[ossec-list] Rule not Firing?

2012-07-13 Thread Nick Davies
Good afternoon, there's every chance I'm missing something obvious, if so a mild beating with the cluebat would be welcomed. I'm trying to get an alert raised from the output of a script (a simple test Windows batch file in this case). The batch file is: echo off echo date_test: date /t I hav

Re: [ossec-list] Rule not Firing?

2012-07-13 Thread Nick Davies

Re: [ossec-list] Rule not Firing?

2012-07-16 Thread Nick Davies
> > All right, now run this through ossec-logtest: > > ossec: output: 'C\\ossec_logtest\date_test.bat': C:\Program > Files\ossec-agent>echo off > OK, done. I kicked off ossec-logtest: ossec: output: 'C\\ossec_logtest\date_test.bat': C:\Program Files\ossec-agent>echo off Which caused the rule to

[ossec-list] Monitoring Exchange

2012-08-09 Thread Nick Davies
Good afternoon (or whatever), I've got a couple of questions which I hope aren't FAQs. Firstly, I've got one application that creates new log files on the fly. An event will happen (in this case a video conference) and a log file is written covering that event. One video conference = one new l

Re: [ossec-list] Monitoring Exchange

2012-08-09 Thread Nick Davies
On 9 August 2012 14:37, dan (ddp) wrote: > > Normal rollovers work just fine. It's when people do absolutely > strange things with these logs (like creating a separate logfile for > every event or include random information in the logfile name) that > there are problems. > Colour me stupid (you w

Re: [ossec-list] Monitoring Exchange

2012-08-09 Thread Nick Davies
Okey-do, thanks for that. I ran through the following test scenario: First ensure logall is set to yes. 1. Start OSSEC manager on Linux VM 2. Start OSSEC agent on Windows host 3. Verify messages received (tail -f /var/ossec/log/archives/archive.log) 4. Create new directory on Windows host (C:\de

Re: [ossec-list] Monitoring Exchange

2012-08-09 Thread Nick Davies
Ahem. It turns out I'm an idiot who can't spot a typo (or for that matter read a log file). I'd set the localfile to be C:\detection_test whilst the directory was in fact named C:\detetion_test. Once that was corrected everything worked as expected. Regards, Nick

[ossec-list] Custom Rule Debugging

2012-09-17 Thread Nick Davies
Good afternoon, I'm after a bit of advice on custom rule debugging as I've got as far as I can along the path and think I should be seeing an alert but I'm not. I have a log file whose content is being collected via a powershell script. The log file uses xml to delimit entries and I need to get

Re: [ossec-list] Custom Rule Debugging

2012-09-17 Thread Nick Davies
> > Did you remove the header from the entry in archives.log? Almost definitely not. Which part of the archive.log entry constitutes the header? Regards, Nick

Re: [ossec-list] Custom Rule Debugging

2012-09-17 Thread Nick Davies
> > archives.log message: > 2012 Sep 17 00:00:01 ix->/var/log/messages Sep 17 00:00:01 ix syslogd: restart > > Header: > 2012 Sep 17 00:00:01 ix->/var/log/messages > > Log message without header: > Sep 17 00:00:01 ix syslogd: restart I have: 2012 Sep 17 16:54:28 )agent_name) apent_id->powershell -

Re: [ossec-list] Custom Rule Debugging

2012-09-17 Thread Nick Davies
> Having never seen your logs, my guess would be: "> 2012 Sep 17 > 16:54:28 )agent_name) apent_id->powershell -File >> C\/OSSEC-Test/OSSEC/ossec_read_new_xml_logs.ps1 [script parameters]" > > But, since you do know what your logs are supposed to look like, maybe > you should be telling me? > Fair

[ossec-list] Rules Bug

2012-09-18 Thread Nick Davies
Good morning, I'm attempting to set the maxsize attribute of a rule to the largest the documentation says is permissible (9) but there seems to be a lower, undocumented, limit. When I set maxlength to 43099 the rule fires and everything is as expected. When I set the maxlength to 43100 the r

Re: [ossec-list] Custom Rule Debugging

2012-09-18 Thread Nick Davies
> 530 is one example. It should provide enough information on how to > alert on your log messages. Thank you Dan, helpful as ever. Regards, Nick

[ossec-list] Rules Maxlength Bug?

2012-09-18 Thread Nick Davies
Reposting as the original doesn't appear to have made it through yet... Good morning, I'm attempting to set the maxsize attribute of a rule to the largest the documentation says is permissible (9) but there seems to be a lower, undocumented, limit. When I set maxlength to 43099 the rule fire

[ossec-list] Additional Windows Logs

2012-11-22 Thread Nick Davies
This appears to be a bit of a FAQ but I can't find anywhere that it's been answered. I want to monitor additional Windows events logs, specifically the Windows print operational log. I've added a new localfile directive: Microsoft-Windows-PrintService Operational eventlog But don't

Re: [ossec-list] Additional Windows Logs

2012-11-22 Thread Nick Davies
e needed ( http://msdn.microsoft.com/en-gb/library/windows/desktop/aa385447%28v=vs.85%29.aspx) to cope with the newer event logs. Are there any plans to add this to OSSEC? I would try myself but I'm a read-only 'C' coder. Regards, Nick On 22 November 2012 13:28, Nick Davies wrote: > This

Re: [ossec-list] Additional Windows Logs

2012-11-22 Thread Nick Davies
Or maybe I could just read the release notes http://www.ossec.net/?p=577 Regards, Nick On 22 November 2012 15:38, Nick Davies wrote: > Talking to myself a little it looks like the problem could be due to > read_win_el.c using OpenEventLog (line 56) which is the pre-Vista flavour.

Re: [ossec-list] Additional Windows Logs

2012-11-22 Thread Nick Davies
gards, Nick On 22 November 2012 15:42, Nick Davies wrote: > Or maybe I could just read the release notes > http://www.ossec.net/?p=577 > > Regards, > > Nick > > > > On 22 November 2012 15:38, Nick Davies wrote: > >> Talking to myself a litt

Re: [ossec-list] Additional Windows Logs

2012-11-23 Thread Nick Davies
I'm contemplating it but my C is rusty to say the least, I haven't needed to use it for over a decade. I'll have a hack and see what turns up. Regards, Nick On 23 November 2012 13:15, dan (ddp) wrote: > On Thu, Nov 22, 2012 at 11:30 AM, Nick Davies > wrote:

Re: [ossec-list] Compiling OSSEC 2.7 Windows agent on Linux fails

2012-12-30 Thread Nick Davies
On Friday 28 Dec 2012 15:39:25 Joe Gedeon wrote: It looks like the gen_win.sh script isn't creating the ossec-agent.exe so when you run the make.sh it fails with "File: "ossec-agent.exe" -> no files found. It's also possible that there was a problem that prevented the exe from compiling. Try

[ossec-list] Alert and Archive Log Rotation

2013-02-08 Thread Nick Davies
Good morning, am I missing something glaringly obvious or is there no option to configure how often the archive and alert logs are rotated? Regards, Nick