Re: [ossec-list] Nagios needs to sudo to read syslog causing unnecessary alerts

2016-06-14 Thread Tahir Hafiz
Thanks. Probably no risk in adding to adm group as purpose of adm group is to be able to parse log files. On Monday, 13 June 2016 19:25:44 UTC+1, Darin Perusich wrote: > > Instead of using Nagios NRPE, think about using check_mk to extend > nagios to support all and more of what NRPE does. Th

[ossec-list] Re: Ossec - ping servers with alert on failure

2016-06-14 Thread Jacob Mcgrath
I have tried something different and used logger to push server ping failures to the /var/log/message. I do see this when I grep the Ossec archive. 2016 Jun 13 23:30:22 alamo->/var/log/messages alamo logger: ServPing Domain DC01 down So this works but I can not seem to get past phase one pre

[ossec-list] OSSEC flushed all the iptables rules

2016-06-14 Thread Zeal Vora
Hi We installed OSSEC in our production machines yesterday and today we saw that all the iptables rules in all the machines were flushed. Something similar to iptables -F Any idea on what can cause this ? I am aware that OSSEC active-response can add or remove entries from iptables but have ne

Re: [ossec-list] Re: Ossec - ping servers with alert on failure

2016-06-14 Thread dan (ddp)
On Tue, Jun 14, 2016 at 7:39 AM, Jacob Mcgrath wrote: > I have tried something different and used logger to push server ping > failures to the /var/log/message. I do see this when I grep the Ossec > archive. > > 2016 Jun 13 23:30:22 alamo->/var/log/messages alamo logger: ServPing Domain > DC01 do

Re: [ossec-list] OSSEC flushed all the iptables rules

2016-06-14 Thread dan (ddp)
On Tue, Jun 14, 2016 at 8:17 AM, Zeal Vora wrote: > Hi > > We installed OSSEC in our production machines yesterday and today we saw > that all the iptables rules in all the machines were flushed. Something > similar to iptables -F > > Any idea on what can cause this ? I am aware that OSSEC active-

Re: [ossec-list] OSSEC flushed all the iptables rules

2016-06-14 Thread Zeal Vora
I'm using the latest version of OSSEC ( 2.8 ) and yes active response is enabled. So currently OSSEC clients are actively blocking attacks but due to some reason they have also flushed all the iptables rules from memory ( like iptables -F ) On Tuesday, June 14, 2016 at 6:24:52 PM UTC+5:30, dan

Re: [ossec-list] OSSEC flushed all the iptables rules

2016-06-14 Thread dan (ddp)
On Tue, Jun 14, 2016 at 9:01 AM, Zeal Vora wrote: > I'm using the latest version of OSSEC ( 2.8 ) and yes active response is > enabled. > The latest version is 2.8.3. > So currently OSSEC clients are actively blocking attacks but due to some > reason they have also flushed all the iptables rules

Re: [ossec-list] OSSEC flushed all the iptables rules

2016-06-14 Thread Zeal Vora
Yes. In the active-response I do see various entries of adding IPs to host-deny.sh /var/ossec/active-response/bin/host-deny.sh delete - X.X.X.X 1465234313.25970854 5720. However I am not sure on what caused OSSEC to flush all the iptables rules. We installed it yesterday and in all the machi

Re: [ossec-list] OSSEC flushed all the iptables rules

2016-06-14 Thread dan (ddp)
On Tue, Jun 14, 2016 at 9:13 AM, Zeal Vora wrote: > Yes. In the active-response I do see various entries of adding IPs to > host-deny.sh > > /var/ossec/active-response/bin/host-deny.sh delete - X.X.X.X > 1465234313.25970854 5720. > > However I am not sure on what caused OSSEC to flush all the ipt

Re: [ossec-list] OSSEC flushed all the iptables rules

2016-06-14 Thread dan (ddp)
On Tue, Jun 14, 2016 at 9:42 AM, dan (ddp) wrote: > On Tue, Jun 14, 2016 at 9:13 AM, Zeal Vora wrote: >> Yes. In the active-response I do see various entries of adding IP's to >> host-deny.sh >> >> /var/ossec/active-response/bin/host-deny.sh delete - X.X.X.X >> 1465234313.25970854 5720. >> Also,

Re: [ossec-list] OSSEC flushed all the iptables rules

2016-06-14 Thread Zeal Vora
Indeed. I went through the machine logs and there are 2 entries ( many of them with different IP ):- /var/ossec/active-response/bin/firewall-drop.sh add - X.X.X.X 1465898743.25694869 5706 /var/ossec/active-response/bin/host-deny.sh delete X.X.X.X * Is there any way to figure out on what exactly

Re: [ossec-list] OSSEC flushed all the iptables rules

2016-06-14 Thread dan (ddp)
On Tue, Jun 14, 2016 at 9:53 AM, Zeal Vora wrote: > Indeed. I went through the machine logs and there are 2 entries ( many of > them with different IP ):- > > /var/ossec/active-response/bin/firewall-drop.sh add - X.X.X.X > 1465898743.25694869 5706 > /var/ossec/active-response/bin/host-deny.sh dele

[ossec-list] Re: Upgrading to the latest OSSEC Agents

2016-06-14 Thread namobuddhaonion
Thanks Wes, Windows appears to be at the 2.83 OSSEC version, is this not the case with Linux versions? Thanks! On Monday, June 13, 2016 at 10:18:17 PM UTC-4, Wes wrote: > > I believe if you try to run install.sh, it will ask you if you want to > update OSSEC to the latest version, although, I

RE: [ossec-list] Error ossec webui on nginx

2016-06-14 Thread Alfred Kwentua
There are several web ui's for ossec which one are you running? -Original Message- From: ossec-list@googlegroups.com [mailto:ossec-list@googlegroups.com] On Behalf Of dan (ddp) Sent: Wednesday, June 8, 2016 9:12 AM To: ossec-list@googlegroups.com Subject: Re: [ossec-list] Error ossec web

Re: [ossec-list] Ransomware.

2016-06-14 Thread Brent Morris
I thought about doing this too. You could look for file extensions as mentioned before. But I struggled on how to make it effective, and then how to test it. To be realistic, I think you'd need a lab with a mirror of your environment (file share, ossec, etc) and actually run a variant of cryp

Re: [ossec-list] Nagios needs to sudo to read syslog causing unnecessary alerts

2016-06-14 Thread Antonio Querubin
On Mon, Jun 13, 2016 at 9:48 AM, Tahir Hafiz > wrote: We have a situation in which nagios, to do its nrpe checks, has to constantly read the /var/log/syslog. Therefore, we constantly have alerts at level 3 such as: Rule: 5502 (level 3) -> 'Login session closed.' Rule: 5501 (level 3) -> 'Login

Re: [ossec-list] OSSEC flushed all the iptables rules

2016-06-14 Thread Antonio Querubin
On Tue, 14 Jun 2016, Zeal Vora wrote: We installed OSSEC in our production machines yesterday and today we saw that all the iptables rules in all the machines were flushed. Something similar to iptables -F Any idea on what can cause this ? I am aware that OSSEC active-response can add or remove

[ossec-list] Very strange - syscheck not alerting at all -- not to log file or to email

2016-06-14 Thread Jeff Blaine
We're using OSSEC 2.8.3 in standalone mode and failing to get syscheck to be useful. We *are* getting other alerts via both the log file and email. We're stumped. Any insight would be appreciated. The ossec.conf configuration that is relevant. There is no fine-grained "email-alerts" section def

[ossec-list] Re: Very strange - syscheck not alerting at all -- not to log file or to email

2016-06-14 Thread Jeff Blaine
I'll also add that /var/ossec/queue/syscheck contains these 2 files, the larger of the 2 was last modified ~4 days ago. I don't know if that's useful info or not: -rw-r- 1 ossec ossec 3 May 21 10:29 .syscheck.cpt -rw-r- 1 ossec ossec 494689 Jun 9 10:48 syscheck

Re: [ossec-list] Re: Very strange - syscheck not alerting at all -- not to log file or to email

2016-06-14 Thread dan (ddp)
On Tue, Jun 14, 2016 at 12:47 PM, Jeff Blaine wrote: > I'll also add that /var/ossec/queue/syscheck contains these 2 files, the > larger of the 2 was last modified ~4 days ago. I don't know if that's useful > info or not: > > -rw-r- 1 ossec ossec 3 May 21 10:29 .syscheck.cpt > -rw-r-

[ossec-list] Re: Ossec - ping servers with alert on failure

2016-06-14 Thread Jacob Mcgrath
Sry from what I see I do have that timestamp header in my logging from Elsa... ServPing Game DeezNutZ down 2016 Jun 14 11:04:01 alamo->/var/log/messages Jun 14 11:04:01 alamo logger: ServPing Game DeezNutZ down And from my /var/log/message 2016 Jun 14 12:10:03 alamo->/var/log/syslog Jun 14 12

Re: [ossec-list] Re: Ossec - ping servers with alert on failure

2016-06-14 Thread dan (ddp)
On Tue, Jun 14, 2016 at 1:19 PM, Jacob Mcgrath wrote: > Sry from what I see I do have that timestamp header in my logging from > Elsa... > ServPing Game DeezNutZ down > > 2016 Jun 14 11:04:01 alamo->/var/log/messages Jun 14 11:04:01 alamo logger: > ServPing Game DeezNutZ down > > And from my /var/

Re: [ossec-list] Re: Ossec - ping servers with alert on failure

2016-06-14 Thread dan (ddp)
Using ^logger ^ServPing And Jun 14 13:28:29 ix logger: ServPing Domain server down Gives me: ossec-testrule: Type one log per line. Jun 14 13:28:29 ix logger: ServPing Domain server down **Phase 1: Completed pre-decoding. full event: 'Jun 14 13:28:29 ix logger: ServPing Domain ser

Re: [ossec-list] Re: Very strange - syscheck not alerting at all -- not to log file or to email

2016-06-14 Thread Jeff Blaine
On Tuesday, June 14, 2016 at 1:00:14 PM UTC-4, dan (ddpbsd) wrote: > > On Tue, Jun 14, 2016 at 12:47 PM, Jeff Blaine > wrote: > > I'll also add that /var/ossec/queue/syscheck contains these 2 files, the > > larger of the 2 was last modified ~4 days ago. I don't know if that's > useful > > in

Re: [ossec-list] Client.keys

2016-06-14 Thread Ed Gonzo
Hi Chris, I know I am late to the party, but I was wondering if you still had the excel batch file you used to parse the client.keys file? Thank you

Re: [ossec-list] Re: Very strange - syscheck not alerting at all -- not to log file or to email

2016-06-14 Thread dan (ddp)
On Tue, Jun 14, 2016 at 1:56 PM, Jeff Blaine wrote: > > > On Tuesday, June 14, 2016 at 1:00:14 PM UTC-4, dan (ddpbsd) wrote: >> >> On Tue, Jun 14, 2016 at 12:47 PM, Jeff Blaine wrote: >> > I'll also add that /var/ossec/queue/syscheck contains these 2 files, the >> > larger of the 2 was last modif

Re: [ossec-list] OSSEC flushed all the iptables rules

2016-06-14 Thread Doug Burks
Perhaps related to the Active Response bug mentioned in the comments here? https://web.archive.org/web/20150803131317/http://www.ossec.net/?p=1135 On Tue, Jun 14, 2016 at 9:09 AM, dan (ddp) wrote: > On Tue, Jun 14, 2016 at 9:01 AM, Zeal Vora wrote: >> I'm using the latest version of OSSEC ( 2.8

[ossec-list] Re: Ossec - ping servers with alert on failure

2016-06-14 Thread Jacob Mcgrath
ty that did it ty On Thursday, June 2, 2016 at 6:48:13 AM UTC-5, Jacob Mcgrath wrote: > > Was wondering on the best route/option to accomplish this? > > > (similar to the USB storage detection) > > Was thinking about a batch or bash that would ping servers from a list to > a file. That every so

Re: [ossec-list] Re: Very strange - syscheck not alerting at all -- not to log file or to email

2016-06-14 Thread Jeff Blaine
On Tuesday, June 14, 2016 at 2:02:55 PM UTC-4, dan (ddpbsd) wrote: > > On Tue, Jun 14, 2016 at 1:56 PM, Jeff Blaine > wrote: > > > > > > On Tuesday, June 14, 2016 at 1:00:14 PM UTC-4, dan (ddpbsd) wrote: > >> > >> On Tue, Jun 14, 2016 at 12:47 PM, Jeff Blaine > wrote: > >> > I'll also add

Re: [ossec-list] OSSEC flushed all the iptables rules

2016-06-14 Thread Antonio Querubin
On Tue, 14 Jun 2016, Doug Burks wrote: Perhaps related to the Active Response bug mentioned in the comments here? https://web.archive.org/web/20150803131317/http://www.ossec.net/?p=1135 No that's a bug in the host-deny.sh script. It has nothing to do with iptables. Antonio Querubin e-mail

[ossec-list] Re: Upgrading to the latest OSSEC Agents

2016-06-14 Thread Wes
The Linux/Unix server/agent appears to be at 2.8.3 as well: http://ossec.github.io/downloads.html The above referenced guide was more so in reference to the process, not the version. Thanks, Wes On Tuesday, June 14, 2016 at 10:36:59 AM UTC-4, namobud...@gmail.com wrote: > > Thanks Wes, > > Win