Re: [ossec-list] Re: Monitoring /var/log/messages

2016-10-07 Thread dan (ddp)
On Fri, Oct 7, 2016 at 12:21 PM, Yousif Johny wrote:
> Okay, I'll re-enable it and try to write a rule but,
>
> For now I'd like to know why after commenting it out it's still looking at this file.
>
> I made the change in ossec.conf under the local files portion to not look

Re: [ossec-list] Re: Monitoring /var/log/messages

2016-10-07 Thread dan (ddp)
On Fri, Oct 7, 2016 at 12:08 PM, Yousif Johny wrote:
> Just to add,
>
> The messages are:
>
> Level:
> 2 - Unknown problem somewhere in the system.
> Rule Id:
> 1002

You can write rules to eliminate those issues. In fact, that's my preferred method to get rid of 1002s.

[ossec-list] Re: Monitoring /var/log/messages

2016-10-07 Thread Yousif Johny
Just to add,

The messages are:

Level:
2 - Unknown problem somewhere in the system.
Rule Id:
1002

On Friday, October 7, 2016 at 5:01:44 PM UTC+1, Yousif Johny wrote:
>
> Hi,
>
> I notice in the Web Interface that a device monitored with an

[ossec-list] Solved: Re: ossec-analysisd out of memory

2016-10-07 Thread Thomas Unger
On Thursday, September 24, 2015 at 16:45:11 UTC+2, Thomas Unger wrote:
>
> Hello,
>
> I run ossec 2.8.1 compiled from source on a CentOS (el6 x64) 8 GB box, quite stable for over 2 years (incl. prev. ossec versions).
> Last week suddenly there was no processing of alerts. It turned out that

[ossec-list] Re: ossec-analysisd out of memory

2016-10-07 Thread Thomas Unger
Solved! To come back to that problem... It turned out that one of the lists I use to store file hashes was buggy. There were multiple colons ":" and some backslashes in one line. After cleaning each line so that it has only one colon separating key and value, and replacing backslash by slash, the problem

[ossec-list] Re: Correct way to overwrite a "chained" rule

2016-10-07 Thread Jesus Linares
Hi Christina,

1) I think you could create a child rule of 5503 (if_sid) with level 0. Then, use a regex to match a user with a backslash. In this way, you are ignoring alert 5503 if the user contains a backslash (or anything you put in the regex). You could do the same with alert 5551.

2) is