Re: [ossec-list] Setting email

2014-04-10 Thread Nicolas Zin
Which alert is it? Does the alert have an "alert_by_email" by any chance? On Thu, Apr 10, 2014 at 9:03 PM, Evan wrote: > Today I installed OSSEC on my server and I have these settings: > > > yes > my-email-addr...@gmail.com > localhost > ossecm@scaver > > > > my-e

Re: [ossec-list] Ossec 2.7 agent installer broken on Ubuntu 10.04

2014-04-10 Thread 4782area51
I found this did not matter for me. What I had to do was modify /var/ossec/etc/ossec.conf and update lines 3 and 4 to the following: ENTERIPOFSERVERHERE execute /var/ossec/bin/manage_agents to import key make sure my server was ready to accept traffic from the agent execute "/var/ossec/bin/os

Re: [ossec-list] Re: CVE-2014-0160 (Heartbeat bug) Advisory for OSSEC

2014-04-10 Thread Michael Starks
On 04/10/2014 07:46 PM, miguel.j...@gmail.com wrote: If I used ossec-authd only once, and have since revoked the key that was generated, but already had a number of keys generated *prior* to any use of ossec-authd, those original keys are safe and need not be revoked, correct? Just want to make

[ossec-list] Setting email

2014-04-10 Thread Evan
Today I installed OSSEC on my server and I have these settings: yes my-email-addr...@gmail.com localhost ossecm@scaver my-email-addr...@gmail.com 7 Near the end of the file I have these lines as well: 1 8 But with these settings I get an email

Re: [ossec-list] Re: CVE-2014-0160 (Heartbeat bug) Advisory for OSSEC

2014-04-10 Thread miguel . jacq
Thanks for the reply, One final question: On Friday, April 11, 2014 9:51:15 AM UTC+10, Michael Starks wrote: > > On 04/10/2014 06:14 PM, migue...@gmail.com wrote: > > > If you're not using ossec-authd you don't need to do anything. If you > are, as a precaution, it is recommended to recompile

Re: [ossec-list] Re: CVE-2014-0160 (Heartbeat bug) Advisory for OSSEC

2014-04-10 Thread Michael Starks
On 04/10/2014 06:14 PM, miguel.j...@gmail.com wrote: I read the report, but it's not clear to me whether I need to revoke all agent keys and regenerate new ones? I don't have ossec-authd running. In fact I only recently recompiled OSSEC with the SSL headers in order to use ossec-authd at all (f

[ossec-list] Re: CVE-2014-0160 (Heartbeat bug) Advisory for OSSEC

2014-04-10 Thread miguel . jacq
Hi, On Wednesday, April 9, 2014 2:05:31 PM UTC+10, vic hargrave wrote: > > We have released an advisory on the CVE-2014-0160 (Heartbeat bug) Advisory > for OSSEC and what users can do about it. > I read the report, but it's not clear to me whether I need to revoke all agent keys and regenerate

Re: [ossec-list] Re: OSSEC & Logstash

2014-04-10 Thread sercan acar
Thank you Josh. Not sure why I thought filtering would be more complicated; Lucene syntax is simple enough and it is very easy to add the timestamp field back in. I'm having difficulties with the Bettermap. The panel loads with values in different colour codes and number of alerts (so far so good

Re: [ossec-list] ossec agent unable to communicate with ossec server

2014-04-10 Thread Santiago Bassett
Could you paste ifconfig and netstat output (feel free to anonymize any data if needed)? At this point I don't know what the issue could be but this info may help. On Thu, Apr 10, 2014 at 8:32 AM, Devendra Agarwal < devendra.agra...@gmail.com> wrote: > No firewall (hardware or software) involve

Re: [ossec-list] ossec agent unable to communicate with ossec server

2014-04-10 Thread Devendra Agarwal
No firewall (hardware or software) involved and tcpdump does not show any communication between client and server. As soon as I install it on a server that doesn't have network bonding/teaming configured (even with multiple IPs), issue doesn't happen. On Thursday, 10 April 2014 11:29:39 UTC-4,

Re: [ossec-list] ossec agent unable to communicate with ossec server

2014-04-10 Thread Santiago Bassett
Could you check on the server with tcpdump if there is any traffic sent from the agent and, in case there is, what IP is being used? I know you did it with Netstat but there could be other factors involved (maybe firewalls...) On Thu, Apr 10, 2014 at 8:05 AM, Binet, Valere (NIH/NIA/IRP) [C] < b

Re: [ossec-list] ossec agent unable to communicate with ossec server

2014-04-10 Thread Devendra Agarwal
2014/04/10 09:08:52 ossec-logcollector(1950): INFO: Analyzing file: '/var/log/messages'.
2014/04/10 09:08:52 ossec-logcollector(1950): INFO: Analyzing file: '/var/log/secure'.
2014/04/10 09:08:52 ossec-logcollector(1950): INFO: Analyzing file: '/var/log/maillog'.
2014/04/10 09:08:52 ossec-logcol

Re: [ossec-list] ossec agent unable to communicate with ossec server

2014-04-10 Thread Devendra Agarwal
Below is a snippet from the logs:
2014/04/10 09:08:52 ossec-logcollector(1950): INFO: Analyzing file: '/var/log/messages'.
2014/04/10 09:08:52 ossec-logcollector(1950): INFO: Analyzing file: '/var/log/secure'.
2014/04/10 09:08:52 ossec-logcollector(1950): INFO: Analyzing file: '/var/log/maillog'.
20

Re: [ossec-list] ossec agent unable to communicate with ossec server

2014-04-10 Thread Binet, Valere (NIH/NIA/IRP) [C]
What do the logs say? They should be in /var/ossec/logs Valère Binet [C] IT Security Administrator Kelly Government Solutions On-Site at the NIH NIH / NIA / IRP Tel : 410 558 8013 mailto: bin...@nia.nih.gov NCTS performance comments and survey at: https://niairpkiosk.irp.nia.nih.gov/content/nct

Re: [ossec-list] ossec agent unable to communicate with ossec server

2014-04-10 Thread Devendra Agarwal
Hi Santiago, Thanks for the response. The system does have 2 IPs. I have verified with netstat that ossec binds to the correct IP. There is no communication shown in the output of tcpdump on either IP. In every case it fails, that server has NIC bonding (teaming) set up. I am wondering if I need to

Re: [ossec-list] CVE-2014-0160 (Heartbeat bug) Advisory for OSSEC

2014-04-10 Thread secucatcher
Hello, so when I read that we can't do any rules :( http://blog.didierstevens.com/2014/04/09/heartbleed-packet-capture/ It must be inspected in the network layer