[ossec-list] Re: ossec as syslog server

2007-11-18 Thread Dennis Borkhus-Veto
Dennis Borkhus-Veto Systems Administrator MEE Material Handling L.L.C

[ossec-list] Re: ossec as syslog server

2007-11-16 Thread Dennis Borkhus-Veto
My system is set up this way. If still interested, let me know and I will send details tomorrow. Dennis - Original Message - From: ossec-list@googlegroups.com To: ossec-list@googlegroups.com Sent: Thu Nov 15 09:30:10 2007 Subject: [ossec-list] Re: ossec as syslog server I have another

[ossec-list] Windows rootcheck

2007-11-03 Thread Dennis Borkhus-Veto
I have received the following error on a Win 2003 server with Exchange 2003. How should I go about checking this? rootcheck Rule: 510 fired (level 7) -> "Host-based anomaly detection event (rootcheck)." Portion of the log(s): NTFS Alternate data stream found: 'C:\/Program Files/Exchsrvr/Mailroot/vsi

[ossec-list] Re: Windows Audit

2007-11-02 Thread Dennis Borkhus-Veto
Yes, this is in Ossec now, but the Windows audit file affects all of the Windows agents. I want to watch processes that are not on all of the machines, so now if I watch, say, IIS it has to be running on all of the Windows agents or I will get alerts on it. Sincerely Dennis Borkhus-Veto Systems

[ossec-list] Windows Audit

2007-11-01 Thread Dennis Borkhus-Veto
Is there a way to audit for a process running if it is only running on one or two agents? Right now when I set it up I get alerts from the agents that don't have the process installed, so of course it will alert for the process not running. Sincerely Dennis Borkhus-Veto Systems Administ

[ossec-list] Windows audits

2007-08-09 Thread Dennis Borkhus-Veto
In the new version Windows audits have been added; the problem I have is that whatever I set up to audit has to be on all of the agents. I want to monitor a couple of processes, but they are not on all of the agents. So I get alerts for the agents that don't have the processes. Dennis

[ossec-list] ignore rule not working

2007-06-11 Thread Dennis Borkhus-Veto
I know it is something I may have missed, but the local rule to ignore a false positive alert that I created is not working. Here is the rule and the alert from my alert log. My rule 5711 1.1.1.1 Example of rule that will ignore sshd failed logins from IP 1.1.1.1

[ossec-list] Multiple logs

2007-06-07 Thread Dennis Borkhus-Veto
I have a central log server that is also my Ossec server; the log directory is as follows. /Log/syslog-ng/hostname/syslog.log And a couple like /Log/syslog-ng/IP address/syslog.log When I followed the instructions from the wiki the log collector died. For the log location I had /Log/syslog-

[ossec-list] Ossec-wui

2007-04-06 Thread Dennis Borkhus-Veto
I have what some may call a stupid question. When installing ossec-wui v0.2, the setup.sh asks for a user name and pw; what should it be? I am not sure if it should be root, ossec, or the apache user. Dennis

[ossec-list] Re: Authentication of Users using WebUI

2007-04-03 Thread Dennis Borkhus-Veto
What about using an htaccess file? Dennis - Original Message - From: ossec-list@googlegroups.com To: [EMAIL PROTECTED] <[EMAIL PROTECTED]> Cc: Daniel Cid <[EMAIL PROTECTED]> Sent: Mon Apr 02 23:47:25 2007 Subject: [ossec-list] Authentication of Users using WebUI ***

[ossec-list] Re: Finding ADS on NTFS (yes, rootkit detection on windows coming to OSSEC)

2007-03-27 Thread Dennis Borkhus-Veto
Sincerely Dennis Borkhus-Veto Systems Administrator MEE Material Handling L.L.C [EMAIL PROTECTED] -Original Message- From: ossec-list@googlegroups.com [mailto:[EMAIL PROTECTED] On Behalf Of Daniel Cid Sent: Sunday, March 25, 2007 5:46 PM To: ossec-list@googlegroups.com Subject: [ossec-list

[ossec-list] Moving server

2007-03-17 Thread Dennis Borkhus-Veto
I apologize if I am asking something already addressed. I am building a new server that will be my central syslog and ossec server and would like to know if I copy the ossec directory from the old to the new server and change the server address on the agents to have the agents go to the new ser

[ossec-list] updated log support

2007-01-15 Thread Dennis Borkhus-Veto
Could you tell me what format I should list for the routing and remote access logs? Sincerely Dennis Borkhus-Veto Systems Administrator MEE Material Handling L.L.C [EMAIL PROTECTED]

[ossec-list] Re: OSSEC on IPCop

2007-01-11 Thread Dennis Borkhus-Veto
I only have a limited knowledge of IPCop and am planning to deploy it. Could this not be put out as an add-on module for IPCop? I would be very interested in the details on how you did this. Dennis - Original Message - From: ossec-list@googlegroups.com To: ossec-list@googlegroups.com Sent

[ossec-list] Re: Error uncompressing string

2006-12-13 Thread Dennis Borkhus-Veto
I have run into this on two agents, and on one I regenerated the key and added it to the agent. On the second one I had to go as far as removing the agent from the server, re-adding the agent, then regenerating the key and adding it to the server. Dennis - Original Message - From: ossec-list

[ossec-list] install error

2006-12-07 Thread Dennis Borkhus-Veto
I am trying to install the agent on a SUSE 10.1 computer and I am receiving the following error. Dennis 5- Installing the system - Running the Makefile *** Making zlib (by Jean-loup Gailly and Mark Adler) *** make[1]: Entering directory `/ossec-hids-0.9-3/ossec-hids-0.9-3/src/external/zlib-

[ossec-list] Agent server connection

2006-11-28 Thread Dennis Borkhus-Veto
I have ossec installed and agents on XP, 2000 srv and 2003 srv; all seem to work fine. The problem is I have now set up an agent on SUSE 10, but it does not seem to communicate with the server. I have all the correct ports open and tcpdump shows traffic coming from the agent. I also have the ag

[ossec-list] The first beta version of oswui

2006-11-10 Thread Dennis Borkhus-Veto
The first beta version of oswui (ossec web ui) was just released. The code is very simple and does not require a database or anything special running in the server. You just need to have Apache with php and ossec. I followed the instructions and I found that on SUSE 10.1 that the comma

[ossec-list] Solved

2006-10-12 Thread Dennis Borkhus-Veto
Rule: 5104 fired (level 8) I did use the tcpdump command. It was all Daniel's fault; he posted how to use it. I really noticed the message because my agents don't seem to be sending alerts to the server. Dennis

[ossec-list] Re: Ossec and nagios?

2006-10-12 Thread Dennis Borkhus-Veto
cause the same output. Meir Michanie wrote: > that could be related to snort, it is not related to nagios for sure. > > > On 10/13/06, Dennis Borkhus-Veto <[EMAIL PROTECTED]> wrote: >> >> I have been working on setting up a program called nagios on the same >>

[ossec-list] Re: Ossec and nagios?

2006-10-12 Thread Dennis Borkhus-Veto
Borkhus-Veto <[EMAIL PROTECTED] > wrote: I have been working on setting up a program called nagios on the same server as ossec and now I received the following error and am not sure if it is related. OSSEC HIDS Notification. 2006 Oct 12 11:58:27 Received From: HULK->/Raid/Log/mess

[ossec-list] Windows active response?

2006-10-12 Thread Dennis Borkhus-Veto
Is there any support or planned support for XP or srv 2003 or other Windows firewalls? Dennis

[ossec-list] Ossec and nagios?

2006-10-12 Thread Dennis Borkhus-Veto
I have been working on setting up a program called nagios on the same server as ossec and now I received the following error and am not sure if it is related. OSSEC HIDS Notification. 2006 Oct 12 11:58:27 Received From: HULK->/Raid/Log/messages Rule: 5104 fired (level 8) -> "Interface entered

[ossec-list] Re: newbie question?

2006-10-10 Thread Dennis Borkhus-Veto
> > > Looks like OSSEC doesn't grok IIS SMTP logs and has interpreted "500" as the > HTTP error code 500. > > Rick > > > > > > > From: ossec-list@googlegroups.com [mailto:[EMAIL PROTECTED] On > Behalf Of

[ossec-list] newbie question?

2006-10-09 Thread Dennis Borkhus-Veto
MEE-PDC 192.168.X.X 0 - +hupylaw.hupy.local 500 0 32 23 0 SMTP - - - - Sincerely Dennis Borkhus-Veto Systems Administrator MEE Material Handling L.L.C [EMAIL PROTECTED]

[ossec-list] Re: IIS Log Analyzing

2006-10-04 Thread Dennis Borkhus-Veto
Do you have your local ossec conf set to monitor IIS logs? Dennis -Original Message- From: ossec-list@googlegroups.com To: ossec-list@googlegroups.com Sent: Wed Oct 04 06:30:55 2006 Subject: [ossec-list] Re: IIS Log Analyzing I've checked all other agents with IIS and notice the same p

[ossec-list] Re: Ossec in ossec in ossec

2006-09-26 Thread Dennis Borkhus-Veto
future. On 9/22/06, Dennis Borkhus-Veto <[EMAIL PROTECTED]> wrote: I was working on getting my PIX and syslog working, and when I went to change the ossec config I found that I have a /var/ossec directory and a /var/ossec/ossec and /var/ossec/ossec/ossec directories. I have just the

[ossec-list] Ossec in ossec in ossec

2006-09-22 Thread Dennis Borkhus-Veto
problem except I don't know which one to configure. Second, is there a way to have the Ossec log files on the server go to a different location? Sincerely Dennis Borkhus-Veto Systems Administrator MEE Material Handling L.L.C [EMAIL PROTECTED]

[ossec-list] Re: ip being reported as 0.0.0.0 & timestamp misbehaving

2006-09-11 Thread Dennis Borkhus-Veto
na test a client/agent and report back. ./vcorreia Dennis Borkhus-Veto wrote: I think the problem may be in your syslog? Try having one of your clients use the agent to send to the server. I think the default syslog has a setting like source local { unix-stream("/dev/log"); internal

[ossec-list] Re: ip being reported as 0.0.0.0 & timestamp misbehaving

2006-09-11 Thread Dennis Borkhus-Veto
ng hello Dennis, i'm sending to the syslog. any info/logs/whatnot just ask. thanks, ./vcorreia Dennis Borkhus-Veto wrote: A question: are you using the agents to send the alerts to the server or are you sending to the syslog? Dennis -Original Message- From: ossec-list@googleg

[ossec-list] Re: ip being reported as 0.0.0.0 & timestamp misbehaving

2006-09-11 Thread Dennis Borkhus-Veto
A question: are you using the agents to send the alerts to the server or are you sending to the syslog? Dennis -Original Message- From: ossec-list@googlegroups.com To: ossec-list@googlegroups.com Sent: Mon Sep 11 05:28:40 2006 Subject: [ossec-list] Re: ip being reported as 0.0.0.0 & time

[ossec-list] Re: Centos 4.3 64 Bit Server and Windows Agent

2006-09-01 Thread Dennis Borkhus-Veto
PROTECTED] On Behalf Of Dennis Borkhus-Veto Sent: Friday, September 01, 2006 3:06 PM To: ossec-list@googlegroups.com Subject: [ossec-list] Re: Centos 4.3 64 Bit Server and Windows Agent Isn't the folder supposed to be windows for 2000 and 2003 instead of winnt? Dennis -Original Message

[ossec-list] Re: Centos 4.3 64 Bit Server and Windows Agent

2006-09-01 Thread Dennis Borkhus-Veto
Isn't the folder supposed to be windows for 2000 and 2003 instead of winnt? Dennis -Original Message- From: ossec-list@googlegroups.com To: ossec-list@googlegroups.com Sent: Fri Sep 01 00:13:43 2006 Subject: [ossec-list] Re: Centos 4.3 64 Bit Server and Windows Agent ---

[ossec-list] Re: OSSEC2MYSQL - Agents being reported as 127.0.0.1

2006-09-01 Thread Dennis Borkhus-Veto
Could you change dbhost=localhost to the actual IP address to at least see if that is where it's coming from? Dennis -Original Message- From: ossec-list@googlegroups.com To: ossec-list@googlegroups.com Sent: Fri Sep 01 04:23:25 2006 Subject: [ossec-list] OSSEC2MYSQL - Agents being reporte

[ossec-list] Re: Centos 4.3 64 Bit Server and Windows Agent

2006-08-31 Thread Dennis Borkhus-Veto
Also check your Windows rule file. The events in it that were set to trigger alerts were not ones that appear in my event logs, but I did see them in my ossec server log. Dennis -Original Message- From: ossec-list@googlegroups.com To: ossec-list@googlegroups.com Sent: Thu Aug 31 21:

[ossec-list] How to PIX

2006-08-28 Thread Dennis Borkhus-Veto
How can I have my PIX send messages to my ossec server? Sincerely Dennis Borkhus-Veto Systems Administrator MEE Material Handling L.L.C [EMAIL PROTECTED]