ng that root, Alberto, but then I realized I need to
> build the package in local mode. I can write a bit about it if the
> community is interested.
>
> I just opted to build the OSSEC package from source using a bash script
> piped into my fleet via AWS systems manager (for AWS Lin
. Maybe you can adapt the script in order to build
ossec and make your own packages with your desired configuration; this
could be a second option.
Please, let me know if I can help you with this.
Regards,
Alberto R
On Wednesday, July 8, 2020 at 8:53:24 PM UTC+2
m
Hello Julia
Sorry for the late response. Did you consider the possibility of
configuring Auditd? This module will allow you to determine the owner,
permissions, etc. of the desired files, and you can get the logs with Ossec
by reading the syslog log file of the OS.
Hope it helps
Best regards
Hello Jared
Did you try to configure Oracle logs in JSON format? I think it's the
easiest way to ingest the logs due to the automatic JSON decoding of Wazuh. Do
you have this option?
Best regards,
On Saturday, May 5, 2018 at 9:27:38 PM UTC+2, Jared wrote:
>
> Hello,
>
> I am looking for guidanc
Hello
As we discussed
here: https://groups.google.com/forum/#!topic/wazuh/vdKsdOQX0QE
Sysmon provides the information that you need.
Hope it helps.
Best regards,
Alberto R.
On Wednesday, April 25, 2018 at 7:28:01 PM UTC+2, Aj Navarro wrote:
>
> Hi everybody…
>
>
>
>
Hello Richard
You should be able to forward this event channel with an XPATH query like this:
USB
eventchannel
\
\
\*\
\
\
But, unfortunately, Ossec doesn't allow escaping some characters. This is
fixed in this commit:
https://git
Hello
Using the following rule:
31101
.jpg?\d+
Ignored extensions on 400 error codes.
it works for me, so I think that you need to review the compiled rule if
you want to still use it.
Hope it helps
Best regards,
Alberto R.
On Saturday, May 5, 2018 at 12:20:43 PM
Hello
Did you try to use the regex like that?
31101
.jpg?\d+
is_simple_http_request
Ignored extensions on 400 error codes.
Documentation:
http://ossec-docs.readthedocs.io/en/latest/syntax/regex.html?highlight=\d+
Hope it helps
Best regards,
Alberto R
On Friday, May
Best Regards,
Alberto R.
On Tuesday, April 24, 2018 at 11:49:58 AM UTC+2, Chinmay Pandya wrote:
>
> I created 2 custom rules. Rule id 12 and 13.
>
> Rule id 12 is with alert level1 and 13 with alert level 8.
>
> Rule 13 is based on frequency of alert
the tag json in the
configuration and replace the script in */var/ossec/integrations*
Best regards,
Alberto Marin
On Thursday, March 15, 2018 at 5:33:02 PM UTC-7, Mark W. wrote:
>
> Hey Guys a couple of things
>
> 1. I've configured a test instance of the Wazuh fork with 2 ag
this message because you are subscribed to the Google Groups
> "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to ossec-list+unsubscr...@googlegroups.com.
> For more options, visit https://groups.google.com/d/optout.
>
--
*Wazuh Inc* | Alberto Rodríguez | IT Security Developer | Cell: +1 408 610 0385
Hello Stephen
I do not know if I understood well, but if you want to disable this
alert, you only need to add the following block to your file local_rules.xml
5100
Promiscuous mode enabled|
device \S+ entered promiscuous mode
Interface entered in promiscuous(sniffing) mode.
ocumentation:
http://ossec-docs.readthedocs.io/en/latest/syntax/head_ossec_config.localfile.html
Example:
https://blog.wazuh.com/report-windows-firewall-status-event-channel/
Hope it helps
Best Regards,
Alberto R.
On Thursday, October 26, 2017 at 7:19:50 AM UTC-7, Sylvain Crouet wrot
s a "strange" format
consider configuring the software to change the format, or
configuring ossec to read the DHCP server logs directly from the Event Log Viewer
of Windows.
Hope it helps.
Best regards,
Alberto R
On Tuesday, September 19, 2017 at 11:46:46 AM UTC-7,
ce...@castraconsul
ome modification. The main modification must be changing the
dynamic fields (Ossec doesn't support dynamic fields).
If you have any doubt let us know.
Best regards,
Alberto R.
PS: Here <https://blog.wazuh.com/using-wazuh-to-monitor-sysmon-events/> I
explain how to build a little
2.90, and everything works nicely.
> Now to convince Alienvault to update their product...
>
> On Tue, Aug 8, 2017 at 10:05 AM, Kevin Geil > wrote:
>
>> Thanks Alberto, I did try using eventchannel, multi-line (with location
>> of microsoft-windows-sysmon/operat
Hello Kevin
Following this document
http://ossec-docs.readthedocs.io/en/latest/manual/monitoring/ you'll be
able to read the multiple lines of sysmon events.
*Allowed:* multi-line: NUMBER
Hope it helps,
Best regards,
Alberto R.
Yes, here you'll find a guide with all daemons
descriptions:
https://documentation.wazuh.com/current/user-manual/reference/daemons/index.html
Please, let us know if you have any doubt.
Best regards,
On Monday, July 17, 2017 at 9:19:04 AM UTC+2, Kazim Koybasi wrote:
>
> Thanks for quick reply.
_all" to yes in ossec.conf of the manager; this
option allows the manager to register ALL events received from all agents in
"archives.log".
Hope it helps.
Best regards,
Alberto Rodríguez
"/var/ossec" still appearing? If
yes, you could remove it by "rm -rf /var/ossec/".
Best regards,
Alberto R.
On Tuesday, July 11, 2017 at 1:55:15 AM UTC+2, pRose wrote:
>
> i am attempting to purge and start from scratch with my ossec install.
>
> i have uninstalled previous
Hello Irshad
I think I have replied to this on the other thread, haven't I?
https://groups.google.com/forum/#!topic/ossec-list/mDueDPTDFTw
Best regards,
On Thursday, June 15, 2017 at 9:14:32 AM UTC+2, Irshad Rahimbux wrote:
>
> The logs are being pushed to archives.log and not ossec.log
>
> On
Hello Irshad
You have configured your manager to record all events in
archives.log. In this file you have all the events, including the event
you want to see on the GUI. But an event may or may not be an alert, and if
you want to see it on the GUI it must be an alert. This is the
Hello Akash Munjan
In this link: https://documentation.wazuh.com/current/index.html you will
find all the information related to Wazuh (an Ossec fork) and ELK
integration.
Let us know if you have any question.
Best regards,
On Thursday, May 18, 2017 at 5:22:39 PM UTC+2, Akash Munjal wrote:
Hi Tahir,
Wazuh can help you with your project. Wazuh provides professional services,
such as health-checks, tuning, deployment and configuration, and annual
support. You can find more information at Wazuh's website: www.wazuh.com
Best regards,
Alberto
On Friday, June 10, 2016 at 6:29:
Hi Daniel,
This is great! I don't have time right now for testing but I have a
suggestion: the next step should be the integration with RT and RTIR.
Thank you for this work.
Best regards,
Alberto Mijares
On Wed, Jan 27, 2016 at 2:27 PM, Daniel Cid wrote:
> I have been workin
You can use syslog. Tell syslogd to write a specific file and the ossec
agent to read that file.
Read about syslog format and protocol, and the man page of the syslog
server in your OS.
Regards
Alberto Mijares
On Thu, Dec 31, 2015 at 5:34 AM, Joao T. wrote:
> Hello,
>
> I would like t
o it can work out-of-the-box, like Vic
said.
A rules repo is a great idea. It just must be seen as an add-on, not
a requirement.
Alberto Mijares
ined READ me that
> identifies the rule ID ranges and what they do.
>
Time to move to ISO OID's namespace?
Just an idea.
Best regards,
Alberto Mijares