[ossec-list] Inconsistencies with syscheck realtime + report_changes

2017-02-09 Thread Chris Decker
All, I have hundreds of machines that are (supposed to be) all configured exactly the same way via kickstarts and periodic Puppet runs. I've noticed that sometimes a Puppet push will modify a file across all of our machines, and the resulting syscheck notifications are a mixed bag - some have

Re: [ossec-list] remoted Dropping Events

2016-12-12 Thread Chris Decker
ect: make -C src clean >3. Compile and install again: make -C src TARGET=server install >4. Create a default remote setting on /var/ossec/etc/ossec.conf: > > > > > ** >*secure* >* * > > > > >

Re: [ossec-list] remoted Dropping Events

2016-12-12 Thread Chris Decker
"ossec-control start" doesn't run them. > > How did you install Wazuh? Please make sure that the file " > /var/ossec/etc/ossec-init.conf" has the line: > > TYPE="server" > > > Regards. > > > On Friday, December 9, 2016 at 5:24:38 PM UTC+

Re: [ossec-list] remoted Dropping Events

2016-12-09 Thread Chris Decker
5, dan (ddpbsd) wrote: > > > > On Dec 9, 2016 9:17 AM, "Chris Decker" <ch...@chris-decker.com > > wrote: > > Victor, > > On Friday, December 9, 2016 at 6:42:27 AM UTC-5, Victor Fernandez wrote: >> >> Hi, >> >> Agents should send

[ossec-list] Re: remoted Dropping Events

2016-12-09 Thread Chris Decker
Dave, Thanks for your suggestions. If I start remoted manually it doesn't complain that the port is already in use. I am also starting it in debug mode and its starts cleanly AND works when I start it manually. I *do* have remoted configured to accept both tcp and udp logs on port 514, but

Re: [ossec-list] remoted Dropping Events

2016-12-09 Thread Chris Decker
rts, but then I see 3 remoted processes. I've never come across this issue before. Do you know what could be causing it? > > Please test it and write back to us if this doesn't solve the problem. All > feedback is welcome. > > Hope it helps. > Best regards. > > > On

[ossec-list] remoted Dropping Events

2016-12-08 Thread Chris Decker
All, I have an OSSEC instance (running the latest/greatest Wazuh code cloned from GitHub) that has about 1k active hosts. I've noticed recently that hosts are flipping back and forth between *Active* and *Disconnected*. I've also noticed that not all of the log messages from "*Active" *hosts

[ossec-list] RIDS Issues

2015-03-25 Thread Chris Decker
All, I have a few Windows hosts that will periodically 'Disconnect' from the OSSEC server. In some cases they randomly will reconnect later on, while in others we have to go through and clear out the RIDS before the agent will re-connect successfully. What's the best way to troubleshoot this

[ossec-list] Re: Windows Agent Not Shipping Log File

2015-02-19 Thread Chris Decker
this particular server/log. Anyone have any suggestions or experience with a similar issue? Thanks, Chris On Tue, Feb 17, 2015 at 8:44 PM, Chris Decker ch...@chris-decker.com wrote: All, Many of my Windows machines write logs to c:\Logs\%COMPUTERNAME%.txt, and I have OSSEC monitoring

[ossec-list] Windows Agent Not Shipping Log File

2015-02-17 Thread Chris Decker
All, Many of my Windows machines write logs to c:\Logs\%COMPUTERNAME%.txt, and I have OSSEC monitoring that directory, e.g. <localfile><location>%SYSTEMDRIVE%\Logs\%COMPUTERNAME%.txt</location><log_format>syslog</log_format></localfile> We've noticed a few times now that on our busiest

[ossec-list] Windows Event Channels of Interest

2015-01-15 Thread Chris Decker
All, I'm a long-time OSSEC user, but I rarely use OSSEC with Windows machines. Recently I had the opportunity to monitor a significant number of Windows machines, and I've been learning where security-relevant logs are stored on the system. In addition to the standard Application/Security/System

Re: [ossec-list] Logging access to ossec log files

2015-01-12 Thread Chris Decker
be for the folder /var/ossec/logs/ that excludes the OSSEC user? On Monday, January 12, 2015 at 12:43:55 PM UTC-6, Chris Decker wrote: Yes - I currently monitor a few log files for 'writes' using auditd and I have OSSEC configured to generate alerts. Be aware, though, that the auditd logs

Re: [ossec-list] Logging access to ossec log files

2015-01-12 Thread Chris Decker
You could configure *auditd* to monitor for reads/writes to /var/ossec/logs and include a filter to exclude the OSSEC UID. On Mon, Jan 12, 2015 at 11:27 AM, dan (ddp) ddp...@gmail.com wrote: On Mon, Jan 12, 2015 at 11:23 AM, ch...@rhris.com wrote: All other log files aggregate into OSSEC.
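Added example (not part of the thread, and not OSSEC's or auditd's own code): the audit rules that implement the suggestion above, plus a small parser that turns the resulting SYSCALL/PATH records into "who read or wrote which OSSEC log" tuples. A plain `-w /var/ossec/logs -p rw` watch cannot exclude a uid, so the rules use `-a always,exit` with `-F dir=` and `-F uid!=`. The OSSEC user (uid 1001), the rule key "ossec-logs" and the audit records below are all assumed or constructed for the example; check the real uid with `id -u ossec`.

```python
"""Audit rules for /var/ossec/logs excluding the OSSEC uid, and a parser for
the records they produce. Added example; all identifiers and sample records
are constructed, not taken from the mailing list thread."""
import re
from typing import Dict, List, Tuple

OSSEC_UID = 1001            # assumed; verify with: id -u ossec
LOG_DIR = "/var/ossec/logs"

# Contents for /etc/audit/rules.d/ossec-logs.rules (load with: augenrules --load).
# Both arches are needed on x86_64, or 32-bit binaries bypass the b64 rule.
AUDIT_RULES = f"""
-a always,exit -F arch=b64 -S open,openat -F dir={LOG_DIR} -F uid!={OSSEC_UID} -k ossec-logs
-a always,exit -F arch=b32 -S open,openat -F dir={LOG_DIR} -F uid!={OSSEC_UID} -k ossec-logs
""".strip()

# (arch, syscall number) -> index of the open(2) flags argument in the record
FLAG_ARG = {
    ("c000003e", "2"): 1,    # x86_64 open(path, flags, mode)
    ("c000003e", "257"): 2,  # x86_64 openat(dirfd, path, flags, mode)
    ("40000003", "5"): 1,    # i386 open
    ("40000003", "295"): 2,  # i386 openat
}

_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')


def _fields(line: str) -> Dict[str, str]:
    """Split an audit record into key/value pairs, dropping surrounding quotes."""
    return {k: v.strip('"') for k, v in _KV.findall(line)}


def _event_id(line: str) -> str:
    """The audit(<time>:<serial>) id that ties SYSCALL and PATH records together."""
    m = re.search(r"msg=audit\((\d+\.\d+:\d+)\)", line)
    return m.group(1) if m else ""


def access_mode(f: Dict[str, str]) -> str:
    """Decode O_ACCMODE from the hex flags argument of open/openat."""
    idx = FLAG_ARG.get((f.get("arch", ""), f.get("syscall", "")))
    if idx is None:
        return "unknown"
    flags = int(f.get(f"a{idx}", "0"), 16)
    return {0: "read", 1: "write", 2: "read+write"}[flags & 3]


def log_accesses(records: str, ossec_uid: int = OSSEC_UID) -> List[Tuple[str, str, str, str]]:
    """Return (uid, exe, mode, path) for every keyed event under LOG_DIR whose
    uid is not the OSSEC uid. The rule already filters that uid; the check here
    is defence in depth for records fed in from elsewhere."""
    syscalls: Dict[str, Dict[str, str]] = {}
    paths: Dict[str, str] = {}
    for line in records.splitlines():
        line = line.strip()
        if not line:
            continue
        f = _fields(line)
        eid = _event_id(line)
        if f.get("type") == "SYSCALL" and f.get("key") == "ossec-logs":
            syscalls[eid] = f
        elif f.get("type") == "PATH":
            name = f.get("name", "")
            # openat emits a PARENT record for the directory; keep the file itself
            if name.startswith(LOG_DIR + "/") and f.get("nametype", "NORMAL") != "PARENT":
                if len(name) > len(paths.get(eid, "")):
                    paths[eid] = name
    out = []
    for eid, f in syscalls.items():
        if int(f.get("uid", "-1")) == ossec_uid:
            continue
        out.append((f["uid"], f.get("exe", "?"), access_mode(f), paths.get(eid, "?")))
    return out


# Constructed sample records (not real audit output). Event 303 is the OSSEC
# daemon itself; the rule would never emit it, it is here to exercise the filter.
SAMPLE_AUDIT_LOG = """
type=SYSCALL msg=audit(1421080101.111:301): arch=c000003e syscall=257 success=yes exit=3 a0=ffffff9c a1=7ffe1 a2=0 a3=0 items=2 ppid=2200 pid=2201 auid=1000 uid=1000 gid=1000 euid=1000 tty=pts0 ses=4 comm="cat" exe="/bin/cat" key="ossec-logs"
type=CWD msg=audit(1421080101.111:301):  cwd="/home/alice"
type=PATH msg=audit(1421080101.111:301): item=0 name="/var/ossec/logs/alerts/" inode=1 dev=fd:01 mode=040750 ouid=1001 ogid=1001 rdev=00:00 nametype=PARENT
type=PATH msg=audit(1421080101.111:301): item=1 name="/var/ossec/logs/alerts/alerts.log" inode=2 dev=fd:01 mode=0100640 ouid=1001 ogid=1001 rdev=00:00 nametype=NORMAL
type=SYSCALL msg=audit(1421080102.222:302): arch=c000003e syscall=2 success=yes exit=4 a0=7ffe2 a1=241 a2=1b6 a3=0 items=1 ppid=1 pid=3300 auid=4294967295 uid=0 gid=0 euid=0 comm="logrotate" exe="/usr/sbin/logrotate" key="ossec-logs"
type=PATH msg=audit(1421080102.222:302): item=0 name="/var/ossec/logs/ossec.log" inode=3 dev=fd:01 mode=0100640 ouid=1001 ogid=1001 rdev=00:00 nametype=NORMAL
type=SYSCALL msg=audit(1421080103.333:303): arch=c000003e syscall=257 success=yes exit=5 a0=ffffff9c a1=7ffe3 a2=441 a3=1b6 items=1 ppid=1 pid=4400 auid=4294967295 uid=1001 gid=1001 euid=1001 comm="ossec-analysisd" exe="/var/ossec/bin/ossec-analysisd" key="ossec-logs"
type=PATH msg=audit(1421080103.333:303): item=0 name="/var/ossec/logs/alerts/alerts.log" inode=2 dev=fd:01 mode=0100640 ouid=1001 ogid=1001 rdev=00:00 nametype=NORMAL
"""

if __name__ == "__main__":
    print(AUDIT_RULES)
    for uid, exe, mode, path in log_accesses(SAMPLE_AUDIT_LOG):
        print(f"uid={uid} exe={exe} {mode} {path}")
```

On a live host the records come from `ausearch -k ossec-logs --raw`; the same key can then drive an OSSEC rule over the audit log, which is the setup the reply describes. Everything the OSSEC daemons do to their own logs is dropped at the kernel by `-F uid!=`, so only foreign readers and writers (a user running cat, root's logrotate) reach the alert path.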

Re: [ossec-list] Logging access to ossec log files

2015-01-12 Thread Chris Decker
at 10:52:25 AM UTC-6, Chris Decker wrote: You could configure *auditd* to monitor for reads/writes to /var/ossec/logs and include a filter to exclude the OSSEC UID. On Mon, Jan 12, 2015 at 11:27 AM, dan (ddp) ddp...@gmail.com wrote: On Mon, Jan 12, 2015 at 11:23 AM, ch...@rhris.com wrote

[ossec-list] ossec-remoted Process Pegged at 100%

2014-12-16 Thread Chris Decker
Good morning all, I have about 2,000 (heavily active) OSSEC agents sending logs to a Manager. On the Manager side I've noticed that *ossec-remoted* is hovering around 98% to 100% of a CPU. I was under the impression that *ossec-remoted* is multi-threaded, but I only ever see one process

[ossec-list] Active Response Requires Agent Restarts?

2014-01-30 Thread Chris Decker
All, I just recently started using Active Response. My main use case right now is to perform a firewall-drop on my ‘login’ nodes using <location>defined-agent</location>.  This appears to be working fine (after I realized that I couldn’t define more than 1 agent within an active-response stanza).

Re: [ossec-list] Decoder Report 'True' Name

2013-05-10 Thread Chris Decker
dcid I assume it works! On Apr 8, 2013, at 11:12 AM, dan (ddp) ddp...@gmail.com wrote: On Mon, Apr 8, 2013 at 11:09 AM, Chris Decker ch...@chris-decker.com wrote: All, I have a decoder, and then a 'sub-decoder' that refers to the parent. I'd like to have OSSEC report the 'sub-decoder's

[ossec-list] Decoder Report 'True' Name

2013-04-08 Thread Chris Decker
All, I have a decoder, and then a 'sub-decoder' that refers to the parent. I'd like to have OSSEC report the 'sub-decoder's name rather than the parents. I recall seeing something about this on the distro list awhile back but can't locate it. I also couldn't find any mention of it on the

[ossec-list] Real Time Alerts

2013-03-27 Thread Chris Decker
All, I just did a fresh, fairly vanilla install of OSSEC 2.7 (official release). I'm getting mixed results with realtime alerts - sometimes it works fine, sometimes the 'diff' file doesn't reflect the change minutes after I have made it, while other times the 'diff' file is showing the change

[ossec-list] Re: Real Time Alerts

2013-03-27 Thread Chris Decker
for that file is persisting across restarts, and isn't respecting my change of the auto_ignore setting? Thoughts? Thanks, Chris On Wed, Mar 27, 2013 at 10:17 AM, Chris Decker ch...@chris-decker.com wrote: All, I just did a fresh, fairly vanilla install of OSSEC 2.7 (official release). I'm

[ossec-list] Decoder Field Limitation?

2013-03-22 Thread Chris Decker
All, I'm trying to decode a log that is tab-delimited. When I paste my sample log into logtest I'm seeing what appears to be a limitation in the number of fields that can be extracted - notice how the field that should have gone into 'extra_data' actually went into 'dstuser'. Did I discover

[ossec-list] Log All Alerts To alerts.log, Select Alert Levels to MySQL Database?

2012-01-04 Thread Chris Decker
Is there a way to log all alerts to alerts.log, but only insert alerts into a database which match a specified alert level (i.e. only write alerts with a level >= 3 to my database)? I don't want to insert everything into a MySQL database due to the large number of low-level alerts, but still want to

[ossec-list] Override Decoder from decoder.xml

2011-12-12 Thread Chris Decker
As the subject suggests, is there a way to override a particular decoder in decoder.xml? I have a few tweaks I want to make and obviously want to make sure that future upgrades go smoothly (so I want to keep everything in local_decoder.xml). (Thanks in advance, Dan, for the response ;)) Sent

Re: [ossec-list] Multiple alerts for one rule

2011-12-12 Thread Chris Decker
Dan, Thanks, that's what I thought based on the key/value references in the documentation. Sent from my iPhone On Dec 12, 2011, at 3:08 PM, dan (ddp) ddp...@gmail.com wrote: On Sat, Dec 10, 2011 at 12:01 AM, vmpc vmpc packetst...@gmail.com wrote: Whenever my rule triggers, I get three alerts

Re: [ossec-list] OSSEC and OpenLDAP logs

2010-11-11 Thread Chris Decker
I'm interested in such a decoder as well, so any effort expended to help Doug would also help me and countless others I'm sure. On Wed, Nov 10, 2010 at 3:55 PM, dan (ddp) ddp...@gmail.com wrote: On Wed, Nov 10, 2010 at 3:12 PM, Doug Burks doug.bu...@gmail.com wrote: Has anybody used OSSEC to

Re: [ossec-list] Re: report_changes Option Crashes remoted

2010-10-06 Thread Chris Decker
/ossec/bin/ossec-syscheckd # /var/ossec/bin/ossec-logcollector When analysisd crashes, run bt and send us the output. Thanks! On Wed, Oct 6, 2010 at 11:24 AM, Chris Decker deckmo...@gmail.com wrote: Michael, Thank you for replying... I used a fresh install of 2.5 for the manager

[ossec-list] Re: report_changes Option Crashes remoted

2010-10-05 Thread Chris Decker
or C:program files directory, but not an individual file like /etc/file.txt.. I knew this already, but tried my configuration with realtime disabled and still experience this issue. On Mon, Oct 4, 2010 at 9:22 PM, Chris Decker deckmo...@gmail.com wrote: All, I've been experiencing issues

Re: [ossec-list] Binding to Designated Network Interface; Issue with syscheck; Nagios question

2010-09-30 Thread Chris Decker
On Sep 29, 2010, at 12:21 PM, Chris Decker wrote: * We use Nagios to periodically log-in to our servers (using SSH) to retrieve status information on processes. Everytime this happens I get the successful SSH connection alert and 2 additional alerts

Re: [ossec-list] Binding to Designated Network Interface; Issue with syscheck; Nagios question

2010-09-29 Thread Chris Decker
at 12:52 PM, dan (ddp) ddp...@gmail.com wrote: On Wed, Sep 29, 2010 at 12:21 PM, Chris Decker deckmo...@gmail.com wrote: Ever helpful OSSEC list, I have three items I'm trying to figure out: How can I get the OSSEC server process to bind to a network interface of my choosing? I'm

Re: [ossec-list] Binding to Designated Network Interface; Issue with syscheck; Nagios question

2010-09-29 Thread Chris Decker
and modified the PHP for the WUI so it only shows alerts at level 4 or higher, which has helped with the noise. On Wed, Sep 29, 2010 at 2:26 PM, dan (ddp) ddp...@gmail.com wrote: On Wed, Sep 29, 2010 at 2:13 PM, Chris Decker deckmo...@gmail.com wrote: Dan, Thanks. The local_ip setting