Re: [ossec-list] OSSEC and Nagios integration

2015-04-30 Thread Michiel van Es
2015, at 21:06, ri...@amcoonline.net wrote: @Michiel did you ever get this set up? If so do you have any tips you can share? On Tuesday, February 18, 2014 at 2:30:34 AM UTC-8, Michiel van Es wrote: I found something interesting at http://blog.kintoandar.com/2011/01/nagios-nrpe-ossec

[ossec-list] CIS checks via OSSEC

2014-07-23 Thread Michiel van Es
Hello, We see that OSSEC does some CIS checks for Red Hat 5 and older. Is it possible to update the CIS checks in OSSEC to do CIS checks for RHEL 6 etc? (http://benchmarks.cisecurity.org/downloads/show-single/?file=rhel6.120) This helps with PCI-DSS v3 compliance (2.2). Or is it easy to add

[ossec-list] Re: Trend Micro end Commercial Support?

2014-03-14 Thread Michiel van Es
On Thursday, 6 March 2014 04:06:03 UTC+1, mad...@gmail.com wrote: Hi guys, My company has recently made a commitment to using OSSEC as our HIDS solution, under the assumption that Trend Micro still provide their limited commercial support contracts - I even emailed

[ossec-list] Kerberos KDC krb5kdc.log and OSSEC

2014-03-01 Thread Michiel van Es
Hi, Has anyone added the Kerberos 5 krb5kdc.log logfile to OSSEC and if so is willing to share its decoder and local_rules.xml config? (I am not trying to reinvent the wheel here and Google has nothing on it except Vic Hargrave's blog but I can not post on it because of technical issues at

[ossec-list] question about email alerting

2014-02-19 Thread Michiel van Es
Hello, I am looking at the email alerting option. I've looked at the thread at https://groups.google.com/forum/#!topic/ossec-list/Q55ZGg6tfj0 but I am not sure how to fix the following: - send all alerts from level =15 - send to u...@domain.com All other alerts should not be mailed. As I

Re: [ossec-list] question about email alerting

2014-02-19 Thread Michiel van Es
On Wednesday, 19 February 2014 13:50:47 UTC+1, dan (ddpbsd) wrote: On Wed, Feb 19, 2014 at 7:21 AM, Michiel van Es vanesm...@gmail.com wrote: Hello, I am looking at the email alerting option. I've looked at the thread at https://groups.google.com/forum/#!topic

Re: [ossec-list] OSSEC and Nagios integration

2014-02-18 Thread Michiel van Es
with the syslog output? send the alerts you're interested in to syslog on the nagios host and tail the logs from that? Might allow you to be a bit more selective, too. On Wednesday, February 5, 2014 1:53:38 PM UTC, Michiel van Es wrote: To be more precise: this is the most valuable link I

[ossec-list] OSSEC and Nagios integration

2014-02-05 Thread Michiel van Es
Hello, I was wondering if someone already used the OSSEC and Nagios to generate alerts ? I have the following idea in my head: alert of level 11+ will be seen by a monitor/swatch script tailing the /var/ossec/logs/alerts/alerts.log logfile and generates an alert/trigger and sends it to Nagios.

Re: [ossec-list] OSSEC and Nagios integration

2014-02-05 Thread Michiel van Es
you asked Google? -- Later, Darin On Wed, Feb 5, 2014 at 6:47 AM, Michiel van Es vanesm...@gmail.com wrote: Hello, I was wondering if someone already used the OSSEC and Nagios to generate alerts ? I have the following idea in my head: alert of level 11

Re: [ossec-list] OSSEC and Nagios integration

2014-02-05 Thread Michiel van Es
To be more precise: this is the most valuable link I found: http://blog.kintoandar.com/2011/01/nagios-nrpe-ossec-check.html I am still interested in other people's implementations. On Wednesday, 5 February 2014 14:45:26 UTC+1, Michiel van Es wrote: Yes, First 3 hits about mail scripts (nagios

[ossec-list] OSSEC and syslog messages

2014-01-27 Thread Michiel van Es
Hi, Is anyone using OSSEC = syslog = Logstash = Kibana for their setup? We found out that the netstat -tan diff ran by syscheck gives only the first line of the diff: 132Jan 27 11:37:43 local-machine-001 ossec: Alert Level: 7; Rule: 533 - Listened ports status (netstat) changed (new port

[ossec-list] remove ossec registrations in client.keys via script

2013-12-13 Thread Michiel van Es
Hi, is it possible to remove entries in client.keys via an automated script/way (for example a call from racktables). ? We reinstall machines from time to time (can be batches of 30+ machines) if so, then it would be nice if we can remove the entry from the client.keys entry and recreate the

Re: [ossec-list] remove ossec registrations in client.keys via script

2013-12-13 Thread Michiel van Es
On Friday, 13 December 2013 14:33:20 UTC+1, dan (ddpbsd) wrote: On Fri, Dec 13, 2013 at 8:12 AM, Michiel van Es vanesm...@gmail.com wrote: Hi, is it possible to remove entries in client.keys via an automated script/way (for example a call from racktables). ? We

Re: [ossec-list] Question about OSSEC 2.7 and agents configurations

2013-12-04 Thread Michiel van Es
2013/12/3 dan (ddp) ddp...@gmail.com On Tue, Dec 3, 2013 at 10:37 AM, Michiel van Es vanesmich...@gmail.com wrote: On Wednesday, 20 November 2013 19:24:01 UTC+1, dan (ddpbsd) wrote: On Wed, Nov 20, 2013 at 9:30 AM, Michiel van Es vanesm...@gmail.com wrote: Hello, I have some

Re: [ossec-list] Question about OSSEC 2.7 and agents configurations

2013-12-03 Thread Michiel van Es
On Wednesday, 20 November 2013 19:24:01 UTC+1, dan (ddpbsd) wrote: On Wed, Nov 20, 2013 at 9:30 AM, Michiel van Es vanesm...@gmail.com wrote: Hello, I have some basic questions about OSSEC server - agent model: - is it correct that the agents ossec.conf can

[ossec-list] OSSEC 2.7 RPM with more than 256 agents enabled?

2013-11-21 Thread Michiel van Es
Does anyone have a rpm or src rpm for the OSSEC package that has the default 256 agents limit removed? Why is this limit in there? Will OSSEC perform bad when this limit in there and running with 25 servers? (loss of resources etc) We want to run it in on 500+ servers and are mainly using

[ossec-list] Question about OSSEC 2.7 and agents configurations

2013-11-20 Thread Michiel van Es
Hello, I have some basic questions about OSSEC server - agent model: - is it correct that the agents ossec.conf can be as small as: <ossec_config> <client> <server-hostname>OSSEC-SERVERNAME</server-hostname> </client> </ossec_config> - I push all checks on the server via

Re: [ossec-list] Multi server ossec cluster with shared NFS

2013-11-20 Thread Michiel van Es
On Wednesday, 20 November 2013 02:14:39 UTC+1, 89be...@gmail.com wrote: Hi, I checked and the only thing I can find is that every second this messages appear: 2013/11/19 21:12:05 ossec-authd: INFO: New connection from x.y.c.10 2013/11/19 21:12:06 ossec-authd: ERROR: SSL read error (-1)

Re: [ossec-list] Re: OSSEC manager redundancy

2013-11-15 Thread Michiel van Es
as a cluster service? I'm looking for a similar solution. Thanks, Juan On Friday, November 1, 2013 11:35:45 AM UTC-3, Michiel van Es wrote: Hi Chris, I am not worried about the loadbalancer with a virtual ip, we'll use F5's for that matter or heartbeat. Perhaps I should just test it first

[ossec-list] Re: OSSEC manager redundancy

2013-11-01 Thread Michiel van Es
to overcome? Any pointers or help would be useful. Michiel On Thursday, 31 October 2013 15:19:40 UTC+1, Michiel van Es wrote: Hello, I am planning to setup OSSEC 2.7 for my company for about 500+ servers and some appliances. It will be running on Red Hat 5 + 6 agents mainly

[ossec-list] OSSEC and Kibana

2013-11-01 Thread Michiel van Es
Hello, I was wondering what people use for their management of the alerts in OSSEC? I used Splunk with the OSSEC app a lot but seeing that Splunk is costing money (a lot for a lot of data) we are looking at other options like Kibana/Logsearch. Does anyone have experience with this setup or with

Re: [ossec-list] Re: OSSEC manager redundancy

2013-11-01 Thread Michiel van Es
like rsync to keep the secondary server up to date? Chris On Thursday, October 31, 2013 2:19:40 PM UTC, Michiel van Es wrote: Hello, I am planning to setup OSSEC 2.7 for my company for about 500+ servers and some appliances. It will be running on Red Hat 5 + 6 agents mainly

[ossec-list] OSSEC manager redundancy

2013-10-31 Thread Michiel van Es
Hello, I am planning to setup OSSEC 2.7 for my company for about 500+ servers and some appliances. It will be running on Red Hat 5 + 6 agents mainly. There is a company policy that one server is the same as no server at all (redundancy is a must in my company). Is it possible to create a

Re: [ossec-list] Re: Question about Realtime monitoring on agents

2013-10-09 Thread Michiel van Es
On Thursday, 3 October 2013 15:44:49 UTC+2, dan (ddpbsd) wrote: On Thu, Oct 3, 2013 at 9:13 AM, Michiel van Es vanesm...@gmail.com wrote: On Thursday, 3 October 2013 14:57:28 UTC+2, dan (ddpbsd) wrote: On Thu, Oct 3, 2013 at 4:26 AM, Michiel van Es vanesm

[ossec-list] Re: Question about Realtime monitoring on agents

2013-10-03 Thread Michiel van Es
Is my ossec.conf on the agents correct? tested again today after some days: added an entry to /etc/hosts, nothing is detected and alerted directly.. On Friday, 27 September 2013 15:50:18 UTC+2, Michiel van Es wrote: Hello, I have the following setup : 1 manager - OSSEC 2.7 64 bit tar.gz

Re: [ossec-list] Re: Question about Realtime monitoring on agents

2013-10-03 Thread Michiel van Es
On Thursday, 3 October 2013 14:57:28 UTC+2, dan (ddpbsd) wrote: On Thu, Oct 3, 2013 at 4:26 AM, Michiel van Es vanesm...@gmail.com wrote: Is my ossec.conf on the agents correct? tested again today after some days: As far as I can tell it seems ok. added an entry

Re: [ossec-list] Re: Question about Realtime monitoring on agents

2013-10-03 Thread Michiel van Es
But it is correct that I add the syscheck and realtime options to the agent own ossec.conf and NOT on the server right? 2013/10/3 dan (ddp) ddp...@gmail.com On Thu, Oct 3, 2013 at 9:13 AM, Michiel van Es vanesmich...@gmail.com wrote: Op donderdag 3 oktober 2013 14:57:28 UTC+2 schreef

Re: [ossec-list] Re: Question about Realtime monitoring on agents

2013-10-03 Thread Michiel van Es
Ok, clear for me. I want this to be on the agents so I have to create a template for all agents with these settings. Thanks! 2013/10/3 dan (ddp) ddp...@gmail.com On Thu, Oct 3, 2013 at 9:50 AM, Michiel van Es vanesmich...@gmail.com wrote: But it is correct that I add the syscheck

[ossec-list] Question about Realtime monitoring on agents

2013-09-27 Thread Michiel van Es
Hello, I have the following setup : 1 manager - OSSEC 2.7 64 bit tar.gz manager install via script 2 agents - OSSEC 2.7 64 bit Atomic repo install I have changed the syscheck in /var/ossec/etc/ossec.conf to the following on the manager: <syscheck> <!-- Frequency that syscheck is executed -

[ossec-list] Re: Question about Realtime monitoring on agents

2013-09-27 Thread Michiel van Es
Sorry forgot to mention: Servers running RHEL6 64 bit On Friday, 27 September 2013 15:50:18 UTC+2, Michiel van Es wrote: Hello, I have the following setup : 1 manager - OSSEC 2.7 64 bit tar.gz manager install via script 2 agents - OSSEC 2.7 64 bit Atomic repo install I have changed the

[ossec-list] Re: Question about Realtime monitoring on agents

2013-09-27 Thread Michiel van Es
schreef Michiel van Es: Hello, I have the following setup : 1 manager - OSSEC 2.7 64 bit tar.gz manager install via script 2 agents - OSSEC 2.7 64 bit Atomic repo install I have changed the syscheck in /var/ossec/etc/ossec.conf to the following on the manager: <syscheck> <!-- Frequency

Re: [ossec-list] OSSEC 2.7 and Windows 2008 server: never connected

2013-04-22 Thread Michiel van Es
On Friday, 19 April 2013 17:01:53 UTC+2, dan (ddpbsd) wrote the following: On Fri, Apr 19, 2013 at 10:49 AM, Michiel van Es vanesm...@gmail.com wrote: On Friday, 19 April 2013 16:47:34 UTC+2, dan (ddpbsd) wrote the following: On Thu, Apr 18, 2013 at 7:27 AM

[ossec-list] Apache MaxClients reached error message discarded

2013-04-22 Thread Michiel van Es
Hello, We have found out that we had an Apache webserver showing it has reached the MaxClients settings. We could not find the message back in our Splunk interface so I copy/paste the message into /var/ossec/bin/ossec-logtest and found out that it is being silenced by the apache_rules.xml

Re: [ossec-list] OSSEC 2.7 and Windows 2008 server: never connected

2013-04-19 Thread Michiel van Es
On Thursday, 18 April 2013 15:59:42 UTC+2, Michiel van Es wrote the following: On Thursday, 18 April 2013 14:45:58 UTC+2, Dmitry wrote the following: Try make the following on ossec server: agent_control -r -u id agent_control -i id I had 2 Windows XP hosts that was in Never connected

Re: [ossec-list] OSSEC 2.7 and Windows 2008 server: never connected

2013-04-19 Thread Michiel van Es
On Friday, 19 April 2013 16:47:34 UTC+2, dan (ddpbsd) wrote the following: On Thu, Apr 18, 2013 at 7:27 AM, Michiel van Es vanesm...@gmail.com wrote: On Wednesday, 17 April 2013 17:53:47 UTC+2, dan (ddpbsd) wrote the following: Is the file recreated? What

Re: [ossec-list] OSSEC 2.7 and Windows 2008 server: never connected

2013-04-18 Thread Michiel van Es
On Wednesday, 17 April 2013 17:53:47 UTC+2, dan (ddpbsd) wrote the following: On Wed, Apr 17, 2013 at 11:46 AM, Michiel van Es vanesm...@gmail.com wrote: On Wednesday, 17 April 2013 17:08:48 UTC+2, dan (ddpbsd) wrote the following: On Wed, Apr 17, 2013 at 10:39 AM

Re: [ossec-list] OSSEC 2.7 and Windows 2008 server: never connected

2013-04-18 Thread Michiel van Es
:39 ossec-syscheckd: INFO: Ending syscheck scan. 2013/04/18 11:18:55 ossec-remoted: INFO: Event count after '2': 1324382-1442808 (108%) Still never connected state. 2013/4/18 Michiel van Es vanesm...@gmail.com Op woensdag 17 april 2013 17:53:47 UTC+2 schreef dan (ddpbsd

[ossec-list] OSSEC 2.7 and Windows 2008 server: never connected

2013-04-17 Thread Michiel van Es
Hello, We have installed OSSEC 2.7 on a CentOS machine which is working fine with several Windows and Linux agents. We are trying to install the OSSEC 2.7 agent package on a Windows 2008 server which goes well but at end, after the manual agent config (ip and secret) and restarting of the

Re: [ossec-list] OSSEC 2.7 and Windows 2008 server: never connected

2013-04-17 Thread Michiel van Es
:* ossec...@googlegroups.com [mailto: ossec...@googlegroups.com] *On Behalf Of *Michiel van Es *Sent:* Wednesday, April 17, 2013 6:28 AM *To:* ossec...@googlegroups.com *Subject:* [ossec-list] OSSEC 2.7 and Windows 2008 server: never connected Hello

Re: [ossec-list] OSSEC 2.7 and Windows 2008 server: never connected

2013-04-17 Thread Michiel van Es
On Wednesday, 17 April 2013 15:19:38 UTC+2, dan (ddpbsd) wrote the following: On Wed, Apr 17, 2013 at 6:27 AM, Michiel van Es vanesm...@gmail.com wrote: Hello, We have installed OSSEC 2.7 on a CentOS machine which is working fine with several Windows and Linux agents

Re: [ossec-list] OSSEC 2.7 and Windows 2008 server: never connected

2013-04-17 Thread Michiel van Es
On Wednesday, 17 April 2013 17:08:48 UTC+2, dan (ddpbsd) wrote the following: On Wed, Apr 17, 2013 at 10:39 AM, Michiel van Es vanesm...@gmail.com wrote: On Wednesday, 17 April 2013 15:44:03 UTC+2, Michiel van Es wrote the following: Op woensdag 17 april 2013

[ossec-list] disable netstat check OSSEC 2.6

2013-02-27 Thread Michiel van Es
Hello, I've read a lot of threads about 'the netstat issue' and OSSEC's rootkit check. How can I disable the netstat check on a running 2.6 server (RHEL 6, install from source) without recompiling? Or do I have to disable rootkit checks completely? Is this issue fixed in 2.7? Kind regards,

Re: [ossec-list] disable netstat check OSSEC 2.6

2013-02-27 Thread Michiel van Es
this check. Michiel On Wednesday, 27 February 2013 15:14:11 UTC+1, dan (ddpbsd) wrote the following: On Wed, Feb 27, 2013 at 9:02 AM, Michiel van Es vanesm...@gmail.com wrote: Hello, I've read a lot of threads about 'the netstat issue' and OSSEC's rootkit check. How can I

[ossec-list] active response not working for frequency and SSH

2013-01-14 Thread Michiel van Es
Hello, We want to firewall-drop failed logins with SSH after 3 failed passwords. We have the following config in /var/ossec/etc/ossec.conf (OSSEC 2.6) for the commands and active responses: <command> <name>host-deny</name> <executable>host-deny.sh</executable> <expect>srcip</expect>

Re: [ossec-list] active response not working for frequency and SSH

2013-01-14 Thread Michiel van Es
On Monday, 14 January 2013 15:36:05 UTC+1, dan (ddpbsd) wrote the following: On Mon, Jan 14, 2013 at 8:51 AM, Michiel van Es vanesm...@gmail.com wrote: Hello, We want to firewall-drop failed logins with SSH after 3 failed passwords. We have the following config

Re: [ossec-list] OSSEC windows ; check for Administrator account enabled

2012-11-29 Thread Michiel van Es
could tie it into OSSEC with the full_command option. If all you need to t o determine the Admin account status, then use a PowerShell command in full_command. Scott On Nov 27, 2012, at 4:02 AM, Michiel van Es vanesm...@gmail.com wrote: Hi, We want to check

[ossec-list] OSSEC windows ; check for Administrator account enabled

2012-11-27 Thread Michiel van Es
Hi, We want to check for hardening and one of our Windows hardening rules is to rename the Administrator account and create a decoy Administrator account, not part of any group and disabled. One of the things we want to check is to see if the Administrator account is enabled on Windows

Re: [ossec-list] Re: help with writing decoder rules for clavister firewall

2012-11-20 Thread Michiel van Es
2012/11/19 dan (ddp) ddp...@gmail.com snip The decoder is clavister, not clavister-alert. Before changing the decoder name: **Phase 1: Completed pre-decoding. full event: 'Nov 14 12:19:53 10.170.80.3 [2012-11-14 12:20:08] EFW: RULE: prio=6 id=0651 rev=1

Re: [ossec-list] Re: help with writing decoder rules for clavister firewall

2012-11-20 Thread Michiel van Es
To respond to my own question: It is fixed! I had to restart ossec-hids on the client/agent and voila: it works! Thanks again for all the help! Michiel 2012/11/20 Michiel van Es vanesmich...@gmail.com 2012/11/19 dan (ddp) ddp...@gmail.com snip The decoder is clavister, not clavister

Re: [ossec-list] help with writing decoder rules for clavister firewall

2012-11-15 Thread Michiel van Es
On Wednesday, 14 November 2012 17:02:47 UTC+1, dan (ddpbsd) wrote the following: On Wed, Nov 14, 2012 at 9:49 AM, Michiel van Es vanesm...@gmail.com wrote: Hello, I am trying to set up a local_decoder.xml entry to decode our Clavister log entries. The clavister

[ossec-list] help with writing decoder rules for clavister firewall

2012-11-14 Thread Michiel van Es
Hello, I am trying to set up a local_decoder.xml entry to decode our Clavister log entries. The clavister logfiles show only outgoing dropped traffic, for example: Nov 14 12:19:53 10.170.80.3 [2012-11-14 12:20:08] EFW: RULE: prio=6 id=0651 rev=1 event=ruleset_drop_packet action=drop

[ossec-list] Filter on RFC-1918 ip-address and successful logins

2012-10-08 Thread Michiel van Es
Hello, I was wondering if it is possible to filter on non RFC-1918 ip-addresses which login successful and unsuccessful ? We want to monitor extra on SSH and RDP logins from public ip-addresses (aka over the internet). Does anyone know if you can easily create a local_rule.xml entry for this?

[ossec-list] local_rule for SSH successful connections from public ip-addresses/non-private address range

2012-10-05 Thread Michiel van Es
We want to create a rule to see who is successful logged in our systems (SSH,RDP) but are coming from the outside (aka not the private range addresses ). Is there an easy way to set this up with 1 rule defined in local_rules.xml ? Is it possible to use something with a rfc1918 exclude rule and

[ossec-list] Re: Reporting ossec alerts

2012-10-05 Thread Michiel van Es
On Friday, 5 October 2012 15:00:16 UTC+2, (unknown) wrote the following: Hi everybody happy user for some years with ossec, i need to make report by month of activity, top source ip and some data from ossec alerts. Reportd is interesting but i need something more professional for a

Re: [ossec-list] OSSEC filtering questions

2012-10-03 Thread Michiel van Es
24, 2012 at 9:40 AM, Michiel van Es vanesm...@gmail.com wrote: 2012/9/24 dan (ddp) ddp...@gmail.com On Mon, Sep 24, 2012 at 9:27 AM, Michiel van Es vanesm...@gmail.com wrote: 2012/9/24 dan (ddp) ddp...@gmail.com On Mon, Sep 24, 2012 at 9:21 AM, Michiel van Es

[ossec-list] syscheck checking for non existing configuration lines

2012-10-03 Thread Michiel van Es
Hello, I am using OSSEC 2.6, we are using syscheck to check for our hardening policy. Like: # Apache checks [SDN Security Policy Linux - HTTPD - ServerSignature is enabled] [any] [] f:$httpd.conf - r:^ServerSignature On; [SDN Security Policy Linux - HTTPD - ServerTokens is fully enabled] [any]

Re: [ossec-list] syscheck checking for non existing configuration lines

2012-10-03 Thread Michiel van Es
van Es vanesm...@gmail.com wrote: Hello, I am using OSSEC 2.6, we are using syscheck to check for our hardening policy. Like: # Apache checks [SDN Security Policy Linux - HTTPD - ServerSignature is enabled] [any] [] f:$httpd.conf - r:^ServerSignature

[ossec-list] Question about rootcheck for 'local' install

2012-09-27 Thread Michiel van Es
Hello, I have installed OSSEC 2.6 on a CentOS 6 64 bit machine via the tar.gz + ./install.sh I choose the local install since it has to run on 1 server ( a VPS). I have noticed after 3 days that <system_audit>/var/ossec/etc/shared/system_audit_rcl.txt</system_audit> has never run when syscheck and

Re: [ossec-list] Question about rootcheck for 'local' install

2012-09-27 Thread Michiel van Es
On Thursday, 27 September 2012 16:07:24 UTC+2, dan (ddpbsd) wrote the following: On Thu, Sep 27, 2012 at 9:49 AM, Michiel van Es vanesm...@gmail.com wrote: Hello, I have installed OSSEC 2.6 on a CentOS 6 64 bit machine via the tar.gz + ./install.sh I choose

Re: [ossec-list] Question about rootcheck for 'local' install

2012-09-27 Thread Michiel van Es
2012/9/27 dan (ddp) ddp...@gmail.com On Thu, Sep 27, 2012 at 10:12 AM, Michiel van Es vanesmich...@gmail.com wrote: On Thursday, 27 September 2012 16:07:24 UTC+2, dan (ddpbsd) wrote the following: On Thu, Sep 27, 2012 at 9:49 AM, Michiel van Es vanesm...@gmail.com wrote: Hello

Re: [ossec-list] Question about rootcheck for 'local' install

2012-09-27 Thread Michiel van Es
2012/9/27 Michiel van Es vanesmich...@gmail.com 2012/9/27 dan (ddp) ddp...@gmail.com On Thu, Sep 27, 2012 at 10:12 AM, Michiel van Es vanesmich...@gmail.com wrote: On Thursday, 27 September 2012 16:07:24 UTC+2, dan (ddpbsd) wrote the following: On Thu, Sep 27, 2012 at 9:49 AM

Re: [ossec-list] OSSEC filtering questions

2012-09-24 Thread Michiel van Es
2012/9/24 dan (ddp) ddp...@gmail.com On Mon, Sep 24, 2012 at 2:41 AM, Michiel van Es vanesmich...@gmail.com wrote: Hello, We are using OSSEC for a PoC and we want to show only some alerts initially and expand the alert list. We are using OSSEC 2.6 mixed Windows and Linux agents. 1

Re: [ossec-list] OSSEC filtering questions

2012-09-24 Thread Michiel van Es
2012/9/24 dan (ddp) ddp...@gmail.com On Mon, Sep 24, 2012 at 9:21 AM, Michiel van Es vanesmich...@gmail.com wrote: 2012/9/24 dan (ddp) ddp...@gmail.com On Mon, Sep 24, 2012 at 2:41 AM, Michiel van Es vanesmich...@gmail.com wrote: Hello, We are using OSSEC for a PoC and we

Re: [ossec-list] OSSEC filtering questions

2012-09-24 Thread Michiel van Es
2012/9/24 Michiel van Es vanesmich...@gmail.com 2012/9/24 dan (ddp) ddp...@gmail.com On Mon, Sep 24, 2012 at 9:21 AM, Michiel van Es vanesmich...@gmail.com wrote: 2012/9/24 dan (ddp) ddp...@gmail.com On Mon, Sep 24, 2012 at 2:41 AM, Michiel van Es vanesmich...@gmail.com wrote

Re: [ossec-list] OSSEC filtering questions

2012-09-24 Thread Michiel van Es
2012/9/24 dan (ddp) ddp...@gmail.com On Mon, Sep 24, 2012 at 9:27 AM, Michiel van Es vanesmich...@gmail.com wrote: 2012/9/24 dan (ddp) ddp...@gmail.com On Mon, Sep 24, 2012 at 9:21 AM, Michiel van Es vanesmich...@gmail.com wrote: 2012/9/24 dan (ddp) ddp...@gmail.com