11-26 Thread dan (ddp)
On Mon, Nov 25, 2013 at 5:51 PM, funwithossec wrote: > All, > I need to have ossec detect changes to files and then send emails to > specific groups when it detects said changes. I have had great success when > the file is a specific file but in order to complete my task I have to set > up rule

Re: [ossec-list] restart-ossec active response doesn't works in 2.7.1

2013-11-26 Thread dan (ddp)
On Tue, Nov 26, 2013 at 3:08 AM, C. L. Martinez wrote: > On Tue, Nov 26, 2013 at 6:12 AM, C. L. Martinez wrote: >> On Mon, Nov 25, 2013 at 2:06 PM, C. L. Martinez wrote: >>> On Mon, Nov 25, 2013 at 2:02 PM, dan (ddp) wrote: On Mon, Nov 25, 2013 at 8:51 AM, C. L. Martinez wrote:

Re: [ossec-list] ossec remoted - segfault error

2013-11-26 Thread dan (ddp)
On Mon, Nov 25, 2013 at 11:04 AM, Darin Perusich wrote: > > > On Monday, November 25, 2013 10:18:58 AM UTC-5, dan (ddpbsd) wrote: >> >> On Mon, Nov 25, 2013 at 10:13 AM, Andrew Strozyk >> wrote: >> > We actually are running 2.7.1. And since i am new to ossec i did not >> > create >> > any specifi

[ossec-list] restart-ossec active response doesn't works in 2.7.1

2013-11-26 Thread BP9906
On the ossec server, are you missing a disable/enable param in active responses? The -L should show it if the server recognizes it. also, it's in ossec.conf right? -- --- You received this message because you are subscribed to the Google Groups "ossec-list" group. To unsubscribe from this gr

Re: [ossec-list] restart-ossec active response doesn't works in 2.7.1

2013-11-26 Thread C. L. Martinez
On Tue, Nov 26, 2013 at 1:09 PM, dan (ddp) wrote: > On Tue, Nov 26, 2013 at 3:08 AM, C. L. Martinez wrote: >> On Tue, Nov 26, 2013 at 6:12 AM, C. L. Martinez wrote: >>> On Mon, Nov 25, 2013 at 2:06 PM, C. L. Martinez >>> wrote: On Mon, Nov 25, 2013 at 2:02 PM, dan (ddp) wrote: > On M

Re: [ossec-list] restart-ossec active response doesn't works in 2.7.1

2013-11-26 Thread dan (ddp)
On Tue, Nov 26, 2013 at 8:52 AM, C. L. Martinez wrote: > On Tue, Nov 26, 2013 at 1:09 PM, dan (ddp) wrote: >> On Tue, Nov 26, 2013 at 3:08 AM, C. L. Martinez wrote: >>> On Tue, Nov 26, 2013 at 6:12 AM, C. L. Martinez >>> wrote: On Mon, Nov 25, 2013 at 2:06 PM, C. L. Martinez wrote:

Re: [ossec-list] restart-ossec active response doesn't works in 2.7.1

2013-11-26 Thread C. L. Martinez
On Tue, Nov 26, 2013 at 1:12 PM, dan (ddp) wrote: > On Mon, Nov 25, 2013 at 9:06 AM, C. L. Martinez wrote: >> On Mon, Nov 25, 2013 at 2:02 PM, dan (ddp) wrote: >>> On Mon, Nov 25, 2013 at 8:51 AM, C. L. Martinez >>> wrote: On Mon, Nov 25, 2013 at 1:17 PM, dan (ddp) wrote: > On Mon, N

Re: [ossec-list] restart-ossec active response doesn't works in 2.7.1

2013-11-26 Thread dan (ddp)
On Tue, Nov 26, 2013 at 8:55 AM, C. L. Martinez wrote: > On Tue, Nov 26, 2013 at 1:12 PM, dan (ddp) wrote: >> On Mon, Nov 25, 2013 at 9:06 AM, C. L. Martinez wrote: >> >> What tests are those? It's pretty simple to make sure. Change >> /var/ossec/etc/shared/ >> agent.conf and check alerts.log fo

Re: [ossec-list] restart-ossec active response doesn't works in 2.7.1

2013-11-26 Thread C. L. Martinez
On Tue, Nov 26, 2013 at 1:55 PM, dan (ddp) wrote: > On Tue, Nov 26, 2013 at 8:52 AM, C. L. Martinez wrote: >> On Tue, Nov 26, 2013 at 1:09 PM, dan (ddp) wrote: >>> On Tue, Nov 26, 2013 at 3:08 AM, C. L. Martinez >>> wrote: On Tue, Nov 26, 2013 at 6:12 AM, C. L. Martinez wrote:

Re: [ossec-list] restart-ossec active response doesn't works in 2.7.1

2013-11-26 Thread dan (ddp)
On Tue, Nov 26, 2013 at 9:00 AM, C. L. Martinez wrote: > On Tue, Nov 26, 2013 at 1:55 PM, dan (ddp) wrote: >> On Tue, Nov 26, 2013 at 8:52 AM, C. L. Martinez wrote: >>> On Tue, Nov 26, 2013 at 1:09 PM, dan (ddp) wrote: On Tue, Nov 26, 2013 at 3:08 AM, C. L. Martinez wrote: > On

Re: [ossec-list] restart-ossec active response doesn't works in 2.7.1

2013-11-26 Thread C. L. Martinez
On Tue, Nov 26, 2013 at 2:03 PM, dan (ddp) wrote: >>> >>> Then I misunderstood. What part of the script looks incorrect to you? >>> >> >> The content of the restart-ossec.sh script. It is not appears an >> ossec-control restart action when agent.conf is modified. For example, >> executing wit

Re: [ossec-list] restart-ossec active response doesn't works in 2.7.1

2013-11-26 Thread dan (ddp)
On Tue, Nov 26, 2013 at 9:09 AM, C. L. Martinez wrote: > On Tue, Nov 26, 2013 at 2:03 PM, dan (ddp) wrote: > Then I misunderstood. What part of the script looks incorrect to you? >>> >>> The content of the restart-ossec.sh script. It is not appears an >>> ossec-control restart

Re: [ossec-list] restart-ossec active response doesn't works in 2.7.1

2013-11-26 Thread C. L. Martinez
On Tue, Nov 26, 2013 at 2:11 PM, dan (ddp) wrote: > On Tue, Nov 26, 2013 at 9:09 AM, C. L. Martinez wrote: >> On Tue, Nov 26, 2013 at 2:03 PM, dan (ddp) wrote: >> > > Then I misunderstood. What part of the script looks incorrect to you? > The content of the restart-osse

Re: [ossec-list] restart-ossec active response doesn't works in 2.7.1

2013-11-26 Thread dan (ddp)
On Tue, Nov 26, 2013 at 9:20 AM, C. L. Martinez wrote: > On Tue, Nov 26, 2013 at 2:11 PM, dan (ddp) wrote: >> On Tue, Nov 26, 2013 at 9:09 AM, C. L. Martinez wrote: >>> On Tue, Nov 26, 2013 at 2:03 PM, dan (ddp) wrote: >>> >> >> Then I misunderstood. What part of the script looks in

Re: [ossec-list] restart-ossec active response doesn't works in 2.7.1

2013-11-26 Thread C. L. Martinez
On Tue, Nov 26, 2013 at 2:24 PM, dan (ddp) wrote: > On Tue, Nov 26, 2013 at 9:20 AM, C. L. Martinez wrote: >> On Tue, Nov 26, 2013 at 2:11 PM, dan (ddp) wrote: >>> On Tue, Nov 26, 2013 at 9:09 AM, C. L. Martinez >>> wrote: On Tue, Nov 26, 2013 at 2:03 PM, dan (ddp) wrote: >>

Re: [ossec-list] restart-ossec active response doesn't works in 2.7.1

2013-11-26 Thread dan (ddp)
On Tue, Nov 26, 2013 at 9:26 AM, C. L. Martinez wrote: > This: > [root@ossec02 logs]# md5sum /var/ossec/etc/shared/agent.conf > 55188a008ab5daf74988aaf585e56f64 /var/ossec/etc/shared/agent.conf > So the agent.conf isn't being updated on the agent. Check permissions of the files in etc/shared. Re

Re: [ossec-list] Hybrid mode. Does it really work?

2013-11-26 Thread Gonzalo Sanchez
SELinux is not installed. I'm working with Debian 7. Checking permissions on */var/ossec/log/alerts on server A:* drwxr-x--- 3 ossec ossec 4,0K nov 25 12:36 2013 -rw-r- 2 ossec ossec 15K nov 26 15:33 alerts.log I think everything is correct, but problem persist. El martes, 26 de noviemb

Re: [ossec-list] Hybrid mode. Does it really work?

2013-11-26 Thread dan (ddp)
On Tue, Nov 26, 2013 at 9:38 AM, Gonzalo Sanchez wrote: > SELinux is not installed. I'm working with Debian 7. > > Checking permissions on /var/ossec/log/alerts on server A: > > drwxr-x--- 3 ossec ossec 4,0K nov 25 12:36 2013 > -rw-r- 2 ossec ossec 15K nov 26 15:33 alerts.log > > > I think ev

Re: [ossec-list] restart-ossec active response doesn't works in 2.7.1

2013-11-26 Thread C. L. Martinez
On Tue, Nov 26, 2013 at 2:32 PM, dan (ddp) wrote: > On Tue, Nov 26, 2013 at 9:26 AM, C. L. Martinez wrote: >> This: >> [root@ossec02 logs]# md5sum /var/ossec/etc/shared/agent.conf >> 55188a008ab5daf74988aaf585e56f64 /var/ossec/etc/shared/agent.conf >> > > So the agent.conf isn't being updated on

Re: [ossec-list] restart-ossec active response doesn't works in 2.7.1

2013-11-26 Thread dan (ddp)
On Tue, Nov 26, 2013 at 9:39 AM, C. L. Martinez wrote: > On Tue, Nov 26, 2013 at 2:32 PM, dan (ddp) wrote: >> On Tue, Nov 26, 2013 at 9:26 AM, C. L. Martinez wrote: >>> This: >>> [root@ossec02 logs]# md5sum /var/ossec/etc/shared/agent.conf >>> 55188a008ab5daf74988aaf585e56f64 /var/ossec/etc/sha

Re: [ossec-list] restart-ossec active response doesn't works in 2.7.1

2013-11-26 Thread C. L. Martinez
On Tue, Nov 26, 2013 at 2:50 PM, dan (ddp) wrote: > On Tue, Nov 26, 2013 at 9:39 AM, C. L. Martinez wrote: >> On Tue, Nov 26, 2013 at 2:32 PM, dan (ddp) wrote: >>> On Tue, Nov 26, 2013 at 9:26 AM, C. L. Martinez >>> wrote: This: [root@ossec02 logs]# md5sum /var/ossec/etc/shared/agent

Re: [ossec-list] restart-ossec active response doesn't works in 2.7.1

2013-11-26 Thread dan (ddp)
On Tue, Nov 26, 2013 at 9:57 AM, C. L. Martinez wrote: > On Tue, Nov 26, 2013 at 2:50 PM, dan (ddp) wrote: >> On Tue, Nov 26, 2013 at 9:39 AM, C. L. Martinez wrote: >>> On Tue, Nov 26, 2013 at 2:32 PM, dan (ddp) wrote: On Tue, Nov 26, 2013 at 9:26 AM, C. L. Martinez wrote: > Thi

Re: [ossec-list] ossec remoted - segfault error

2013-11-26 Thread Darin Perusich
On Tue, Nov 26, 2013 at 8:22 AM, dan (ddp) wrote: > On Mon, Nov 25, 2013 at 11:04 AM, Darin Perusich wrote: >> >> >> On Monday, November 25, 2013 10:18:58 AM UTC-5, dan (ddpbsd) wrote: >>> >>> On Mon, Nov 25, 2013 at 10:13 AM, Andrew Strozyk >>> wrote: >>> > We actually are running 2.7.1. And si

Re: [ossec-list] ossec remoted - segfault error

2013-11-26 Thread dan (ddp)
On Tue, Nov 26, 2013 at 10:07 AM, Darin Perusich wrote: > On Tue, Nov 26, 2013 at 8:22 AM, dan (ddp) wrote: >> On Mon, Nov 25, 2013 at 11:04 AM, Darin Perusich wrote: >>> >>> >>> On Monday, November 25, 2013 10:18:58 AM UTC-5, dan (ddpbsd) wrote: On Mon, Nov 25, 2013 at 10:13 AM, Andre

Re: [ossec-list] ossec remoted - segfault error

2013-11-26 Thread Darin Perusich
On Tue, Nov 26, 2013 at 10:18 AM, dan (ddp) wrote: > On Tue, Nov 26, 2013 at 10:07 AM, Darin Perusich wrote: >> On Tue, Nov 26, 2013 at 8:22 AM, dan (ddp) wrote: >>> On Mon, Nov 25, 2013 at 11:04 AM, Darin Perusich wrote: On Monday, November 25, 2013 10:18:58 AM UTC-5, dan (ddpbs

Re: [ossec-list] ossec remoted - segfault error

2013-11-26 Thread dan (ddp)
On Tue, Nov 26, 2013 at 10:39 AM, Darin Perusich wrote: > On Tue, Nov 26, 2013 at 10:18 AM, dan (ddp) wrote: >> On Tue, Nov 26, 2013 at 10:07 AM, Darin Perusich wrote: >>> On Tue, Nov 26, 2013 at 8:22 AM, dan (ddp) wrote: On Mon, Nov 25, 2013 at 11:04 AM, Darin Perusich wrote: > >

Re: [ossec-list] ossec remoted - segfault error

2013-11-26 Thread Darin Perusich
On Tue, Nov 26, 2013 at 10:51 AM, dan (ddp) wrote: > On Tue, Nov 26, 2013 at 10:39 AM, Darin Perusich wrote: >> On Tue, Nov 26, 2013 at 10:18 AM, dan (ddp) wrote: >>> On Tue, Nov 26, 2013 at 10:07 AM, Darin Perusich wrote: On Tue, Nov 26, 2013 at 8:22 AM, dan (ddp) wrote: > On Mon, No

Re: [ossec-list] ossec remoted - segfault error

2013-11-26 Thread dan (ddp)
On Tue, Nov 26, 2013 at 12:57 PM, Darin Perusich wrote: > This "fixed" remoted. What's so special about this included zlib, > other than being 8.5 years old and getting ever more unmaintained? I > haven't had a chance to diff it against upstream yet. > I don't know actually. I remember the Debian

Re: [ossec-list] deploying ossec-agents with puppet

2013-11-26 Thread Stephane Rossan
I wrote this manifest. You have to be sure you have an OSSEC user defined, either locally or through LDAP. In this case, the UID is 11002. You may have to change that. In my environment, we had several OSSEC servers, that's why I defined: $ossec_server = extlookup("ossec_server") -Stephan

Re: [ossec-list] ossec remoted - segfault error

2013-11-26 Thread Darin Perusich
On Tue, Nov 26, 2013 at 12:59 PM, dan (ddp) wrote: > On Tue, Nov 26, 2013 at 12:57 PM, Darin Perusich wrote: >> This "fixed" remoted. What's so special about this included zlib, >> other than being 8.5 years old and getting ever more unmaintained? I >> haven't had a chance to diff it against upst

[ossec-list] How to backup and restore ossec manager

2013-11-26 Thread Chris Sprague
I have need to backup the OSSEC manager on one Ubuntu Linux server and restore it onto a new Ubuntu Linux server. I have hundreds of agents deployed and would prefer to not have to reinstall or reconfigure every agent to talk to the new server. Is there a process to back up the OSSEC manager,

Re: [ossec-list] ossec remoted - segfault error

2013-11-26 Thread Michael Starks
On 11/26/2013 09:18 AM, dan (ddp) wrote: I'm not familiar with this distro, could selinux or apparmor be crashing remoted? My experience has been that selinux works fine with OSSEC even in enforcing mode.

Re: [ossec-list] Re: BIG PROBLEM - runaway syscheckd process

2013-11-26 Thread chris
Hi guys, I'm encountering this problem on an Ubuntu 10.04 server running OSSEC 2.7.0. It even occurred after I disabled rootcheck. I do have wildcards in my syscheck directories config, but I was under the impression from the thread that that bug was fixed already, and I don't see any "No such