[ossec-list] how to change the alert level of integrity checking and rootkit detection

2014-11-06 Thread Sean Lin
How to change the alert level of integrity checking and rootkit detection? By default, the alert level of integrity checking is 7, and rootkit detection's is 3. 2014 Nov 06 03:48:53 New file '/etc/openvpn/ccd/client' added to the file system.

[ossec-list] why child decoder can not work

2014-11-06 Thread root
Hi, all. I have a log like this: Nov 6 15:23:43 web001 su: pam_unix(su:session): session opened for user bot by robert(uid=0) and code like this: ^pam_unix|^\(pam_unix\) pam ^session \w+ \.* for user (\S+) user But logtest shows: **Phase 1: Completed pre-decoding. full event: 'Nov 6 1

[ossec-list] Re: how to change the alert level of integrity checking and rootkit detection

2014-11-06 Thread Sean Lin
I have found the rule ID of integrity checking and solved it. Now I only have a question about *rootkit detection's alert level.* On Thursday, November 6, 2014 4:28:48 PM UTC+8, Sean Lin wrote: > > how to change the alert level of integrity checking and rootkit detection > by default, the Alert level of integrity checki

Re: [ossec-list] Hybrid issues - stops forwarding logs

2014-11-06 Thread Chris H
Has anyone got Hybrid working? According to lsof, nothing else seems to be accessing the files at the time that the agent stops processing them. I've figured out why it's looking at additional files/directories: it's pulled in the shared agent config; I'd forgotten I'd configured that :) On

Re: [ossec-list] Huge event logs create Network Bandwidth issue

2014-11-06 Thread grant
That is an interesting idea, however all the logs are processed server side, not agent side, thus by the time you detect an uptick in events, you have already sent the traffic. In theory you could create a custom rule for # of X event types over a period of time, and if the rule fires, you have

Re: [ossec-list] ossec-logtest works but no alerts in real-tim

2014-11-06 Thread grant
What Dan says is accurate, and a visual representation might be helpful. For this log: 2014 Nov 05 09:10:02 (w2008) 192.1.1.1->\Programs\myapp\ logs\05-11-2014\Error.log Error - The process started successfully This part is from the OSSEC agent: 2014 Nov 05 09:10:02 (w2008) 192.1.1.1-> And th

Re: [ossec-list] ossec-logtest works but no alerts in real-tim

2014-11-06 Thread dan (ddp)
On Thu, Nov 6, 2014 at 7:12 AM, wrote: > What Dan says is accurate, and a visual representation might be helpful > > For this log : > > 2014 Nov 05 09:10:02 (w2008) 192.1.1.1->\Programs\myapp\ > logs\05-11-2014\Error.log Error - The process started successfully > > This part is from the OSSEC age

Re: [ossec-list] Re: how to change the alert level of integrity checking and rootkit detection

2014-11-06 Thread dan (ddp)
On Thu, Nov 6, 2014 at 5:26 AM, Sean Lin wrote: > I have found the rule ID of integrity checking and solved it. > Now I only have a question about rootkit detection's alert level. > Rule ID 509? > > > On Thursday, November 6, 2014 4:28:48 PM UTC+8, Sean Lin wrote: >> >> how to change the alert level of integrity checkin

Re: [ossec-list] why child decoder can not work

2014-11-06 Thread dan (ddp)
On Thu, Nov 6, 2014 at 5:07 AM, wrote: > Hi, all > > > I have a log like this > > Nov 6 15:23:43 web001 su: pam_unix(su:session): session opened for user bot > by robert(uid=0) > > > and code like this > > > > > ^pam_unix|^\(pam_unix\) > > > > pam > ^session \w+ > \.* for user (\S+) > user >

Re: [ossec-list] Several newbie's quick questions.

2014-11-06 Thread dan (ddp)
On Wed, Nov 5, 2014 at 5:09 PM, wrote: > Hi all, > > 1. Can OSSEC trigger a rule based on a predefined condition? > For example, for the following message from mongod.log, is there a way to > define a rule which would be triggered if the memory field is bigger than 15000 > (15GB)? So far I could ext

Re: [ossec-list] Hybrid issues - stops forwarding logs

2014-11-06 Thread dan (ddp)
On Thu, Nov 6, 2014 at 6:44 AM, Chris H wrote: > Has anyone got Hybrid working? > I have agents that work and I have managers that work. So basically yes. What distro/version are you using? Can you try strace to see if that gives you more information on what's going on? Looking at the code, I thi

Re: [ossec-list] Huge event logs create Network Bandwidth issue

2014-11-06 Thread priyonko chakraborty
Yes. At last I decided to discard Application and System logs and only collect Security logs. I hope this can help in a much better way. On Thursday, 6 November 2014 17:35:07 UTC+5:30, gr...@castraconsulting.com wrote: > > That is an interesting idea, however all the logs are processed server > si

Re: [ossec-list] Hybrid issues - stops forwarding logs

2014-11-06 Thread Chris H
Hi. I'm running on CentOS 6.6. I enabled debug in internal_options.conf; nothing new in the logs. strace gives this at the time that it stops reading the file. It means nothing to me, though. stat("/logs/ossec/ossec-agent/queue/ossec/.wait", 0x7fffe60bf900) = -1 ENOENT (No such file or dir

Re: [ossec-list] Hybrid issues - stops forwarding logs

2014-11-06 Thread dan (ddp)
On Nov 6, 2014 9:41 AM, "Chris H" wrote: > > Hi. > > I'm running on CentOS 6.6. > > I enabled debug in internal_options.conf - nothing new in the logs. strace gives this at the time that it stops reading the file. It means nothing to me, though. > Try killing the daemon and restarting it with th

Re: [ossec-list] Hybrid issues - stops forwarding logs

2014-11-06 Thread Chris H
Same thing, unfortunately. 2014/11/06 15:26:33 ossec-logcollector: DEBUG: Starting ... 2014/11/06 15:26:33 ossec-logcollector: DEBUG: Waiting main daemons to settle. 2014/11/06 15:26:39 ossec-logcollector: INFO: (unix_domain) Maximum send buffer set to: '229376'. 2014/11/06 15:26:39 ossec-logcol

[ossec-list] JSON Format

2014-11-06 Thread Mario d'Aniello
I've read here (http://ossec-docs.readthedocs.org/en/latest/formats/json.html) in the documentation that we have a JSON format for alerts. But what does it refer to? Can we have the standard alerts (in /var/ossec/logs/alert/alert.log) in JSON format, or does it refer to the system via syslog? I have this d

Re: [ossec-list] JSON Format

2014-11-06 Thread dan (ddp)
On Thu, Nov 6, 2014 at 11:36 AM, Mario d'Aniello wrote: > I've read here > (http://ossec-docs.readthedocs.org/en/latest/formats/json.html) in the > documentation that we have a JSON format for alerts. > But what does it refer to? > > Can we have the standard alerts (in /var/ossec/logs/alert/alert.log) in J

[ossec-list] list_agents -n shows non-existing clients?

2014-11-06 Thread Chris Tweed
I regularly perform a "list_agents -n" to check for any non-connected OSSEC clients in our environment so that I can investigate the reason and resolve. At present if I perform this check I get quite a long list showing clients which no longer exist in the client.keys file on our server. I must

[ossec-list] cannot get Process Monitoring (uptime example) working.

2014-11-06 Thread yongzhi . chen
Hi all, The OSSEC online documentation offers three examples for the Process Monitoring feature. So far I have seen the 'output of a command change' example working in my environment (rule_id=533). I am really interested in the load average (uptime) example and want to get it working and understand the underlyin

Re: [ossec-list] cannot get Process Monitoring (uptime example) working.

2014-11-06 Thread dan (ddp)
On Thu, Nov 6, 2014 at 1:16 PM, wrote: > Hi all, > > The OSSEC online documentation offers three examples for the Process Monitoring > feature. > > So far I have seen the 'output of a command change' example working in my > environment (rule_id=533). > > I am really interested in the load average (uptime) example an

Re: [ossec-list] JSON Format

2014-11-06 Thread Mario d'Aniello
It's surely a reference to ZeroMQ, while syslog has another type of format. But that was confusing me :) Thanks for the answer as always. 2014-11-06 17:48 GMT+01:00 dan (ddp) : > On Thu, Nov 6, 2014 at 11:36 AM, Mario d'Aniello > wrote: > > I've read here > > (http://ossec-docs.readthedocs.org

Re: [ossec-list] JSON Format

2014-11-06 Thread dan (ddp)
On Thu, Nov 6, 2014 at 3:12 PM, Mario d'Aniello wrote: > It's surely a reference to ZeroMQ, while syslog has another type of format. > But that was confusing me :) > > Thanks for the answer as always. > I created an issue on github to see about unifying these outputs. Seems odd to me that they ar

Re: [ossec-list] Several newbie's quick questions.

2014-11-06 Thread yongzhi . chen
On Thursday, November 6, 2014 4:53:33 AM UTC-8, dan (ddpbsd) wrote: > > On Wed, Nov 5, 2014 at 5:09 PM, > > wrote: > > Hi all, > > > > 1. Can OSSEC trigger a rule based on a predefined condition? > > For example, for the following message from mongod.log, is there a way > to > > define a

Re: [ossec-list] cannot get Process Monitoring (uptime example) working.

2014-11-06 Thread yongzhi . chen
On Thursday, November 6, 2014 11:33:57 AM UTC-8, dan (ddpbsd) wrote: > > On Thu, Nov 6, 2014 at 1:16 PM, > > wrote: > > Hi all, > > > > The OSSEC online documentation offers three examples for the Process Monitoring > > feature. > > > > So far I have seen the 'output of a command change' example working

Re: [ossec-list] cannot get Process Monitoring (uptime example) working.

2014-11-06 Thread yongzhi . chen
Dan, *could you please also tell me how to set the interval time for OSSEC executing the command?* When the target value is beyond the threshold setting, I hope the alert can be triggered ASAP; therefore I may need to reduce the default interval time in my system. Thanks a lot. On Thursday, Novemb

[ossec-list] Re: why child decoder can not work

2014-11-06 Thread root
But "pam-user" is a child decoder of "pam", and the "pam" decoder prematches "pam_unix". On Thursday, November 6, 2014 6:07:39 PM UTC+8, ro...@cnmoker.org wrote: > > Hi, all > > > I have a log like this > > Nov 6 15:23:43 web001 su: pam_unix(su:session): session opened for user > bot by robert(uid=0) > > >
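As an added illustration for the "why child decoder can not work" thread (this is not code from the thread or from OSSEC itself), the following Python models how OSSEC evaluates a parent decoder's prematch, a child decoder's prematch, and the child's regex against the posted log line. It assumes the XML tags that the archive stripped were a `pam` decoder carrying the `^pam_unix|^\(pam_unix\)` pattern in a `<prematch>`, and a `pam-user` child with `<parent>pam</parent>`, the `^session \w+` prematch, the `\.* for user (\S+)` regex and `<order>user</order>`. Two documented OSSEC details drive the result: a `^` in a child prematch anchors at the start of the pre-decoded message (i.e. after the syslog header and program name), unless the prematch carries `offset="after_parent"`, in which case matching starts where the parent's prematch ended; and in OSSEC regex syntax `\.` means "any character" while a bare `.` is a literal dot, the reverse of Python. The sample message is the poster's own line with the syslog header removed, and the third decoder variant (prematch without `^`) is my own, added to show the contrast.

```python
"""Model of OSSEC parent/child decoder matching on the su/pam_unix line.

Added example for the mailing-list thread; not OSSEC's own code.
"""
import re

# Constructed sample: the message part of the posted syslog line, after
# OSSEC's syslog pre-decoder has removed the timestamp, host and "su:".
PREDECODED_LOG = "pam_unix(su:session): session opened for user bot by robert(uid=0)"


def ossec_to_python(pattern):
    """Translate the OSSEC regex escapes used in the thread to Python re.

    OSSEC: '\\.' = any character, bare '.' = literal dot, '\\w' = A-Z a-z
    0-9 @ _.  '^', '|', '\\S', '\\(' and '(...)' mean the same in both.
    """
    out, i = [], 0
    while i < len(pattern):
        c = pattern[i]
        if c == "\\" and i + 1 < len(pattern):
            nxt = pattern[i + 1]
            if nxt == ".":
                out.append(".")            # OSSEC "anything"
            elif nxt == "w":
                out.append("[A-Za-z0-9@_]")
            else:
                out.append("\\" + nxt)     # \S, \(, \) ... unchanged
            i += 2
        elif c == ".":
            out.append(r"\.")              # OSSEC literal dot
            i += 1
        else:
            out.append(c)
            i += 1
    return "".join(out)


def decode(log, parent, child):
    """Return (decoder_name, fields) the way ossec-logtest would report it.

    The parent must prematch first.  The child's prematch runs from the
    start of the log, unless it carries offset="after_parent", in which
    case it starts where the parent's prematch ended.  If no child
    matches, the event stays decoded by the parent with no fields.
    """
    pm = re.search(ossec_to_python(parent["prematch"]), log)
    if not pm:
        return None, {}
    start = pm.end() if child.get("prematch_offset") == "after_parent" else 0
    cm = re.search(ossec_to_python(child["prematch"]), log[start:])
    if not cm:
        return parent["name"], {}
    if child.get("regex_offset") == "after_prematch":
        rstart = start + cm.end()
    elif child.get("regex_offset") == "after_parent":
        rstart = pm.end()
    else:
        rstart = 0
    rm = re.search(ossec_to_python(child["regex"]), log[rstart:])
    if not rm:
        return child["name"], {}
    return child["name"], dict(zip(child["order"], rm.groups()))


PAM = {"name": "pam", "prematch": r"^pam_unix|^\(pam_unix\)"}

# 1. The child decoder exactly as posted in the question.
PAM_USER_AS_POSTED = {
    "name": "pam-user", "parent": "pam",
    "prematch": r"^session \w+",
    "regex": r"\.* for user (\S+)",
    "order": ["user"],
}
# 2. Same child, prematch anchored after the parent's match (OSSEC offset).
PAM_USER_AFTER_PARENT = dict(PAM_USER_AS_POSTED, prematch_offset="after_parent")
# 3. Same child with the '^' anchor dropped (my variant, not the poster's).
PAM_USER_UNANCHORED = dict(PAM_USER_AS_POSTED, prematch=r"session \w+")


def run_all(log=PREDECODED_LOG):
    """Evaluate the three child variants against the sample message."""
    return {
        "as_posted": decode(log, PAM, PAM_USER_AS_POSTED),
        "after_parent": decode(log, PAM, PAM_USER_AFTER_PARENT),
        "unanchored": decode(log, PAM, PAM_USER_UNANCHORED),
    }


if __name__ == "__main__":
    for label, (decoder, fields) in run_all().items():
        print(f"{label:13s} decoder={decoder!r} fields={fields}")
```

In this model the posted configuration decodes only as `pam` with no `user` field: the child's `^session` is tested against a message that begins with `pam_unix(`, and with `offset="after_parent"` it is tested against `(su:session): session ...`, which also does not start with `session`. Only the variant whose prematch is not anchored reaches the regex and yields `user=bot`. The same three cases can be checked against a real install by feeding the full syslog line to `ossec-logtest` after each decoder change.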