If it hasn’t changed since I last looked at this, in the client.keys – on Win7
x64 that’s in C:\Program Files (x86)\ossec-agent
--
James Pulver
CLASSE Computer Group
Cornell University
From: ossec-list@googlegroups.com [mailto:ossec-list@googlegroups.com] On
Behalf Of Matthew Halder
Sent: Wedne
I believe you have to define the commands you’re going to call in the client
conf file.
--
James Pulver
CLASSE Computer Group
Cornell University
From: ossec-list@googlegroups.com [mailto:ossec-list@googlegroups.com] On
Behalf Of Brian Kellogg
Sent: Tuesday, March 17, 2015 5:40 PM
To: ossec-list
This was discussed a bunch of times on this list – search the history…
--
James Pulver
CLASSE Computer Group
Cornell University
From: ossec-list@googlegroups.com [mailto:ossec-list@googlegroups.com] On
Behalf Of Henry Collins
Sent: Wednesday, March 04, 2015 10:00 AM
To: ossec-list@googlegroups.c
You can just create your own client.keys file with the client key from the
OSSEC server. I have a script I use that autoinstalls OSSEC, and I’ve posted
them before to the list…
--
James Pulver
CLASSE Computer Group
Cornell University
From: ossec-list@googlegroups.com [mailto:ossec-list@googlegr
googlegroups.com] On
Behalf Of Mauricio Tavares
Sent: Wednesday, September 17, 2014 10:50 AM
To: ossec-list@googlegroups.com
Subject: Re: [ossec-list] I want to get rid of OSSEC's Windows GUI. What do you
think?
On Wed, Sep 17, 2014 at 10:29 AM, James M. Pulver wrote:
> I’m perfectly happy
I’m perfectly happy to not have the GUI. I would like to keep the key file the
same so my wrapper install script can just drop in the key.
--
James Pulver
CLASSE Computer Group
Cornell University
From: ossec-list@googlegroups.com [mailto:ossec-list@googlegroups.com] On
Behalf Of SoulAuctioneer
e better invested in other parts of OSSEC, because there
are already better solutions for reliable log shipping.
-artien
On 06/18/2014 03:21 PM, James M. Pulver wrote:
> I think OSSEC should be a good logging daemon. How do you generate alerts if
> you can't guarantee you get the l
sity
-Original Message-
From: ossec-list@googlegroups.com [mailto:ossec-list@googlegroups.com] On
Behalf Of Jeremy Rossi
Sent: Wednesday, June 18, 2014 8:49 AM
To: ossec-list@googlegroups.com
Subject: Re: [ossec-list] logall
>
> * James M. Pulver [2014-06-18 12:03:15 +]:
>
Maybe I’m crazy, but I think OSSEC is like a log daemon +…
It’s cross platform, it includes encryption, it has built in filtering and can
do active response. Why would it make sense to duplicate log shipping if you
need it to do the security stuff? I.e. OSSEC ought to be a good log aggregator
to
sec-list@googlegroups.com>
[mailto:ossec-list@googlegroups.com] On Behalf Of James M. Pulver
Sent: Tuesday, March 25, 2014 10:44 AM
To: ossec-list@googlegroups.com<mailto:ossec-list@googlegroups.com>
Subject: RE: [ossec-list] Auto-register windows clients
You will indeed need the bash scri
sec-list@googlegroups.com>
[mailto:ossec-list@googlegroups.com] On Behalf Of James M. Pulver
Sent: Tuesday, March 25, 2014 8:05 AM
To: ossec-list@googlegroups.com<mailto:ossec-list@googlegroups.com>
Subject: RE: [ossec-list] Auto-register windows clients
I think if you search the list you
I think if you search the list you should find some options. I know I posted
generic versions of the two scripts I use to do this (one is AutoIT on Windows,
the other is on Linux in bash if I recall correctly and it needs a sudo
permission)…
--
James Pulver
CLASSE Computer Group
Cornell Univers
Wait, you're getting rid of the built in rules? That was the entire reason I
was using OSSEC, some auto classification. Otherwise I'd just have saved a lot
of pain and used syslog...
James Pulver
From: ossec-list@googlegroups.com on behalf of
dan (ddp)
It is extremely important that you don't define "Recent Versions of Linux" as
the last 2 versions of Ubuntu or Fedora. It should be more like the last 2
versions of Debian Stable or RHEL...
--
James Pulver
CLASSE Computer Group
Cornell University
-Original Message-
From: ossec-list@goo
Ossec is unlikely to help as it needs a Linux server to do anything.
--
James Pulver
CLASSE Computer Group
Cornell University
From: ossec-list@googlegroups.com [mailto:ossec-list@googlegroups.com] On
Behalf Of Prof
Sent: Tuesday, February 18, 2014 11:16 AM
To: ossec-list@googlegroups.com
Subject
I think I’ve posted before, but I wrote an autoit script to use plink to log in
to the ossec server and run a script there that passes the agent key for
install. I’d personally love to see authd on Windows, but I quickly got out of
my compiler knowledge trying to compile that for testing.
--
Ja
I'm going to take a look, but I also need to do this on Windows, and it looks
like this omits Windows completely for the agent...
--
James Pulver
CLASSE Computer Group
Cornell University
-Original Message-
From: ossec-list@googlegroups.com [mailto:ossec-list@googlegroups.com] On
Behalf
I would argue no, OSSEC should do what Fail2ban does and more.
--
James Pulver
CLASSE Computer Group
Cornell University
-Original Message-
From: ossec-list@googlegroups.com [mailto:ossec-list@googlegroups.com] On
Behalf Of fi...@linuxbsdos.com
Sent: Tuesday, December 24, 2013 5:19 AM
To
Very soon I should start getting logs from Server 2008R2 domain controller, and
will also have Windows 7 x64 clients reporting...
We have 500+ user accounts, with probably 300 active users.
I see this is a little newer than you were looking for, but would my collecting
these logs help?
--
Jam
Not really - you can recompile the server for a higher limit rather easily and
non-destructively for your configuration.
--
James Pulver
CLASSE Computer Group
Cornell University
From: ossec-list@googlegroups.com [mailto:ossec-list@googlegroups.com] On
Behalf Of Chris Lauritzen
Sent: Friday, Sep
s.com [mailto:ossec-list@googlegroups.com] On
Behalf Of Michael Starks
Sent: Tuesday, September 24, 2013 11:48 AM
To: ossec-list@googlegroups.com
Subject: RE: [ossec-list] Client.keys
On 24.09.2013 09:54, James M. Pulver wrote:
> The problem is there is (as far as I can tell in 2.7.1 install) no
10:58 AM
To: ossec-list@googlegroups.com
Subject: Re: [ossec-list] Client.keys
On Tue, Sep 24, 2013 at 10:54 AM, James M. Pulver wrote:
> The problem is there is (as far as I can tell in 2.7.1 install) no
> agent-auth.exe ... so how do we test it?
>
Build it.
> --
> James
TC-5, Jared wrote:
>
> Chris,
>
> Agent / Client = 1 client.keys file with a single entry in it.
> C:\Program Files (x86)\ossec-agent\client.keys = 1 entry
>
> Server / Manager = 1 client.keys files with an entry for every agent that is
> registered.
> /var/ossec/etc/cli
The benefit of a mailing list is of course that you can find out if your issue
is actually a bug before submitting a ticket and having it closed immediately.
"Hit and run" reporting rarely gets your bug fixed I've found.
Maybe I'm an old "fuddy duddy", but signing up for a mailing list seems to
Yes, each client has a unique client.keys.
--
James Pulver
CLASSE Computer Group
Cornell University
From: ossec-list@googlegroups.com [mailto:ossec-list@googlegroups.com] On
Behalf Of Chris Lauritzen
Sent: Thursday, September 19, 2013 9:46 AM
To: ossec-list@googlegroups.com
Subject: Re: [ossec-l
I have just tested an amalgamation of AutoIT on the Windows side, with some help
from plink and some batch scripting on the linux side to log in and create the
appropriate key, extract it and put it in client.keys.
However, you do need sudo permissions for the login account you use from the
windo
I am far from an expert, but
1) It uses null routes I believe
3) It uses active response, but you probably need to turn it on.
4) Yes, that has to do with the rules definitions, or your own rules
--
James Pulver
LEPP Computer Group
Cornell University
From: ossec-list@googlegroups.com
In a limited pilot. I plan to deploy OSSEC widely, as soon as I have time (been
trying for a year lol)… There are no specific tweaks needed that I’ve seen.
--
James Pulver
LEPP Computer Group
Cornell University
From: ossec-list@googlegroups.com [mailto:ossec-list@googlegroups.com] On
Behalf Of
I use SEP12.1 and can’t say that it does anything like OSSEC as far as I can
tell. It doesn’t collect third party logs, it doesn’t have programmable
“active-response”. I suppose at the highest level, it does have an agent that
looks for behaviors, takes actions and reports back to a server – but
The last link seems to be 404...
--
James Pulver
LEPP Computer Group
Cornell University
-Original Message-
From: ossec-list@googlegroups.com [mailto:ossec-list@googlegroups.com] On
Behalf Of techsupp...@ecsc.co.uk
Sent: Tuesday, May 15, 2012 4:55 AM
To: ossec-list
Subject: [ossec-list] A
The problem with Splunk to me is it isn't open source, and hence is or can be
expensive.
--
James Pulver
LEPP Computer Group
Cornell University
-Original Message-
From: ossec-list@googlegroups.com [mailto:ossec-list@googlegroups.com] On
Behalf Of PS
Sent: Tuesday, February 28, 2012 10:
No, I was going to look into deploying Graylog2 for the log searching, but it
does seem inefficient vs the WUI...
--
James Pulver
LEPP Computer Group
Cornell University
-Original Message-
From: ossec-list@googlegroups.com [mailto:ossec-list@googlegroups.com] On
Behalf Of PJG
Sent: Tues
mechanism could be used, a simple bash
script could generate the server side client.keys file, and all the
client side single entry files.
Scott
On Wed, Nov 16, 2011 at 3:36 PM, James M Pulver wrote:
>
> Sure. Autoit + plink + a script on the linux side.
>
> Linux bash script is osseclep
36 PM, James M Pulver wrote:
>
> Sure. Autoit + plink + a script on the linux side.
>
> Linux bash script is ossecleppadd.txt, when setting up on Linux remove the
> .txt or alter autoit script appropriately.
>
>
>
> Note, you'll need sudo to allow the user on linux
EW SECTION
password:**END SECTION
**NEW SECTION
password:**END SECTION
Thanks
Brad
On 11/16/11, James M Pulver wrote:
> Sure. Autoit + pli
list@googlegroups.com]<mailto:[mailto:ossec-list@googlegroups.com]>
On Behalf Of James M Pulver
Sent: Wednesday, November 16, 2011 2:36 PM
To: ossec-list@googlegroups.com<mailto:ossec-list@googlegroups.com>
Subject: RE: [ossec-list] Re: Unattended Agent Install
Sure. Autoit + plink + a scr
groups.com [mailto:ossec-list@googlegroups.com] On
Behalf Of ninefofo
Sent: Wednesday, November 16, 2011 2:31 PM
To: ossec-list@googlegroups.com
Subject: Re: [ossec-list] Re: Unattended Agent Install
Scripts for AutoIT? If so can you share?
On Wed, Nov 16, 2011 at 12:10 PM, James M Pulver
I assume you could modify the scripts I've created for 2.5 ... Maybe not very
much if the file formats haven't changed...
--
James Pulver
LEPP Computer Group
Cornell University
-Original Message-
From: ossec-list@googlegroups.com [mailto:ossec-list@googlegroups.com] On
Behalf Of Barnes,
I don't know if there are guidelines per se, but what I did is wrapped the
installer on Windows with an autoit script and provided a pre-filled ossec.conf
for the server IP. On Linux I have a script that wraps the ossecbatch perl
program that comes with it, and parses for the key to send over to
Well, not silently, it still pops up a command window for a second in my
experience.
--
James Pulver
Information Technology Area Supervisor
LEPP Computer Group
Cornell University
-Original Message-
From: ossec-list@googlegroups.com [mailto:ossec-list@googlegroups.com] On
Behalf Of Mich
I'm new to OSSEC, so maybe I'm missing something, but one of the tips is to use
active response on Windows to restart the agents when ossec.conf changes. It
doesn't really explain however how to do that. If I just enable active
response, does Windows agents then automatically restart on changes
The biggest problem for me was the need to write scripts to deploy the agents,
specifically on Windows clients. I expect the new auth-d would work on Linux
but didn't seem to be supported on Windows.
The second thing for me is the difficulty of getting the logs viewable in some
web based method
It seems to work for me on Windows 7.
--
James Pulver
Information Technology Area Supervisor
LEPP Computer Group
Cornell University
-Original Message-
From: ossec-list@googlegroups.com [mailto:ossec-list@googlegroups.com] On
Behalf Of Aleksey Lipatov
Sent: Wednesday, October 26, 2011 6:
The big issue I’ve had is that if I use the built in syslog generation, all the
events appear to come from the OSSEC server. So if it can fake the “location”
to be where it actually comes from, then I could indeed use any syslog frontend.
--
James Pulver
Information Technology Area Supervisor
LE
x27;s a waste of time and
resources. If you don't, you're more than welcome to work on it. If
you can't code, find someone who can.
Saying that other people devote time to it is silly.
On Fri, Oct 21, 2011 at 8:51 AM, James M Pulver wrote:
> Well, implementing OSSEC is a big enough
st@googlegroups.com [mailto:ossec-list@googlegroups.com] On
> Behalf Of dan (ddp)
> Sent: Thursday, October 20, 2011 3:12 PM
> To: ossec-list@googlegroups.com
> Subject: Re: [ossec-list] ossec-wui BUG
>
> On Thu, Oct 20, 2011 at 2:47 PM, James M Pulver wrote:
>> Well the only
Other products do the "log viewing" bit much better than WUI ever
could, so working on that bit is silly. That pretty much leaves the
syscheck db stuff. Anything else?
On Thu, Oct 20, 2011 at 1:02 PM, James M Pulver wrote:
> Replying somewhat belatedly, I also would like to see the W
Replying somewhat belatedly, I also would like to see the WUI updated to work
with 2.6 line of OSSEC. I'm not a programmer really though so I don't know that
I would be able to do much... But there is interest I think.
--
James Pulver
Information Technology Area Supervisor
LEPP Computer Group
Cor
I tried, and logstash web gui didn’t seem to work as well – i.e. it kept
crashing with out of memory errors. Plus I think it had to make a second copy
of all the logs. . . Maybe I’m confused though.
--
James Pulver
Information Technology Area Supervisor
LEPP Computer Group
Cornell University
Fr
I don't know about reports, but I've tried most of the OSS implementations of
search and basically decided to stick with 2.5.x and the ossec-web interface
and look into possibly updating it to work with 2.6 in the future.
--
James Pulver
Information Technology Area Supervisor
LEPP Computer Group
The webinterface didn't seem to work for me with 2.6 though (maybe because it
was an upgrade from 2.5 and there were some posts about mysql issues?) and I
understand it isn't being updated, so I'm not sure it's worth getting used to . . .
--
James Pulver
Information Technology Area Supervisor
L
c-list@googlegroups.com
Subject: Re: [ossec-list] Have OSSEC generated syslogs more "correct"
On Wed, 20 Jul 2011 14:51:43 -0400, James M Pulver wrote:
> I'm looking at using syslog from the OSSEC server to a web frontend
> of a sort, and I'm not sure they're the best f
ding OSSEC.. It makes
searching so much faster.
-Kat
On Jul 20, 1:51 pm, James M Pulver wrote:
> I'm looking at using syslog from the OSSEC server to a web frontend of a
> sort, and I'm not sure they're the best format they could be. That said, I
> also don't know
I'm looking at using syslog from the OSSEC server to a web frontend of a sort,
and I'm not sure they're the best format they could be. That said, I also don't
know if part of it is the syslog standard.
It seems to me that the source_host should be the OSSEC location, not the
server where OSSEC
Does this release support authd to Windows agents? It didn't seem to work with
the beta release...
--
James Pulver
Information Technology Area Supervisor
LEPP Computer Group
Cornell University
-Original Message-
From: ossec-list@googlegroups.com [mailto:ossec-list@googlegroups.com] On
In the beta, the authd didn't seem to work with Windows agents - does this work
in this final release?
--
James Pulver
Information Technology Area Supervisor
LEPP Computer Group
Cornell University
-Original Message-
From: ossec-list@googlegroups.com [mailto:ossec-list@googlegroups.com]