[ossec-list] Re: USB storage detect & recursive file list

2016-04-20 Thread Jacob Mcgrath
I have a batch script I wrote that could be used in replacement of PowerShell...

    @echo off
    for /f "tokens=2 delims==" %%d in ('wmic logicaldisk where "drivetype=2" get name /format:value') do ( set var=%%d )
    echo dir /s %var% > C:\temp\test.txt
    type C:\temp\test.txt
    pause

The output is this

[ossec-list] postfix-reject decoder not working with port in log entry

2016-04-20 Thread Tobias Margiani
Hi, Trying to configure OSSEC for our mail server I noticed that our postfix log format is different from what ossec expects with the default rules. The postfix-reject decoder reads the source ip and and an error id, but in our logs there is also a port present (instead of "[x.x.x.x]: id" we

[ossec-list] Re: USB storage detect & recursive file list

2016-04-20 Thread Jacob Mcgrath
Wonder if I could wrap it into a test.ps1 and execute it through powershell.exe -noprofile -executionpolicy bypass -file .\test.ps1 On Tuesday, April 19, 2016 at 2:23:39 PM UTC-5, Jacob Mcgrath wrote: > > I have a basic Windows agent setting to alert me when a storage device is > detected using

Re: [ossec-list] Re: USB storage detect & recursive file list

2016-04-20 Thread Pedro Sanchez
I think it has a character limitation; try to remove empty spaces or make the test.txt content shorter. On Wed, Apr 20, 2016 at 12:39 AM, Jacob Mcgrath wrote: > Will try dropping the | select -Skip 2 from the Get-Content, see if that > works, or maybe a -Raw output arg >

Re: [ossec-list] Re: Rule 1002 continues to fire after creating local overwriting rule

2016-04-20 Thread James Stallings
Service restarts did not clear the defunct process. I ended up killing them off and restarting. The server is healthy now and processing rules correctly. Thanks for all the help. On Wednesday, April 20, 2016 at 8:46:21 AM UTC-4, dan (ddpbsd) wrote: > > On Mon, Apr 18, 2016 at 5:46 PM, James

Re: [ossec-list] Re: Rule 1002 continues to fire after creating local overwriting rule

2016-04-20 Thread dan (ddp)
On Mon, Apr 18, 2016 at 5:46 PM, James Stallings wrote: > I believe root cause here was a bunch of old OSSEC processes that were still > holding an older config in memory even after I had cycled the daemons on > several occasions. I no longer see the issue. Has anyone seen

[ossec-list] Re: ossec service in windows 10

2016-04-20 Thread Diego Arranz
Ok, I reviewed all permissions inside the folder for the SYSTEM account and now everything runs ok. Thanks so much for the help. On Wednesday, April 20, 2016 at 10:02:07 AM (UTC+2), Victor Fernandez wrote: > > I had the Error 5 when the file "ossec-agent.exe" has no permissions for > "SYSTEM". > >

Re: [ossec-list] Disk usage monitor not working in RHEL5

2016-04-20 Thread Robert Micallef
Sure. Current rule: 530 ossec: output: 'df -h': /dev/ 100% Partition usage reached 100% (disk space monitor). low_diskspace, Leave that rule for 100% (so you don't modify the original rules). In local_rules add: 530 ossec: output: 'df -h': /dev/ 9\d%

Re: [ossec-list] Disk usage monitor not working in RHEL5

2016-04-20 Thread theresa mic-snare
cool, would you mind sharing those custom rules with us? the threshold (over 90%) one is specifically appealing to me :) On Wednesday, April 20, 2016 at 09:12:29 UTC+2, Robert Micallef wrote: > > I added custom rules to alert if space is over 90%. > > On 20 April 2016 at 02:16, Santiago Bassett

[ossec-list] Re: ossec service in windows 10

2016-04-20 Thread Victor Fernandez
I had the Error 5 when the file "ossec-agent.exe" has no permissions for "SYSTEM". Unfortunately, when we change the IP in the UI, the file "ossec.conf" is re-created without SYSTEM permissions, so the service starts and exits suddenly, but it prints the access error in the "ossec.log". So,

[ossec-list] Re: ossec service in windows 10

2016-04-20 Thread Diego Arranz
Hi. To install OSSEC, first I created an Administrators group and added the users to this group (this user belongs to the local Administrators group too), then installed it without error in, for example, "d:\ossec\ossec-agent". To configure the agent (OSSEC server and key) I used the GUI and tried

[ossec-list] Re: ossec service in windows 10

2016-04-20 Thread Victor Fernandez
P.S.: I detected that sometimes, if I had already created the group "Administrators" (for non-English Windows versions), OSSEC grants file permissions only to the group "Administrators". In order to start a service, executable files must have execution permissions for "SYSTEM". So, please

[ossec-list] Re: Ossec Agent 2.71 Keeps disconnecting from Ossec server 2.8.3

2016-04-20 Thread theresa mic-snare
awesome, thanks for sharing your experience with us Alexandre. I'm sure this could be beneficial to others as well! On Tuesday, April 19, 2016 at 21:13:00 UTC+2, Alexandre Laquerre wrote: > > So the final result was as follows, the first step i exported the agent > list and updated the list ( i

Re: [ossec-list] Disk usage monitor not working in RHEL5

2016-04-20 Thread Robert Micallef
I added custom rules to alert if space is over 90%. On 20 April 2016 at 02:16, Santiago Bassett wrote: > Out of curiosity, what is the rule supposed to trigger the alert? The one > I see by default looks for full partitions... > > >