Re: [ossec-list] Setting Up High Availability Solution

2011-01-26 Thread ItsMikeE
The problem seems to have been a permissions issue. I noticed that although the UID and GID for ossec were the same on both servers, the UIDs for ossecm and ossecr were different. I re-ran the installation on the standby server with the correct UIDs, re-mirrored the data and (for the one agent I

Re: [ossec-list] Setting Up High Availability Solution

2011-01-25 Thread ItsMikeE
I believe that is the same discussion that I linked to when I started this topic. Active response is disabled.

Re: [ossec-list] Setting Up High Availability Solution

2011-01-25 Thread ItsMikeE
If you haven't tried this out, then who has? Does the error msg give any ideas as to what I can try apart from just waiting?

Re: [ossec-list] Setting Up High Availability Solution

2011-01-25 Thread ItsMikeE
Any idea how long that is likely to take?

[ossec-list] Setting Up High Availability Solution

2011-01-25 Thread ItsMikeE
Following on from the discussions in this topic I have attempted to set up a high availability solution. All servers are running RHEL 5. I had a working ossec master with /var/ossec on a separate filesystem. For the moment RIDS i

Re: [ossec-list] Re: high availability solution

2011-01-12 Thread ItsMikeE
Interesting, but not the method I had in mind. Your method would have the data split between two locations. I was thinking along the lines of: 1 server as master with a volume containing /var/ossec which is mirrored/copied to 2nd site. A second standby server with the mirrored disk mounted rea

Re: [ossec-list] Re: high availability solution

2011-01-12 Thread ItsMikeE
Has anyone set up a high-availability solution?

Re: [ossec-list] OSSEC in the Enterprise

2011-01-10 Thread ItsMikeE
On a different (but related) note, has anyone set up a second OSSEC server, to provide enterprise-level resilience?

[ossec-list] Re: How do I include a date/time check in a rule?

2010-12-23 Thread ItsMikeE
Thanks for that. This is what I was looking for On Dec 22, 7:20 pm, "dan (ddp)" wrote: > On Wed, Dec 22, 2010 at 8:19 AM, ItsMikeE wrote: > > I have seen an option to specify a time range in a rule (such as detecting > > logins during non-business hours). > > &

[ossec-list] How do I include a date/time check in a rule?

2010-12-22 Thread ItsMikeE
I have seen an option to specify a time range in a rule (such as detecting logins during non-business hours). Is there a way to specify days? I want to skip reporting on syslogd re-starting if it is at a specified time and date (i.e. don't report if it starts between 4am and 4:30 am on a Sunday

[ossec-list] syscheck database

2010-11-24 Thread ItsMikeE
On the ossec master there is a syscheck database for each agent (in /var/ossec/queue/syscheck). If the syscheck database has not been updated for a while (i.e. longer than the interval between runs of the syscheck on the agent) does this indicate that 1) Nothing being monitored has changed so the

[ossec-list] Re: Ignoring Security Scanner

2010-11-16 Thread ItsMikeE
Page 134 Ignoring IP Address .. Common problem with scanners .. 4 192.168.2.1 Ignoring rule any level above 4 from ip x. On Nov 15, 7:29 pm, "dan (ddp)" wrote: > > > I have set up an "ignore" along the lines of the description in the > > book (page 134), screening out the srcip. >

[ossec-list] Ignoring Security Scanner

2010-11-15 Thread ItsMikeE
There is a scanning device in my environment (we are running OSSEC 2.5.1 on RHEL 5). I have set up an "ignore" along the lines of the description in the book (page 134), screening out the srcip. That gets rid of most of the alerts, but ... This is an excerpt of /var/log/secure Nov 15 11:30:24 a

[ossec-list] Agent Classification

2010-10-28 Thread ItsMikeE
As I add more agents to ossec, I am beginning to see a need for classifying agents into groups. For example, it is more important to know about an alert to a live server than a development server. Similarly some applications are more high-profile than others. Is there a way to highlight that an a

[ossec-list] Re: Queue '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused' - on agent

2010-10-25 Thread ItsMikeE
Turned out to be caused by group ownership of etc/client.keys file. Somehow it had been set to root:root. Switched to root:ossec and OSSEC started up as normal. Thanks for your help On 25 Oct, 14:07, "dan (ddp)" wrote: > > What did you try? > > This is generally a misconfiguration somewhere on

[ossec-list] Queue '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused' - on agent

2010-10-25 Thread ItsMikeE
I created an RPM package to install OSSEC agent 2.4.1 on RHEL 5, using files created with a standard installation from an OSSEC agent. Updated the original agent to 2.5.1, and then packaged up those files again. When I start the agent I get multiple var/ossec/queue/ossec/queue error messages, bot

[ossec-list] syscheck and internal_options

2010-10-21 Thread ItsMikeE
I have some servers with a large number of files to be monitored (syscheck takes about 4 hours to run). Currently running OSSEC 2.4.1 on RHEL 5. Upgrade to OSSEC 2.5.1 is imminent. Currently I have left internal_options.conf with default values. Any recommendations on making changes to minimise th

[ossec-list] Re: Monitoring Overlapping Directories

2010-10-15 Thread ItsMikeE
Ran some tests, and the duplicate entries in the syscheck db do still cause problems (is there a wishlist for 2.6?). Will try creating a rule to ignore the stuff I don't want. Hopefully I can get away without alerting on new files. On Oct 14, 3:56 pm, "dan (ddp)" wrote: > I think it may still ha

[ossec-list] Re: Monitoring Overlapping Directories

2010-10-14 Thread ItsMikeE
Just re-read your original response, which I now realise I had misunderstood. Will test this out and report back. On Oct 14, 3:13 pm, "dan (ddp)" wrote: > > If I'm correct, then my original suggestion attempts to do this. I > still don't know if it will work. Trying to work around crazy rarely >

[ossec-list] Re: Monitoring Overlapping Directories

2010-10-14 Thread ItsMikeE
I don't see how I could set that up, unless I was sure that there would not be any new subdirectories under /application in the future.

[ossec-list] Re: Monitoring Overlapping Directories

2010-10-14 Thread ItsMikeE
Is there a way of making the restrictions in local rules? I could monitor from /application downwards with check_all Then in the local rule I would need to do some kind of match on where under /application it was. e.g. If /application then if progs then elseif spool then fi I know I can sp

[ossec-list] Re: Monitoring Overlapping Directories

2010-10-14 Thread ItsMikeE
I tried reversing the order of directories to be monitored /application/progs /application and received this alert Received From: server4->syscheck Rule: 550 fired (level 7) -> "Integrity checksum changed." Portion of the log(s): Integrity checksum changed for: '/application/progs/progf

[ossec-list] Re: Monitoring Overlapping Directories

2010-10-13 Thread ItsMikeE
I am not in the office to see the exact wording but the "other issues" are that I am getting multiple alerts of the type: File /application/binaries/progname has changed (1st time) Size from 12345 to 0 Checksum from a1b2c3 to xxx File /application/binaries/progname has changed (2nd time) Size fro

[ossec-list] Monitoring Overlapping Directories

2010-10-13 Thread ItsMikeE
I have several situations where I need to monitor directories that overlap. As an example: I have an application in /application Data is in /application/data Programs are in /application/binaries and /application/scripts There is also /application/spool, /application/tmp and potentially other sub

[ossec-list] Re: OSSEC 2.5 Question

2010-10-13 Thread ItsMikeE
Is there an ETA on 2.5.1? On Oct 7, 7:25 pm, "dan (ddp)" wrote: > This was an oversight in the 2.5 source. 2.5.1 should be out "Real > Soon Now," and will have this corrected. >

[ossec-list] Re: problem with rule

2010-10-12 Thread ItsMikeE
That's news to me. Is there an alternative? or do most people not use a GUI front-end? On Oct 11, 9:31 pm, "dan (ddp)" wrote: > There's a bug in the php. ossec-wui is pretty much dead at this point, > no one is maintaining the code.

[ossec-list] Re: ossec agents disconnecting

2010-09-27 Thread ItsMikeE
Any news on this one? I have been watching this thread hoping it will explain why I am getting seemingly random disconnects. On 20 Sep, 04:05, bcube wrote: > On Sep 18, 12:36 am, Tate Hansen wrote: > > > Have you observed any ossec process sustaining 100% cpu usage? > > Unfortunately no. My CPU

[ossec-list] Re: Override of generic rule

2010-09-23 Thread ItsMikeE
Once I had broken it into 2 rules and started testing, I realised that there were other rules (5503, 5720, 2501, 25020) which kick in on multiple authentication failures. So I lowered the level of rules 1002 and 5716, and am using the default rules listed above. Thanks for your help On 23 Sep, 11

[ossec-list] Override of generic rule

2010-09-23 Thread ItsMikeE
There is a syslog rule (1002) which looks for any one of a list of "bad words". On my RHEL servers this is picking up any mis-typed passwords Received From: (server) 123.456.789.012->/var/log/secure Rule: 1002 fired (level 2) -> "Unknown problem somewhere in the system." Portion of the log(s): Sep

[ossec-list] Re: error getting update info: tuple index out of range

2010-09-14 Thread ItsMikeE
yum seems unlikely in this situation, but at least I now know it is not OSSEC. Thanks for the help. On 13 Sep, 16:29, "dan (ddp)" wrote: > All of the google responses I got for the error message pointed at yum. >

[ossec-list] Re: error getting update info: tuple index out of range

2010-09-13 Thread ItsMikeE
:04 pm, "dan (ddp)" wrote: > On Sat, Sep 11, 2010 at 7:53 AM, ItsMikeE wrote: > > OSSEC is giving me an alert > > > "OSSEC HIDS Notification. > > 2010 Sep 11 12:43:23 > > > Received From: (server) 101.102.103.104->/var/log/messages > > Ru

[ossec-list] error getting update info: tuple index out of range

2010-09-11 Thread ItsMikeE
OSSEC is giving me an alert "OSSEC HIDS Notification. 2010 Sep 11 12:43:23 Received From: (server) 101.102.103.104->/var/log/messages Rule: 1002 fired (level 2) -> "Unknown problem somewhere in the system." Portion of the log(s): Sep 11 12:43:15 server error getting update info: tuple index out

[ossec-list] Re: Agent to Master

2010-09-10 Thread ItsMikeE
10 at 4:28 AM, ItsMikeE wrote: > > Suppose I have a problem with my OSSEC master. > > > I have the agent software running on another server and decide to use > > that as a replacement master. > > What do I need to do to change an agent into a master? > > > I unde

[ossec-list] Agent to Master

2010-09-10 Thread ItsMikeE
Suppose I have a problem with my OSSEC master. I have the agent software running on another server and decide to use that as a replacement master. What do I need to do to change an agent into a master? I understand the different use of ossec/etc/client.keys on agents and the master, and that I wo

[ossec-list] Re: Ignoring Rules for Filesystems that may be unmounted

2010-09-02 Thread ItsMikeE
I split out the 'match' statements into separate rules, and it seems to be working now. On Aug 31, 1:31 pm, ItsMikeE wrote: > I have some servers with filesystems that may be unmounted and > remounted. > > I need to monitor changes to some files within these filesystems,

[ossec-list] Baselines for syscheck

2010-09-02 Thread ItsMikeE
When syscheck is run for the first time it creates a baseline of files to be monitored. In the event of some changes from that baseline an alert is produced. As I see it there are two main reasons why files may have changed 1) Acceptable change - We are content that this does not indicate a breach

[ossec-list] Re: Ignoring Rules for Filesystems that may be unmounted

2010-09-01 Thread ItsMikeE
is subsequently mounted, then is it checked by syscheck? or would you need to restart the agent when the filesystem is mounted for that to happen? On Aug 31, 1:59 pm, "dan (ddp)" wrote: > On Tue, Aug 31, 2010 at 8:31 AM, ItsMikeE wrote: > > I have some servers with fil

[ossec-list] Ignoring Rules for Filesystems that may be unmounted

2010-08-31 Thread ItsMikeE
I have some servers with filesystems that may be unmounted and remounted. I need to monitor changes to some files within these filesystems, but filter out when the files disappear and re-appear. I have an entry in local_rules along the lines of: ossec 554 /mountpoint1 /mo

[ossec-list] Re: Using OSSEC to monitor OSSEC

2010-08-31 Thread ItsMikeE
The problem has not recurred, so I cannot progress this issue. On Aug 15, 7:41 pm, "dan (ddp)" wrote: > On Sat, Aug 14, 2010 at 4:37 AM,ItsMikeE wrote: > > Nothing unusual in ossec.log > > I have a few days off now, so it will be a while before I can try the > > d

[ossec-list] Re: Using OSSEC to monitor OSSEC

2010-08-14 Thread ItsMikeE
Nothing unusual in ossec.log I have a few days off now, so it will be a while before I can try the debug mode On Aug 12, 4:26 pm, "dan (ddp)" wrote: > I'm monitoring my ossec directories > (/var/ossec/bin,/var/ossec/etc,/var/ossec/rules) and am not seeing > this problem. > Any interesting entries

[ossec-list] Re: Using OSSEC to monitor OSSEC

2010-08-13 Thread ItsMikeE
This is not just happening on files under /var/ossec. I am getting alerts on various files which go from size xyz to 0, then a second alert as they go from 0 to xyz. On Aug 12, 2:12 pm, ItsMikeE wrote: > I am running OSSEC version 2.4.1 on RHEL installed in the default /var/ossec dir

[ossec-list] Re: regex and ignore

2010-08-12 Thread ItsMikeE
It worked. That is: FixedFileName where the directory varies, and the filenames are of the format FixedFileNameRandomChars Thanks for your help Dan On Aug 10, 3:34 pm, "dan (ddp)" wrote: > On Tue, Aug 10, 2010 at 8:01 AM, ItsMikeE wrote: > > Tried it on a simplified tes

[ossec-list] Using OSSEC to monitor OSSEC

2010-08-12 Thread ItsMikeE
I am running OSSEC version 2.4.1 on RHEL installed in the default /var/ossec directory. In my ossec.conf and agent.conf files I am monitoring ossec itself /var/ossec/bin /var/ossec/etc /var/ossec For both the server and the agents I am getting integrity checksum alerts such that vari

[ossec-list] Re: regex and ignore

2010-08-10 Thread ItsMikeE
Tried it on a simplified test system, and it is working. I will add to the actual systems and report back. On Aug 9, 10:03 pm, "dan (ddp)" wrote: > What about just FixedFileName? > > On Mon, Aug 9, 2010 at 4:25 AM, ItsMikeE wrote: > > Tried option 1, and that did n

[ossec-list] syscheck and filesystems which may or may not be mounted

2010-08-09 Thread ItsMikeE
I have an NFS filesystem which might be mounted on one or more servers. 1) How can I ensure that ossec only runs the syscheck tests once? 2) How can I avoid getting loads of alerts if the NFS is unmounted? e.g. I want to monitor files under /NFSmount/directory If /NFSmount is unmounted I get aler

[ossec-list] Re: regex and ignore

2010-08-09 Thread ItsMikeE
:48 pm, "dan (ddp)" wrote: > Have you tried ^FixedFilename > Or just: > ^/Monitored Directory1/FixedFilenameRandomChars > > It doesn't look like the sregex stuff includes > globbing: http://www.ossec.net/wiki/Know_How:Regex_Readme > > On Fri, Jul 30, 2010 at 3:

[ossec-list] Re: File integrity checking ignore syntax

2010-08-06 Thread ItsMikeE
I posted a similar question about 'regex and ignore' recently. I still have not got it to work. I suspect that I might need to write a local rule to provide an override for rule ids 550, 551, 552, 553 and 554. This seems rather kludgey to me (probably not a real word, but I am sure most of you wil

[ossec-list] Re: Using OSSEC to integrity check a clustered service

2010-08-03 Thread ItsMikeE
Thanks for the response Dave. This is for Linux (RHEL) only. I don't have a setup to test (yet) but I am thinking along these lines. There are 3 servers in a cluster. There may be more than one clustered service, and they would not all move together, so I would not want ossec agent to be a cluster

[ossec-list] regex and ignore

2010-07-30 Thread ItsMikeE
I am trying to get syscheck to ignore certain files in monitored directories. The filenames always start with the same characters, but end with effectively random characters (including pid number). So the files to ignore are:- /Monitored Directory1/FixedFilenameRandomChars /MonitoredDirectory2/Fi

[ossec-list] Using OSSEC to integrity check a clustered service

2010-07-27 Thread ItsMikeE
I have an application which will be running as a clustered service. I want to run standard integrity checks on this application. It could be on any one of three servers, and will move between these servers. I could not find any OSSEC documentation that relates to clusters I cannot monitor the clu

[ossec-list] Re: UID and GID of ossec

2010-07-23 Thread ItsMikeE
Can anyone confirm / deny that they have the same UID / GID on their ossec installation?

[ossec-list] UID and GID of ossec

2010-07-22 Thread ItsMikeE
I have done one server installation and one agent installation of ossec. In both cases the user ossec was created with a uid of 5626 and group ossec with a gid of 4067. Are these values fixed / hard-coded? I am now looking at installing further agents using the "Install Once Copy Everywhere" metho

[ossec-list] Re: ossec.conf on server and on clients

2010-07-20 Thread ItsMikeE
Thanks for this. Really useful. I cannot find centralized management in the book. It seems to have been written when 1.4 was the current version and this was introduced in 2.1 Some parts of the book are easier to understand than the site. On Jul 20, 2:52 pm, Jason 'XenoPhage' Frisvold wrote: > Fo

[ossec-list] ossec.conf on server and on clients

2010-07-20 Thread ItsMikeE
There is an ossec.conf file on both the server and the clients. Obviously on the client there is a section that details the server IP. For the syscheck section I am unclear on what is taken from the client and what is taken from the server. Suppose I want to monitor an additional directory /usr/

[ossec-list] Re: Why are file integrity checks not working / not taking place

2010-07-12 Thread ItsMikeE
Thanks for your response. I don't think realtime will be necessary, I just needed to understand what was going on.

[ossec-list] Different File Integrity Checks for files in the same directory

2010-07-12 Thread ItsMikeE
In the default ossec.conf (Unix/Linux 2.4) the directory /etc is monitored with all checks, then some files (such as /etc/mtab and /etc/hosts.deny) are excluded by using the tag. Can I modify this so that although most of /etc has all checks, there are specified files that can be monitored for c

[ossec-list] Re: Why are file integrity checks not working / not taking place

2010-07-12 Thread ItsMikeE
OSSEC has now identified the file changes, but not on the first run of syscheck. Could there be some kind of initial processing, like the setting up of a database of files to be monitored, that has to complete before the checks can run?

[ossec-list] Why are file integrity checks not working / not taking place

2010-07-12 Thread ItsMikeE
I have done a server installation on RHEL5. There are no agents yet. I am carrying out some basic testing and not seeing any file integrity checking. I have changed frequency to 90 seconds I have tried using both one of the standard directories (/usr/sbin) and a custom one (/var/ossec-test). The l

[ossec-list] Monitoring the OSSEC Server

2010-07-09 Thread ItsMikeE
Newbie question: I have just run a server installation on RHEL5. I have not yet installed any agents. I realise that if the server is breached, then the whole HIDS system is suspect, but I want to monitor the OSSEC server itself. Should this work out-of-the-box (using agent 000)? Is the server ins