Hello Folks,
Our OSSEC server is running on 2.1, while our OSSEC agents run on
anywhere from 2.1 to 2.4. We have activated active response. Our OSSEC
server serves about 100 OSSEC agent hosts.
[1] Our problem is that the file /var/ossec/etc/ar.conf is not being
replicated from the OSSEC server to
er should be the latest version in use, and should not
> lag behind the agents.
>
>
>
> On Fri, Aug 27, 2010 at 9:33 AM, blacklight wrote:
> > Hello Folks,
>
> > Our OSSEC server is running on 2.1, while our OSSEC agents run on
> > anywhere from 2.1 to 2.4. We
force the replication of the /var/
ossec/etc/shared directory?
Restarting the OSSEC server alone does not seem to do the job.
On Aug 27, 10:49 am, "dan (ddp)" wrote:
> On Fri, Aug 27, 2010 at 10:24 AM, blacklight wrote:
> > Will updating the OSSEC server to 2.4 solve anythi
on't seem to be
getting any closer at this point to understanding why ar.conf is not
being replicated and what I can do about it.
On Aug 27, 12:51 pm, "dan (ddp)" wrote:
> On Fri, Aug 27, 2010 at 11:59 AM, blacklight wrote:
> >> Are any of the agents getting upd
ap it on the agent.
On Aug 27, 2:08 pm, "dan (ddp)" wrote:
> On Fri, Aug 27, 2010 at 1:37 PM, blacklight wrote:
> > Anything I can do about this limitation? In fact, I don't mind it as
> > long as it does not interfere with the contents of "merged.mg" being
restart-ossec0 - restart-ossec.cmd - 0
firewall-drop600 - firewall-drop.sh - 600
firewall-drop3600 - firewall-drop.sh - 3600
win_nullroute600 - route-null.cmd - 600
On Aug 27, 1:51 pm, "dan (ddp)" wrote:
> On Fri, Aug 27, 2010 at 1:37 PM, blacklight wrote:
> >>
ing the
> server and the agent. It eventually came back. Not sure if all of that
> was necessary, I just didn't feel like waiting.
>
> On Fri, Aug 27, 2010 at 2:15 PM, blacklight wrote:
> > Letting you know that I moved the ar.conf file out of the shared
> >
00 pm, "dan (ddp)" wrote:
> Give it a shot. I don't think it'll hurt anything.
>
> On Fri, Aug 27, 2010 at 2:56 PM, blacklight wrote:
> > My ar.conf file has yet to appear after close to one hour. Do you want
> > me to try with your method below?
It does seem to take forever for the update to take place. I really
would like to send you my merged.mg file for you to test.
On Aug 27, 3:46 pm, blacklight wrote:
> I restarted the OSSEC server and the OSSEC agent 45 min ago.
>
> Here is the current listing for the shared directo
Cool. To what mailing address should I send the merged.mg file?
On Aug 27, 4:37 pm, "dan (ddp)" wrote:
> Send it, I'll give it a shot later. Probably tonight.
>
> On Fri, Aug 27, 2010 at 4:24 PM, blacklight wrote:
> > It does seem to take for ever fo
back in
> place on that agent, I'll update if anything happens.
>
> On Fri, Aug 27, 2010 at 4:47 PM, blacklight wrote:
> > Cool. To what mailing address should I send the merged.mg file?
>
> > On Aug 27, 4:37 pm, "dan (ddp)" wrote:
> >> Send it,
and
> restarted the agent, only to find all of the files back in place. Not
> sure why it worked so quickly on that try.
>
> Anyways, I'm guessing this isn't going to work. I put the file back in
> place on that agent, I'll update if anything happens.
>
> On Fri,
I just sent you in a zipped file a copy of the shared directory of our
OSSEC server, which includes all the contents of said directory
including the hidden .svn file.
I hope that this makes it easier for you to reproduce our problem.
On Aug 28, 8:10 am, blacklight wrote:
> Another alternat
Windows agents. What can I
do about it?
Vietnhi Phuvan
On Aug 30, 12:37 pm, "dan (ddp)" wrote:
> On Mon, Aug 30, 2010 at 10:04 AM, blacklight wrote:
> > I just sent you in a zipped file a copy of the shared directory of our
> > OSSEC server, which includes all the cont
agent.conf's dates are out of sync.
Vietnhi Phuvan
On Aug 30, 12:37 pm, "dan (ddp)" wrote:
> On Mon, Aug 30, 2010 at 10:04 AM, blacklight wrote:
> > I just sent you in a zipped file a copy of the shared directory of our
> > OSSEC server, which includes all
Aug 31, 2010 at 3:43 PM, blacklight wrote:
> > FYI, here is a typical listing on one of the agents showing a failure
> > to update:
>
> > [r...@he4 shared]# ls -l
> > total 176
> > -rwxrwx--- 1 root ossec 3303 Jan 11 2010 agent.conf
> > -rwxrwx--- 1 root
Hello Folks,
I have implemented an active response whereby if the content of an
analyzed log message fits that rule, the OSSEC server will immediately
trigger a "firewall drop" active response on the agent host where the
analyzed log message came from.
The issue is that the active response does n
For a start, are contents of the shared directory on your OSSEC server
being fully replicated to the contents of the shared directory of your
Windows agents?
On Sep 2, 2:35 pm, "dan (ddp)" wrote:
> On Thu, Sep 2, 2010 at 12:37 PM, blacklight wrote:
> > You will be pleased
ack was launched through HTTP TCP packets. Can you tell me if the
firewall-drop rule will cause the relevant established connection to
break? (I googled for the answer but could not ascertain anything)
V.
On Sep 2, 3:06 pm, "dan (ddp)" wrote:
> On Thu, Sep 2, 2010 at 1:35 PM, bl
files in the shared directory got updated.
On Sep 2, 11:58 pm, "dan (ddp)" wrote:
> On Thu, Sep 2, 2010 at 3:14 PM, blacklight wrote:
> > For a start, are contents of the shared directory on your OSSEC server
> > being fully replicated to the contents of the shared direct
on is 2,3 and above.
On Sep 2, 11:58 pm, "dan (ddp)" wrote:
> On Thu, Sep 2, 2010 at 3:14 PM, blacklight wrote:
> > For a start, are contents of the shared directory on your OSSEC server
> > being fully replicated to the contents of the shared directory of your
I checked yesterday on Tuesday and everything is peachy, just as I
expected. Issue resolved.
On Sep 4, 1:00 am, blacklight wrote:
> Letting you know that updating the version of the Windows OSSEC agent
> did result in the immediate updating of the contents of the shared
> directory, s
Hello Folks,
I am wondering why active response on an OSSEC client which happens to
be an MS Windows 2008 Server is not being triggered. What is
frustrating is that it was working this morning while I was
troubleshooting it.
To start:
(1) The OSSEC server is properly configured:
OSSEC HIDS agen
Hello Folks,
I am looking into how to get one agent host NOT to induce the OSSEC
server host to trigger an active response block on an another agent
host as a result of some action by that source agent host that would
normally trigger said active response. Example: source agent host
Apple1 tries t
:http://www.ossec.net/doc/syntax/head_ossec_config.reports.html
>
> On Thu, Sep 30, 2010 at 6:43 PM, blacklight wrote:
> > Hello Folks,
>
> > I am looking into how to get one agent host NOT to induce the OSSEC
> > server host to trigger an active res
ver is too much
of a blunt instrument for us.
On Oct 1, 11:55 am, Michael Starks
wrote:
> On Fri, 1 Oct 2010 07:36:55 -0700 (PDT), blacklight
> wrote:
>
> > I just spoke with my boss - the method I ran by you is cumbersome and
> > lacks scalability. Is there a way to get white
. And unfortunately for us, every one of
these hosts' syslog has "app01" as the hostname.
On Oct 1, 1:00 pm, "dan (ddp)" wrote:
> On Fri, Oct 1, 2010 at 12:40 PM, blacklight wrote:
> > The scalability problem comes in two ways:
>
> > (1) While all our OS
o try it out at the moment) if the
> "location" option is available in rules. Usually location is the agent
> name or filename the alert came from. If that is indeed an available
> option it could help solve the problem of the multiple app01's.
>
> On Fri, Oct 1
t
received
The agent name is most probably referred to in the OSSEC source code by
some other parameter name than "location".
On Oct 1, 1:46 pm, "dan (ddp)" wrote:
> If you try the location method before I get a chance, let us know if
> it works or not.
>
> On Fri, O
I want to report that I also upgraded our OSSEC server to 2.5 today
and I similarly got
[r...@wiggum logs]# service ossec status
ossec-monitord is running...
ossec-logcollector: Process 28337 not used by ossec, removing ..
ossec-logcollector not running...
ossec-remoted is running...
ossec-syschec
Hello Folks,
We noticed that rule 11109 failed to trigger the active response that
we had specified. We traced the failure of rule 11109 to trigger the
active response that we had specified in ossec.conf to a syntax
error in the "ftpd-mac-failure" decoder in the decoder.xml file that
comes by d
Hello Folks,
Once in a while, the active response does not kick in. Then I have to
go into /var/ossec/queue/rids of the OSSEC agent host and delete
the agent ID file, say "011", and restart OSSEC at the agent. And I
have to go into /var/ossec/queue/rids of the OSSEC server host, delete
the agent
> What others did you test?
>
> Looks like an okay change to me.
>
> On Thu, Oct 28, 2010 at 1:22 PM, blacklight wrote:
> > Hello Folks,
>
> > We noticed that rule 11109 failed to trigger the active response that
> > we had specified. We traced the failure of rul
s problem. In fact I've never had to clear out the
> rids files.
> Can you provide a bit more information about the hosts showing this problem?
>
> On Thu, Oct 28, 2010 at 1:31 PM, blacklight wrote:
> > Hello Folks,
>
> > Once in a whi
Hello Folks,
We are running OSSEC 2.5.1
[root@bobo src]# service ossec status
ossec-monitord is running...
ossec-logcollector is running...
ossec-remoted is running...
ossec-syscheckd is running...
ossec-analysisd is running...
ossec-maild: Process 31720 not used by ossec, removing ..
ossec-maild
Hello Folks,
The format of OSSEC's syslog output for OSSEC clients is as typified
in this example:
discosco ossec: Alert Level: 10; Rule: 5712 - SSHD brute force trying
to get access to the system.; Location: (lady-dev.gaga.net)
74.143.171.166->/var/log/secure; srcip: 72.55.156.23; Apr 12 22:35
uit from 72.55.156.23"
Sorry if I caused any confusion,
On May 4, 6:53 pm, blacklight wrote:
> Hello Folks,
>
> The format of OSSEC's syslog output for OSSEC clients is as typified
> in this example:
>
> client ossec: Alert Level: 10; Rule: 5712 - SSHD brute for
Hello Folks,
The exported syslog entries from our OSSEC agent hosts have the
following format
ossecserver ossec: Alert Level: 10; Rule: 5712 - SSHD brute force
trying to get access to the system.; Location:
(ossecclient.domain.com) 74.143.171.166->/var/log/secure; srcip:
72.55.156.23; Apr 12 22
May 6, 3:55 pm, "dan (ddp)" wrote:
> Hi blacklight,
>
> On Fri, May 6, 2011 at 3:48 PM, blacklight wrote:
> > Hello Folks,
>
> > The exported syslog entries from our OSSEC agent hosts have the
> > following format
&g
uot; wrote:
> I don't know the answer to that. I haven't looked at the code far
> enough in depth for that.
> I'd start by looking in src/os_csyslogd
>
> On Mon, May 9, 2011 at 12:20 PM, blacklight wrote:
> > Hello Dan,
>
>
Hello Folks,
As you may already know, I had to customize some code in the alert.c
program in the os_csyslogd directory. The code customization only
affects the format of the OSSEC entries that are sent to a syslog
server.
As I re-ran the install.sh script, said script explicitly asked me
whether
Hello Folks,
I have a concern about the csyslogd daemon:
2011 Jun 04 13:51:03 Rule Id: 151601 level: 7
Location: ossec-server->/var/log/messages
Grouping of kernel error rules.
Jun 4 13:51:02 ossec-server kernel: ossec-csyslogd[21507]: segfault at
rip 003dd8479a30 rsp 7fff
rote:
> > Please try running it under gdb:
>
> > gdb ossec-csyslogd
>
> > (gdb) set follow-fork-mode child
> > (gdb) run
>
> > On Mon, Jun 6, 2011 at 5:50 PM, Jefferson, Shawn
> > wrote:
> >> Hey, I had the same crash too!
>
> >> --
-fork-mode child
> >> (gdb) run
>
> >> On Mon, Jun 6, 2011 at 5:50 PM, Jefferson, Shawn
> >> wrote:
> >>> Hey, I had the same crash too!
>
> >>> -Original Message-
> >>> From: ossec-list@googlegroups.com [mailto:ossec-list@googl
Hello Folks,
I am at wits' end with an issue: I have written up an OSSEC rule that
detects whether a Zimbra mail server is acting up.
There is no issue with the syntax of the rule: it passes the ossec-
logtest with flying colors. The rule works 100% when I deliberately
insert for testing purposes
an alert.
>
> HTH.
>
> On Thu, Jul 7, 2011 at 3:52 PM, blacklight wrote:
> > Hello Folks,
>
> > I am at wits' end with an issue: I have written up an OSSEC rule that
> > detects whether a Zimbra mail server is acting up.
>
I'd like to add that mailbox.log is a rotating log and that we
schedule this log to rotate every night. Also note that mailbox.log is
about 40x larger than audit.log.
On Jul 7, 5:33 pm, blacklight wrote:
> I am using the same decoder for both log files (that's log4j above)
>
&
the
> other, hence my line of questions.
>
> Can you paste the exact log that the Zimbra server wrote into the
> mailbox.log file over here.
>
>
> On Thu, Jul 7, 2011 at 5:33 PM, blacklight wrote:
> > I am using the same decoder for both log files (tha
assuming your audit.log file is on the same server as the
> mailbox.log, right?
>
> 2. Is OSSEC alerting on anything in the mailbox.log file? Can you test
> with another known alert and insert it into mailbox.log and verify that
> OSSEC is alerting on it?
>
host does not mention these two files.
On Jul 8, 11:12 am, Christopher Moraes wrote:
> Can you paste your ossec.conf and agent.conf files here.
>
> On Fri, Jul 8, 2011 at 10:50 AM, blacklight wrote:
> > 1. "You manually inserted the test log
on the OSSEC agent mailserver.
I grepped for "buildhost" in alerts.log and found just one current
instance, and that instance was a test entry inserted in audit.log. I
am 100% sure that any instances that are archived from alerts.log will
be test entries inserted in audit.log
On Jul 8,
pecified in our new rule.
On Jul 8, 3:19 pm, Christopher Moraes wrote:
> For point #2 - can you go into your alerts.log file and paste the entire
> alert message that is logged there. I'm interested in knowing what alert
> has been generated.
>
ent count after '2':
4920194->4066320 (82%)
2011/07/08 16:04:01 ossec-syscheckd: INFO: Ending syscheck scan.
2011/07/08 16:08:02 ossec-agentd: INFO: Event count after '2':
4873936->4053080 (83%)
2011/07/08 16:09:01 ossec-syscheckd: INFO: Starting syscheck scan.
2011/07/08
rver is created a new
> file (new inode) at the end of each day. (just thinking aloud)
>
> On Fri, Jul 8, 2011 at 4:12 PM, blacklight wrote:
> > [root@ossecserver tmp]# grep -A5 'mailbox.log' ossec-alerts-07.log|
> > more
>
> &
topher Moraes wrote:
> The logs do not mention that audit.log or mailbox.log are being monitored.
> Is there something missing from the logs?
>
> On Fri, Jul 8, 2011 at 4:27 PM, blacklight wrote:
> > 2011/07/08 14:42:34 ossec-syscheckd: INFO: Ending sys
Is there anything we can do when the log rotation results in an inode
change? Aside from stopping the log from rotating, that is.
On Jul 8, 4:35 pm, blacklight wrote:
> I restarted OSSEC agent at 14:43:01 - see the mailserver OSSEC agent's
> ossec.log that I posted in response to y
can be
> tested easily by restarting the agent, and inserting the test log before the
> log rolls over. (I guess you've already tested this, right?)
>
> If OSSEC is still not alerting on the event, then log rotation would not
> seem to be the issue.
>
>
the event, then log rotation would not
> seem to be the issue.
>
> On Mon, Jul 11, 2011 at 11:00 AM, blacklight wrote:
> > Is there anything we can do when the log rotation results in an inode
> > change? Aside from stopping the log from rotating,
I take it that the corrective action going forward is to schedule a
restart of the OSSEC agent shortly after mailbox.log gets rotated.
On Jul 11, 1:04 pm, blacklight wrote:
> I am eating my words just now, including a helping of crow protein :).
> I did restart the agent last Friday, but
Hello Folks,
I am trying to get a host that I had removed from OSSEC monitoring
through /var/ossec/bin/manage-agents completely off the list of hosts
in the OSSEC GUI - The host name still remains on the OSSEC GUI but
it's a ghost (or if you prefer, a zombie) - How do I wipe this ghost
out?
wing the host?
>
> If it is the alerts screen, you will continue to see the host, as it has
> generated alerts which are present in the alert log file, that the web-ui is
> parsing.
>
>
> On Tue, Jul 19, 2011 at 7:01 PM, blacklight wrote:
> > Hello Fo
Oh, yes! In fact, every time an agent is added or deleted through
/var/ossec/bin/manage-agents, manage-agents will print on your screen a
reminder to restart OSSEC :)
On Jul 20, 11:59 am, Jorge Armando Medina
wrote:
> On 07/20/2011 09:51 AM, blacklight wrote:> I am indeed referring
ou see it on, figure out
> which file it's getting the list from, and remove the mentions in that
> file.
>
> Also, search the mailing list archives, I feel like this comes up
> every so often. Often enough I keep wondering why I reply to wui
> mails.
>
>
I haven't had to face that issue but here is my advice: either go into
regedit and search for the key, or from the domain controller, run
psexec \\agenthost reg QUERY HKLM\SYSTEM\CurrentControlSet\Enum\USBSTOR
where \\agenthost is whatever the host name is for the host where the
OSSEC agent is
Hello Folks,
One of our agents is listed in the list of "Available Agents" in the
OSSEC GUI as "Inactive"
Attempted Resolution:
(1) I logged into the OSSEC server host, ran /var/ossec/bin/
manage_agents to get the index ID of the host - say 140
(2) On the OSSEC server host, I went into /var/osse
ver
(2) the server assigns a counter to the agent - I haven't checked
anything else in the server log.
On Aug 12, 6:13 pm, "dan (ddp)" wrote:
> On Thu, Aug 11, 2011 at 1:07 PM, blacklight wrote:
> > Hello Folks,
>
> > One of our agents is listed in the list of
usly, we'd like to fix that.
On Aug 12, 2:13 pm, "dan (ddp)" wrote:
> On Thu, Aug 11, 2011 at 1:07 PM, blacklight wrote:
> > Hello Folks,
>
> > One of our agents is listed in the list of "Available Agents" in the
> > OSSEC GUI as "
> agent, and to the agent from the manager.
>
> On Mon, Aug 15, 2011 at 3:43 PM, blacklight wrote:
> > The agent ossec.log files for the two agents show that the agents are
> > operational and ready to go:
>
> > Typical e
out telling us. Sometimes, being in charge
means that we are the last ones to be notified of anything :)
This takes care of our issue :)
On Aug 17, 10:29 pm, Joe Gedeon wrote:
> Blacklight,
>
> I sent you an email off the list offering assistance with a web based
> screen sharing tool.