Hi,
try:
$(CC) server.cpp config.h $(CFLAGS) -c -o $@ $< -I./$(INCLUDE_PATH)
instead of:
$(CC) server.cpp config.h $(CFLAGS) -c $@ -I./$(INCLUDE_PATH)
Option -c tells the compiler that it shouldn't compile, but you have to use
"-o" in order to specify the output. $@=server.o. Then use $<
I'm a rookie in makefile. This is the problem I have. It has been boring me
for a day. Please give me some advice.
This is my makefile:
CC = g++
LINK = g++
CFLAGS = -Wall
INCLUDE_PATH = install/include
LIB_PATH = install/lib
LIBS = -lboost_thread -lboost_system -Llib #-ljsoncpp
SRC_DIR = .
VPATH
Hi Guys,
Just wanted to check if anybody has an idea on how to throttle the events
in OSSEC. I have a situation where there are 20 duplicate alerts within a
second and I would want to raise only 1 alert for that. Is there any event
throttling mechanism in OSSEC where only 1 event can be rai
I was interested to hear what people's favorite custom OSSEC rules are?
Thanks.
--
---
You received this message because you are subscribed to the Google Groups
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to ossec-list+unsubscr...@goog
I have done all the configuration in ms-sccm.cfg [existing file in plugin
folder].
But I still don't see anything in alerts.log.
On Saturday, July 1, 2017 at 1:37:04 AM UTC+4, dan (ddpbsd) wrote:
>
> On Thu, Jun 29, 2017 at 1:00 AM, Irshad Rahimbux
> > wrote:
> > Dear Team,
> >
> > I would like
Hi,
in the agent you must enable active-response:
no
Then, restart the agent, generate the 100101 rule, and check out the
*active-response.log* of the agent.
I hope it helps.
On Tuesday, July 4, 2017 at 4:26:27 AM UTC+2, Tunguyen wrote:
>
> I've checked the ossec.conf on server side and
Hi Kazim,
- Review the ossec.log of your agent: is it monitoring the file? Are
there errors?
- The log file must exist before OSSEC is started.
- Try with the format "syslog".
- Copy some logs to /var/ossec/bin/ossec-logtest and check if an alert
would be generated.
Just som
Hi Ian,
changing the decoders could be a harmful process. Keep in mind that if you
change something in /var/ossec/rules, it will be overwritten during an
update.
Wazuh has created the *decoder_exclude* to simulate the *overwrite* option
existing in rules but not in decoders. Take a look at the
Hi Ian,
Here you have the syntax of the OSSEC regexes:
https://documentation.wazuh.com/current/user-manual/ruleset/ruleset-xml-syntax/regex.html
> Another difference I've discovered is that Perl's regex is greedy --
> it'll match all it can. It looks like this regex will only match the
> least
I never used it:
http://ossec-docs.readthedocs.io/en/latest/syntax/head_rules.html#element-time
I think it is the time when the event comes to the manager (not the original
time).
On Thursday, July 6, 2017 at 3:46:49 AM UTC+2, dan (ddpbsd) wrote:
>
> On Mon, Jul 3, 2017 at 6:10 AM, Fredrik Hilmer
Yes, OSSEC mentions the log files and says it is analyzing the log file. I tried
with the apache log format and without logformat settings, and the result is the
same. What could be a workaround for that?
On Thursday, 6 July 2017 23:37:55 UTC+3, Kazim Koybasi wrote:
>
> I added config below to etc/shared/agent.conf
Hi Victor,
Thanks for your reply. I did everything you told me, but the error persists.
I continuously receive many logs as below:
ossec-agentd: Failed md5 for: shared/merged.mg -- deleting.
A new thing that I realized is that the file ar.conf is not present in
windows agent installation direc
12 matches