Hi,
I've created a new rule for monitoring logon actions on SQL Server 2008. OS is
Windows Server 2008. I'm using OSSEC server/agent 2.3.
Here is the rule:
18104
^33205
MS SQL Server 2008 Logon Success.
authentication_success,
Problem occurs when log is process
Hi all,
I have a fresh installation of OSSEC server 2.5.1 on an AIX server. I didn't modify
anything yet in decoder or rules, but when I try to run ossec-logtest I get
the following error:
2011/03/21 12:03:36 ossec-analysisd(1226): ERROR: Error reading XML file
'etc/decoder.xml': XML ERR: Element
Subject: Re: [ossec-list] ossec-logtest error
>
> Try:
>
> ^20\d\d\d\d\d\d\p;\p
> ^\d+\p;\p\S+\p;\p(\d+)\p;
> id
>
>
>
> 2011/3/21 Branimir Pačar :
> > Hi all,
> >
> >
> >
> > I have a fresh installation of OSSEC server 2.5.1 on AI
Hi,
I had some problems with alerting on Win Server 2008 R2. I was constantly
getting alerts that the Windows station is shutting down. Since that wasn't the case,
I've investigated it a little and found that the problem was in rule 18117 and
matching of id 513. Since 2008 has events that begin with 513
> -Original Message-
> From: ossec-list@googlegroups.com [mailto:ossec-list@googlegroups.com] On
> Behalf Of joshua.gruber
> Sent: Friday, April 01, 2011 6:14 AM
> To: ossec-list
> Subject: [ossec-list] ossec-logtest is performing differently from running
> ossec
>
> Okay, per microsoft, w
Hi all,
Is it possible to define a whole network segment in a rule as source IP?
Currently I know for tag but I would like to define i.e. 192.168.1.0/28
and trigger the rule for all those addresses without the need to define each address in
that segment using .
Regards,
Branimir
> -Original Message-
> From: ossec-list@googlegroups.com [mailto:ossec-l...@googlegroups.com] On
> Behalf Of dan (ddp)
> Sent: Tuesday, February 02, 2010 4:39 PM
> To: ossec-list@googlegroups.com
> Subject: Re: [ossec-list] Emails Notification Alert Levels
>
> On Mon, Feb 1, 2010 at 10:16
Maybe you could write your rule like this:
...
snort01
snort02
...
I'm not sure if it is going to work, but it doesn't hurt to try.
Best regards,
Branimir
From: ossec-list@googlegroups.com [mailto:ossec-l...@googlegroups.com] On
Behalf O
Hi,
When I try to start OSSEC with your rules, an error occurs in the first rule because
of the second backslash in the match tag:
\system32\
If I remove it, OSSEC reports no errors.
In the second rule there may be an error with the level option and quotation marks.
Try to write it like this
level