Jacob,
I've got two VMs in an HA setup with 4 VCPUs and 16GB of memory supporting
almost 2K servers. Your mileage may vary depending on how much data your
agents are sending the servers.
--Josh
On Wed, Aug 20, 2014 at 3:27 PM, Jacob W wrote:
> Glad I found this group. I am new to the securit
If I remember correctly, it's the max size of the data structure that
stores the values of client.keys. That gets read each time an agent
connects so as long as the current line count on that file is <= 1000, you
should be fine.
--Josh
On Tue, Aug 19, 2014 at 7:38 AM, dan (ddp) wrote:
> On Mo
We are running a few thousand servers with the OSSEC agents feeding data
into two servers. At times Active Response will be blocking upwards of 500
IPs. One problem that I've encountered is when restarting ossec on the
agents, it will trigger a script run of host-deny.sh and firewall-drop.sh
for
ave: logstash doesn't create any index in
> Elasticsearch cluster and I don't know why. Have you met this issue?
> However, Elasticsearch instance detects logstash instance. And when I
> configure in logstash's file config, to send output in stdout, I get
> something, the r
question,
> where exactly is it safe to put the repeat offenders code? Which file?
> local_rules.xml? last time I played with local_rules and ossec.conf I got
> configuration errors that I couldn't recover from.
>
>
> On Thursday, May 22, 2014 5:34:01 PM UTC-4, Joshua Gar
1. The repeat offenders setting works really well for me, here are my
settings for the firewall-drop active response (values as posted; the
element names are the standard OSSEC active-response fields):

    <active-response>
      <command>firewall-drop</command>
      <location>all</location>
      <level>6</level>
      <timeout>900</timeout>
      <repeated_offenders>30,60,720,1440,2880</repeated_offenders>
    </active-response>
2. If they are attacking you from a shared address you could lose viewers.
If the percentage is low enough you may not car
I'm pretty sure OSSEC agent/servers send ACK messages when they receive a
message and also have a counter associated with what messages they've
sent/received. I've had network issues between my agent and servers and
once the connection is restored I see a large spike of messages as the
server catc
Sercan,
There are a few ways you can handle this. 2GB a day seems a little on the
high side for 200+ clients, so you may want to look at creating rules for
noisy non-security related messages as severity 0, which essentially
/dev/nulls the messages. The other option is to use the log_alert_level
a loop. What have I done wrong?
>
> Sercan
>
> On Tuesday, 8 April 2014 05:24:36 UTC+1, Joshua Garnett wrote:
>
>> Hi Sercan,
>>
>> - Kibana/Elasticsearch uses Lucene syntax by default. To filter
>>   Alert Level 5 or above use: severity:[5 TO *]
>> -
field. It'd be easy to add in if you prefer it.
--Josh
On Mon, Apr 7, 2014 at 1:31 PM, sercan acar wrote:
> Thank you Joshua Garnett. I've switched from syslog to localhost to
> reading the log file directly.
>
> Few questions:
>
> - Is there a way to filter wit
oes just what you're looking for.
>
> https://github.com/deadpoint/ossec
> --
> Later,
> Darin
>
>
> On Sun, Apr 6, 2014 at 1:14 PM, Joshua Garnett wrote:
> > All,
> >
> > I'm looking for best practices for rolling out OSSEC to cloud b
All,
I'm looking for best practices for rolling out OSSEC to cloud based
environments such as AWS. One of the biggest problems I'd like to address
is developer environments that may be constantly going up and down.
Ideally I'd be able to put together a prebaked AMI that has an OSSEC agent
alread
"type":"string",
"index":"not_analyzed"
},
"geoip":{
"type" : "object",
"dynamic": true,
"path": "full",
"propert
All,
I'm getting this alert also in 2.7.1. I tried writing a rule to filter
them, but it caused remoted to not want to work properly. I'd welcome a
hack at this point, if not a proper fix.
--Josh
On Thu, Mar 13, 2014 at 4:37 AM, Bib Kam wrote:
> Hello,
>
> I'm using OSSEC 2.7 but I get stil
Aaron,
Almost all of the pre-existing rules are built around the analyzing of
syslog or similar formatted lines. To support JSON input would be a
sizable undertaking. Assuming you had the right JSON format, you'd
probably want to skip phase 1 of the log analysis. All of that said, I've
found th
All,
I'll probably write a blog post on this, but I wanted to share some work
I've done today.
http://vichargrave.com/ossec-log-management-with-elasticsearch/ shows how
to use OSSEC's syslog output to route messages to Elasticsearch. The
problem with this method is it uses UDP. Even when sending
t comes in
> (in my original message) it never decodes it. I'll triple check that the
> syslog event from the SWG is in fact what I'm testing against.
>
>
>
> *From:* ossec-list@googlegroups.com
> [mailto:ossec-list@googlegroups.com]
> *On Behalf Of *Joshua Garnett
Correct me if I'm wrong, but I don't believe you need to set up the match
statements for the date and hostname. I think that should just become:
^M86 SWG Web Event
- Action: (\w+);
action
--Josh
On Fri, Feb 28, 2014 at 9:47 PM, Nathaniel Bentzinger <nbentzin...@archer-group.com>
I actually ran into this issue this week. After restarting a cluster a few
instances didn't want to start the OSSEC agent. It was eventually
determined that the /var/ossec permissions had gotten messed up. The
puppet module we were using was creating ossec, ossecr, and ossecm on the
agents and a
I've done this on a rule by rule basis. For instance, if your monitoring
system scans the ssh ports of your servers, it's useful to downgrade that
alert.
5706
10.1.2.3
Monitoring server scanning SSH port
--Josh
On Friday, February 7, 2014 2:17:33 AM UTC-5, Dolph Rocks wrote:
Hi,
https://groups.google.com/forum/#!topic/ossec-list/iauQG7DrSM8 has some
good hints on how to do this.
Main points:
* Spin up your other OSSEC server
* Add additional server_ip to your agent configuration
* In agent & server internal_options.conf files, set remoted.verify_msg_id=0
* Keep cli