The problem is fixed, it just takes an average amount of time to pull the
integrity changes.
On Saturday, May 18, 2013 4:12:44 PM UTC+5, Ali man wrote:
>
> Well the logs are fine, I fixed the problem by setting the time on the agent
> side (2 min) lower than the server time (5 min), still it take
From the ossec server to Qradar (siem) it's sending logs as
<132>May 17 13:32:08 ubuntu ossec: Alert Level: 5; Rule: 31101 - Web server
400 error code.; Location: (webserver)
w.x.y.z->/usr/local/apache2/logs/access_log; srcip: a.b.c.d; a.b.c.d - -
[18/May/2013:18:23:06 +0500] "GET /images/steps.swf
Well the logs are fine, I fixed the problem by setting the time on the agent
side (2 min) lower than the server time (5 min), still it takes forever for the
syscheck to update itself.
On Saturday, May 18, 2013 12:14:15 AM UTC+5, Ali man wrote:
>
> I'm sorry Dan, I'm away from my computer,
to 20
hours)
On Friday, May 17, 2013 12:00:09 PM UTC-7, dan (ddpbsd) wrote:
>
> On Fri, May 17, 2013 at 2:57 PM, Ali man >
> wrote:
> > You said that time thing has to be changed on the agent, but it won't change
> > anything outside the default 20 hours limit, I tried chan
that correct? And tell it to do it in real-time.
On Friday, May 17, 2013 11:15:50 AM UTC-7, dan (ddpbsd) wrote:
>
> On Fri, May 17, 2013 at 1:59 PM, Ali man >
> wrote:
> > Thanks for the update. I have checked in the dir and you are right there
> is
> > listed all the fi
, 2013 8:46:10 PM UTC+5, dan (ddpbsd) wrote:
>
> On Fri, May 17, 2013 at 11:08 AM, Ali man >
> wrote:
> >
> > For e.g Under the ossec.conf at agent side,
> > %WINDIR%/win.ini
> >
> > I just for testing purposes edit the win.ini file and add content to it
For e.g. under the ossec.conf at the agent side,
%WINDIR%/win.ini
I just, for testing purposes, edit the win.ini file and add content to it,
but the ossec server doesn't trigger any alert for this change. At the
server end the is at default, do I have to make any changes,
like tell the folder o
Thanks, the problem was solved. I ran the commands at /bin:
./ossec-csyslogd
./ossec-remoted
and it is working all fine now.
On Thursday, May 16, 2013 11:42:14 PM UTC+5, Ali man wrote:
>
> In my environment , I'm using OSSEC server running on ubuntu to send logs
> to Qradar (sie
./ossec-remoted output is
2013/05/17 07:42:08 ossec-remoted(1206): ERROR: Unable to Bind port '1514'
2013/05/17 07:42:08 ossec-remoted(1501): ERROR: No IP or network allowed in
the access list for syslog. No reason for running it. Exiting
On Friday, May 17, 2013 7:26:17 PM UTC+5, Ali
07:22:22 ossec-csyslogd: INFO: Forwarding alerts via syslog to:
'10.10.71.12:514'
On Friday, May 17, 2013 7:15:47 PM UTC+5, dan (ddpbsd) wrote:
>
> On Fri, May 17, 2013 at 10:10 AM, Ali man >
> wrote:
> > The version I'm using is
> >
> > Unix/Linux Version 2.
The version I'm using is
Unix/Linux Version 2.7.1 Alpha-1. I have checked the csyslog service and
started it multiple times; it doesn't seem to give any error.
On Friday, May 17, 2013 6:41:51 AM UTC+5, dan (ddpbsd) wrote:
>
> On Thu, May 16, 2013 at 4:48 PM, Ali man >
> wr
Thu, May 16, 2013 at 2:42 PM, Ali man >
> wrote:
> > In my environment , I'm using OSSEC server running on ubuntu to send
> logs to
> > Qradar (siem), the server is currently monitoring events / logs from two
> > agents (1 windows , 1 linux machine).
> >
In my environment, I'm using an OSSEC server running on ubuntu to send logs
to Qradar (siem); the server is currently monitoring events / logs from two
agents (1 windows, 1 linux machine).
Unknown to me, the ossec server has suddenly stopped sending logs to
Qradar. In the ossec.conf at server en
Thank you for the clarification.:)
On Tuesday, May 7, 2013 10:00:40 AM UTC-7, dan (ddpbsd) wrote:
>
> On Tue, May 7, 2013 at 12:16 PM, Ali man >
> wrote:
> > I'm testing ossec active respone, by way of detecting scan attempts on
> > webserver (e.g 404).
> >
Can someone explain how the ossec agent in an active response config
detects or responds to events (e.g. a scan attempt on a web server, 404 status
code).
I know that the below xml block at the server end fires up the response on the
agent end. But all the rules are kept in the /root dir, not the usual
inst
I'm testing ossec active response, by way of detecting scan attempts on a
webserver (e.g. 404).
My active response ossec.conf is
route-null
local
31151
600
One thing I'm not sure about: how does the ossec agent detect this behavior
beside it has
Hey,
I'm using an ossec configuration on a web server which is hosting a
very critical application for my organization. I want to know how I can use
ossec to monitor changes to the system.
I'm new to ossec use, but common sense says if I'm monitoring each and
every file (e.g. hosts, nets