[ossec-list] netstat part of syscheck not seeing all ports on initial read

2016-04-14 Thread Noway2
I have been using Ossec on a couple of my servers for several years now. I recently updated one of them to Ubuntu 14.04 server edition and found that the agent running on that machine was no longer communicating with the server. I took this as an opportunity to upgrade both machines from

[ossec-list] Re: Email notification for adding new users, new packages, triggering hours later

2016-04-14 Thread thak
So after some investigating it seems what's ACTUALLY happening is that the realtime notifications aren't working, and the syscheck 20 hour scan is picking up the changes. Thus, one could reasonably (I think) interpret this as delayed realtime notifications. I certainly have the realtime="yes"

[ossec-list] Re: Email notification for adding new users, new packages, triggering hours later

2016-04-14 Thread thak
I hadn't really considered the mail server may be the problem - we naturally utilize sendmail to offload the notifications and route them through our corporate O365 exchange server. I was getting some integrity changes hours after the changes actually occurred (on boxes with realtime=yes and

[ossec-list] Re: Windows Agent Compilation

2016-04-14 Thread Kumar Mg
Thank you Victor. We tried with both 2.8.2 as well as the 2.8.3 version. But both were throwing error for make. The changes were made as suggested, however there were some errors and not sure if all the executables were created. These are the only exe files under src\win-pkg 04/14/2016

Re: [ossec-list] RootCheck disableing

2016-04-14 Thread eyal gershon
2016/04/14 06:03:17 ossec-rootcheck: INFO: Started (pid: 30101).
2016/04/14 06:06:05 ossec-rootcheck: INFO: Starting rootcheck scan.
2016/04/14 06:06:05 ossec-rootcheck: No rootcheck_files file configured.
2016/04/14 06:06:05 ossec-rootcheck: No rootcheck_trojans file configured.
2016/04/14

Re: [ossec-list] RootCheck disableing

2016-04-14 Thread dan (ddp)
On Thu, Apr 14, 2016 at 6:27 AM, eyal gershon wrote:
> Hey,
>
> I tried to disable the rootcheck on one of the servers.
> I have added the following line to the agent.conf file -
>
>
> yes
>
>
> and after I am restarting the service I get the following output -
>

Re: [ossec-list] windows active response logic

2016-04-14 Thread dan (ddp)
On Wed, Apr 13, 2016 at 2:49 PM, Rob B wrote:
> Thanks, that gave me the food for thought I needed...
> I will push my packages with updated .conf files for agents in an automated
> "update like" fashion.
>
> Will test the directory that ossec agent needs to fire my package

[ossec-list] RootCheck disableing

2016-04-14 Thread eyal gershon
Hey, I tried to disable the rootcheck on one of the servers. I have added the following line to the agent.conf file - yes and after I am restarting the service I get the following output - Starting ossec-hids: 2016/04/14 06:16:27 ossec-rootcheck: Rootcheck disabled. Exiting.