Hi,
you should create decoders and rules for that event. Check out the
documentation: http://ossec-docs.readthedocs.io/en/latest/syntax/analysis.html
Also, you can use the binary /var/ossec/bin/ossec-logtest to test your own
decoders/rules.
On Monday, January 30, 2017 at 7:04:34 AM UTC-8, Eli
On Tue, Jan 31, 2017 at 11:15 AM, SternData wrote:
> I'm getting hammered by probes for non-existent PHP files.
>
> Received From: sugaree->/var/log/httpd/xxx.com_error_log
> Rule: 1002 fired (level 2) -> "Unknown problem somewhere in the system."
> Portion of the
I'm getting hammered by probes for non-existent PHP files.
Received From: sugaree->/var/log/httpd/xxx.com_error_log
Rule: 1002 fired (level 2) -> "Unknown problem somewhere in the system."
Portion of the log(s):
[Tue Jan 31 09:57:35.809951 2017] [proxy_fcgi:error] [pid 25770] [client
On Tue, Jan 31, 2017 at 7:06 AM, Abhijit Tikekar wrote:
> Hi,
>
> I am unable to make work on our OSSEC instance for a few
> directories which are set for Real Time monitoring. OSSEC Agent version is
> 2.8.3 and server is currently on 2.8.1.
>
Start by correcting this
On Fri, Jan 27, 2017 at 11:00 AM, Daniel B. wrote:
>
> Yes, via ./ossec-control -r
>
root@ossec-test:/var/ossec/etc# /var/ossec/bin/ossec-control -r
Usage: /var/ossec/bin/ossec-control {start|stop|restart|status|enable|disable}
Try `/var/ossec/bin/ossec-control
On Mon, Jan 30, 2017 at 9:54 AM, Eli Tunkel wrote:
> Hi Guys
>
>
> I am looking to create a new custom ossec rule to capture a specific phrase in
> a log.
> I have added the required directory to the ossec.conf
> monitoring.
>
> LOG Sample:
>
> 2016-07-24 11:43:22,707 INFO
On Mon, Jan 30, 2017 at 10:46 AM, Bertrand Danos wrote:
> Hello,
>
> I still have some problems with my custom rules.
> How to generate 3 different alerts depending on the messages.
>
>
> Here are my steps :
>
> 1) Add log file to monitor
> * Edit the file etc/ossec.conf
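Putting the earlier advice (write a decoder and rules, then verify them with ossec-logtest) together for SternData's proxy_fcgi probes and for Bertrand's question about raising three different alerts depending on the message: the decoder and rule set below is an added example, not code from this thread or from the OSSEC project. The file paths, decoder name, rule IDs, client address and message phrases are assumptions; the part of the log line after "[client " is constructed, since the line quoted in the thread is cut off.

```xml
<!-- 1) Decoder, assumed to live in /var/ossec/etc/local_decoder.xml
        (check the <rules> section of your ossec.conf for where custom decoders load). -->
<decoder name="apache24-proxy-fcgi">
  <!-- Apache 2.4 error_log format as quoted in the thread; the tail after "[client "
       is constructed for this example:
       [Tue Jan 31 09:57:35.809951 2017] [proxy_fcgi:error] [pid 25770] [client 203.0.113.5:51234] AH01071: Got error 'Primary script unknown\n' -->
  <prematch>^[\w+ \w+ \d+ \d+:\d+:\d+.\d+ \d+] [proxy_fcgi:error] [pid \d+] [client </prematch>
  <!-- Capture the IPv4 client address without its port, then the rest of the line.
       OSSEC regex: \d is a digit, a bare '.' is a literal dot, \. is any character. -->
  <regex offset="after_prematch">^(\d+.\d+.\d+.\d+):\d+] (\.+)$</regex>
  <order>srcip, extra_data</order>
</decoder>

<!-- 2) Rules, assumed to live in /var/ossec/rules/local_rules.xml
        (IDs 100000-109999 are reserved for local rules). -->
<group name="local,apache,proxy_fcgi,">
  <!-- Parent rule: groups everything this decoder handles; level 0 never alerts by itself. -->
  <rule id="100200" level="0">
    <decoded_as>apache24-proxy-fcgi</decoded_as>
    <description>Apache proxy_fcgi error messages grouped.</description>
  </rule>

  <!-- Three child rules with different levels depending on the message text.
       The phrases are assumed; copy the exact text from your own error_log. -->
  <rule id="100201" level="5">
    <if_sid>100200</if_sid>
    <match>Primary script unknown</match>
    <description>Request for a PHP script that does not exist.</description>
  </rule>

  <rule id="100202" level="7">
    <if_sid>100200</if_sid>
    <match>failed to make connection to backend</match>
    <description>PHP-FPM backend unreachable.</description>
  </rule>

  <rule id="100203" level="3">
    <if_sid>100200</if_sid>
    <match>Timeout</match>
    <description>PHP-FPM request timed out.</description>
  </rule>

  <!-- Correlation: repeated "script does not exist" hits from one source IP inside
       120 seconds. This is the alert that actually matters when a scanner is hammering
       non-existent .php files; the single hits above can stay low-level. -->
  <rule id="100204" level="10" frequency="10" timeframe="120">
    <if_matched_sid>100201</if_matched_sid>
    <same_source_ip />
    <description>Multiple requests for non-existent PHP scripts from the same source (probable scanner).</description>
  </rule>
</group>
```

After restarting the server (/var/ossec/bin/ossec-control restart, as the usage line quoted further down shows), run /var/ossec/bin/ossec-logtest on the manager and paste the error_log line on stdin: it prints which decoder claimed the line, the fields it decoded (srcip, extra_data) and the rule ID and level that fired. OSSEC takes the first decoder whose prematch fits, so if logtest reports that a stock decoder already owns this line, drop the custom decoder and point `<decoded_as>` in rule 100200 at the name logtest printed instead. Note that `<match>` is case-sensitive, so the phrases must be copied exactly.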
On Sun, Jan 29, 2017 at 2:54 PM, wrote:
> My web servers logs are being decoded as 'pure-transfer' instead of as an
> apache log due to the time format, which includes a dash '-'. If I remove
> the dash, then the logs are decoded as apache logs. I believe I have to
>
On Mon, Jan 30, 2017 at 9:14 AM, Tibor Luth wrote:
> Hi all!
>
> I have a few datasources sending remote syslog to an OSSIM appliance running
> Rsyslog (udp or tcp/514) and OSSEC server and local agent. First I would
> like to generate alerts or see in logs if a datasource
I'm using 2.8.3.
I managed to add agent key using the command below:
echo y | "D:\Program Files (x86)\ossec-agent\manage_agents.exe" -i
As for server IP, I used the following PowerShell snippet (it would be nice
if manage_agents.exe handled that as well):
$ossec_config_file =
Hi,
I am unable to make work on our OSSEC instance for a few
directories which are set for Real Time monitoring. OSSEC Agent version is
2.8.3 and server is currently on 2.8.1.
I have tried to set no on both server and the
agent, but OSSEC still keeps ignoring the checksum change after 3rd time.
hi
Wazuh has rule updates and a nice integration of PCI DSS compliance.
More and more Wazuh is different from OSSEC, but I think they contribute to it
too.
I'm still using OSSEC with our ELK, but ELK is a pain in the ass to upgrade, so I
think Graylog
is better for searching logs.
there is