Hi,
it is very interesting. Right now, Wazuh is able to extract dynamic fields
and use them in the rule description. Example for your log:
**Phase 1: Completed pre-decoding.
full event: '2017 Mar 02 04:04:22 WinEvtLog: Security:
AUDIT_FAILURE(4656): Microsoft-Windows-Security-Auditing:
Hi Barry,
the AR queue is managed by process *ossec-remoted*. Please confirm that
it's up with:
/var/ossec/bin/ossec-control status
And take a look for the ossec.log file:
grep ossec-remoted /var/ossec/logs/ossec.log | tail -n 20
The *ossec-remoted* process dies if file
The ec2 instance that was running the ossec server died. I rebuilt the
instance, remounted the disk that had the ossec data files. The server is
up, and 'bin/agent_control -l' shows all the agents. But agents cannot
connect.
I have tried restarting agents. I have also updated the client.key.
This script works for me:
#!/bin/bash
#
# Functions
##
# Print the value after "= " on line $2 of file $1
function extractSumFromLine(){
number=$(sed -n "${2}p" "$1" | sed 's/.*= //')
echo "$number"
}
# Compare two values: print "." on a match, otherwise an error line
function compare(){
if [ "$1" = "$2" ]
then
echo -n "."
else
echo -e "\nerror"
fi
}
# (the rest of the script was cut off in the original message)
On Mar 6, 2017 9:42 AM, "Eduardo Reichert Figueiredo" <
eduardo.reich...@hotmail.com> wrote:
Dear all,
my OSSEC doesn't list agentless servers with the command "agent_control -l", and in
my ossec.log I have the log below.
2017/03/06 11:27:54 ossec-logcollector: socketerr (not available).
2017/03/06 11:30:04
On Mar 6, 2017 9:51 AM, "Eduardo Reichert Figueiredo" <
eduardo.reich...@hotmail.com> wrote:
Hi all,
Is there a possibility of writing the source IP address in integrity check events?
So that the alert displays the real IP?
There is no IP information in the syscheck log messages, so there is
nothing to print.
On Mar 6, 2017 11:16 AM, "Sam Gardner" wrote:
Once I turned on "alert_new_files" I started getting alerts - things appear
to be working now.
Is there any way to completely disable the logcollector daemon? We have
another process that does that job so no need to have that bit
Once I turned on "alert_new_files" I started getting alerts - things appear
to be working now.
Is there any way to completely disable the logcollector daemon? We have
another process that does that job so no need to have that bit running -
removing the "" section doesn't seem to do the trick.
Hi all,
Is there a possibility of writing the source IP address in integrity check events?
So that the alert displays the real IP?
On Friday, March 3, 2017 at 15:55:14 UTC-3, dan (ddpbsd) wrote:
>
> On Fri, Mar 3, 2017 at 3:04 AM, Casimiro
> wrote:
> > I solve my problem with
There were some unreported issues with 2.9, so I'm hoping to roll 2.9.1
real soon now.
Going forward, I'm going to work on a better test plan for releases. I've
been sloppy and need to improve that.
On Mar 6, 2017 9:01 AM, "Kat" wrote:
> Hi all,
>
> It seems to me that
Dear all,
my OSSEC doesn't list agentless servers with the command "agent_control -l", and in
my ossec.log I have the log below.
2017/03/06 11:27:54 ossec-logcollector: socketerr (not available).
2017/03/06 11:30:04 ossec-logcollector: socketerr (not available).
2017/03/06 11:32:14 ossec-logcollector:
Works for me
On Mon, Mar 6, 2017 at 11:36 AM, Eero Volotinen
wrote:
> Works fine from my browser.
>
> Eero
>
> 2017-03-06 9:58 GMT+02:00 :
>
>> I can't access https://www.atomicorp.com/downloads, the website returns
>> this error:
>>
>>
I don't know, but good question...
On Monday, March 6, 2017 at 11:01:32 UTC-3, Kat wrote:
>
> Hi all,
>
> It seems to me that 2.9.0 is released - at least no more RC# after the
> last one. My question is, is this the case, and if so, could the website be
> updated to reflect it?
Works fine from my browser.
Eero
2017-03-06 9:58 GMT+02:00 :
> I can't access https://www.atomicorp.com/downloads, the website returns
> this error:
>
> Forbidden You do not have permission to access this document.
>
> --
> Web Server at
I have installed OSSEC with the Puppet module provided by Wazuh. With this
module I have set up a server with a couple of agents setup and I have
enabled MySQL support.
The problem is that the alert table is missing a lot of records after
running OSSEC for a few weeks. The tables category,
I can't access https://www.atomicorp.com/downloads, the website returns this
error:
Forbidden You do not have permission to access this document.
--
Web Server at atomicorp.com
Has anyone else had this problem?
--
---
You received this message because you are
I can't access https://atomicorp.com/downloads, does anyone else get this error:
Forbidden You do not have permission to access this document.
--
Web Server at atomicorp.com
Hi,
my problem was the agent keys; now they are OK.
Thanks!!
On Saturday, March 4, 2017 at 18:33:43 UTC-3, dan (ddpbsd) wrote:
>
> On Sat, Mar 4, 2017 at 2:36 PM, Eduardo Reichert Figueiredo
> wrote:
> > Hi All,
> > I killed the process and ran the command "ossec-control
Hi all,
It seems to me that 2.9.0 is released - at least no more RC# after the last
one. My question is, is this the case, and if so, could the website be
updated to reflect it? According to GitHub the release was 25 days ago,
but the website still indicates 2.8.3?
Thanks
Kat