RE: [ossec-list] Log file not triggering alert

2016-01-28 Thread lostinthetubez
Dynamic log file names on Windows are indeed a bit challenging and will require creative workarounds, unless you happen to know how to modify the source code. One idea would be to script a scheduled task that looks for new log files when you expect them to be created and edit the agent’s

Re: [ossec-list] Testing integratord

2016-01-28 Thread Marcelo
Dear Daniel, I did the installation of integrator, but I do not understand why my server lost the connection with my agents. For the service to work again, I need to restart ossec. Can you help me? I have downloaded this: dcid-ossec-hids-d29f2859d5c6.tar.gz PS: Apologies for my poor English, my

[ossec-list] agentless alerts do not appear in the "alerts.log" or in the WUI

2016-01-28 Thread Log
When testing agentless monitoring I noticed that agentless alerts do not appear in the "alerts.log" nor in the WUI. Why is that, and can it be fixed? I'm using ssh_integrity_check_linux. I do receive email alerts, as shown below. OSSEC HIDS Notification. 2016 Jan 28 10:46:22 Received From:

[ossec-list] strange in 'full_command' output

2016-01-28 Thread q
Hello list! OSSEC can "cut" some data from 'full_command' output. This is from ossec-alerts.log: ossec: output: 'tcp_netstat': Active Internet connections (only servers) Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name tcp0

Re: [ossec-list] strange in 'full_command' output

2016-01-28 Thread q
list, sorry for the typo: the first example is not "from ossec-alerts.log" but "from ossec.log". cheers. On 29.01.2016 01:49, q wrote: > Hello list! > > OSSEC can "cut" some data from 'full_command' output. > > > > this is from ossec-alerts.log > > ossec: output: 'tcp_netstat': > Active Internet

[ossec-list] OSSEC Log Transport over SSL

2016-01-28 Thread slippingdough
Hello OSSEC group, I've tried googling a lot of this information but I'm unable to find what I need. (Probably from a lack of understanding). Scenario: I have four agent servers and one master server. They are all communicating and the logs are being transported. Recently I created an SSL key

Re: [ossec-list] How to set up agentless monitoring with non-standard SSH ports?

2016-01-28 Thread Santiago Bassett
Haven't tested it but I guess a quick and dirty solution would be to copy the script, renaming those like: ssh_integrity_check_linux_22 ssh_integrity_check_linux_123 ssh_integrity_check_linux_456 And then have those triggered for the different agents depending on where their sshd service

Re: [ossec-list] OSSEC Log Transport over SSL

2016-01-28 Thread dan (ddp)
On Jan 28, 2016 3:24 PM, wrote: > > Hello OSSEC group, I've tried googling a lot of this information but I'm unable to find what I need. (Probably from a lack of understanding). > > Scenario: I have four agent servers and one master server. They are all communicating and

Re: [ossec-list] agentless alerts do not appear in the "alerts.log" or in the WUI

2016-01-28 Thread Santiago Bassett
Are you sure it is not in the alerts file? ossec-maild (the smtp agent) reads the alerts.log file in order to send emails. See below: root@vpc-ossec-manager:~# lsof /var/ossec/logs/alerts/alerts.log COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME ossec-csy 506 ossecm3r REG

Re: [ossec-list] firewall.log and ICMP?

2016-01-28 Thread Xavier Mertens
Issue submitted! /x On Wed, Jan 27, 2016 at 5:04 PM, Brent Morris wrote: > Is this worth submitting as an issue to github? > > https://github.com/ossec/ossec-hids/issues > > > On Wednesday, January 27, 2016 at 12:08:54 AM UTC-8, Xavier Mertens wrote: >> >> I'll patch my

Re: [ossec-list] syscheck not working with restrict option

2016-01-28 Thread Daniel Cid
The issue was in my branch there. Mind getting the latest again? Should be working now: https://bitbucket.org/dcid/ossec-hids/get/tip.tar.gz Sorry for the waste of time :/ thanks, On Thu, Jan 28, 2016 at 1:34 PM, Luke Hansey wrote: > Thanks for the reply, Santiago.

Re: [ossec-list] Testing integratord

2016-01-28 Thread Daniel Cid
Mind sending the last 20-30 lines of your ossec.log? It can give us an idea of what is going on. thanks, On Thu, Jan 28, 2016 at 1:42 PM, Marcelo wrote: > Dear Daniel, > > I did the installation of integrator, but I do not understand why my > server had lost the

[ossec-list] Global Mail limit

2016-01-28 Thread Lionel Caignec
Hi, I use ossec to monitor all server activities in my enterprise, including creation/modification of files. I forward to each sysadmin (configured in ossec.conf) all alerts from their server. Today I face a problem: I have many servers which generate mail alerts, and the global mail

Re: [ossec-list] decoder prematch (regex) issue

2016-01-28 Thread Santiago Bassett
correct, I think that it is. On Wed, Jan 27, 2016 at 11:06 PM, Fredrik wrote: > Hi Santiago! > > > Thanks for your input. As you pointed out the \D+ is out of place and I > couldn't figure out why that would match whereas the latter regex, that I > believed to be more

Re: [ossec-list] Global Mail limit

2016-01-28 Thread Lionel Caignec
Yes, periodically we have some bursts, especially when executing "yum update" on all servers. We get mail alerts, but they're delayed, so we have a problem detecting file modification. OK, this is what I thought for the patch. On Thursday, 28 January 2016 11:02:28 UTC+1, Eero Volotinen wrote: > > So, you

Re: [ossec-list] Global Mail limit

2016-01-28 Thread Eero Volotinen
So, you are sending over in one hour? Changing that requires a patch and recompiling the ossec server. -- Eero 2016-01-28 11:10 GMT+02:00 Lionel Caignec : > Hi, > > I use ossec to monitor all servers activities from my enterprise including > creation/modification of file. > >

Re: [ossec-list] How to set up agentless monitoring with non-standard SSH ports?

2016-01-28 Thread Log
Thanks Santiago. I assume you are referring to the "ssh_integrity_check_linux" script. I tried that, but it seems to break agentless monitoring on hosts that use port 22 for ssh connections, or for that matter, other non-standard ports. Is there any workaround for this? To put the question

[ossec-list] Re: Global Mail limit

2016-01-28 Thread victor
Hi, I found that limit and it's hardcoded in the function Read_Global(), in src/config/global-config.c: if ((Mail->maxperhour <= 0) || (Mail->maxperhour > )) { merror(XML_VALUEERR, __local_name, node[i]->element, node[i]->content); return (OS_INVALID); } You may increase this limit as you need

[ossec-list] Monthly Management Reports

2016-01-28 Thread namobuddhaonion
Is there a way to do monthly management reports in OSSEC if I have an ELK stack sitting on top of it? I need to be able to deliver monthly reports to management. Thanks,