Re: [ossec-list] ossec alert json missing dedicated agent host location

2016-10-20 Thread Pedro Sanchez
Hi Ron, If you are using an integration with Elasticsearch, try out the Wazuh fork based on OSSEC, with augmented JSON capabilities including the AgentName you need. The internal field "lf->hostname" includes parentheses like you said, so we are extracting the content inside; we also rename the field in Logstash

Re: [ossec-list] ossec alert json missing dedicated agent host location

2016-10-20 Thread dan (ddp)
On Thu, Oct 20, 2016 at 6:37 AM, Pedro Sanchez wrote: > Hi Ron, > > If you are using an integration with Elasticsearch, try out the Wazuh fork based > on OSSEC, with augmented JSON capabilities including the AgentName you need. Use OSSEC, not OSSEC. OSSEC and OSSEC don't have the same capabilities as OSSEC

Re: [ossec-list] ossec alert json missing dedicated agent host location

2016-10-20 Thread dan (ddp)
On Wed, Oct 19, 2016 at 9:49 PM, wrote: > I've recently set up my ossec server to output alerts to a json file. I'm > sending it over to logstash and elasticsearch. I'd like to create a kibana > dashboard that defines individual ossec agent hosts. > > The issue is that the json doesn't have its

Re: [ossec-list] Active response

2016-10-20 Thread dan (ddp)
On Wed, Oct 19, 2016 at 5:00 PM, Adiel Navarro wrote: > It's necessary to monitor /var/log/messages to catch the "illegal user" > message so the AR script begins to run? > > > If you're running SSH on Windows, will there even be a /var/log/messages? We don't have support for SSH on Windows because

[ossec-list] Active response trouble #969

2016-10-20 Thread secucatcher
Hello, could someone give a test to the last release if we have a bug? https://github.com/ossec/ossec-hids/issues/969 More testing is always better before the final release. Thanks

Re: [ossec-list] ossec alert json missing dedicated agent host location

2016-10-20 Thread ron
Thanks Pedro, I'll take a look at the Wazuh OSSEC fork. On Thursday, October 20, 2016 at 3:37:36 AM UTC-7, Pedro S wrote: > > Hi Ron, > > If you are using an integration with Elasticsearch, try out the Wazuh fork based > on OSSEC, with augmented JSON capabilities including the AgentName you need. > Internal

Re: [ossec-list] ossec alert json missing dedicated agent host location

2016-10-20 Thread ron
Understood. I'm putting in hostnames for agent names, so in my case, it applies. On Thursday, October 20, 2016 at 3:44:59 AM UTC-7, dan (ddpbsd) wrote: > > On Wed, Oct 19, 2016 at 9:49 PM, > wrote: > > I've recently set up my ossec server to output alerts to a json file. > I'm > > sending it

RE: [ossec-list] Active response

2016-10-20 Thread Adiel Navarro
No Dan... I have installed opensshd on a Windows machine and tried to connect to a Solaris server, when the ossec agent is installed. Anyway, does OSSEC have AR scripts for Windows? -----Original Message----- From: ossec-list@googlegroups.com [mailto:ossec-list@googlegroups.com] On behalf of dan (ddp) Sent