Re: [ossec-list] agentless monitoring and cisco ios switches

2016-11-17 Thread dan (ddp)
On Thu, Nov 17, 2016 at 11:39 AM, Kevin COUSIN wrote:
> Hi list,
>
> I try to use agentless on cisco ios switches. I add in ossec.conf
>
> ssh_pixconfig_diff
> 300
> user@switch
> periodic_diff
>
> I have ossec-agentlessd: INFO: Test passed for

[ossec-list] agentless monitoring and cisco ios switches

2016-11-17 Thread Kevin COUSIN
Hi list,
I try to use agentless on cisco ios switches. I add in ossec.conf
ssh_pixconfig_diff
300
user@switch
periodic_diff
I have ossec-agentlessd: INFO: Test passed for 'ssh_pixconfig_diff'. in log file but I don't know if it connects to my switch. How can I test?

Re: [ossec-list] Re: Don't see the intrusion logs

2016-11-17 Thread dan (ddp)
Did you restart the ossec processes after adding the new localfile entry? Try running the logs through ossec-logtest.
On Thu, Nov 17, 2016 at 5:39 AM, Arthur Hidalgo wrote:
> In the file "/var/log/secure" :
>
> Nov 17 11:05:03 PCYINTPSEVU001 sshd[35427]:

[ossec-list] Re: Don't see the intrusion logs

2016-11-17 Thread Arthur Hidalgo
In the file "/var/log/secure":
Nov 17 11:05:03 PCYINTPSEVU001 sshd[35427]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.22.130.26 user=SVCWABADMINSUP
Nov 17 11:05:03 PCYINTPSEVU001 sshd[35427]: pam_sss(sshd:auth): authentication success; logname=

[ossec-list] Re: Don't see the intrusion logs

2016-11-17 Thread Arthur Hidalgo
No. I don't see other alerts.
On Thursday, 17 November 2016 08:05:15 UTC+1, Arthur Hidalgo wrote:
> Hi!
>
> I have installed OSSEC agents on RedHat VM. But I have not seen the intrusion alerts on the Web. On RedHat VM, the intrusion logs are in the file: "../var/log/secure".
> This is the

Re: [ossec-list] Re: Don't see the intrusion logs

2016-11-17 Thread Pedro Sanchez
Can you see other alerts coming from your agent on the WUI? Try to grep your agent name in /var/ossec/logs/alerts/alerts.log. Remember to add your web server user (apache, www or nobody) to the ossec group.
On Thu, Nov 17, 2016 at 10:55 AM, Arthur Hidalgo wrote:
>

[ossec-list] Re: Don't see the intrusion logs

2016-11-17 Thread Arthur Hidalgo
Yes, OSSEC WUI. The agent is connected. So, if I go on the VM, the agent would have to detect an intrusion of me.
On Thursday, 17 November 2016 08:05:15 UTC+1, Arthur Hidalgo wrote:
> Hi!
>
> I have installed OSSEC agents on RedHat VM. But I have not seen the intrusion alerts on the Web. On

Re: [ossec-list] Don't see the intrusion logs

2016-11-17 Thread Pedro Sanchez
Hi Arthur,
What do you mean by "on the Web?" OSSEC WUI? Your configuration looks right, is your agent connected? You can check the status with:
*/var/ossec/bin/agent_control -l*
Once the agent is connected, it should report log/secure events to the Manager.
Best regards, Pedro S.
On Thu,