On Wed, Apr 26, 2017 at 9:59 AM, Nikki S wrote:
> We have about 480 agents reporting the OSSEC server. The remoted server is
> running constantly at 100% CPU utilization. Any suggestions on how to
> re-mediate this please?
>
Is there a lot of traffic between the agents
On Apr 25, 2017 11:25 AM, "Huc Manté Miras" wrote:
Hello,
I am trying to disable all rules on the OSSEC server.
Is this possible?
Have you tried removing the rules from the server's ossec.conf?
Thanks!!
On Apr 25, 2017 11:37 AM, "Martin" wrote:
Hello,
I'm getting a bit lost with the port opening for ossec.
Let's say I have 3 machines running on ubuntu 16.04. I do a fresh install
of OSSEC manager on the machine A and a fresh install of ossec agent on
both B & C.
Now I
> befuddle ossec? (I get I'll lose the change history.)
>
You should be able to delete the files. I don't generally use the diff
option, so haven't tested this all myself.
>
>
> On 04/20/2017 01:29 PM, dan (ddp) wrote:
>>
>> On Thu, Apr 20, 2017 at 1:02 PM, Bee esS <bs27...
On Thu, Apr 20, 2017 at 1:02 PM, Bee esS wrote:
>> If you need them shrunk, you'll have to clear the databases.
>
> How?
>
When resurrecting 2+ year old threads, it might be best to offer more context.
To clear a syscheck db:
1. stop the ossec processes on the server
2.
On Wed, Apr 19, 2017 at 5:54 PM, dan (ddp) <ddp...@gmail.com> wrote:
> On Wed, Apr 19, 2017 at 5:34 PM, Tony Bryant <cspitr@gmail.com> wrote:
>> How would I go about checking if AR is disabled on agents? Checking config
>> files and don't see anything about it. Run
On Wed, Apr 19, 2017 at 5:34 PM, Tony Bryant wrote:
> How would I go about checking if AR is disabled on agents? Checking config
> files and don't see anything about it. Running v2.8.3 for OSSEC. Also, this
> on Ubuntu
>
I think it's enabled by default. This is all I have
On Wed, Apr 19, 2017 at 5:09 PM, Rob Williams wrote:
> Still no luck. Just to verify, the scripts should be located in
> /var/ossec/active-response/bin/, correct? Unfortunately the logs aren't
> really telling me anything either.
>
Yep, that's where they go.
AR isn't
On Wed, Apr 19, 2017 at 3:23 PM, Tony Bryant wrote:
> Yes test.sh is on the agent. Execd is also running and yep the alert is
> firing.
>
Try removing the level option and leave just the rules_id.
> On Wednesday, April 19, 2017 at 11:30:37 AM UTC-7, dan (ddpbsd) wrote:
>>
On Wed, Apr 19, 2017 at 2:26 PM, Tony Bryant wrote:
> Hello,
>
> I'm pretty new to OSSEC and I'm working to get some active responses
> working. I have tried a number of different active responses but cannot seem
> to get it to work anywhere (not on the server or agents).
On Mon, Apr 17, 2017 at 11:09 AM, Kumar G wrote:
> Hi Team,
>
> In our ossec environment we are getting lots of sha1sum alerts (even though
> its not configured) and that are irrelevant to us. Is there any way to
> suppress these alerts?
>
> ** Alert 1491577582.15621: mail -
On Sat, Apr 15, 2017 at 4:57 AM, Руслан Аминджанов
wrote:
> Reinstalled on both server and client, enabled debug mode. Still same
> situation.
>
Are there any relevant logs in the server's ossec.log?
Are there any relevant logs in the agent's ossec.log?
Help me help you.
On Fri, Apr 14, 2017 at 9:28 AM, Paul wrote:
> Another tech set up a kiwi syslog server on a Windows machine and I am
> trying to monitor those files with ossec. (v2.8.3)
> However, the way things are setup, each device has its own folder with the
> logs going inside of
On Thu, Apr 13, 2017 at 9:24 PM, weisst wrote:
> windows 2012 r2 error
> 问题签名:
> 问题事件名称:APPCRASH
> 应用程序名:win32ui.exe
> 应用程序版本:0.0.0.0
> 应用程序时间戳:58ef28a9
> 故障模块名称:StackHash_bc03
> 故障模块版本:6.3.9600.17415
> 故障模块时间戳:5450559e
> 异常代码:
On Fri, Apr 14, 2017 at 4:21 AM, Руслан Аминджанов
wrote:
> Yes, I did it.
>
Configure debug mode on the OSSEC server
(`/var/ossec/bin/ossec-control enable debug &&
/var/ossec/bin/ossec-control restart`).
Then check the server's ossec.log again to see if an error is
On Thu, Apr 13, 2017 at 5:14 AM, weisst wrote:
> Dear all
>
> I try to compile Windows 64-bit on Ubuntu 16.10, and I install dependencies
>
> sudo apt-get install build-essential -y
> sudo apt-get install nsis nsis-common -y
> sudo apt-get install mingw-w64 mingw-w64-common
On Wed, Apr 12, 2017 at 4:01 PM, Nikki S wrote:
> How long does it take for the agent to appear as 'disconnected'? I read on
> another thread that the 'keep alive' needs to fail three times. I could not
> find where we set the frequency of the agent check in.
>
I think
On Wed, Apr 12, 2017 at 1:40 PM, Rob Williams wrote:
> Essentially, I want to trigger an active response for a rule that I created
> that has a severity level of 0. I created this rule because I did not want
> to be alerted on the default rule and only wanted to be
On Wed, Apr 12, 2017 at 6:28 AM, wrote:
> Hi,
>
> I do not receive file deletion alert in latest 2.9.0 version,
> Also any changes made to the file are not reported before.
>
I haven't tested this, but I'll give it a shot.
> Also maild demon fails sending the mail.
On Mon, Apr 10, 2017 at 2:46 PM, Anoop Perayil wrote:
> I am running OSSEC on a Security Onion build Ubuntu 14.04.5 LTS.
> The issue started after I added in more disk since I ran out of space in /
>
I really wish SO would partition their system properly. Big /, nothing
On Mon, Apr 10, 2017 at 2:34 PM, Felix Martel wrote:
> Perhaps this is way off base, but have you added an agent for localhost ? In
> my context of a new install, a ton of issues went away after I added an
> agent for the localhost (name=localhost, IP=127.0.0.1). Didn't
On Mon, Apr 10, 2017 at 2:34 PM, Dayne Jordan wrote:
> DISREGARD - major faux pas on my part from previous... it's alert, not alerts
> table (singular).
>
> Alert table does exist, however the column "level" does not, i will create
> it manually.
>
> MariaDB [ossec]> describe
On Thu, Apr 6, 2017 at 1:46 PM, dan (ddp) <ddp...@gmail.com> wrote:
> On Thu, Apr 6, 2017 at 1:29 PM, Jake B. <cspitr@gmail.com> wrote:
>> Ok I'll do that. Also, not sure if you know but thought I'd ask anyway...Is
>> there any way to use the agent's name in a rule o
On Thu, Apr 6, 2017 at 1:29 PM, Jake B. wrote:
> Ok I'll do that. Also, not sure if you know but thought I'd ask anyway...Is
> there any way to use the agent's name in a rule or decoder? I have my agents
> named after the hostname so I was thinking that could potentially be
On Thu, Apr 6, 2017 at 1:28 PM, Rob Williams wrote:
> Hi,
>
> I tried to do this, but I'm getting:
>
> ERROR: Parent decoder name invalid: 'rootcheck'
> ERROR: Error adding decoder plugin
>
> I don't see the rootcheck decoder within decoder.xml as well, any ideas?
>
It
On Wed, Apr 5, 2017 at 11:13 AM, Jake B. wrote:
> I'm not sure if this is a problem with the OSSEC configuration or the host
> itself, but there are some events where the logs or full message only have
> some of the information I need. For example, this will be the full
On Wed, Apr 5, 2017 at 11:32 AM, Martin wrote:
> Hello Victor,
>
> I tried to run a second manager and I've the same file
> /var/ossec/etc/client.keys on it and on the first manager. I've copied the
> local_rules, ossec.conf, local_decoder as well.
>
> And I've specified on
On Wed, Apr 5, 2017 at 4:45 PM, Rob Williams wrote:
> I stopped them all (which appeared to work fine) and start again. Here is
> the rule and decoder I made for this (I want to alert only once if the same
> ID (filepath) has alerted in the past minute):
>
>
>
> 510
On Wed, Apr 5, 2017 at 3:44 PM, Rob Williams wrote:
> Yes I have, I've also tried to disable all the relevant changes I've made,
> restart, and still have the same issue.
>
Try stopping the ossec processes, verify that ossec-analysisd has
stopped (sometimes it doesn't
On Wed, Apr 5, 2017 at 3:26 PM, Rob Williams wrote:
> Hi all,
>
> I'm running into an issue where rule 510 is triggering and I'm getting
> spammed with alerts but I can't seem to tune it correctly. What's weird is
> that I am still getting alerted for rule 510 for this
There was a major issue with the windows decoder in 2.9.0. Grab the
decoders from MASTER or 2.9.1 branch and try those
On Apr 3, 2017 12:59 PM, "Charles Profitt" wrote:
I have checked the agent and server versions and they are 2.9.0.
I am getting all my alerts from
I agree with Dan, I tested OSSEC v2.9 on a clean CentOS 7 with your
>>>> configuration and it worked. But when I disabled IPv6 I got the
>>>> same errors you have.
>>>>
>>>> Please try to enable IPv6 on the running system with:
>>>>
>>>
On Tue, Mar 28, 2017 at 5:16 PM, Keith Goodlip wrote:
> I've been trying to setup policy audit in a lab I've set up to no avail.
>
> My setup is 2 servers (server, client) using CentOS 7.3 and RPMs from the
> atomic repository (selinux, firewalld are disabled) (ipv6 is
On Mon, Mar 27, 2017 at 4:26 AM, wrote:
> Hello Dan,
>
> Thank you for your feedback. I have changed the frequency to 900
> sec, and inspected the ossec.log. I noted that inside the log file none of
> the agent.conf directories were present. Any theories
On Mon, Mar 27, 2017 at 10:50 AM, Marc Baker wrote:
> OSSEC agents this morning were working without issue and then began
> reporting as Disconnected. Agent logs are returning the following error:
>
> 2017/03/27 10:14:38 ossec-agent: WARN: Process locked. Waiting for
>
On Mon, Mar 27, 2017 at 11:25 AM, wrote:
> Hi All,
>
> So I am currently still troubleshooting, but noticed that the syslog-ng
> process was listening on 514 TCP, but also had an entry for 514 UDP, which
> is the protocol I've set within my ossec.conf. Could this be part
On Mon, Mar 27, 2017 at 12:52 PM, Joel Fries wrote:
> Am I able to setup the OSSEC windows agent to report to both a Wazuh and a
> OSSIM server at the same time?
>
There is no support in the OSSEC agent to report to 2 destinations
simultaneously. It is possible that Wazuh has
On Sat, Mar 25, 2017 at 6:32 PM, Justin Redman wrote:
> I'm receiving generic level 2 rule 1002 "Unknown problem somewhere in the
> system" alerts. It is opendkim reporting "bad signature data" in syslog when
> receiving email from some domains. Unfortunately not everyone
On Sat, Mar 25, 2017 at 4:54 AM, wrote:
> Hello fellow googlers,
>
>
> The GOAL:
>
> For every user on my windows OSSEC agent, generate OSSEC alert severity 10
> when new file added to
>
> C:\Users/*/%AppData%/Local/Temp directory
>
> Where star was supposed to be
On Thu, Mar 23, 2017 at 12:29 PM, The Dude wrote:
> I went with the first option. Works as expected but now I need to adjust the
> number of fails before the ip is blocked.. Where do I do that?
>
Try using 5720 for the rule to trigger active response. It looks for
8+
On Thu, Mar 23, 2017 at 12:41 PM, Martin wrote:
> Hello,
>
> I've those kind of log coming from a custom app
>>
>>
>> [2017-03-23 10:18:01] app.ERROR: Authentication failure for IP: 172.17.0.1
>> [] []
>
>
> I'm trying to block an ip with too much authentication failure.
>
>
On Thu, Mar 23, 2017 at 1:08 PM, Eduardo Reichert Figueiredo
wrote:
> Hi dan, I don't have IPv6 enabled in my Linux system, so I don't have inet6 in
> my ifconfig configuration, only IPv4.
>
> Could this be the cause of the problem?
>
I think having ipv6 support is
On Tue, Mar 21, 2017 at 7:11 PM, Marcin Gołębiowski
wrote:
> Trying to debug with expect I got:
> expect -d agentless/ssh_integrity_check_linux u...@server.com
> /directory/to/check
> expect version 5.45
> argv[0] = expect argv[1] = -d argv[2] =
>
On Tue, Mar 21, 2017 at 2:53 PM, Marc Baker wrote:
> I am attempting to forward OSSEC logs to a SIEM via syslog. Recommended
> configuration in the documentation is:
>
>
> 192.168.4.1
>
>
>
>
> The SIEM recognizes json format on port 5500 so I've configured logs
On Wed, Mar 22, 2017 at 7:05 AM, Martin wrote:
> Ok the problem was that I thought that all as stated in
> the doc would execute the command everywhere (meaning on all the agents &
> the server).
>
> But "all" means all the agents except the server.
Thanks for pointing that
On Tue, Mar 21, 2017 at 10:46 AM, Eduardo Reichert Figueiredo
wrote:
> When I install ossec 2.9.0 on rhel 7.3 (no ipv6 feature and address) I have
Is IPv6 totally disabled for your system (support for IPv6 was removed)?
> a problem to ossec-remoted and ossec-auth,
On Wed, Mar 22, 2017 at 8:20 AM, Per-Erik Persson wrote:
> Is anyone working in this?
Not that I'm aware of.
> Or is there any way to feed the journald logs the ossecagent?
> Or am I supposed to install rsyslog and forward the logs to the ossec server?
> Any way to feed
On Thu, Mar 16, 2017 at 6:44 AM, Eduardo Reichert Figueiredo
wrote:
> Hi Dan, I have success when I run this command below.
>
> # su ossec -s /bin/bash -c 'cd /var/ossec && expect
> agentless/ssh_generic_diff user_ossec@SERVIDOR-01 ls -lah'
> Connection to SERVIDOR-01
On Thu, Mar 16, 2017 at 7:11 AM, Martin wrote:
> Hello,
>
> Thank you for your answer.
>
> I modified the Active-Response in the file /var/ossec/etc/ossec.conf to look
> like this;
>
>
>
>
> host-deny
> all
> 6
> 600
>
>
>
>
>
>
On Thu, Mar 16, 2017 at 11:33 AM, wrote:
> Here is the output:
>
> udp 0 0 0.0.0.0:514 0.0.0.0:*
> 21090/syslog-ng
>
So syslog-ng is listening for incoming messages.
You'll have to figure out what syslog-ng is doing with the log messages.
> This
On Wed, Mar 15, 2017 at 4:15 PM, Ralph Durkee wrote:
> Dan,
>
>
> When I started this I was apparently using some old documentation,
> probably the book you wrote several years ago, and the parameter examples
> were limited. Also the newer docs show a limited set of
>
On Mon, Mar 13, 2017 at 9:59 AM, Eduardo Reichert Figueiredo
wrote:
> Dear all,
> I have the ERROR below in my ossec server, and no alerts are generated from
> Linux (agentless) in ossec.
> I searched for similar errors in this forum but I didn't find a solution.
>
> Can
On Tue, Mar 14, 2017 at 1:51 PM, BeesZA wrote:
> Hi All,
>
> I am very new to OSSEC and I need some help with a simple issue. I need an
> example rule for the following:
>
> I have a user that have a granular password policy applied to him, this
> policy says that this
On Tue, Mar 14, 2017 at 3:37 PM, wrote:
> Hello, yes:
>
> root@xx:/var/log# netstat -tuna | grep 514
> tcp 0 0 0.0.0.0:514 0.0.0.0:*
> udp 0 0 0.0.0.0:514 0.0.0.0:*
>
>
Adding -p to that could tell you the process using
On Tue, Mar 14, 2017 at 11:44 AM, Jose Luis Ruiz wrote:
> Hello,
>
> In order to permit OSSEC to receive your Symantec syslog messages, you need to
> enable this in the configuration:
>
Unless you're using a proper syslog daemon, which may already be
listening on that port.
>
On Tue, Mar 14, 2017 at 5:44 PM, Ralph Durkee wrote:
> Yes, I got the production system working against a test attack script. Will
> monitor it to do tuning for the real flurries of bogus DNS queries, and will
> try the duplicate / twin decoder name to see if that works.
On Wed, Mar 15, 2017 at 7:25 AM, Martin wrote:
> Hello,
>
> First, I'm sorry if the question has already been asked.
>
> So what I'm trying to achieve is this;
>
> If someone fails to log in too many times on one of my agents, I want this ip
> to be dropped on all other agents
On Mar 14, 2017 10:57 AM, wrote:
Hello All,
I have pointed my Symantec AV logs to our OSSEC server via syslog over port
514. I am seeing the logs come into ELSA, but not as OSSEC alerts. I have
created a custom decoder and parser, and can confirm that it is working:
On Mar 13, 2017 11:50 AM, "Martin Dulovič" wrote:
Hello,
I have this problem, you could say. I need Ossec to crunch modified logs
(syslogs). Our syslog message is as follows.
*Example message:*
[syslog-1] Mar 13 06:25:16 my-server-1 syslog-ng[1012]: EOF on control
On Fri, Mar 10, 2017 at 3:37 AM, Ieva wrote:
> Hello
> Maybe someone can help a newbie write a first OSSEC rule. I tried to read
> the OSSEC book chapter 4 "Working with rules" but it didn't help. So I have
> Windows event logs and want to write a rule with regex to drop out
On Mar 6, 2017 9:42 AM, "Eduardo Reichert Figueiredo" <
eduardo.reich...@hotmail.com> wrote:
Dear all,
my ossec doesn't list agentless servers with the command "agent_control -l" and in
my ossec.log I have the log below.
2017/03/06 11:27:54 ossec-logcollector: socketerr (not available).
2017/03/06 11:30:04
>>
> >> **Phase 2: Completed decoding.
> >>decoder: 'windows'
> >>status: 'AUDIT_FAILURE'
> >>id: '5152'
> >>extra_data: 'Microsoft-Windows-Security-Auditing'
> >>dstuser: '(no user)'
> >
On Mar 6, 2017 11:16 AM, "Sam Gardner" wrote:
Once I turned on "alert_new_files" I started getting alerts - things appear
to be working now.
Is there any way to completely disable the logcollector daemon? We have
another process that does that job so no need to have that bit
There were some unreported issues with 2.9, so I'm hoping to roll 2.9.1
real soon now.
Going forward, I'm going to work on a better test plan for releases. I've
been sloppy and need to improve that.
On Mar 6, 2017 9:01 AM, "Kat" wrote:
> Hi all,
>
> It seems to me that
On Sat, Mar 4, 2017 at 2:36 PM, Eduardo Reichert Figueiredo
wrote:
> Hi All,
> I killed the process and ran the command "ossec-control start" and the process
> of remoted stays up.
> But my "Windows" agents display "never connected" even though port 1514 stays up
> and with
On Fri, Mar 3, 2017 at 5:29 PM, Sam Gardner wrote:
> Thanks for the info - I'd like to explore what I can actually do with OSSEC
> and do my due diligence before exploring other options.
>
> I've spun up the following conf file and am running ossec-analysisd and
>
On Sat, Mar 4, 2017 at 12:21 PM,
wrote:
>
> I am having the problem that within the installation of the OSSEC client the
> corresponding user/groups (that OSSEC use within its executable files and
> directories) are not created.
> I am running the
extra_data: 'Microsoft-Windows-Security-Auditing'
>> dstuser: '(no user)'
>>system_name: 'WK034.dom.com'
>>srcip: '10.20.10.55'
>>
>> **Phase 3: Completed filtering (rules).
>>Rule id: '18105'
>>Level: '4'
>
be the package for them. Projects
like Aide are great at what they do without the fluff.
But that kind of decision is very project/requirement specific, so
don't consider this a professional opinion. :-)
> On Thu, Mar 2, 2017 at 4:44 PM, dan (ddp) <ddp...@gmail.com> wrote:
>>
>
On Thu, Mar 2, 2017 at 2:33 PM, Sam Gardner wrote:
> Hi All -
>
> I'd like to run only the syscheck subsystem in order to provide FIM.
>
> I don't see anything in the docs that immediately appears to do what I want
> - is there any way to run syscheckd in "standalone" mode or
'
Description: 'Windows audit failure event.'
**Alert to be generated.
On Thu, Mar 2, 2017 at 12:32 PM, dan (ddp) <ddp...@gmail.com> wrote:
> On Thu, Mar 2, 2017 at 6:41 AM, Casimiro <hfbar...@gmail.com> wrote:
>> Thanks.
>> But it doesn't work. It only decodes the srcip field. Attach
On Thu, Mar 2, 2017 at 6:41 AM, Casimiro wrote:
> Thanks.
> But it doesn't work. It only decodes the srcip field. Attach the output:
>
> **Phase 1: Completed pre-decoding.
>full event: 'WinEvtLog: Security: AUDIT_FAILURE(5152):
> Microsoft-Windows-Security-Auditing: (no user):
On Thu, Mar 2, 2017 at 1:01 AM, InfoSec wrote:
> In the Wazuh fork, dynamic decoders are an outstanding idea. It allows
> unprecedented visualization capabilities in the security console *without*
> having to resort to further parsing tricks at ingestion time. It is all
On Wed, Mar 1, 2017 at 6:40 PM, Ed Davison wrote:
> It would be great to see the decoder entries that go with these rules ... I
> know this is an older post but maybe you are still around and can share the
> decoder and maybe the plugin as well?
>
If you can provide log
On Wed, Mar 1, 2017 at 6:59 AM, Eduardo Reichert Figueiredo
wrote:
> Port 1514 is already, I received UDP packets (validated with tcpdump), ossec
> is running (monitord, logcollector, syscheck, analysisd), only remoted not
> running, but remoted is displayed for port
On Mon, Feb 27, 2017 at 2:50 PM, Jahchan, Georges J.
wrote:
> That is not what I meant.
>
> If the source IP is decoded and stored in field srcip, I want to be able to
> specify _srcip_ (or whatever convention used to tell regex that this is a
> variable), and have
On Wed, Mar 1, 2017 at 11:10 AM, Dominik wrote:
> OSSEC creates checksums and chained checksums of the archives. I need a way
> to confirm that the chain is correct.
>
> zcat /var/ossec/logs/archives/2017/Feb/ossec-archive-28.log.gz | md5sum
> creates the entry
> Current
On Feb 26, 2017 11:45 AM, "InfoSec" wrote:
Is it possible to refer to the content of a decoded field by its field
name inside a regex in a rule?
Example: after decoding an event, we have two fields among several, field1
and field2.
The event contains:
... Field1
Any Windows users want to take a look at this?
On Thu, Feb 23, 2017 at 11:42 PM, Jahchan, Georges J.
wrote:
> I am using the eventchannel format. Eventlog provides no useful information
> for logs other than the three basics: Application, Security and System.
>
> If
On Thu, Feb 23, 2017 at 2:27 PM, dan (ddp) <ddp...@gmail.com> wrote:
> On Thu, Feb 23, 2017 at 2:11 PM, <sergio.uriarte.3...@gmail.com> wrote:
>> ossec-authd while configured to default to tls 1.2 still responds to lower
>> encryption types of sslv3, tls1, and t
On Thu, Feb 23, 2017 at 2:11 PM, wrote:
> ossec-authd while configured to default to tls 1.2 still responds to lower
> encryption types of sslv3, tls1, and tls 1.1. Are there any plans to resolve
> this issue?
>
Sure: https://github.com/ossec/ossec-hids/issues/1070
On Fri, Feb 10, 2017 at 3:04 AM, Quintin Beukes wrote:
> Thanks Dan. Is there a way to get OSSEC to provide more details on the
> messages it actually processes? I'd like to gain a better understanding of
> this application because it has a lot of seemingly random
On Sat, Feb 18, 2017 at 3:51 PM, Samet Sazak wrote:
> Hi everyone,
>
> I want to alert when these two rules are triggered. One rule sid is enough but it
> works like "OR". I want to use "2502" and "18149" both triggered, then alert
> for me?
>
>
> 2502
> 18149
> Test Rule 1
>
On Mon, Feb 20, 2017 at 5:33 AM, Antonis M wrote:
> Hello,
>
> I have installed OSSEC agent on some Windows Servers 2008. OSSEC agent,
> through svchost.exe, consumes all the available memory on the system.
> Any thoughts would be appreciated!
>
Can you provide your
On Thu, Feb 23, 2017 at 10:30 AM, InfoSec wrote:
> I found how to run the agent in debug mode. It seems like the issue lies
> with the agent, and the server is faithfully accepting whatever the agent is
> sending across.
>
Oh sweet, I didn't know it did that. I guess I
On Thu, Feb 23, 2017 at 9:30 AM, InfoSec wrote:
> I tend to think that the Windows Agent is the culprit.
>
> Can the agent be temporarily run in debug mode, so it logs locally the
> events that it forwards to the server?
>
There are no options for that. The best you can
On Thu, Feb 23, 2017 at 11:58 AM, David G. Pullman
wrote:
> I'm using OSSEC 2.8.3 and the Wazuh ruleset addon, primarily for the pci_dss
> tagging. I have the syslog_output configured to forward to localhost to
> capture the alerts in syslog (rsyslog on Ubuntu 16.04). The
On Mon, Feb 20, 2017 at 6:08 AM, Casimiro wrote:
> Version 2.8
>
> Events:
>
> WinEvtLog: Security: AUDIT_FAILURE(5152):
> Microsoft-Windows-Security-Auditing: no domain: WKUSR01.cm.shr: The Windows
> Filtering Platform blocked a packet. Application Information: Process ID: 0
On Mon, Feb 20, 2017 at 6:09 AM, InfoSec wrote:
> The event is from a Windows 10 system.
>
> I have turned on logall. I am having a hard time regenerating event ID 5140,
> however I have spotted several other event types where the xml field labels
> are NOT logged up by
On Feb 21, 2017 9:05 AM, wrote:
Hi ,
I am unable to receive emails triggered on events to the specified
email-id.
Could anyone please help me on this .
Sure.
--
---
You received this message because you are subscribed to the Google Groups
"ossec-list" group.
On Fri, Feb 17, 2017 at 6:04 AM, Casimiro wrote:
> I'm trying to override the windows decoder to extract more fields (in
> local_decoder.xml), like source ip, destination ip, source port,
>
> This is my local decoder for windows
>
>
>windows
>AUDIT_FAILURE(51512)
>
unnecessary emails/day from my inbox wouldn't make a dent!
Thanks for reporting back, I'll submit a PR.
> Thanks a lot for the help!
>
> Best regards
> Göran Lundberg
>
> "dan (ddp)" <ddp...@gmail.com> skrev: (15 februari 2017 22:17:23 CET)
>>
>> On Wed,
On Thu, Feb 16, 2017 at 11:57 AM, Eduardo Reichert Figueiredo
wrote:
> Hi all,
> I tested ossec with agents (windows) set to ip 10.10.10.0/24, and the
> computers within the network always respond with their logs (file integrity, event viewer).
> But, when I have an alert of integrity
er.
>
> Can anyone add this upstream to the mailscanner_rules.xml? If it is
> confirmed to work that is.
>
Test it out and let me know. If it works as intended I'll try to put it in.
> --
> Best regards,
> Göran Lundberg
>
>
> 2017-02-15 21:05 skrev dan (ddp):
>>
>> On T
On Tue, Feb 14, 2017 at 8:10 AM, amir zargaran wrote:
>
> Dear All
> I want to Monitor the
> "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" Path in
> Ossec.
> Also I added the mentioned path to the C:\Program_File(x86)\ossec-agent\ossec.conf
> file in syscheck
On Tue, Feb 14, 2017 at 6:24 PM, aiborin wrote:
> I am running v2.8.3-53.
>
> Please explain what you mean by "what is my remote config?"
> - I checked ossec.conf and only see a setting related to running remote
> connections secure (default port 1514).
>
So, this?
On Wed, Feb 15, 2017 at 3:20 AM, InfoSec wrote:
> The events are sanitized.
>
> XML in Windows Event Viewer:
> - http://schemas.microsoft.com/win/2004/08/events/event;>
> -
>Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
> 5140
> 1
> 0
> 12808
> 0
>
On Tue, Feb 14, 2017 at 7:11 PM, wrote:
> Hi! I'm trying to remove these notifications from mailscanner.
>
>
> OSSEC HIDS Notification.
> 2017 Feb 14 06:29:41
>
> Received From: hostname->/var/log/syslog
> Rule: 1002 fired (level 2) -> "Unknown problem somewhere in the
On Wed, Feb 15, 2017 at 1:03 PM, Ralph Durkee wrote:
> I'm surprised I'm not finding a quick answer to this one in my searches, so
> hopefully this will be quick.
> OSSEC is not parsing log files with a priority prefix, in the rfc3164 / BSD
> format. The prematch fails.
On Feb 13, 2017 11:48 AM, "aiborin" wrote:
I am running an OSSEC server in each of my two data centers. In one data
center, the server will stop the ossec-remoted service multiple times a
week. There is nothing in /var/ossec/logs/ossec.log to indicate why. I
get the