Re: [ossec-list] Syslog forwarding doesn't work with custom_alert_output

2015-01-07 Thread Grant L
Great point. We do see the custom alert in alerts.log. Should we put in a request or just modify csyslogd ourselves? Grant Leonard, Castra Consulting, LLC, 919-949-4002. On Wed, Jan 7, 2015 at 8:58 AM, dan (ddp) wrote: > On Wed, Jan 7, 2015 at 8:18 AM, wrote: >

Re: [ossec-list] Re: Windows Event ID 4625

2014-11-05 Thread Grant L
You do not have to tell the platform to use local_decoders, just make sure the permissions are the same. I am upgrading to 2.8 this week across numerous platforms from 2.7.1. I already have the decoders in place and will begin making rules today or tomorrow for the events in the custom decoder file.

Re: [ossec-list] Re: Windows agents not connecting to OSSEC server

2014-10-17 Thread Grant L
That file is definitely required, though I am not sure it has anything to do with the agent connecting in. You showed earlier connections on port 1514 from the devices in question, right? Does the ossec.log note any issues with those devices? For what it is worth, here is a sender_counter file fr

Re: [ossec-list] Windows agents not connecting to OSSEC server

2014-10-14 Thread Grant L
Great point, David. Grant Leonard, Castra Consulting, LLC, 919-949-4002. On Tue, Oct 14, 2014 at 12:00 PM, Rick McClinton wrote: > David, > > I'm not confident that notepad, wordpad, or notepad++ wouldn't hide the > byte order marker at the start of a Unicode file.

Re: [ossec-list] Windows agents not connecting to OSSEC server

2014-10-14 Thread Grant L
miss something > when I typed it in? > > On Monday, October 13, 2014 7:43:23 PM UTC-5, Grant L wrote: >> >> I guessed at your eth interface >> >> the command is sound, I just dont know what your OS looks like >> >> SO >> >> tcpdump -i host

Re: [ossec-list] Windows agents not connecting to OSSEC server

2014-10-13 Thread Grant L
it on. > > > On Monday, October 13, 2014 6:18:08 PM UTC-5, Grant L wrote: >> >> Do this for about 5 non communicating servers at random. >> >> On the OSSEC-SERVER >> >> run 'tcpdump -i eth0 host port 1514' >> >> see if the connec

Re: [ossec-list] Windows agents not connecting to OSSEC server

2014-10-13 Thread Grant L
Do this for about 5 non-communicating servers at random. On the OSSEC-SERVER, run 'tcpdump -i eth0 host port 1514'; see if the connection even makes it to the server. Also, note that OSSEC has to be installed as local admin or domain admin, else UAC kind of kills the application. Grant Leonard C
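The capture-and-look step above is easy to do by eye for five servers but not for a fleet. The following is an added example, not code from the list post or from the OSSEC project: it takes the text that `tcpdump -nn ... port 1514` prints on the server (OSSEC agents talk to the server on UDP/1514 by default, and `-nn` keeps addresses numeric so they parse) and reports which agent addresses actually reached the server and which expected agents never showed up. The capture text, the server address 10.0.0.1 and the agent addresses are constructed for the example; on a real server you would feed it `tcpdump -nn -i eth0 -c 500 port 1514` output instead.

```shell
#!/bin/sh
# Added example: summarise a tcpdump capture of OSSEC agent traffic to port 1514.
# Not part of the ossec-list thread; addresses and capture lines are constructed.

# Constructed sample of what `tcpdump -nn -i eth0 port 1514` prints on the server.
# Field layout: <time> IP <src>.<sport> > <dst>.<dport>: UDP, length <n>
SAMPLE_CAPTURE='12:00:01.000001 IP 10.0.0.21.54321 > 10.0.0.1.1514: UDP, length 160
12:00:01.000400 IP 10.0.0.1.1514 > 10.0.0.21.54321: UDP, length 120
12:00:02.000001 IP 10.0.0.22.40001 > 10.0.0.1.1514: UDP, length 160
12:00:03.000001 IP 10.0.0.21.54321 > 10.0.0.1.1514: UDP, length 160
12:00:04.000001 IP 10.0.0.23.33333 > 10.0.0.1.1514: UDP, length 160'

SERVER_IP=10.0.0.1   # assumed server address for the sample

# agents_seen <capture-text> <server-ip>
# Prints "<agent-ip> <packet-count>" for every source that sent to <server-ip>:1514.
# Replies from the server (server:1514 -> agent) are deliberately not counted.
agents_seen() {
    printf '%s\n' "$1" | awk -v srv="$2" '
        BEGIN { want = srv ".1514" }
        $2 == "IP" && $4 == ">" {
            dst = $5; sub(/:$/, "", dst)          # strip trailing colon
            if (dst == want) {
                src = $3; sub(/\.[0-9]+$/, "", src) # drop the source port
                count[src]++
            }
        }
        END { for (a in count) print a, count[a] }' | sort
}

# agent_reached <capture-text> <server-ip> <agent-ip>
# Exit status 0 if that agent sent at least one packet to the server, 1 otherwise.
agent_reached() {
    agents_seen "$1" "$2" | awk -v a="$3" '$1 == a { found = 1 } END { exit !found }'
}

# missing_agents <capture-text> <server-ip> <newline-separated expected agent IPs>
# Prints the expected agents that never appeared in the capture: those are the
# hosts where the problem is on the agent side or on the network, not on the server.
missing_agents() {
    seen=$(agents_seen "$1" "$2" | awk '{ print $1 }')
    printf '%s\n' "$3" | while read -r ip; do
        [ -n "$ip" ] || continue
        printf '%s\n' "$seen" | grep -qx "$ip" || printf '%s\n' "$ip"
    done
}

# Stand-alone run against the constructed sample.
echo "agents that reached ${SERVER_IP}:1514"
agents_seen "$SAMPLE_CAPTURE" "$SERVER_IP"
echo "expected agents with no traffic"
missing_agents "$SAMPLE_CAPTURE" "$SERVER_IP" "10.0.0.21
10.0.0.22
10.0.0.99"
```

An agent listed by `agents_seen` whose packets get no server reply in the same capture is a different failure (key mismatch, agent not yet in client.keys, remoted not running) from an agent that never appears at all, so check ossec.log on the server for the first group and the agent host or its firewall path for the second.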

Re: [ossec-list] Windows agents not connecting to OSSEC server

2014-10-13 Thread Grant L
That is kind of how it works for Windows; my company wrote a tool that will deploy them automatically for you. On Oct 13, 2014 12:20 PM, "David Masters" wrote: > The whole purpose of this exercise is to not have to go to each individual > machine to input the key and configuration. We have over

Re: [ossec-list] Re: local_rules question

2014-10-03 Thread Grant L
Level=0 makes no alert, as I am sure you are aware. See what your decoder.xml reports about SSHD and SSH: grep ssh /var/ossec/decoder.xml. There are tons of paths to start there. Grant Leonard, Castra Consulting, LLC, 919-949-4002. On Fri, Oct 3, 2014 at 2:26 PM, Mar