[ossec-list] Re: reindexing logs

2016-05-20 Thread Jesus Linares
Hi Maxim, what was the problem with logstash? How is your configuration? A typical configuration is Manager + Logstash forwarder and other machine with ELK. So you should debug if each part is receiving the logs. Quick debug guide: Logstash forwarder: - /opt/logstash-forwarder/bin/logstas

Re: [ossec-list] Re: Repeated offenders?

2016-05-20 Thread Jesus Linares
I'm glad to help. Also, I wrote a post about blocking attacks with active response (including repeated offenders configuration): http://blog.wazuh.com/blocking-attacks-active-response/ I hope you find it interesting. Regards. On Friday, May 20, 2016 at 8:27:38 AM UTC+2, Xavier Mertens wrote: >

[ossec-list] Re: OSSEC-abnormal-behavior-active-repsonse

2016-05-20 Thread theresa mic-snare
Have you checked the active responses log on the respective agent/device? /var/ossec/logs/active-responses.log or on Windows systems C:\Program Files (x86)\ossec-agent\active-response\active-responses.log On Thursday, May 19, 2016 at 18:42:04 UTC+2, James Siegel wrote: > > I have a set of subnet

[ossec-list] Re: white list specific ip on active response

2016-05-20 Thread theresa mic-snare
James, please check the active-responses.log on the respective agent/device. And you might want to consider upgrading to a new version, because maybe there was indeed a bug in active response that has been addressed and fixed with a more recent version. Current Stable Version is 2.8.3 but if y

Re: [ossec-list] OSSEC-abnormal-behavior-active-repsonse

2016-05-20 Thread Antonio Querubin
How are you configuring those white listed subnets in the config - as a series of individual addresses? Sent from my iPad > On May 19, 2016, at 06:42, James Siegel wrote: > > I have a set of subnets that are whitelisted. > The server and agents were installed quite some time ago and are on 2.8

[ossec-list] Re: Windows Defender Decoder ?

2016-05-20 Thread Brent Morris
Hi Jesus, Yeah, I think I submitted a pull request into OSSEC some time back on this... If memory serves, the other IDs are because I used the existing MS ID schema for OSSEC. The odd IDs are just because these live in my local_rules.xml in production. Sadly, I haven't had the time to update