When rule 550 or 554 is hit with ANY agent as the source, the command below is
executing on agent 19.
As I understand AR, the command should only be executing on agent 19 when rule
550 or 554 is hit *with agent 19 as the origin*
Is this a bug or a misunderstanding on my part somewhere?
Config
We have log files that must be kept for six years and we have log files
that must be kept for one year. Log files older than 6 years or 1 year must
be expunged after that period. For example, coldfusion logs need to be
saved for six years, but maillogs only need to be kept for 1.
Currently, we
Hello OSSEC Gurus,
I'm trying to figure out how to create an OSSEC Query in Kibana (using the
ELK stack) that could identify logins at off-hours. I'm looking to hunt
for user logins at odd hours (i.e. a user logging in at 2 am on Sun), or
multiple brute-force attempts and so on.
I would
I would do something like this, not sure if it is the proper way.
<!-- Level 0 means the event is matched and silently dropped, so no alert or e-mail is generated -->
<rule id="101016" level="0">
  <if_sid>1002</if_sid>
  <hostname>server1</hostname>
  <match>Invalid command opcode:opcode=0x4D</match>
  <description>Ignore</description>
</rule>
On Friday, June 26, 2015 at 3:52:09 AM UTC-6, Wforum Wforum
On 06/26/2015 09:00 AM, Carl Hilinski wrote:
We have log files that must be kept for six years and we have log files
that must be kept for one year. Log files older than 6 years or 1 year
must be expunged after that period. For example, coldfusion logs need to
be saved for six years, but
On Jun 26, 2015 12:23 PM, Jeff Blaine cjbla...@gmail.com wrote:
When rule 550 or 554 is hit with ANY agent as the source, the command
below is executing on agent 19.
As I understand AR, the command should only be executing on agent 19 when
rule 550 or 554 is hit *with agent 19 as the origin*
Oleg, hello!
The OSSEC agent for Windows creates the file ossec.log in c:\program files\OSSEC\.
Try to open it. It can also have problems with file permissions.
I recommend first removing the current agent, then installing agent 2.7.1,
entering the key and trying to run it. If it runs properly, then make in-place
Greetings:
A while ago I ran into a problem where ossec wasn't throwing alerts on MS
Security Essentials (MSE) detection of the EICAR test file. After some
digging, I found a thread by Edward Welch
(https://groups.google.com/forum/#!topic/ossec-list/q8eLKPL1qKc), which put
me on the right
Hello!
I'm building SIEM for OSSEC and Snort on ELK stack.
You can find it on github: https://github.com/dsvetlov/lightsiem
The project contains ready-to-use Logstash patterns and Kibana dashboards. It
supports authentication too.
It is also capable of sending e-mails. Rules for e-mail alerting very
Hi,
I have a lot of errors in our syslog, but they are not really an issue.
But I get lots of emails about them. How can I ignore these errors so I don't
get these mails anymore?
example
Level: 2 - Unknown problem somewhere in the system.
Rule Id:1002
Location:(server1)
10 matches