I get the feeling this never worked but that is just me. Also, I don't
think you have to put in a path if doing a silent install or anything and
it should just work.
--
---
You received this message because you are subscribed to the Google Groups
"ossec-list" group.
To unsubscribe from this
If I had to guess, that thread and some of the others you might remember
seeing are about the installer setting permissions to the 'Administrators'
group. The problem is when Windows is set to use another language that
group isn't named the same. The proper way to do this is with well known
Are there errors in the OSSEC log after you create the tmp directory in the
OSSEC directory and restart everything?
Looks like the installer needs the following:
https://github.com/ossec/ossec-hids/blame/master/src/win32/ossec-installer.nsi#L146
Yeah, there was this:
https://github.com/awiddersheim/ossec-hids/commit/262630f63674c8e0e5928bf8a002d0a31114e2d6
Not sure that is the problem. Could be a number of things potentially. Is
there a tmp directory in the OSSEC directory? Maybe something stupid with
permissions? Might be worth using
Those bookmark failures shouldn't be happening so if you continue to see
those I think we will probably need to dig in a bit. Especially if the
OSSEC version I gave you (Josh) a few months ago isn't doing the same thing.
--
Might just need to add this line into error_messages.h in Dan's branch:
https://github.com/awiddersheim/ossec-hids/blob/master/src/error_messages/error_messages.h#L44
--
That is my doing. When fixing CVE-2015-3222 I inadvertently broke the
Windows builds with my backport to 2.8.2. I fixed in the master branch so
2.9 wouldn't have the problem but never felt the need to backport the fix
but since we are doing another 2.8.x release it seems like we should. You
Was talking to Dan today. Will try to put together some merge requests to
his branch and 2.8.3 that will hopefully fix these things. Hopefully will
find some time in the next few days to make that happen.
--
Just researched this a bit more. Probably isn't supported at this time.
Pull requests welcome.
--
The following pre-release has an already built binary that I believe has
those changes that you can try:
https://github.com/ossec/ossec-hids/releases/tag/2.9.0-beta02
I'd test it out first. No promises that it works. Alternatives are to build
the binary yourself from master or to wait until we
You can try running the agent from the command line. Anything in the event
log? Outside of that, without any more troubleshooting data, there isn't a
whole lot of guidance I can give.
--
I'm not sure there is a configuration option to change how often the agents
report in. I think it is pretty long though. I think right now it is a hard
coded value but it might be in the internal_options file. When the agent
first starts it connects to the server immediately.
--
What version are you running? Anything of interest in the ossec.log?
--
Looks like you might be hitting the limitation of the OSSEC agent on
Windows where it has trouble seeing the registry on x64 machines. This is a
known issue and will hopefully be addressed in future versions. For now you
might find this workaround useful:
Are you using the syscheck FIM stuff at all?
--
https://github.com/ossec/ossec-hids/releases/tag/2.8.2
Fix for CVE-2015-3222 which allows for root escalation via syscheck
Affected versions: 2.7 - 2.8.1
Beginning in OSSEC 2.7 (d88cf1c9) a feature was added to syscheck, which
is the daemon that monitors file changes on a system, called
They both can be vulnerable depending on whether or not you are running
syscheck on the server.
--
The server isn't what you need, which is what you are building in these
screenshots. You'd need the updated version of the Windows agent which
isn't on the releases page for 2.9-beta03. I'm working on getting that
rectified and will post a download link once I have it.
--
I created an issue to investigate this further:
https://github.com/ossec/ossec-hids/issues/568
From what you have showed it looks like it should work according to the
examples given in the documentation. I'll have to dig deeper to understand
more.
--
I confirmed in the code that the query is getting passed to EvtSubscribe()
and an error should get generated and show in the logs if the query is
malformed in any way. There have been a large amount of changes to the
eventchannel code in 2.9 which is still beta. Let me find a download link
for
Really cool stuff. Thanks for sharing.
--
Are there any errors in the ossec.log? How are you generating those Login
Audit Failure messages? Can you try running the latest OSSEC beta? There
were a large number of fixes done to the eventchannel code that might fix
whatever problem you are having.
--
So just so I completely understand, all events are getting sent but you
only want events that have the ID of 4625 and you are using version 2.8.1?
This is happening even with eventchannel?
--
Were you able to test the latest beta version with another language yet?
Would love to get this bug tested/fixed before OSSEC 2.9 is released.
--
My first guess is the file is being rotated or changed in some way.
Anything that you know of that might be doing this? I don't believe OSSEC
(at least the Windows side) saves the last read position but I could be
wrong on that. I can say with confidence that it will save the last known
Just verified neither Windows nor *NIX will store file positions of the
files they are reading. When OSSEC's logcollector starts up and begins
processing files it is configured for it will just seek to the end so yes,
things can be missed if something happens while OSSEC is reading the
file.
Great blog post. Just saw it the other day from twitter I think. Let me
know how your testing goes. Best way we can get things like this fixed is
to have good testing.
--
Not being able to read the logs or the files in the OSSEC directory on
Windows is normal. Even though you are an admin you still need to accept
UAC or whatever to escalate to a high enough privilege level to read those
files. The GUI does this for you when you open it which is why things work
This may be fixed in the upcoming release of OSSEC. Are any of you running
a different language other than English as the primary language for
Windows? Can you post the log entries (if any) that are in the ossec.log
file after this happens?
Would any of you be able to try the latest 2.9 beta?
It can probably be added. There are a few issues with the proper reporting
of 2012 and 2012R2 but they are pretty minimal. Everything else should work
though.
--
I just investigated this as I've been working on the eventchannel code
quite a bit. The eventchannel stuff will both bookmark the last location so
the agent can pick up again where it left off. Also, if the manager is down
and seen as disconnected by the agent then it will also behave the same
Awesome. Thanks for sharing. I look forward to seeing the rest of the
presentations when they get posted.
--
I want to do a lot of work on the Windows agent to try and make it better.
One of the big changes I have planned is getting rid of the Windows GUI. In
my opinion the GUI doesn't provide enough value to make it worth
maintaining the fairly significant amount of code that it produces as well
as
Yes. The key file's format will stay the same so anything existing for that
will not need to change. You should be able to use manage_agents.exe to
import the key programmatically now as well. The hope is to do that at least.
If it isn't possible now it should be.
--
Don't get me wrong. I wouldn't mind keeping the GUI around. The problem is
the GUI creates a huge code base that isn't really well designed IMO and is
semi-buggy. There are enough problems on the Windows side already at the
core of what OSSEC does. I'd rather put the focus there than on some
How many times does someone actually need to fire up the GUI to configure
something? We are probably only asking someone to figure out some command
line arguments once when they first configure the agent. Our documentation
should be the thing that helps them.
Something like How to install
I will add it to my todo list as part of the work I'd like to do.
--
Good suggestion but I just think the GUI does more than it needs to.
Especially with the service management. Keeping that code around and
building it into the CLI just isn't worth it to me. Easy enough to do with
mmc or existing CLI tools most Windows Administrators know and love.
If you take
Wish I could go. Hopefully they record so we can view later.
--