Hi, I run a minor website http://socct.org, unfortunately the acronym
coincides with https://www.wikileaks.org/wiki/SOCCT_(military). For the
last two days the site has been taking multiple brute force attacks. Apart
from changing our name, any suggestions? I have added an extension rule to
uez
wrote:
> Hello Martin
>
> If you are referring to include the archive logs (system log files,
> program log files, etc) you only need to monitor an empty file with Ossec,
> and then add all contents of your file inside this file: i.e. cat
> old_log_file.log >> empty_file.log
hat's possible.
Thanks
Martin.
--
---
You received this message because you are subscribed to the Google Groups
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to ossec-list+unsubscr...@googlegroups.com.
For more
Hello,
I'm getting a bit lost with the port opening for ossec.
Let's say I have 3 machines running on ubuntu 16.04. I do a fresh install
of OSSEC manager on the machine A and a fresh install of ossec agent on
both B & C.
Now I want to register my machines B & C using ossec-authd;
I have th
Hello,
Thank you for your answers !
This is finally working, what I had to do was to allow the traffic through
1514 with the following ;
*On the agent :*
- sudo iptables -D INPUT -j DROP
- iptables -A INPUT -p UDP --dport 1514 -s 10.0.0.1 -j ACCEPT
- iptables -A INPUT -p UDP --dport
Even after 1 hour my agents won't connect to the second manager.
Here are the steps that I've done so far;
- Having my two managers with the same ossec.conf, local_decoder,
local_rules, client, client.keys
- Opening the port 1514 on all the agents and the manager.
- Specify the manag
Hello Victor,
I tried to run a second manager and I've the same file
/var/ossec/etc/client.keys
on it and on the first manager. I've copied the local_rules, ossec.conf,
local_decoder as well.
And I've specified on the agents to listen on him as you told me ;
10.0.0.1 10.0.0.2
My first man
Is it possible to deploy them (agents) easily via chef ?
Thank you again for your answers!
Best regards.
I know it is possible with "Unattended Source Installation" but I'd still
have to add these agents manually on the manager, or is there another way :)
?
Hi Victor,
Now that I know it is possible to have a second manager in case the first
one stops running, I'm wondering, is there a proper way to copy the first
manager to duplicate it? That way I won't have to configure the second
manager as I did with the first one.
And I was looking as well
Hello everyone,
I was wondering, what happens if the "manager" bugs / shuts down?
It might sound stupid, but what behavior will the agents have? Will they
make my server bug, consume too much cpu/ram, or try to send messages all
the time, etc.?
Is there a way to have a second manager as a backu
Indeed it was evaluated first because the level of the rule 2501 (5) is
higher than my rule.
Thank you for your answer !
Oh ok thank you, you made it clear for me !
Hello,
I have this kind of log coming from a custom app
>
> [2017-03-23 10:18:01] app.ERROR: Authentication failure for IP: 172.17.0.1
> [] []
I'm trying to block an IP with too many authentication failures.
So I did a custom decoder which is working ;
^\p\d\d\d\d-\d\d-\d\d \d\d:\d\d:\d\d\p
Ok the problem was that I thought that all as stated
in the doc would execute the command everywhere (meaning on all the agents
& the server).
But "all" means all the agents except the server.
In order to execute the command on all the agents and the server, I had to
duplicate the active-resp
Hello,
It is working now, I've reinstalled my setup. After having modified the
files, I did: */var/ossec/bin/ossec-control restart* on the server and all
the agents. Before, I was doing this on the server only and
*/var/ossec/bin/agent_control
-R* for the agents (but maybe my files were wro
ter 6 attempts ..
On Wednesday, 15 March 2017 at 19:01:37 UTC+1, dan (ddpbsd) wrote:
>
> On Wed, Mar 15, 2017 at 7:25 AM, Martin >
> wrote:
> > Hello,
> >
> > First, i'm sorry if the question has already been asked.
> >
> > So what i'm trying
Hello,
First, i'm sorry if the question has already been asked.
So what i'm trying to achieve is this ;
If someone fails to log in too many times on one of my agents, I want this IP
to be dropped on all other agents and the server.
Same goes the other way around: if someone tries on the server I want
Hello,
i have this problem, you could say. I need Ossec to crunch modified logs
(syslogs). Our syslog message is as follows.
*Example message:*
[syslog-1] Mar 13 06:25:16 my-server-1 syslog-ng[1012]: EOF on control
channel, closing connection;
*Format:*
[TAG] syslog_timestamp syslog_host syslo
Nevermind, i see i need to run version *v2.9.0beta05*.
Thanks !
On Monday, August 15, 2016 at 5:35:20 PM UTC+2, Martin Dulovič wrote:
>
> Thanks for a quick response!
>
> Today I installed the latest version (2.8.3) and alert still look like
> this:
>
>
> <132&g
su[12372]: + /dev/pts/3 root:root
On Monday, August 15, 2016 at 4:30:45 PM UTC+2, dan (ddpbsd) wrote:
>
> On Mon, Aug 15, 2016 at 8:34 AM, Martin Dulovič
> > wrote:
> > Hi,
> >
> > I need to modify csyslogd in a way that it will send alerts with
> &qu
Hi,
I need to modify csyslogd in a way that it will send alerts with "decoder
name" or group "rule group name".
Original alert:
Alert Level: 3; Rule: 5715 - SSHD authentication success.; Location: (jul)
192.168.2.0->/var/log/messages; srcip: 192.168.2.190; user: root; Jul 25
13:26:24 slacker
Thanks for a quick response and help !
Hi,
so I am working on a decoder for Sophos UTM. I have written part of the decoder,
it passes ossec-regex but fails ossec-logtest.
Here is the log that I am trying to parse:
May 13 15:30:37 10.169.200.70 2016:05:13-15:30:38 sophos-dc-1 httpproxy[6896
]: id="0001" severity="info" sys="SecureWeb" sub="http"
yes
2015-05-08 20:39 GMT+02:00 dan (ddp) :
> On Fri, May 8, 2015 at 2:36 PM, pmartin2b wrote:
> > Hi,
> > I used this configuration in ossec.conf to receive email from ossec
> >
> >
> > 1
> > 6
> >
> >
> > but I already received alert from level 2.
> > how can I change the ossec.conf
On Friday, 20 February 2015 04:59:28 UTC-7, dan (ddpbsd) wrote:
>
> On Thu, Feb 19, 2015 at 10:25 PM, Martin G > wrote:
> > Hi,
> >
> > I'm new to Ossec and I have it configured and setup using the 2.8.1
> virtual
> > appliance. Everything is worki
aking
any difference.
Is there some master switch to turn active response on?
What am I missing in order to get this working?
Thanks for the help
Martin
Ok, I understand it now. I thought size/permission changes would be a
different rule, not 550.
Thanks!
On Thu, Jan 15, 2015 at 4:27 PM, dan (ddp) wrote:
> On Thu, Jan 15, 2015 at 9:45 AM, Martin Kvocka wrote:
> > Yes, here are two:
> >
> > ** Alert 1421201008.92848: m
1d79ffb191f86e52'
New md5sum is : '02bae5f0b36acaa39b894111efabb0f3'
Old sha1sum was: '3a02dc803999a7e66304c0bf7d501ed3dad03f75'
New sha1sum is : '99eb652ad7dd9e2c782c5599d1eaa5e3dc2078fb'
On Thursday, January 15, 2015 at 2:19:26 PM UTC+1, dan (ddpbsd) wrote:
>
> On Thu, Jan 15, 2015 a
.
Thanks for your help dan.
On Wed, Jan 14, 2015 at 3:52 PM, dan (ddp) wrote:
> On Wed, Jan 14, 2015 at 4:56 AM, Martin Kvocka wrote:
> > Hi,
> >
> > I managed to get the samples. In manager syscheck queue I found the
> > following:
> >
> >
> #++0:
ust realized that the .xel file seems to be a log file and may change
often - may this be the cause?
Thanks,
MK
On Tuesday, January 13, 2015 at 3:43:21 PM UTC+1, dan (ddpbsd) wrote:
>
> On Tue, Jan 13, 2015 at 9:40 AM, Martin Kvocka > wrote:
> > Hi,
> >
> > we have Osse
Hi,
I'll try to simulate this tomorrow in virtual machines, as I don't have the
necessary access to the environment (I only receive the logs from syslog).
I'll post the results.
MK
On Tuesday, January 13, 2015 at 3:40:26 PM UTC+1, Martin Kvocka wrote:
>
> Hi,
>
>
Hi,
we have Ossec server/agents (2.7.0) for monitoring file integrity. Both
include check_all="yes" in their syscheck configurations. The agents work
perfectly and report file changes including their old/current MD5 and SHA1
hashes. However, logs from the Ossec server machine report only file
Okay, thanks for the clarification. Is there a point at which old entries
are then purged from the file (or do they remain in there forever)?
On 28 October 2014 08:47, dan (ddp) wrote:
> On Tue, Oct 28, 2014 at 9:42 AM, Andrew Martin
> wrote:
> > I am also interested in this to
I am also interested in this topic. If I am understanding it correctly,
each time OSSEC scans a client, it essentially creates a list of metadata
for each matching file (including filesize, modification time, md5sum,
sha1sum, filename, etc). From what I can see, this data is stored in
/var/osse
Removing the sections did the trick. Thanks!
On Thursday, September 18, 2014 5:10:13 PM UTC-7, Dave Martin wrote:
>
> I recently installed OSSEC 2.8 and have been adding rules to
> local_rules.xml with no problems until today.
>
> When I add the following rule:
>
>
>
Thanks all. I've attached a sanitized local_rules.xml file that exhibits
the problem. On my system, if I uncomment the last rule in the file and
restart OSSEC, it throws the errors.
Cheers!
On Thursday, September 18, 2014 5:10:13 PM UTC-7, Dave Martin wrote:
>
> I recently inst
If I delete another rule, the one in question can be added with no errors.
I guess we can only have 17 rules. :-)
Cheers!
On Thursday, September 18, 2014 5:10:13 PM UTC-7, Dave Martin wrote:
>
> I recently installed OSSEC 2.8 and have been adding rules to
> local_rules.xml with no
I recently installed OSSEC 2.8 and have been adding rules to
local_rules.xml with no problems until today.
When I add the following rule:
syslog
%ASA-3-305006: regular translation creation failed for
icmp
Ignore Cisco ASA error 305006
I see the following errors on restart:
2
Not for me, but apparently it does for others.
On Tuesday, March 12, 2013 11:56:56 AM UTC-4, dan (ddpbsd) wrote:
>
>
> On Mar 12, 2013 11:40 AM, "Martin Gottlieb"
> >
> wrote:
> >
> >
> > Hello,
> >
> > I have added the repeated_of
hanks.
Martin
PS. Sorry if this is a duplicate posting, I tried posting through the
web interface and it didn't show up.
doing that.
Am I missing something?
Thanks.
Martin
web server; adding a firewall rule
to block the X-Forwarded-For IP wouldn't have any effect.
Thanks.
On 23 May 2011 19:52, Martin Gottlieb wrote:
Are the active responses getting the ELB IP addresses from your
Apache access/error log
, you might want to look into mod_rpaf, which
replaces the proxy IP addresses
with the actual client IPs. This solution relies on the proxy servers
(or load-balancers in your case)
adding a header ( X-Forwarded-For ) to the request that gets passed on
to Apache.
Hope this helps.
Martin
On 5
On 5/4/2011 10:26 PM, Michael Starks wrote:
On 05/04/2011 08:32 PM, Martin Gottlieb wrote:
When I ran the command: sed -n 16741p
logs/alerts/2011/May/ossec-alerts-04.log | bin/ossec-logtest
from within /var/ossec, the decoder did not extract the user and srcip
fields. I then ran:
sed -n 16741p
spaces, not any white-space
character. So I changed my regex to this:
User\s+Name:\s*(\w+)\s+\.*Source Network Address:\s+(\d+.\d+.\d+.\d+)\s+
and it now works.
Thanks to everyone who offered suggestions, especially Andy who pointed
me to ossec-logtest.
Martin
On 4/23/2011 5:26 PM, Andy
groups.com
[mailto:ossec-list@googlegroups.com] *On Behalf Of *Martin Gottlieb
*Sent:* Thursday, 28 April 2011 7:36 a.m.
*To:* ossec-list@googlegroups.com
*Subject:* Re: [ossec-list] Re: Active Response on Windows events
good point, I should not be expecting email alerts on the level 5
rule. But sinc
o get access to
the system.
authentication_failures,
So my original question remains, why is it not able to extract the SrcIP
address using the decoder that I created
and verified using ossec-logtest?
Thanks.
Martin
On 4/27/2011 3:27 PM, Andy Cockroft (andic) wrote:
Hi
This is trigger
"?
Here's the winevt decoder:
^WinEvtLog:\s*Security:\s*AUDIT_FAILURE\(\d+\):\s*Security\.*
Logon Failure:
User Name:\s+(\w+) \.* Source Network Address:\s+(\d+.\d+.\d+.\d+)
user,srcip
I did make a few minor changes since my previous posts, mainly replacing
spaces with "\s*"
believe I have found that the issue boils down to
the decoders. I think I
have a fix i place now and will be posting a "RESOLVED" message once I
have verified this (just waiting
for someone to attack the server).
Thanks again to everyone who offered help on this.
Martin
On 4/25/201
authentication_failed,
User authentication failure.
I think this should do the trick. Thanks again for your help.
Martin
On 4/23/2011 5:26 PM, Andy Cockroft (andic) wrote:
Hi
I didn't have that much success with a Regex similar to the one you
wrote, I ended up having to specify everything in a very
.\d+.\d+.\d+)
user,srcip
Thanks.
Martin
On 4/22/2011 7:28 PM, AndiC wrote:
The problem I found was that the Windows decoder in the server /dev/
ossec/etc/decoder.xml does not extract the "srcip", so you have
nothing to work with to block
Now this is what I replaced mine with:
Thanks! I'll give that a try. Sorry if I wasn't entirely clear about this.
Martin
On 4/22/2011 5:12 PM, dan (ddp) wrote:
Hi Martin,
On Fri, Apr 22, 2011 at 5:08 PM, Martin Gottlieb wrote:
Shouldn't this block from the config on the OSSEC server:
firewa
d anything to run on the Windows
agent if I can get the firewall drop script to run on the server.
Thanks.
Martin
On 4/22/2011 4:58 PM, dan (ddp) wrote:
Hi Martin,
On Fri, Apr 22, 2011 at 4:37 PM, Martin Gottlieb wrote:
I guess what I'm trying to understand is this:
When an event is tri
anks again.
Martin
On 4/22/2011 4:24 PM, dan (ddp) wrote:
Hi Tanishk,
The active response scripts should exist on the systems (agents and
servers) they need to be run on.
On Fri, Apr 22, 2011 at 4:17 PM, Tanishk Lakhaani wrote:
Hey martin,
See, the active response related scripts will be pla
ed on the server side as happens with
Linux agents?
Thanks.
Martin
On 4/22/2011 3:28 PM, Tanishk Lakhaani wrote:
Hey martin,
All these default active response scripts are written for a specific event.
Read these scripts to understand these scripts.
For the event of your interest -- multiple
n failures and another
for SQL Server log-in failures.
I added the null_cmd command mentioned in the docs, but I'd be happy if
it just triggered the firewall drop script.
Am I missing something in the configuration?
thanks.
Martin
http://blogs.zdnet.com/security/?p=6123&tag=nl.e589
:-(
Martin West
--
To unsubscribe, reply using "remove me" as the subject.
List,
Is it possible to set a time to run the rootcheck process, like syscheck?
something like...
1:00
...but with
Thanks
--
Martin Tartarelli
Linux User #476492
http://owasp.org/index.php/Argentina
>
>
> This also happens within my setup if I happen to restart the ossec
> server all the agents appear as disconnected. Restarting every agent
> is the only way to bring them back up on the server.
>
> I am interested to find out what could be causing this?
>
> Cheers,
&g
nto diff-checks.
restart ossec
/var/ossec/bin/ossec-control restart
Main script /var/ossec/active-response/bin/diff-alert.sh
#!/bin/bash
# E-mails an alert - showing diff of selected files
#
# Author: Martin West based on Daniel Cids mail-test.sh
# Set to root and use /etc/aliases to redirect
Thanks, thats a good lead, Ill investigate and if I get anywhere Ill
post the results
Martin West
skype:amartinwest
On 7 Nov 2009, at 12:46, dan (ddp) wrote:
>
> I basically set up an active response in the server's ossec.conf to fire
> on the file integrity rules.
> The sc
Updated fine on
Ubuntu 2.6.24-24-generic #1 SMP Tue Aug 18 16:22:17 UTC 2009 x86_64
GNU/Linux
Martin West
skype:amartinwest
On 26 Aug 2009, at 19:38, Daniel Cid wrote:
>
> Hi list,
>
> OSSEC v2.2 will be released soon and we need help beta testing it. The
> code is pretty
ddp,
2009/7/28 ddp :
>
> What operating systems/architectures? Did you restart the ossec server
> processes after adding the agents?
>
Linux and Windows OS
Yes, I restarted the server processes
> On Fri, Jul 24, 2009 at 10:41 AM, Martin
> Tartarelli wrote:
>>
>> Lis
formate
message from'172. Xxx.
2009/07/24 11:51:53 ossec-remote (1407): ERROR: Duplicated counter for 'SRV1.
I tested removing the counters in /var/ossec/queue/rids/ on both sides
but still the same.
Suggestions will be appreciated
Thank you
--
Martin Tartarelli
Linux User #476492
--
server for windows xp or
>> windows 2003. I can see windows agent but i havent seen server.
>>
>> Is there a way to install OSSEC server on windows system.
>> Thanks & Regards,
>>
>> Manoj Bavikati.
>>
>>
>
>
--
Martin Tomasek
List,
The md5 hashes generated by OSSEC are not the same as those from any other
application that generates md5 hashes on Windows (for example the Windows
API).
Does anyone know why?
Thanks
--
Martin
Luciano Mannucci wrote:
> On Tue, 16 Jun 2009 16:20:47 +0200
> Martin Tomasek wrote:
>
>
>> you can disable particular rule. look for reported rule number, place it
>> in rule_id attribute here:
>>
>>
>> Your description here
>>
&g
ttribute here:
Your description here
and add rule you created to your local rules.
> Cheers to everybody,
>
> luciano.
>
--
Martin Tomasek
be possible to include the results of ps -flp on the process
to see what was running.
Thanks
Martin West
skype:amartinwest
On 4 Jun 2009, at 14:55, c...@libero.it wrote:
>
> Hi,
>
> I have recently received the alert "Process 'X' hidden from /proc.
> Possibl
matthias,
2009/4/15 matthias platzer :
>
> On Apr 15, 6:57 pm, Martin Tartarelli
> wrote:
>
>> Fatal error: Maximum execution time of 90 seconds exceeded in
>> /var/www/htdocs/ossec-wui-0.3/lib/os_lib_alerts.php on line 123
>>
>> Can I modified the time e
When I execute a custom search in OSSEC WUI, the application give me an error:
Fatal error: Maximum execution time of 90 seconds exceeded in
/var/www/htdocs/ossec-wui-0.3/lib/os_lib_alerts.php on line 123
Can I modify the time exceeded?
--
Martin Tartarelli
Linux User #476492
http
Any ideas?
-- Forwarded message --
From: Martin Tartarelli
Date: 2009/3/31
Subject: Alert search options in scheduled job
To: ossec-list@googlegroups.com
List,
Can I put searches of the ossec-wui in a scheduled job?
...Or can I perform detailed searches of ossec-wui from the
List,
Can I put searches of the ossec-wui in a scheduled job?
...Or can I perform detailed searches of ossec-wui from the command line?
Thanks
--
Martin Tartarelli
Linux User #476492
--
Matthias,
2009/3/23 matthias platzer :
>
>
>
> On Mar 20, 3:27 pm, Martin Tartarelli
> wrote:
>
>> Now I have another question. How can I export reports with ossec?
>> because using # ossec-reportd .xx... > reportfile.txt is not
>> working. The fi
matthias/Daniel,
2009/3/16 matthias platzer :
>
> On Mar 16, 7:06 pm, Martin Tartarelli
> wrote:
>
>> > What version of ossec are you using? It comes by default on v2.0.
>>
>> I have v1.6.1. In that version, can I use these features?
>
> No, it is a new
Daniel,
2009/3/16 Daniel Cid :
>
> Hi Martin,
>
> What version of ossec are you using? It comes by default on v2.0.
>
I have v1.6.1. In that version, can I use these features?
Can I install v2.0 in OSSEC Server with Agent 1.6.1 in the rest of the LAN?
> Thanks,
>
Th
Hi list,
How do I install ossec-reportd? Because I don't have this file [1] on my server.
[1] http://www.ossec.net/main/manual/manual-reporting-tool/
Thanks
Cheers,
--
Martin Tartarelli
Linux User #476492
--
Nice!
Thanks
2009/2/24 Reggie Griffin :
>
> Aurora,
>
> That is exactly what I was thinking. Good to know it's possible.
>
> -Reggie
>
> Aurora Mazzone wrote:
>> Hi Martin, Reggie,
>>
>> Reggie Griffin wrote:
>>
>>> It
Reggie,
2009/2/23 Reggie Griffin :
>
> Martin,
>
> I see. In that case, it would be nice to insert a variable in the
> tag. Then
> you could define groups of systems into one nice entry.
>
=) Interesting... How can I do that?
> -Reggie
>
> Martin Tartarelli
Reggie,
2009/2/20 Reggie Griffin :
>
> Martin,
>
> I use the parameter to accomplish this within my
> local_rules.xml file.
> Default location is /var/ossec/rules/local_rules.xml.
>
> Here is an example:
>
>
>30112
>server2
>Rule
Any idea?
-- Forwarded message --
From: Martin Tartarelli
Date: 2009/2/13
Subject: OSSEC with one or more Instance
To: ossec-list@googlegroups.com
List, I need your help...
OSSEC has the ability to discriminate critical alerts using the Alert
Level. Now, what happens when I
other).
Can I create multiple instances on the same server? In practice, how can
one discriminate xml (with rules) for different servers? Can I do
that? (maybe with more instances on the ossec server)
Thanks
--
Martin Tartarelli
Linux User #476492
--
hich for the Snort
> logs would only start at "[122:3:0 ..".
>
> To look at the other parts of the message, you need to use
> "program_name", "srcip" or "hostname", etc.
>
> Josh
>
> On Fri, Feb 6, 2009 at 2:36 PM, Martin Tartarelli
Authentication Package: NTLM
Workstation Name: W2K1
It's like this...
18152
SRV1
DOMAIN1
Events ignored
Thanks
--
Martin Tartarelli
Linux User #476492
--
If you run a maven repository you often get multiple 404s. This rule
ignores them ...
31151
maven2
Ignore 404s on the maven repository
--
regards
Martin West
The core of the problem seems to be . If you don't have an
in the section, ossec can not send email to
anyone. And as soon as I add an entry with to the global
section, my start working.
I.e. you can not use unless you have an in
the section.
Cheers
/Martin
On Jan 8, 10:30 am, "
Thanks
Even though you have email_alerts, you have an email_to in the global
section. After adding a mail_to entry in the global section, the
mail_alerts started to work. I guess this is a bug.
Thank you for helping demystify the issue. Time to figure out what
the section does...
Cheers
Martin
erver
My email address
5
I.e. Standard email setup in the global section works, but not using
granular configuration with .
Any ideas?
Cheers
Martin
On Jan 7, 11:09 am, "McClinton, Rick"
wrote:
> Your telnet test is from the same server as ossec, right? Sorry, just
> chec
ued mail for delivery
quit
221 2.0.0 hostname Service closing transmission channel
Connection closed by foreign host.
Does anyone have any idea why ossec may be shutting down the
connection in the middle of the email delivery? Is anyone else able to
send directly to an exchange server?
Cheers
/Martin
/pipe file on the ram disk halved the cpu load.
Cheers
On Dec 23 2008, 6:15 am, "Daniel Cid" wrote:
> Hi Martin,
>
> Which version of ossec are you using? We added support for pipes in
> v1.6...
>
> Thanks,
>
> --
> Daniel B. Cid
> dcid ( at ) ossec.net
>
&
List, I have a little question...
Can I read directory permissions with rootcheck policies?
Thanks
--
Martin Tartarelli
Linux User #476492
--
Is it possible to combine them, such as
/var/log/*/logfile-%U.log
Cheers
Martin
result.
Can someone please assist me or forward me additional documentation?
Thanks,
Rachel Martin
Computer Support Analyst, IT
World Book, Inc.
233 North Michigan Ave., Suite 2000
Chicago, Illinois 60601
Phone: (312) 819-8996
Email: rmar...@worldbook.com
This message (including any
: INFO: Started (pid: 9864).
2008/12/22 15:52:14 ossec-logcollector(1904): INFO: File not
available, ignoring it: '/root/syslog/syslog_fifo'.
Can ossec read named pipes files? If so, what should I do?
Cheers
Martin
make ossec detect new log files
in the directories it is supposed to monitor?
Best Regards
Martin