All,
I have hundreds of machines that are (supposed to be) all configured
exactly the same way via kickstarts and periodic Puppet runs. I've noticed
that sometimes a Puppet push will modify a file across all of our machines,
and the resulting syscheck notifications are a mixed bag - some have
p*
>
> Please test it and write back to us if this doesn't solve the problem. All
> feedback is welcome.
>
> Hope it helps.
> Best regards.
>
> On Friday, December 9, 2016 at 6:30:08 AM UTC+1, dan (ddpbsd) wrote:
>>
ory.
>2. Clean the project: make -C src clean
>3. Compile and install again: make -C src TARGET=server install
>4. Create a default remote setting on /var/ossec/etc/ossec.conf:
>
> **
>*secure*
> * *
>
>
processes but "ossec-control start" doesn't run them.
>
> How did you install Wazuh? Please make sure that the file "
> /var/ossec/etc/ossec-init.conf" has the line:
>
> TYPE="server"
>
> Regards.
>
>
> On Friday, December 9, 201
0:33:50 AM UTC-5, dan (ddpbsd) wrote:
>
> On Dec 9, 2016 9:17 AM, "Chris Decker" > wrote:
>
> Victor,
>
> On Friday, December 9, 2016 at 6:42:27 AM UTC-5, Victor Fernandez wrote:
>>
>> Hi,
>>
>> Agents should send a keepalive each 10 mi
Dave,
Thanks for your suggestions.
If I start remoted manually it doesn't complain that the port is already in
use. I am also starting it in debug mode and it starts cleanly AND works
when I start it manually.
I *do* have remoted configured to accept both tcp and udp logs on port 514,
but I
tart remoted by hand it starts, but then I see 3 remoted
processes. I've never come across this issue before. Do you know what
could be causing it?
>
> Please test it and write back to us if this doesn't solve the problem. All
> feedback is welcome.
>
> Hope it helps.
On Friday, December 9, 2016 at 12:30:08 AM UTC-5, dan (ddpbsd) wrote:
>
> On Dec 8, 2016 4:41 PM, "Chris Decker" > wrote:
>
> All,
>
> I have an OSSEC instance (running the latest/greatest Wazuh code cloned
> from GitHub) that has about 1k active hos
All,
I have an OSSEC instance (running the latest/greatest Wazuh code cloned
from GitHub) that has about 1k active hosts. I've noticed recently that
hosts are flipping back and forth between *Active* and *Disconnected*.
I've also noticed that not all of the log messages from *Active* hosts
All,
I have a few Windows hosts that will periodically 'Disconnect' from the
OSSEC server. In some cases they randomly will reconnect later on, while
in others we have to go through and clear out the RIDS before the agent
will re-connect successfully.
What's the best way to troubleshoot this iss
th of data from this
particular server/log.
Anyone have any suggestions or experience with a similar issue?
Thanks,
Chris
On Tue, Feb 17, 2015 at 8:44 PM, Chris Decker
wrote:
> All,
>
> Many of my Windows machines write logs to c:\Logs\%COMPUTERNAME%.txt, and
> I have OSSEC mon
All,
Many of my Windows machines write logs to c:\Logs\%COMPUTERNAME%.txt, and I
have OSSEC monitoring that directory, e.g.
>
> %SYSTEMDRIVE%\Logs\%COMPUTERNAME%.txt
> syslog
>
We've noticed a few times now that on our busiest machine [1] OSSEC will
occasionally stop sending the
All,
I'm a long-time OSSEC user, but I rarely use OSSEC with Windows machines.
Recently I had the "opportunity" to monitor a significant number of Windows
machines, and I've been learning where security-relevant logs are stored on
the system.
In addition to the standard Application/Security/Syste
the folder /var/ossec/logs/ that excludes the OSSEC
> user?
>
> On Monday, January 12, 2015 at 12:43:55 PM UTC-6, Chris Decker wrote:
>>
>> Yes - I currently monitor a few log files for 'writes' using auditd and I
>> have OSSEC configured to generate alerts
January 12, 2015 at 10:52:25 AM UTC-6, Chris Decker wrote:
>>
>> You could configure *auditd* to monitor for reads/writes to
>> /var/ossec/logs and include a filter to exclude the OSSEC UID.
>>
>> On Mon, Jan 12, 2015 at 11:27 AM, dan (ddp) wrote:
>>
You could configure *auditd* to monitor for reads/writes to /var/ossec/logs
and include a filter to exclude the OSSEC UID.
On Mon, Jan 12, 2015 at 11:27 AM, dan (ddp) wrote:
> On Mon, Jan 12, 2015 at 11:23 AM, wrote:
> > All other log files aggregate into OSSEC. The auditor wants these logs o
Good morning all,
I have about 2,000 (heavily active) OSSEC agents sending logs to a Manager.
On the Manager side I've noticed that *ossec-remoted* is hovering around
98% to 100% of a CPU.
I was under the impression that *ossec-remoted* is multi-threaded, but I
only ever see one process run
All,
I just recently started using Active Response.
My main use case right now is to perform a firewall-drop on my ‘login’ nodes
using defined-agent. This appears to be working fine
(after I realized that I couldn’t define more than 1 agent within an
stanza).
I run into issues when I restar
ng from dcid
I assume it works!
On Apr 8, 2013, at 11:12 AM, dan (ddp) wrote:
> On Mon, Apr 8, 2013 at 11:09 AM, Chris Decker wrote:
>> All,
>>
>> I have a decoder, and then a 'sub-decoder' that refers to the parent. I'd
>> like to have OSSEC rep
Mitchell,
When you deleted the agents, did you do it via manage_agents? I've run
into problems when I (stupidly) deleted agents from client.keys directly
and then authd tried to re-use those ids.
On Thu, Apr 11, 2013 at 3:29 PM, mitchella wrote:
> Hello,
> We are trying to deploy OSSEC wi
All,
I thought I'd share the OSSEC plist I threw in to /Library/LaunchDaemons so
that OSSEC starts on boot:
http://www.apple.com/DTDs/PropertyList-1.0.dtd";>
Label
com.ossec.launch
ProgramArguments
/var/ossec/bin/ossec-control
start
All,
I have a decoder, and then a 'sub-decoder' that refers to the parent. I'd
like to have OSSEC report the 'sub-decoder's name rather than the parent's.
I recall seeing something about this on the distro list awhile back but
can't locate it. I also couldn't find any mention of it on the Decode
eady received my 3 alerts for that file
is persisting across restarts, and isn't respecting my change of the
auto_ignore setting?
Thoughts?
Thanks,
Chris
On Wed, Mar 27, 2013 at 10:17 AM, Chris Decker wrote:
> All,
>
> I just did a fresh, fairly vanilla install of OSSEC 2.7 (
All,
I just did a fresh, fairly vanilla install of OSSEC 2.7 (official release).
I'm getting mixed results with realtime alerts - sometimes it works fine,
sometimes the 'diff' file doesn't reflect the change minutes after I have
made it, while other times the 'diff' file is showing the change but
All,
I'm trying to decode a log that is tab-delimited. When I paste my sample log
into logtest I'm seeing what appears to be a limitation in the number of fields
that can be extracted - notice how the field that should have gone into
'extra_data' actually went into 'dstuser'.
Did I discover a
Is there a way to log all alerts to alerts.log, but only insert alerts into a database which match a specified alert level (i.e. only write alerts with a level >=3 to my database)? I don't want to insert everything into a MySQL database due to the large number of low-level alerts, but still want to
Dan,
Thanks, that's what I thought based on the key/value references in the
documentation.
Sent from my iPhone
On Dec 12, 2011, at 3:08 PM, "dan (ddp)" wrote:
> On Sat, Dec 10, 2011 at 12:01 AM, vmpc vmpc wrote:
>> Whenever my rule triggers, I get three alerts sent to the OSSEC server. I am
>
As the subject suggests, is there a way to override a particular
decoder in decoder.xml? I have a few tweaks I want to make and
obviously want to make sure that future upgrades go smoothly (so I
want to keep everything in local_decoder.xml).
(Thanks in advance, Dan, for the response ;))
Sent f
All,
I've been looking at the OSSEC documentation and can't get my head
around how to utilize the CDB feature.
I was hoping to create a mapping of the authorized usernames for each
IP/host. Upon a sid related to login, I want to verify the user is
authorized for that IP. If not, I want to genera
I'm interested in such a decoder as well, so any effort expended to help
Doug would also help me and countless others I'm sure.
On Wed, Nov 10, 2010 at 3:55 PM, dan (ddp) wrote:
> On Wed, Nov 10, 2010 at 3:12 PM, Doug Burks wrote:
> > Has anybody used OSSEC to monitor OpenLDAP logs? Specifical
esses:
>
> # /var/ossec/bin/ossec-remoted
> # /var/ossec/bin/ossec-syscheckd
> # /var/ossec/bin/ossec-logcollector
>
> When analysisd crashes, run "bt" and send us the output.
>
> Thanks!
>
> On Wed, Oct 6, 2010 at 11:24 AM, Chris Decker wrote:
> >
uld walk me through using the
debugger at night perhaps we could get some clues on the issue.
If you have any suggestions I'll give them a shot..I'm out of ideas!
Thanks,
Chris
On Wed, Oct 6, 2010 at 10:10 AM, Michael Starks <
ossec-l...@michaelstarks.com> wrote:
>
r the
/etc or C:program files directory, but not an individual file like
/etc/file.txt.". I knew this already, but tried my configuration with
realtime disabled and still experience this issue.
On Mon, Oct 4, 2010 at 9:22 PM, Chris Decker wrote:
> All,
>
> I've been experien
All,
I've been experiencing issues with the new report_changes feature of
syscheck since 2.5 was released. I was on IRC earlier and was told the bug
was known and that a fix was included in the latest snapshot, but I'm still
seeing the same issues. For what it's worth I really find great value in
>
> On Sep 29, 2010, at 12:21 PM, Chris Decker wrote:
> > * We use Nagios to periodically log-in to our servers (using SSH)
> to retrieve status information on processes. Every time this happens I get
> the successful SSH connection alert
All,
Is there an easy way to force the OSSEC server to immediately push out the
latest copy of the /etc/shared/agent.conf? Even after restarting the
OSSEC server and forcing a restart using agent_control it seems to take
forever.
Also, is there a good way to troubleshoot when the agent.conf does
went ahead
and modified the PHP for the WUI so it only shows alerts at level 4 or
higher, which has helped with the noise.
On Wed, Sep 29, 2010 at 2:26 PM, dan (ddp) wrote:
> On Wed, Sep 29, 2010 at 2:13 PM, Chris Decker wrote:
> > Dan,
> >
> > Thanks. The "local_i
of your help.
On Wed, Sep 29, 2010 at 12:52 PM, dan (ddp) wrote:
> On Wed, Sep 29, 2010 at 12:21 PM, Chris Decker
> wrote:
> > Ever helpful OSSEC list,
> >
> > I have three items I'm trying to figure out:
> >
> > How can I get the OSSEC server process to b
Ever helpful OSSEC list,
I have three items I'm trying to figure out:
1. How can I get the OSSEC server process to bind to a network interface
of my choosing? I'm guessing I can do something when compiling, but is
there a parameter that can be changed to make this happen? I found an
and the agent to see if there is
> traffic on port 1514.
>
> On Tue, Sep 28, 2010 at 12:03 PM, Chris Decker
> wrote:
> > All,
> >
> > I just set up an OSSEC 2.5 server/agent installation on my testbed. I'm
> > having difficulty getting my agent to successfull
All,
I just set up an OSSEC 2.5 server/agent installation on my testbed. *I'm
having difficulty getting my agent to successfully communicate with the
server*. My hunch is that my agent is having an issue talking Blowfish, but
I never had an issue with OSSEC 2.4 on these same machines.