Response inline
> -Original Message-
> From: ossec-list@googlegroups.com [mailto:ossec-list@googlegroups.com]
> On Behalf Of dan (ddp)
> Sent: Wednesday, August 3, 2016 5:52 AM
> To: ossec-list@googlegroups.com
> Subject: Re: [ossec-list] eventchannel decoder testing
>
> On Tue, Aug 2, 20
Pedro,
Awesome! Your method worked flawlessly. Thanks!
Cal
On Tuesday, August 2, 2016 at 8:51:59 PM UTC-4, Pedro S wrote:
>
> Hi Cal,
>
>
> Try disabling counters. They lose synchronisation specially when agents
> are reinstalled.
> Edit /var/ossec/etc/internal_options.conf and set
> "remoted.
I know that, but maybe somebody knows a way around that. That's why I
ask. There is always a way, and I will find it :-)
Thanks.
On Wed, Aug 3, 2016 at 4:16 PM, dan (ddp) wrote:
> On Wed, Aug 3, 2016 at 9:07 AM, Herman Harperink
> wrote:
> > Hi Dan,
> >
> > When my phone / pc /ipad collects emai
On Wed, Aug 3, 2016 at 9:07 AM, Herman Harperink
wrote:
> Hi Dan,
>
> When my phone / pc /ipad collects email I get a "dovecot authentication
> success" event. I could ignore this event by downrating it to zero in
> local_rules so it won't be logged, but I want to see all successful
> authenticati
One thing to also check is permissions and ownership on "merged.mg" - many
times I see it get mucked up and OSSEC can't read it. I have found that if
I delete it, then restart OSSEC it will be re-created and it no longer has
issues sending the file after that. (Not sure WHY it happens though)
Hmm -- I re-use IDs all the time. Did it when I had 30,000+ agents, and now
with only 10,000. You just have to delete the key (I don't like that they
are commented out) and make sure you remove the rids agent files in
/var/ossec/queue/ossec/rids - find the number of the agent you removed and
r
my user is an administrator. On his behalf, I ran the executable file
Hi Dan,
When my phone / pc /ipad collects email I get a "dovecot authentication
success" event. I could ignore this event by downrating it to zero in
local_rules so it won't be logged, but I want to see all successful
authentications on my mailserver from hosts that are not my own (since I am
the
On Tue, Aug 2, 2016 at 10:40 PM, lostinthetubez
wrote:
> I’d give Wazuh a whirl, if I were you. They’ve got decoders and rules for
> sysmon, as well as eventchannel working (or I assume they do, if they have
> that stuff setup for sysmon).
>
>
>
> My current decoder/rule development server and age
On Wed, Aug 3, 2016 at 1:48 AM, Herman Harperink
wrote:
> Hi all,
>
> Can somebody hint me in the right direction on this?
> I have two dynamic hosts with a ddns hostname and I don't want those to
> trigger events. But I can't find a way to do that anywhere.
>
> Thanks in advance.
>
Remove the a
On Wed, Aug 3, 2016 at 4:34 AM, Семён С wrote:
> Hi
>
> I'm trying to install the agent on Windows XP (Professional version 2002, SP3) on a
> VirtualBox hd. The user is already in the "Administrators" group. Installation was
> successful, server IP and key are saved. But when I run the agent, the
> following message a
Hi
I'm trying to install the agent on Windows XP (Professional version 2002, SP3) on a
VirtualBox hd. The user is already in the "Administrators" group. Installation was
successful, server IP and key are saved. But when I run the agent, the
following
message appears:
Unable to start agent (check config)
ossec.log
>
> Ossec-logtest is stripping “2016 Jul 29 22:32:24 WinEvtLog:” before
> processing it against the decoders. It isn’t supposed to be doing this. At
> least, this was not the behavior under 2.8.3...
ossec-logtest should not cut the "headers". I'll take a look at the new
ossec version.
Also,
Hi Craig,
Did you try to use the new decoders? I think it could work.
Steps:
- Create a backup of your decoder.xml
- Replace "windows decoder" copying from line 174 to 417 of this file
(https://github.com/wazuh/ossec-rules/blob/master/rules-decoders/ossec/decoders/windows_decoder