[ossec-list] Adding rules to ossec logs

2011-09-27 Thread AlgoBoy
In my ossec, active-responses.log contains the IPs blocked, but I am not able to find the reason why active response was raised. I know there are a lot of rules associated with it; it will be good if the corresponding rule which triggered active-response is also added in the log. Is there any way t

[ossec-list] Email Alert Problem

2011-09-28 Thread AlgoBoy
In my ossec.conf, the alert element has email_alert_level set to 7 and the log_alert_level set to 1, and I have enabled emailing during setup. The problem is I'm getting email alerts for levels which are less than 7 also. Is there any additional configuration which we need to pass? I went through t

[ossec-list] Email Alerts Problem

2011-09-28 Thread AlgoBoy
In my ossec.conf, the alert element has email_alert_level set to 7 and the log_alert_level set to 1, and I have enabled emailing during setup. The problem is I'm getting email alerts for levels which are less than 7 also. Is there any additional configuration which we need to pass? I went through t

[ossec-list] Re: Email Alert Problem

2011-09-28 Thread AlgoBoy
n > to always send emails. > On Sep 28, 2011 4:32 AM, "AlgoBoy" wrote: > > > > > > > > > In my ossec.conf, the alert element has email_alert_level set to 7 and > > the log_alert_level set to 1 and I have enabled emailing during > > setup. >

[ossec-list] Re: Email Alert Problem

2011-09-28 Thread AlgoBoy
rule id="1002", I'm getting at least 10 emails per day regarding this. But the service seemed to work fine. On Sep 28, 1:51 pm, "dan (ddp)" wrote: > It should be (assuming the rules are less than level 7). Out of curiosity, > which rules are annoying you? >

[ossec-list] Re: Email Alert Problem

2011-09-28 Thread AlgoBoy
it some potential problem. On Sep 28, 2:09 pm, "dan (ddp)" wrote: > I kinda thought that would be the rule you want to ignore. Why not just > write rules to ignore the log messages causing the 1002s? I think that's why > half of the ossec rules were written. > On Sep

[ossec-list] Re: Email Alert Problem

2011-09-28 Thread AlgoBoy
alse positive. You have to > look at the actual log message to determine that. > On Sep 28, 2011 5:35 AM, "AlgoBoy" wrote: > > > > > > > > > Thanks for the advice. > > This rule is triggered on the following. > > > core_dumped|failure|erro

[ossec-list] Check sum integrity changed again

2011-09-28 Thread AlgoBoy
I found in my /etc/passwd file that there are three "extra" users that cannot log in but are listed: ossec ossecm ossecr. What are these for? I know they are attached to the OSSEC HIDS software, but can anyone explain what these users are for? I think they might be the reason I keep getting checksum

[ossec-list] Re: Check sum integrity changed again

2011-09-28 Thread AlgoBoy
be48b9b5a38b60fe' New md5sum is : 'c7bafef836545ad7dd22420ef72426dd' Old sha1sum was: '6ad7cfd6e6d4e3e0240703656ba76562cc404318' New sha1sum is : 'b5a6bae623ecf99e140de7550d15b62f59c2fd7c' On Sep 28, 5:28 pm, "dan (ddp)" wrote: > On Wed, Sep 28,

[ossec-list] Re: Check sum integrity changed again

2011-09-28 Thread AlgoBoy
My bad, I think these integrity errors mainly happen because I'm not restarting ossec i.e. ossec-control stop and start. On Sep 28, 5:59 pm, AlgoBoy wrote: > OSSEC HIDS Notification. > 2011 Sep 22 09:15:57 > > Received From: ip-10-251-134-240->syscheck > Rule: 551 fired

[ossec-list] unable to start Ossec

2011-10-03 Thread AlgoBoy
Hi all, I ran the below command, but ossec doesn't seem to start. ./bin/ossec-control start Starting OSSEC HIDS v2.5.1 (by Trend Micro Inc.)... 2011/10/03 09:16:23 ossec-testrule: INFO: Reading local decoder file. Deleting PID file '/var/ossec/var/run/ossec-logcollector-16071.pid' not used... De

[ossec-list] Re: unable to start Ossec

2011-10-03 Thread AlgoBoy
t; > Let me know if that helps . > > Cheers > > > > > > > > On Mon, Oct 3, 2011 at 12:36 PM, AlgoBoy wrote: > > Hi all, > > > I ran the below command, but ossec doesn't seem to start. > > > ./bin/ossec-control start > > > Starting O