Re: [ossec-list] Dynamic values in regex inside OSSEC rules?

2017-03-06 Thread Jesus Linares
Hi, it is very interesting. Right now, Wazuh is able to extract dynamic fields and use them in the rule description. Example for your log: **Phase 1: Completed pre-decoding. full event: '2017 Mar 02 04:04:22 WinEvtLog: Security: AUDIT_FAILURE(4656): Microsoft-Windows-Security-Auditing:

[ossec-list] Re: Had to rebuild the server, now how to get agent to reconnect

2017-03-06 Thread Victor Fernandez
Hi Barry, the AR queue is managed by process *ossec-remoted*. Please confirm that it's up with: /var/ossec/bin/ossec-control status And take a look at the ossec.log file: grep ossec-remoted /var/ossec/logs/ossec.log | tail -n 20 The *ossec-remoted* process dies if file

[ossec-list] Had to rebuild the server, now how to get agent to reconnect

2017-03-06 Thread Barry Kaplan
The ec2 instance that was running the ossec server died. I rebuilt the instance, remounted the disk that had the ossec data files. The server is up, and 'bin/agent_control -l' shows all the agents. But agents cannot connect. I have tried restarting agents. I have also updated the client.key.

[ossec-list] Re: How to check that chained checksums are correct

2017-03-06 Thread Dominik
This script works for me:

#!/bin/bash
#
# Functions
##
function extractSumFromLine(){
    number=`sed -n ${2}p $1 | sed 's/.*= //'`
    echo $number
}
function compare(){
    if [ "$1" = "$2" ]
    then
        echo -n "."
    else
        echo -e "\nerror

Re: [ossec-list] ossec-logcollector: socketerr (not available).

2017-03-06 Thread dan (ddp)
On Mar 6, 2017 9:42 AM, "Eduardo Reichert Figueiredo" < eduardo.reich...@hotmail.com> wrote: Dear all, my OSSEC doesn't list agentless servers with the command "agent_control -l" and in my ossec.log I have the log below. 2017/03/06 11:27:54 ossec-logcollector: socketerr (not available). 2017/03/06 11:30:04

Re: [ossec-list] Re: Windows override Audit Events. Decoder

2017-03-06 Thread dan (ddp)
On Mar 6, 2017 9:51 AM, "Eduardo Reichert Figueiredo" < eduardo.reich...@hotmail.com> wrote: Hi all, is there a possibility of writing the source IP address in integrity check events, so the alert displays the real IP? There is no IP information in the syscheck log messages, so there is nothing to print.

Re: [ossec-list] Enable only syscheckd for FIM

2017-03-06 Thread dan (ddp)
On Mar 6, 2017 11:16 AM, "Sam Gardner" wrote: Once I turned on "alert_new_files" I started getting alerts - things appear to be working now. Is there any way to completely disable the logcollector daemon? We have another process that does that job so no need to have that bit

Re: [ossec-list] Enable only syscheckd for FIM

2017-03-06 Thread Sam Gardner
Once I turned on "alert_new_files" I started getting alerts - things appear to be working now. Is there any way to completely disable the logcollector daemon? We have another process that does that job so no need to have that bit running - removing the "" section doesn't seem to do the trick.

Re: [ossec-list] Re: Windows override Audit Events. Decoder

2017-03-06 Thread Eduardo Reichert Figueiredo
Hi all, is there a possibility of writing the source IP address in integrity check events, so the alert displays the real IP? On Friday, March 3, 2017 at 15:55:14 UTC-3, dan (ddpbsd) wrote: > > On Fri, Mar 3, 2017 at 3:04 AM, Casimiro > wrote: > > I solve my problem with

Re: [ossec-list] Is OSSEC 2.9.0 officially released?

2017-03-06 Thread dan (ddp)
There were some unreported issues with 2.9, so I'm hoping to roll 2.9.1 real soon now. Going forward, I'm going to work on a better test plan for releases. I've been sloppy and need to improve that. On Mar 6, 2017 9:01 AM, "Kat" wrote: > Hi all, > > It seems to me that

[ossec-list] ossec-logcollector: socketerr (not available).

2017-03-06 Thread Eduardo Reichert Figueiredo
Dear all, my OSSEC doesn't list agentless servers with the command "agent_control -l" and in my ossec.log I have the log below. 2017/03/06 11:27:54 ossec-logcollector: socketerr (not available). 2017/03/06 11:30:04 ossec-logcollector: socketerr (not available). 2017/03/06 11:32:14 ossec-logcollector:

Re: [ossec-list] can't access https://www.atomicorp.com/downloads

2017-03-06 Thread Noilson Caio
Works for me On Mon, Mar 6, 2017 at 11:36 AM, Eero Volotinen wrote: > Works fine from my browser. > > Eero > > 2017-03-06 9:58 GMT+02:00 : > >> I can't access https://www.atomicorp.com/downloads, the website returns >> this error: >> >>

[ossec-list] Re: Is OSSEC 2.9.0 officially released?

2017-03-06 Thread Eduardo Reichert Figueiredo
I don't know, but good question... On Monday, March 6, 2017 at 11:01:32 UTC-3, Kat wrote: > > Hi all, > > It seems to me that 2.9.0 is released - at least no more RC# after the > last one. My question is, is this the case, and if so, could the website be > updated to reflect it?

Re: [ossec-list] can't access https://www.atomicorp.com/downloads

2017-03-06 Thread Eero Volotinen
Works fine from my browser. Eero 2017-03-06 9:58 GMT+02:00 : > I can't access https://www.atomicorp.com/downloads, the website returns > this error: > > Forbidden You do not have permission to access this document. > > -- > Web Server at

[ossec-list] OSSEC - Alert table in MySQL is not getting all information

2017-03-06 Thread HielkeJ
I have installed OSSEC with the Puppet module provided by Wazuh. With this module I have set up a server with a couple of agents and I have enabled MySQL support. The problem is that the alert table is missing a lot of records after running OSSEC for a few weeks. The tables category,

[ossec-list] can't access https://www.atomicorp.com/downloads

2017-03-06 Thread nguyenvanthong . uit
I can't access https://www.atomicorp.com/downloads, the website returns this error: Forbidden You do not have permission to access this document. -- Web Server at atomicorp.com Does anyone have this problem?

[ossec-list] can't access https://atomicorp.com/downloads

2017-03-06 Thread nguyenvanthong . uit
I can't access https://atomicorp.com/downloads, does anyone have this error: Forbidden You do not have permission to access this document. -- Web Server at atomicorp.com

Re: [ossec-list] ossec-remoted not running

2017-03-06 Thread Eduardo Reichert Figueiredo
Hi, my problem was the keys of the agents, now they are OK. Thanks!! On Saturday, March 4, 2017 at 18:33:43 UTC-3, dan (ddpbsd) wrote: > > On Sat, Mar 4, 2017 at 2:36 PM, Eduardo Reichert Figueiredo > wrote: > > Hi All, > > I killed the process and ran the command "ossec-control

[ossec-list] Is OSSEC 2.9.0 officially released?

2017-03-06 Thread Kat
Hi all, It seems to me that 2.9.0 is released - at least no more RC# after the last one. My question is, is this the case, and if so, could the website be updated to reflect it? According to the GitHub release it was 25 days ago, but the website still indicates 2.8.3? Thanks Kat