Re: [ossec-list] Re: Ossec active response on agent

2015-10-13 Thread Kévin Printz
Hello @dan Thank you for your answer. Yes, it seems that ossec-execd is running on my agent : [root@hostname etc]# ps -edf | grep ossec-exec[d] root 20235 1 0 08:36 ?00:00:00 /var/ossec/bin/ossec-execd And yes, the restart.sh is listed on the agent : [root@hostname etc]# cat

Re: [ossec-list] Merge EventChannel fix into 2.8?

2015-10-13 Thread DefensiveDepth
Looks great! New build creates tmp dir, no bookmark errors. EventChannel logs still being successfully processed. -Josh On Monday, October 12, 2015 at 5:25:42 PM UTC-4, dan (ddpbsd) wrote: > > On Fri, Oct 9, 2015 at 8:16 PM, SoulAuctioneer > wrote: > > Are there

Re: [ossec-list] Re: Ossec active response on agent

2015-10-13 Thread Kévin Printz
Yes, I created it with the same owner / rights that the default active response scripts : [root@myagent etc]# ls -l /var/ossec/active-response/bin/restart.sh -r-xr-x--- 1 root ossec 59 Oct 8 08:49 /var/ossec/active-response/bin/restart.sh Does some others config files or logs can help to

Re: [ossec-list] Merge EventChannel fix into 2.8?

2015-10-13 Thread DefensiveDepth
I believe this is the relevant thread. I have always installed the client with a user that has local admin privileges, so I have never run into this issue. Anybody else have any input? On Tuesday, October 13, 2015 at 7:29:19 AM UTC-4, dan

Re: [ossec-list] Re: Ossec active response on agent

2015-10-13 Thread dan (ddp)
On Tue, Oct 13, 2015 at 8:17 AM, Kévin Printz wrote: > Yes, I created it with the same owner / rights that the default active > response scripts : > > > [root@myagent etc]# ls -l /var/ossec/active-response/bin/restart.sh > -r-xr-x--- 1 root ossec 59 Oct 8 08:49 >

Re: [ossec-list] Merge EventChannel fix into 2.8?

2015-10-13 Thread dan (ddp)
On Tue, Oct 13, 2015 at 6:46 AM, DefensiveDepth wrote: > Looks great! > > New build creates tmp dir, no bookmark errors. > > EventChannel logs still being successfully processed. > Awesome. I haven't installed on a win7+ system, does an administrators group need to be

Re: [ossec-list] OSSEC Hash Reporting When File Added

2015-10-13 Thread dan (ddp)
On Mon, Oct 12, 2015 at 10:54 AM, James Edwards wrote: > Hi all, > > Is it possible to have OSSEC report the initial hash of the files indexed by > the agent? > > As an example of the desired output: > > Oct 12 14:30:19 xxx.xx.x.xx Oct 12 10:29:29 ossec01 ossec: Alert Level:

Re: [ossec-list] Re: Ossec active response on agent

2015-10-13 Thread dan (ddp)
On Tue, Oct 13, 2015 at 4:57 AM, Kévin Printz wrote: > Hello @dan > > Thank you for your answer. > > Yes, it seems that ossec-execd is running on my agent : > [root@hostname etc]# ps -edf | grep ossec-exec[d] > root 20235 1 0 08:36 ?00:00:00

Re: [ossec-list] Merge EventChannel fix into 2.8?

2015-10-13 Thread SoulAuctioneer
If I had to guess, that thread and some of the others you might remember seeing are about the installer setting permissions to the 'Administrators' group. The problem is when Windows is set to use another language that group isn't named the same. The proper way to do this is with well known

[ossec-list] eject usb with ossec

2015-10-13 Thread Andrea Garbeglio
Dear all, I have implemented the alert on my Windows agent that someone connect a new usbstor device the agent will send me a notification. Now I have a couple of questions that in my case doesn't work. 1. there is a way to set an alert each time someone connect a usbstor also if is already in the

[ossec-list] eject usb storage

2015-10-13 Thread Andrea Garbeglio
Dear all, I have implemented the alert on my Windows agent that someone connect a new usbstor device the agent will send me a notification. Now I have a couple of questions that in my case doesn't work. 1. there is a way to set an alert each time someone connect a usbstor also if is already in the