Re: [ossec-list] Regular OSSEC vs OSSEC Wazuh

2017-02-01 Thread Pedro S
Hi Philip, Wazuh still supports the CEF format; it integrates all the functionality from OSSEC 2.8.3 and 2.9beta, so I am pretty sure you will be able to integrate Wazuh with your current Graylog instance, the same way you can do it with OSSEC. Regarding the ruleset, the latest version of the Wazuh rules is

[ossec-list] Re: Simultaneous Events at 25 EPS, but Missing Alerts

2016-10-04 Thread Pedro S
Hi Jon, This is an interesting test; I think we can get a lot of useful information from it. In my experience the bottleneck is probably the remoted socket/buffer or the logcollector's performance reading each log line. For remoted, try to enable debug mode on the agent in internal_options.conf

Re: [ossec-list] ossec-authd: Unable to connect

2016-10-04 Thread Pedro S
Ethernet), capture >> size 65535 bytes >> >>>> 01:20:11.033864 IP (tos 0x0, ttl 128, id 22397, offset 0, flags >> [DF], proto TCP (6), length 52) >> >>>> 192.168.1.30.57495 > 192.168.1.10.1515: Flags [S], cksum 0x4748 >> (correct), seq 232653

[ossec-list] Re: Agents not connecting, traffic visible in tcpdump

2016-08-02 Thread Pedro S
al) and remove duplicated entries; the agent will fail to connect if there is more than one entry with the same IP. Hope it helps, best regards, Pedro S. On Tuesday, August 2, 2016 at 2:08:14 PM UTC-7, Cal wrote: > Hi all, > Been debugging an issue for a few hours, thought I

[ossec-list] Re: Monitoring Windows eventlog kibana

2016-06-17 Thread Pedro S
channel (these are OSSEC lists :D) Best regards, Pedro S. On Friday, June 17, 2016 at 9:19:03 AM UTC-7, sant...@gmail.com wrote: > Hello. > I installed ossec-wazuh with Kibana on a Linux server. > I want to monitor the Windows event log from 2 Active Directory servers. > I have co

[ossec-list] Re: Quickest way to test an updated local_rules.xml

2016-06-02 Thread Pedro S
Hi Tahir, I don't think OSSEC has a tool to do that. The option you have is to remove the previous/old alerts files, remove the alerts.log file and restart OSSEC; another possibility is to create an intermediate script to search for all the occurrences of the alerts and remove them from every past alerts

[ossec-list] Re: reindexing logs

2016-06-02 Thread Pedro S
Hi Maxim, How are you forwarding the alerts/archives to Kibana? I think you will need the archives JSON output setting. If you are using Wazuh, edit *ossec.conf* and add the following setting: *yes* Once you do it, you will find new archives.json events fil

Re: [ossec-list] Re: Duplicated counter

2016-05-18 Thread Pedro S
ing OSSEC again; if that does not work, try to grant permissions to the group "Administrators". Best regards, Pedro S. On Monday, May 16, 2016 at 2:07:57 PM UTC+2, Abdulvehhab Agin wrote: > Hi Pedro, > My ossec.conf and internal_options.conf are attached. > I s

[ossec-list] Re: Windows Defender Decoder ?

2016-05-18 Thread Pedro S
tps://github.com/wazuh/ossec-rules/blob/master/rules-decoders/ossec/decoders/windows_decoders.xml#L350> could be, for example: Win source, Parent Image, Protocol, Signature, Start function... Best regards, Pedro S. On Tuesday, May 17, 2016 at 5:32:25 PM UTC+2, Rob B wrote: > Thanks Brent

Re: [ossec-list] Re: Duplicated counter

2016-05-13 Thread Pedro S
Just to be sure, the variable I was talking about is: # Verify msg id (set to 0 to disable it) remoted.verify_msg_id=1 in /var/ossec/etc/internal_options.conf Best regards, Pedro S. On Friday, May 13, 2016 at 3:53:20 PM UTC+2, Pedro S wrote: > Hi, > I don't think

Re: [ossec-list] ossec category/group - syslog remote

2016-05-13 Thread Pedro S
; *"groups": [ "pam", "syslog", "authentication_success" > ],* > "level": 3, > "sidid": 5501 > }, > "timestamp": "2016 May 13 04:30:22" > } Kibana example: <https://lh3.goog

[ossec-list] Re: Duplicated counter

2016-05-12 Thread Pedro S
open the file etc/internal_options.conf (Manager & Agent) and set verify_msg_id=0. Regards, Pedro S. On Wednesday, May 11, 2016 at 10:33:00 PM UTC+2, Abdulvehhab Agin wrote: > Hi, > Sometimes the ossec server reports *"ERROR: Duplicated counter for"* errors.

[ossec-list] Re: Prerequisites Installation OSSEC

2016-04-26 Thread Pedro S
platform, Redhat/Debian. Maybe someone can shed some light here, but those would be the requirements in my opinion! Best regards, Pedro S. On Tuesday, April 26, 2016 at 1:08:15 AM UTC+2, Adiel Navarro wrote: > What are the hardware prerequisites to install OSSEC? >

[ossec-list] Re: UTF-8/16 support

2016-04-19 Thread Pedro S
I hadn't heard about that before. According to the error, maybe it is because of the UTF-8/16 like you said; we can find it in logcollector's read_multiline log or in the syslog collector <

[ossec-list] Re: netstat part of syscheck not seeing all ports on initial read

2016-04-15 Thread Pedro S
Previous output: ossec: output: 'netstat -tan |grep LISTEN |grep -v 127.0.0.1 | sort': tcp 0 0 0.0.0.0: 0.0.0.0:* LISTEN tcp6 0 0 ::1:25 :::* LISTEN tcp6 0 0 :::22 :::*

Re: [ossec-list] RootCheck disabling

2016-04-15 Thread Pedro S
I have reproduced your configuration in my lab; rootcheck does not start again. Could you re-verify that the agent.conf file is right on your agent? On Thursday, April 14, 2016 at 2:38:47 PM UTC+2, eyal gershon wrote: > 2016/04/14 06:03:17 ossec-rootcheck: INFO: Started (pid: 30101). > 2016/04/14

[ossec-list] Re: Windows Agent Compilation

2016-04-15 Thread Pedro S
nstall gcc-c++ gcc scons mingw32-gcc mingw64-gcc zlib-devel bzip2 unzip Debian: $ apt-get install gcc-mingw-w64 $ apt-get install nsis $ apt-get install make Regards, Pedro S. On Thursday, April 14, 2016 at 3:06:16 PM UTC+2, Kumar Mg wrote: > > Thank you Victor. > > > We trie

[ossec-list] Re: Email notification for adding new users, new packages, triggering hours later

2016-04-15 Thread Pedro S
l time does not work if a syscheck scan is running; I mean, if the scan is running, the realtime option won't work until syscheck finishes the scan. Regards, Pedro S. On Thursday, April 14, 2016 at 8:51:20 PM UTC+2, thak wrote: > So after some investigating it seems what's ACTUALLY ha

[ossec-list] Re: netstat part of syscheck not seeing all ports on initial read

2016-04-15 Thread Pedro S
ed ports status (netstat) changed (new port opened or closed). pci_dss_10.2.7,pci_dss_10.6.1, Regards, Pedro S. On Thursday, April 14, 2016 at 10:38:59 PM UTC+2, Noway2 wrote: > > I have been using Ossec on a couple of my servers for several years now. > I recently updated one

[ossec-list] Re: Disk usage monitor not working in RHEL5

2016-04-15 Thread Pedro S
Thanks! Nice workaround. On Friday, April 15, 2016 at 11:15:30 AM UTC+2, Robert Micallef wrote: > For anyone who encounters this issue where disk usage alerts are not > working on Redhat 5, the issue is that in RHEL5 'df -h' output is > multiline. > You can easily fix it by modifying the o

[ossec-list] Re: When new ossec build is planning ?

2016-04-07 Thread Pedro S
/proftpd_rules.xml: 11200 unable to open incoming connection Couldn't open the incoming connection. Check the log message for the reason. Regards, Pedro S. On Tuesday, April 5, 2016 at 8:06:17 PM UTC+2, ba...@x-cart.com wrote: > Hello! > I am very interested in this commit for s

Re: [ossec-list] OSSEC agents show as Active even after the OSSEC Process on server is stopped

2016-04-07 Thread Pedro S
Jesus is totally right. The timeout he is talking about is *3*NOTIFY_TIME+30*; *NOTIFY_TIME* by default is 600 seconds. Check the last modification date of every agent-info/* file and wait until that time is more than 30'30'' ago. Best regards, Pedro S. On Thursday, Apr
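The timeout rule from this reply, turned into a small script. This is an added example, not code from OSSEC or from the thread: it assumes the keepalive files live under /var/ossec/queue/agent-info/ (one file per agent, mtime updated on each keepalive), and classifies an agent as disconnected once more than 3*NOTIFY_TIME+30 seconds have passed since the file was last touched.

```python
import os
import time

# Default NOTIFY_TIME quoted in the thread (seconds). The manager only
# flags an agent as disconnected after 3*NOTIFY_TIME+30 s of silence.
NOTIFY_TIME = 600


def disconnect_threshold(notify_time=NOTIFY_TIME):
    """Seconds without a keepalive after which an agent counts as disconnected."""
    return 3 * notify_time + 30


def agent_state(last_keepalive, now, notify_time=NOTIFY_TIME):
    """Classify one agent from the mtime of its agent-info file.

    last_keepalive: mtime of queue/agent-info/<name>-<ip> in epoch seconds
    now:            current epoch seconds
    Returns "Active" while the silence is within the threshold, else "Disconnected".
    """
    silence = now - last_keepalive
    return "Active" if silence <= disconnect_threshold(notify_time) else "Disconnected"


def agent_states_from_dir(agent_info_dir="/var/ossec/queue/agent-info",
                          now=None, notify_time=NOTIFY_TIME):
    """Classify every file in the agent-info directory (assumed path).

    Returns {filename: state}; filenames are the agent name plus IP.
    """
    now = time.time() if now is None else now
    states = {}
    for name in sorted(os.listdir(agent_info_dir)):
        path = os.path.join(agent_info_dir, name)
        if os.path.isfile(path):
            states[name] = agent_state(os.stat(path).st_mtime, now, notify_time)
    return states


if __name__ == "__main__":
    # Run on the manager; prints one line per agent keepalive file.
    for agent, state in agent_states_from_dir().items():
        print(f"{agent}: {state}")
```

With the defaults the threshold is 1830 seconds, which is the 30'30'' the reply mentions; raise notify_time if you lowered or raised NOTIFY_TIME in the agent's internal_options.conf.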

[ossec-list] Re: new files does not creating alert at all

2016-04-07 Thread Pedro S
Hi, That decoder is hardcoded <https://github.com/wazuh/ossec-wazuh/blob/5441889d963ce6d8ee3fae0e9f273e701b6c89eb/src/analysisd/rules.h#L231> into the OSSEC code, so you won't find any decoder with that name. Best regards, Pedro S. On Monday, April 4, 2016 at 8:06:58 PM UT

[ossec-list] Re: How are the best test to ossec rules

2016-04-07 Thread Pedro S
Testing the OSSEC installation or the OSSEC rules? I am with Dan: define "test", hehe, what do you want exactly? On Tuesday, April 5, 2016 at 4:58:46 PM UTC+2, tchello2008br wrote: > Hi all > I want to test my installation, what is the best method? > Tks > -- --- You received this message bec

Re: [ossec-list] Emails are not going

2016-03-30 Thread Pedro S
You can set up any SMTP server in OSSEC and it will use it to send the emails, BUT OSSEC is not able to use SMTP authentication. Amazon SES works with TLS authentication, so... I don't think OSSEC out of the box can use Amazon SES. Instead, you can probably configure an Amazon SES SMTP account i

Re: [ossec-list] How to ignore log ?

2016-03-29 Thread Pedro S
Did you run ossec-logtest to verify that your log triggers the rule you just created? Try running it and paste the log; if rule 81 is not being fired, something went wrong with the rule creation. On Wednesday, March 30, 2016 at 8:10:39 AM UTC+2, sandeep wrote: > Hi Dan, > Thanks for the d

[ossec-list] Re: id "|" or "," ??

2016-03-29 Thread Pedro S
a previous match of 4000 or 4001. I don't know any other approach to solve this. Maybe we can use active response to execute a script which stores the info and at some point triggers an alert. I hope someone can shed some light here. Regards, Pedro S. On Tuesday, March 29, 2016 at 4

[ossec-list] Re: id "|" or "," ??

2016-03-29 Thread Pedro S
last one will work, and the following one WON'T work: > 18105 > ^529$,^530$,^531$,^532$,^533$ > Windows Logon Failure. > win_authentication_failed,pci_dss_10.2.4,pci_dss_10.2.5, > Regards, Pedro S. On Monday, March 28, 2016 at 9:07:30 PM UTC+2, Rob B

[ossec-list] Re: Change ossec.conf globaly

2016-03-08 Thread Pedro S
I can't imagine a way to change ossec.conf on every agent if you are not using some deployment software (like Puppet). One solution for future installations is to change the default ossec.conf file to include your EventID exception. Regards, Pedro S. On Monday, March 7, 2016 at 3:

[ossec-list] Re: Help needed with Ossec implementation

2016-03-03 Thread Pedro S
ite => true } } If everything goes well, you should see in Kibana every log collected by your OSSEC agents. Be careful, the archives option collects *everything*, so archives.json/log and the Elasticsearch indexes will be huge if you have a large deployment. Regards, Pedro S. On Thursday, March 3, 2

[ossec-list] Re: Decoding long messages - multiple regex statements

2016-03-03 Thread Pedro S
You asked about using another "regex" line in the same decoder; it will work too, like this: Checkpoint (\w+) \p\w+ \w+ src:\s(\d+.\d+.\d+.\d+);\sdst:\s(\d+.\d+.\d+.\d+) *\.*resource: (\.*);\.*product: (\.*);* action,srcip,dstip, url, extra_data Best regards, Pedro S. On Wedne

[ossec-list] Re: help me phase pre-decode

2016-02-29 Thread Pedro S
azuh/blob/master/src/analysisd/cleanevent.c#L77> Regards, Pedro S. On Sunday, February 28, 2016 at 2:43:09 PM UTC+1, luan vo wrote: > Hello everyone, I began to learn OSSEC. Can you tell me whether the *pre-decode* stage can be tweaked? Thanks to all > -- --- You received this message be

[ossec-list] Re: Log rotation by ossec-monitord

2016-02-26 Thread Pedro S
l next day. Regards, Pedro S. On Friday, February 26, 2016 at 2:14:30 PM UTC+1, Openshaw, Dave wrote: > Hello > Please tell me, how can I change the settings for log rotation by > ossec-monitord? I see only options that change compression and signing.

[ossec-list] Re: Anybody using CIS controls with OSSEC? (https://github.com/awailly/cis-ubuntu-ansible)

2016-02-26 Thread Pedro S
Activate new rootchecks by adding, for example, */var/ossec/etc/shared/cis_debian_linux_rcl.txt* to the ossec.conf file. By the way, using /var/ossec/bin/rootcheck_control -i AGENTID you can check outstanding rootcheck events. Regards, Pedro S. On Friday, February 26, 2016 at 4:40:08

Re: [ossec-list] Re: DNS caching for ?

2016-02-26 Thread Pedro S
The proxy server would be a good external solution, of course. About OSSEC, maybe we need something like "reload", NOT restart; a reload could allow OSSEC to read all the configuration files again and refresh its internal structures. Sure, it won't be easy, but... just thinking. On Thursday, February 25,

Re: [ossec-list] List of OSSEC rules?

2016-02-26 Thread Pedro S
sure. > On Thursday, February 25, 2016 at 1:53:36 PM UTC-5, Pedro S wrote: >> You are welcome! I'll upload it to some website or repository folder. >> It is simple but it works; in the future I will also extract the PCI >> compliance re

[ossec-list] Re: Server not responding to agent messages (1218/4101)

2016-02-26 Thread Pedro S
Hi, Stupid question: according to your logs: 2016/02/25 21:16:25 ossec-agentd(4101): WARN: Waiting for server reply (not started). Tried: ''. Is the server IP setting on the agent set correctly? It seems like OSSEC is reading "" as the remote IP, or did you change it on purpose in the post? Like Dan

[ossec-list] Re: Anybody using CIS controls with OSSEC? (https://github.com/awailly/cis-ubuntu-ansible)

2016-02-26 Thread Pedro S
Hi, I am not familiar with *cis-ubuntu-ansible*, but you can try to debug the OSSEC log to inspect what exactly is blocking the contact. Open internal_options.conf and set: remoted.debug=2 syscheck.debug=2 analysisd.debug=2 logcollector.debug=2 # Unix agentd agent.debug=2 Restart and review what is

Re: [ossec-list] List of OSSEC rules?

2016-02-25 Thread Pedro S
tory): for filename in filenames: if filename[-4:] == ".xml": GetRulesList(os.path.join(root,filename), filename) Hope it helps, regards, Pedro S. On Monday, February 22, 2016 at 4:38:43 PM UTC+1, thak wrote: > Thanks! > On Monday, February
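A complete version of the kind of rule lister this reply sketches (walk the rules directory, take every .xml file, pull out the rules). This is an added example, not Pedro's script: it reads the raw text with regular expressions instead of an XML parser because an OSSEC rules file is not one well-formed document (several top-level <group> blocks, unescaped characters inside <regex>), and it also pulls the pci_dss_* tags out of each rule's <group> list, which the reply mentions as a future addition. The sample input is constructed in the style of the stock pam rules, and /var/ossec/rules as the default directory is an assumption.

```python
import os
import re

# Raw-text regexes: a rules file is not a single well-formed XML document,
# so ElementTree would reject it; non-greedy matches keep each <rule> separate.
RULE_RE = re.compile(r"<rule\b([^>]*)>(.*?)</rule>", re.DOTALL)
ATTR_RE = re.compile(r'(\w+)="([^"]*)"')
DESC_RE = re.compile(r"<description>(.*?)</description>", re.DOTALL)
GROUP_RE = re.compile(r"<group>(.*?)</group>", re.DOTALL)   # inner <group>, not <group name=...>


def parse_rules(xml_text, filename=""):
    """Return one dict per <rule> in a rules file: id, level, description, groups, file."""
    rules = []
    for attrs, body in RULE_RE.findall(xml_text):
        attr = dict(ATTR_RE.findall(attrs))
        desc = DESC_RE.search(body)
        groups = []
        for g in GROUP_RE.findall(body):
            groups.extend(x.strip() for x in g.split(",") if x.strip())
        rules.append({
            "id": int(attr["id"]),
            "level": int(attr.get("level", "0")),
            "description": " ".join(desc.group(1).split()) if desc else "",
            "groups": groups,
            "file": filename,
        })
    return rules


def pci_requirements(rule):
    """PCI DSS requirement numbers carried as pci_dss_* tags in the rule's groups."""
    return [g[len("pci_dss_"):] for g in rule["groups"] if g.startswith("pci_dss_")]


def walk_rules_dir(directory="/var/ossec/rules"):
    """Parse every *.xml under directory (assumed default path) and sort by rule id."""
    rules = []
    for root, _dirs, filenames in os.walk(directory):
        for filename in filenames:
            if filename.endswith(".xml"):
                with open(os.path.join(root, filename), encoding="utf-8",
                          errors="replace") as fh:
                    rules.extend(parse_rules(fh.read(), filename))
    return sorted(rules, key=lambda r: r["id"])


# Constructed sample modelled on the stock pam rules (not a verbatim copy).
SAMPLE_RULES = """
<group name="syslog,pam,">
  <rule id="5500" level="0" noalert="1">
    <decoded_as>pam-unix</decoded_as>
    <description>Grouping of the pam_unix rules.</description>
  </rule>
  <rule id="5501" level="3">
    <if_sid>5500</if_sid>
    <match>session opened for user </match>
    <description>Login session opened.</description>
    <group>authentication_success,pci_dss_10.2.5,</group>
  </rule>
</group>
"""

if __name__ == "__main__":
    for r in parse_rules(SAMPLE_RULES, "pam_rules.xml"):
        print(f'{r["id"]:6d} level {r["level"]:2d} {r["description"]} pci={pci_requirements(r)}')
```

Point walk_rules_dir at the manager's rules directory (and local_rules.xml's directory) to get the full table; rule 5501 above is the one whose JSON alert appears in the "ossec category/group - syslog remote" thread on this page.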

[ossec-list] Re: DNS caching for ?

2016-02-25 Thread Pedro S
c4a56599/src/config/client-config.c#L73> setting, the *OS_GetHost* function is called to get the IP address; that function won't be called again until you restart OSSEC. Regards, Pedro S. On Thursday, February 25, 2016 at 10:57:14 AM UTC+1, Barry Kaplan wrote: > I have a situati

[ossec-list] Re: Alert message on the subject

2016-02-23 Thread Pedro S
"OSSEC Notification - %s - Alert level %d" #define MAIL_SUBJECT_FULL "OSSEC Alert - %s - Level %d - %s" and uses them in os_maild_client.c <https://github.com/wazuh/ossec-wazuh/blob/master/src/os_maild/os_maild_client.c#L138> I hope it helps! Regards, Pedro S. On Tuesd

Re: [ossec-list] Re: Active response is not working

2016-02-23 Thread Pedro S
g/auth.log - mar feb 23 08:54:05 PST 2016 /var/ossec/active-response/bin/test.sh add - - 1456246445.15632 5501 /var/log/auth.log - I hope it helps. Try a basic example like this and see if it works. Regards, Pedro S. On Tuesday, February 23, 2016 at 5:52:41 PM UTC+1, Pedro S wrote

Re: [ossec-list] Re: Active response is not working

2016-02-23 Thread Pedro S
9,1 0 >8651749 /var/ossec/queue/fts/ig-queue > 2016-02-23 16:20 GMT+03:00 Pedro S >: > I have been trying to replicate your situation; you can install either a local > or a server installation, it is working on both. >

[ossec-list] Re: Active response is not working

2016-02-23 Thread Pedro S
rigger your active response. Remember to set the groups and permissions on your *script.sh*. If you need to extract srcip, don't forget to set *expect* in the command section: testar srcip testar.sh Regards, Pedro S. On Tuesday, February 23, 2016 at 1:39:31 PM UTC+1, ba...@x-cart.com wro

[ossec-list] Re: Active response is not working

2016-02-23 Thread Pedro S
and check for the line: 2016/02/23 11:40:57 ossec-analysisd: DEBUG: Active response initialized ... The scripts should be placed in /var/ossec/active-response/bin with execute permissions. Regards, Pedro S. On Tuesday, February 23, 2016 at 11:21:13 AM UTC+1, ba...@x-cart.com wrote: >

Re: [ossec-list] Removing agent by deleting line in client.keys?

2016-02-23 Thread Pedro S
Hi Barry, You can run manage_agents with the "-r" option and it will remove an agent, so you can create some scripts to automate the process: /var/ossec/bin/manage_agents -r AGENTID OSSEC internally keeps a hash table built from client.keys; removing manually from client.keys or using manage_agen
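A small helper that ties this reply to the "Agents not connecting, traffic visible in tcpdump" thread above, where the fix was to remove duplicated client.keys entries because an agent fails to connect when its IP appears more than once. This is an added example, not code from OSSEC or from the thread: it parses client.keys (one entry per line, ID NAME IP KEY), reports IPs registered more than once, and emits the manage_agents -r commands for the stale IDs. Keeping the highest ID per IP (the most recently added entry) is this example's own policy, and the sample keys are constructed.

```python
from collections import defaultdict

MANAGE_AGENTS = "/var/ossec/bin/manage_agents"  # path quoted in the reply


def parse_client_keys(text):
    """Parse client.keys text into dicts; blank and '#' lines are skipped."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) != 4:
            raise ValueError(f"client.keys line {lineno}: expected 4 fields, got {len(parts)}")
        agent_id, name, ip, key = parts
        entries.append({"id": agent_id, "name": name, "ip": ip, "key": key})
    return entries


def duplicate_ips(entries):
    """Map each IP registered more than once to the agent IDs that use it."""
    by_ip = defaultdict(list)
    for e in entries:
        if e["ip"] != "any":  # 'any' is a wildcard; several agents may legitimately share it
            by_ip[e["ip"]].append(e["id"])
    return {ip: ids for ip, ids in by_ip.items() if len(ids) > 1}


def removal_plan(entries):
    """IDs to remove so that each IP is registered once.

    Policy chosen for this example: keep the highest (newest) ID per IP.
    """
    to_remove = []
    for _ip, ids in sorted(duplicate_ips(entries).items()):
        keep = max(ids, key=int)
        to_remove.extend(i for i in ids if i != keep)
    return sorted(to_remove, key=int)


def removal_commands(entries, manage_agents=MANAGE_AGENTS):
    """One manage_agents -r command per stale ID, to run on the manager."""
    return [f"{manage_agents} -r {agent_id}" for agent_id in removal_plan(entries)]


# Constructed sample: app01 was re-registered as 005 without removing 003,
# so 10.0.0.13 appears twice. Keys are fake placeholders.
SAMPLE_CLIENT_KEYS = """\
001 web01 10.0.0.11 0a1b2c3d4e5f
002 db01 10.0.0.12 1a2b3c4d5e6f
003 app01 10.0.0.13 2a3b4c5d6e7f
004 laptop any 3a4b5c6d7e8f
005 app01-new 10.0.0.13 4a5b6c7d8e9f
"""

if __name__ == "__main__":
    entries = parse_client_keys(SAMPLE_CLIENT_KEYS)
    for ip, ids in duplicate_ips(entries).items():
        print(f"duplicate IP {ip}: agent IDs {', '.join(ids)}")
    for cmd in removal_commands(entries):
        print(cmd)
```

Run it against a copy of /var/ossec/etc/client.keys and review the printed commands before executing them; the reply above notes that OSSEC keeps an in-memory table built from client.keys, so plan a restart of the manager after the removals as the thread goes on to discuss.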

[ossec-list] Re: clamav?

2016-02-22 Thread Pedro S
operly, you can test the current decoders and rules using logtest: /var/ossec/bin/ossec-logtest Feel free to improve them or paste some log examples here so we can figure out how to improve them. Regards, Pedro S. On Monday, February 22, 2016 at 5:07:48 PM UTC+1, Barry Kaplan wrote: >

[ossec-list] Re: How to group Syscheck notifications

2016-02-22 Thread Pedro S
" function to add the event to a queue which ossec-analysisd will read. Rule 515 has no errors; every rootcheck alert depends on rule 510 (general rootcheck alert), which depends on 509 (rootcheck event). Regards, Pedro S. On Monday, February 22, 2016 at 5:39:09 PM UTC+1, ba...@x-cart.com wro

[ossec-list] Re: How to group Syscheck notifications

2016-02-22 Thread Pedro S
> 3. On the "Ending syscheck scan" event, send the file to a customer. > Is it a good solution, or is there a better way? > Thank you for your answers, Pedro! > Pedro S: >> Hi, >> Let me know if I understood right, do you want OSSEC to only send

[ossec-list] Re: How to group Syscheck notifications

2016-02-22 Thread Pedro S
t you mean with rule 515 and "Ending rootcheck scan", please be more specific. Regards, Pedro S. On Monday, February 22, 2016 at 3:37:18 PM UTC+1, ba...@x-cart.com wrote: > Hello! > I want to send only the changed filenames, like in the email (see below)? > Is there'

[ossec-list] Re: Centralized agent configuration - multiple matches

2016-02-11 Thread Pedro S
the configuration which matches name, os or profile; it does not matter if you have several different . I hope I explained myself; as you notice, English is not my mother tongue. On Thursday, February 11, 2016 at 2:30:56 PM UTC+1, Pedro S wrote: > Hi again James, > I just teste

[ossec-list] Re: Centralized agent configuration - multiple matches

2016-02-11 Thread Pedro S
Hi again James, I just tested and I can see how both configurations are pushed to the agent. OSSEC always pushes the entire agent.conf file to all the agents; you can open the file on your agent to check if everything has been received: *OSSEC file "/var/ossec/etc/shared/merged.mg"* If you enable

[ossec-list] Re: Don't send all windows event logs in client side

2016-02-09 Thread Pedro S
eventchannel Event/System[EventID != 2003 && EventID != 2004 && EventID != 2005 && EventID != 2006] Regards, Pedro S. On Tuesday, February 9, 2016 at 12:52:41 PM UTC+1, Idan Spencer wrote: > Hello, > I'm trying to make the H

Re: [ossec-list] Re: Process defunct firewall-drop.sh and host-deny.sh

2016-02-08 Thread Pedro S
onday, February 8, 2016 at 12:33:11 PM UTC+1, Pedro S wrote: > OFC it is not a solution; I thought you were not sure what active-response > is and you were complaining about those scripts. > Regarding your problem, I am not sure why these processes remain in > zombie status,

Re: [ossec-list] Re: Process defunct firewall-drop.sh and host-deny.sh

2016-02-08 Thread Pedro S
using this > feature'.. > :-) > 2016-02-08 11:36 GMT+01:00 Pedro S >: >> Hi, >> Are you using active response? Those files are related to OSSEC >> active-response; if you are not using it you can disable it by editing >> ossec.con

Re: [ossec-list] Re: Windows Active Response Default Settings

2016-02-08 Thread Pedro S
/master/src/win32/ossec.conf#L133 I think OSSEC uses that file to compile the Windows binary; if you change that line and compile the agent, it will have active-response enabled by default. On Monday, February 8, 2016 at 11:44:43 AM UTC+1, dan (ddpbsd) wrote: > On Feb 8, 2016 5:39 AM,

[ossec-list] Re: Windows Active Response Default Settings

2016-02-08 Thread Pedro S
ossec-docs.readthedocs.org/en/latest/syntax/head_ossec_config.active-response.html Regards, Pedro S. On Thursday, February 4, 2016 at 7:55:42 AM UTC+1, Abdulvehhab Agin wrote: > Hi > The OSSEC setup prepared for the Windows install ships an ossec.conf file with active > response set to yes by default

[ossec-list] Re: Process defunct firewall-drop.sh and host-deny.sh

2016-02-08 Thread Pedro S
Hi, Are you using active response? Those files are related to OSSEC active-response; if you are not using it you can disable it by editing the ossec.conf file: yes Best regards, Pedro S. On Friday, February 5, 2016 at 9:17:48 AM UTC+1, Giorgio Biondi wrote: > Hi all >

[ossec-list] Re: Can one agent report to two masters?

2016-02-03 Thread Pedro S
I think the server block listed twice won't do the trick. It is probably better to have two agents. On Tuesday, February 2, 2016 at 3:04:04 AM UTC+1, James Dough wrote: > I think it's possible, you just have to have the server block listed > twice, and use the same key on both servers. > - Untes

Re: [ossec-list] Invalidate all old clients

2016-02-03 Thread Pedro S
Hi, ossec-remoted should start by itself; if not, usually it is because you don't have any agents added. Try to run bin/manage_agents, add an example agent, restart OSSEC, and remoted should start. Check client.keys to verify that this "example agent" was added. Check the permissions of the folders etc/ and

Re: [ossec-list] ERROR: Incorrectly formated message

2016-02-03 Thread Pedro S
Hi, Try to add the agent with "any" in the IP field (./manage_agents): when the "ip" question prompts, write "any", just for testing; maybe the agent IP when it reaches OSSEC is not the IP you are writing. On Wednesday, February 3, 2016 at 8:10:45 AM UTC+1, Robert wrote: > Hi Jose, > Yes

Re: [ossec-list] What does Courier Fetch x of xxx shards failed mean?

2016-02-03 Thread Pedro S
Hi, When exactly are you getting this error? When opening a dashboard? In the "Discover" tab? It is a very generic error; there are different approaches to solve this: - What specs does your machine have? - Are you creating a daily index? How many indexes does your cluster have now? - How many shards per index?

Re: [ossec-list] strange in 'full_command' output

2016-02-02 Thread Pedro S
That would be really cool; OSSEC needs SSL support. I am sure it won't be easy! On Tuesday, February 2, 2016 at 10:51:08 PM UTC+1, Santiago Bassett wrote: > That would be more than awesome! > On Tue, Feb 2, 2016 at 1:27 PM, Daniel Cid > wrote: >> Our major limitation is the size of the UDP

Re: [ossec-list] ossec-logtest returns Level 0 but still getting email alerts Level 2

2015-11-23 Thread Pedro S.
Hi Daniel, sorry for the late response. I don't really know what is happening with your alerts, but I'll keep giving you some advice; we'll see if we can make this work. Maild reads directly from alerts.log, searches for the "mail" flag and, if it is present, sends the email; that means if your alert is p

Re: [ossec-list] ossec-logtest returns Level 0 but still getting email alerts Level 2

2015-11-13 Thread Pedro S.
Okay, try this: Temporarily remove "alert_by_email" from rule 1002 in syslog_rules.xml. Now add "alert_by_email" to your custom rule. Restart OSSEC and generate the alert. What I'm trying here is to stop OSSEC from sending the rule 1002 email; I think that the "alert_by_email" option forces OSSEC to send an

Re: [ossec-list] ossec-logtest returns Level 0 but still getting email alerts Level 2

2015-11-13 Thread Pedro S.
ading the rule properly. On Friday, November 13, 2015 at 8:04:05 AM (UTC-8), dan (ddpbsd) wrote: > On Fri, Nov 13, 2015 at 10:59 AM, Pedro S. > wrote: > Hi Daniel, > The alert you changed to level 0 isn't the same as the one you wrote some

Re: [ossec-list] ossec-logtest returns Level 0 but still getting email alerts Level 2

2015-11-13 Thread Pedro S.
Hi Daniel, The alert you changed to level 0 isn't the same as the one you wrote some lines before, is it? You set rule SID 15 to level 0, but the alert you show us has SID 1002. For testing purposes, try to deactivate (change to level 0) rule 1002 and check if it is still generating these alerts.