On Tue, Sep 4, 2018 at 8:10 AM Don_Johny wrote:
>
> I started with this but no success so far.
>
> $BAD WORDS:
>
>
>
> test
> ERROR
> (\S+)
> extra_data
>
>
The log message is odd, but here's how you mess with it.
I'm running a post-3.0 system/pre-3.0 rule set, so not eve
On Tue, Sep 11, 2018 at 12:20 PM Monah Baki wrote:
>
> Hi all,
>
> I just installed ossec 3.0.0 on Redhat 6. My ossec.conf has the following
> entry
>
>
>
> yes
> support@x
> xxx
> ossecm@x
>
>
Does your smtp server require authentication?
Are there any `ossec-
On Thu, Aug 30, 2018 at 1:05 PM SternData
wrote:
>
> I get a lot of emails for level 2 alerts, though I'm set for 7 as the cutoff
>
> etc/ossec.conf:7
>
> Ideas?
>
Do these rules have the email option set in the rule definition?
> --
> -- Steve
>
On Thu, Aug 30, 2018 at 4:11 AM Fredrik Hilmersson
wrote:
>
> Hello,
>
> The ruleset psad_rules.xml which is included in the 3.0.0 version is not by
> default included in the ossec.conf file. When I add the include:
> psad_rules.xml within the I get the following error:
>
> ossec-testrule:
On Wed, Aug 29, 2018 at 6:06 AM Chris wrote:
>
> Hi,
>
> I have upgraded OSSEC from 2.8.3 to 3.0.0 on my Ubuntu server, using the
> install.sh from the expanded tar.gz. From what I can see this was successful
> in running the upgrade, but as this was not an upgrade using the repo, as
> version
On Wed, Aug 22, 2018 at 8:35 PM wrote:
>
> Hello,
>
> I am trying a very basic active response which would terminate a powershell
> process when it is created on a host (Windows 10) machine.
>
> I have a standalone SO configuration, with 3 OSSEC agents (V2.9) connected,
> all Windows machines.
>
On Wed, Aug 22, 2018 at 6:32 AM Dzenis Aslani wrote:
>
> Thanks Dan, issue is solved :). Any idea why ossec can't be installed through
> APT in Ubuntu? I tried both manually and automatically and I got the same error
> "unable to correct problems you have held broken packages"
>
No clue, I don't deal w
On Tue, Aug 21, 2018 at 8:24 AM dan (ddp) wrote:
>
> On Tue, Aug 21, 2018 at 3:47 AM Patrik Lindh wrote:
> >
> > Hello!
> > Since updating (this was probably an issue before too) to 3.0 I get this in
> > the log. "Maximum size permitted" on the realtime
On Tue, Aug 21, 2018 at 3:47 AM Patrik Lindh wrote:
>
> Hello!
> Since updating (this was probably an issue before too) to 3.0 I get this in
> the log. "Maximum size permitted" on the realtime monitoring folders.
> This seems to be due to a restriction in how many folders can be added
> to
On Mon, Aug 20, 2018 at 6:35 AM Don_Johny wrote:
>
> Thank you so much Dan, that worked out, I solved my issue with agent_manager. But
> when I add the agents and extract the key, then copy the key into the agent, I
> get the output "no agents available". Communication between agent and doesn't
> work.
On Thu, Aug 16, 2018 at 8:54 AM, Don_Johny wrote:
> Thx for the response Dan, but I got nothing man. I followed all your steps and
> commands and I still have the same problem; also the log file reports the
> same issue.
>
So something strange is going on with your system. Try the buildlog
thing and send
On Wed, Aug 15, 2018 at 10:55 AM, Don_Johny wrote:
> Already did, it's the same. Is reinstalling it this way correct?
> /var/ossec/bin/ossec-control stop && rm -rf /var/ossec && rm
> /etc/init.d/*ossec* && rm /etc/ossec-init.conf
>
That and a `make clean` inside of `ossec-hids-2.9.3/src`
Next time
On Wed, Aug 15, 2018 at 10:39 AM, Don_Johny wrote:
>
> When I type /var/ossec/bin/manage_agents, I have only this one output on both
> of them
> * OSSEC HIDS v2.9.3 Agent manager. *
> * The following options are available: *
> **
> **
> (A)dd an agent (A
On Wed, Aug 15, 2018 at 9:29 AM, Don_Johny wrote:
> Thanks Dan, you are the best :) Your post helped me a lot and I got alerts; it
> was a problem with the smtp server. But now I am facing an issue with adding agents.
> I used every type of network provided in VirtualBox (Host-only, Bridged, NAT)
> and none of t
Just a couple of quick ones. I took 3 of the logs you provided, and
used `ossec-logtest` to see how they were decoded.
**Phase 1: Completed pre-decoding.
full event: 'Aug 9 06:00:00 server2 systemd:
pam_unix(systemd-user:session): session opened for user dzoni by ($'
hostname: 'serv
On Thu, Aug 9, 2018 at 9:40 AM, Dzenis Aslani wrote:
> I couldn't copy from the virtual machine but I did take a picture. I hope it
> helps
> https://drive.google.com/file/d/11na75k4lPAXUAPowmIjugjpEvQXzqw5n/view?usp=sharing
> https://drive.google.com/open?id=11na75k4lPAXUAPowmIjugjpEvQXzqw5n
On Thu, Aug 9, 2018 at 9:09 AM, Dzenis Aslani wrote:
> I'm using Ubuntu server 18.04
>
>
> On Thursday, August 9, 2018 at 3:08:46 PM UTC+2, Dzenis Aslani wrote:
>>
>> I am sorry, but where can I find them?
>>
/var/log/authlog maybe
>> On Thursday, August 9, 2018 at 3:00:27 PM UTC+2, dan (ddpbsd)
On Thu, Aug 9, 2018 at 8:58 AM, Dzenis Aslani wrote:
> Hmm, I think so. I care about local logins and also anyone who is trying to
> enter the server (login attempts). Could you provide me the rule or changes
> which I have to apply to the conf file
>
Not with so little information.
Get some log samples
On Thu, Aug 9, 2018 at 6:39 AM, Dzenis Aslani wrote:
> Hello everyone, I'm new to OSSEC, and I wanna know how to create an email
> alert when somebody is trying to log in or was successfully logged in to the
> server?
>
Do you have a log sample of a successful login?
Are you worried about local logi
On Mon, Aug 6, 2018 at 10:50 AM, Pablo Garcia wrote:
> Hello, I need help because I am receiving emails from level 5 rules in the
> ossec configuration, I am configured to send alerts from level 11, in
> particular the one that received the most corresponds to the rule Rule:
> 31122 fired ( level
.conf does not subscribe to a config profile, that
profile will not be applied.
The server ignores the agent.conf entirely (except for pushing it out
to agents).
The server's ossec.conf and the agents' ossec.conf shouldn't really be
squished.
I can't say for sure if it will cause issue
)
On Fri, Jul 27, 2018 at 3:10 PM, James Warne wrote:
> I did restart the ossec processes on the agent after the agent.conf was
> updated. I will run it again to confirm and do a tail grep to see.
>
> I didn't think about the agent's ossec.conf! I grabbed the conf from one of
> the agents on a ne
On Wed, Aug 1, 2018 at 11:27 AM, wrote:
> No I do not have it defined.
>
> How should it be defined in internal_options.conf ?
>
This is what I have in mine:
# Rootcheck checking/usage speed. Rootcheck will pause for this
# duration after scanning a PID or port.
rootcheck.sleep=2
> I did not
On Wed, Aug 1, 2018 at 8:44 AM, wrote:
> Hello All
>
> When I ran the ossec update to 3.0.0 and restarted ossec I now receive this
> error "ERROR: Definition not found for: 'rootcheck.sleep'." I am running all
> on Centos 7.0
>
> I cannot find any information on the net about this error.
>
> I d
On Tue, Jul 17, 2018 at 12:57 PM, James Warne wrote:
> Hello all!
>
> I have gone through a large amount of posts, docs, and online resources but
> haven't found a crystal clear answer to my specific issue. I might well be
> missing something but we are a day or so in now and I feel like I need so
On Thu, Jul 26, 2018 at 4:45 AM, Stephen wrote:
> I would highly recommend you moving to wazuh. I went through the same
> learning curve as you are first testing with ossec then quickly moved to
> wazuh-ossec (on a custom-built Linux system). You'll get more feature and
> support for the same
On Wed, Jul 25, 2018 at 5:04 AM, Stephen wrote:
> Hi guys,
> Here is my scenario. I've got an agent running on a device which goes
> offline occasionally. While the system is offline I would like to cache the
> logs locally and push it to the manager once I get back online. I tried to
> simulate t
On Wed, Jul 25, 2018 at 2:42 PM, mjwoods69 via ossec-list
wrote:
> Hi
>
> Trying to get alerting implemented on my nas. Unfortunately my work to date
> has failed, in summary I have:
>
> 1. Identified the log message in /var/ossec/logs/archives/archives.log, this
> is sent from nas to ossec via sy
On Fri, Jul 27, 2018 at 4:45 AM, Chinmay Pandya
wrote:
> Hi Dan
>
> Was the logs any helpful?
>
Well the log you pointed out kind of answers the question, right?
*** buffer overflow detected ***: /ossec-server/bin/ossec-remoted terminated
The process crashed and was restarted. Figuring out where
On Fri, Jul 13, 2018 at 8:03 AM, Chinmay Pandya
wrote:
> Nothing on OS logs also.
>
> Should I run ossec in debug mode? Just in case, to see if debug shows some
> insight?
>
You can try it, definitely. Running it in the foreground would give
you more immediate results (-df).
> On Friday, July 1
|192.168.92.76|192.168.92.77|192.168.92.78|scan01b
Ignore SSH failures originating from scanner
> On Wed, Jul 11, 2018 at 7:48 AM, dan (ddp) wrote:
>>
>> On Fri, Jul 6, 2018 at 5:20 PM, Jeremy Utley
>> wrote:
>> > Hello to the list!
>> >
>>
On Fri, Jul 13, 2018 at 1:39 AM, Chinmay Pandya
wrote:
> Here are my logs after restarting ossec. I do not see any remoted error but
> still got stale entries
>
I don't see anything exciting. Anything in the system logs about a crash?
You could try running remoted in the foreground
(`/var/ossec/b
On Tue, Jul 10, 2018 at 12:24 AM, Shaikh S. wrote:
> Hello Dan,
>
> Thanks for your reply!!!
>
> Can you please tell me how I can configure it for failover?
>
I've never done it, so this is mostly a guess:
Create a second OSSEC manager.
Copy the client.keys file from the original manager to the
On Mon, Jul 9, 2018 at 1:30 AM, Chinmay Pandya
wrote:
> I do not see any info in the ossec logs that suggests remoted is crashing.
>
> Any way I can confirm this?
>
When ossec-remoted starts it logs to the ossec.log. Look for entries like this:
2018/07/11 10:49:34 ossec-remoted: INFO: Started (pid: 23
On Fri, Jul 6, 2018 at 5:20 PM, Jeremy Utley wrote:
> Hello to the list!
>
> Over the past few weeks, our weekly Nessus scans have been triggering a lot
> of password failure alerts from OSSEC. Specifically the rules "2502" and
> "40111" have been being triggered thousands of times on each weekly
On Fri, Jul 6, 2018, 9:39 AM OpenBayou wrote:
> So enter 'no' on both enable active response and enable the firewall-drop
> response?
>
I didn't think it asked the second one if you told it no on active
response. But you are correct. Answer no for both.
On Fri, Jul 6, 2018 at 3:46 AM, VIGOUROUX Mael
wrote:
> Hello everyone,
>
>
>
> I’m currently trying to link OSSEC 2.9 with Prelude 4.1. I created a virtual
> network with some Debian 9 VM, I have one where I put my OSSEC agent and
> another where I installed the server. I want to send the OSSEC o
On Sat, Jun 30, 2018 at 8:34 AM, bill890 wrote:
> Hello Forum
>
> Is it possible to monitor every change of a selected file/folder, from the
> point of its creation till today? And visualize that in e.g. a timeline?
>
> It would be amazing if such a timeline of the files/folders with the dates
>
On Tue, Jul 3, 2018 at 7:09 AM, Alan G wrote:
> Hi,
>
> I'm trying to optimise my syscheck agent configuration deployed on CentOS 7.
>
> Currently I'm checking /bin and /usr/bin with the former being a symlink to
> the latter (also /sbin, /lib, /lib64). This means the scan takes much longer
> than
On Tue, Jul 3, 2018 at 11:00 AM, bill890 wrote:
> Hello group
>
> Does the agent perform its checks if the server is unavailable, and does it
> upload the results to the server as soon as the server comes back online again
> (ok, caching integrity scans locally is less than ideal)?
>
I think it's
On Wed, Jul 4, 2018 at 3:29 AM, Chinmay Pandya
wrote:
> I have dockerised ossec server.
>
> I have built my docker and not using ossec docker.
>
> Now I need to restart my ossec every day.
>
> When I do, I have to wait a lot of time for ossec-remoted PID files to be
> deleted.
>
> I see something
On Fri, Jul 6, 2018 at 3:43 AM, Shaikh S. wrote:
> Hello Folks,
>
> Hope you're doing well.
>
> Is it possible to configure the ossec agent to send the logs to two different
> servers? For example, if the DC ossec server goes down, is it possible to
> forward the same agent logs to the other DR ossec ser
On Thu, Jul 5, 2018 at 11:38 PM, Gregory Schultz wrote:
> I'm looking for a way to use OSSEC to do everything that OSSEC does except
> block IP addresses. If I ran the installation and went to: "Do you want to
> enable the firewall-drop response? (y/n) [y]:" should I set it to no and
> that's all?
On Thu, Jun 28, 2018 at 9:13 AM, FSoyer wrote:
> Well, sorry if I have trouble understanding the process, but I found only
> "" tag in decoder.xml, with decoder parent names (not ids), not in
> rules files. So when I search child rules for id 2900 with parent tag, I
> find nothing.
>
Sorry again,
On Thu, Jun 28, 2018 at 4:05 AM, FSoyer wrote:
> Hi Dan,
> thank you for this highlight. Not sure how we can "move the exim decoders
> above the debian dpkg decoders" as... there is no dpkg decoders : it is
I was just confused. I thought there were dpkg decoders, but apparently not.
> rules, in
On Wed, Jun 27, 2018 at 8:57 AM, GCS Tech wrote:
>
>> On Jun 27, 2018, at 7:53 AM, dan (ddp) wrote:
>>
>> On Wed, Jun 27, 2018 at 6:52 AM, wrote:
>>> I have a working OSSEC that I now want to send the output to a Graylog2
>>> server. I added the follo
On Wed, Jun 27, 2018 at 6:52 AM, wrote:
> I have a working OSSEC that I now want to send the output to a Graylog2
> server. I added the following to the ossec.conf file between the
> ossec_config tags.
>
> 192.168.0.33
> 9514
> cef
>
> I enabled csyslog and restarted
On Tue, Jun 26, 2018 at 3:27 PM, Stephen Vemi wrote:
> Hi guys, OSSEC-agent real-time file integrity is showing me this error in
> */logs/ossec.logs:
>
> ossec-syscheckd: WARNING: realtime monitoring request on unsupported system
> for '/example'
>
> Can anyone help me? The filesystem is ext2 on
On Mon, Jun 25, 2018 at 2:55 PM, Mark M wrote:
>
> Thanks Dan. Should I titrate the number down as far as possible, or does it
> matter really?
>
I'm not sure it matters too much. OSSEC needs to move forward at some point.
2048 seems reasonable.
>
> On Saturday, June 23, 2018 at 2:59:25 PM UTC-7
On Mon, Jun 25, 2018 at 5:51 AM, Frank Soyer wrote:
> Hi,
> I made an upgrade from 2.8.3 to 2.9.4, for handling exim logs/rules. But
> this decoder or rules doesn't seem to be tested. Here is a debug session:
>>
>> # bin/ossec-logtest -v
>> 2018/06/25 11:32:41 ossec-testrule: INFO: Reading decod
On Fri, Jun 22, 2018 at 8:19 PM, Mark M wrote:
>
> Since going to CentOS 7, and installing BigFix on all systems I get a LOT of
> syslog rule 1003 (file too large) messages.
>
>
> Non standard syslog message (size too large).
>
>
> What was used to determine the 1025 number? Is this mean
And here's the pull request:
https://github.com/ossec/ossec-hids/pull/1440
On Fri, Jun 22, 2018 at 11:37 AM, dan (ddp) wrote:
> On Fri, Jun 22, 2018 at 11:22 AM, dan (ddp) wrote:
>> On Thu, Jun 21, 2018 at 3:28 PM, Mark M wrote:
>>>
>>>
>>> I don'
On Fri, Jun 22, 2018 at 11:22 AM, dan (ddp) wrote:
> On Thu, Jun 21, 2018 at 3:28 PM, Mark M wrote:
>>
>>
>> I don't see anything in my rsyslog.conf that should affect local log format?
>> Why might the decoder be failing?
>>
>> Jun 21 12:27:37 dactyl
On Thu, Jun 21, 2018 at 3:28 PM, Mark M wrote:
>
>
> I don't see anything in my rsyslog.conf that should affect local log format?
> Why might the decoder be failing?
>
> Jun 21 12:27:37 dactyl unix_chkpwd[4723]: password check failed for user
> (root)
> Jun 21 12:27:37 dactyl su: pam_unix(su-l:aut
On Fri, Jun 22, 2018 at 7:52 AM, Vinay Vanama wrote:
> Hey, I have tried the same with 2 profiles and restarted agents and master and
> added some files in the monitored directories and I have got some email
> alerts for the added files. Now I believe that this is
> working.
>
> I have one more ques
On Thu, Jun 21, 2018 at 2:45 PM, Vinay Vanama wrote:
> So now how can we ensure that this is working ?
>
Ok, I created an agent.conf:
ix# more /var/ossec/etc/shared/agent.conf
/var/test
It got pushed to an agent. I configured that agent to use the profile:
junction# more /var/ossec/
On Thu, Jun 21, 2018 at 2:22 PM, Vinay Vanama wrote:
> Hi Dan,
>
> Does my configuration of both agent and server look fine? Because only when I
> added the section in the agent ossec.conf did it start
> monitoring files. So why do we need the agent.conf in the OSSEC master?
>
I don't like the
On Wed, Jun 20, 2018 at 8:24 PM, Mark M wrote:
>
> I'm re-visiting my OSSEC rules today because failed su - root attempts
> (level 9) no longer fire or send email. You can see 5301 fires, but not
> 5302? This was working in the past on the same server.
>
The `root` user isn't decoded in the provi
On Thu, Jun 21, 2018 at 3:31 AM, e.fanti e.fanti wrote:
> Hello.
> On the ossec.log file there is the message of connection to the server and
> the start of the syscheck and its forward to the server.
> Only the client connection is on the server log.
>
> The other clients, linux and windows, cont
On Thu, Jun 21, 2018 at 10:37 AM, wrote:
> Hi all
>
> I'm trying to connect several ossec agents to an ossec server over the
> internet and without vpn tunnels. This means, IPs get transformed because of
> NAT. This is not a problem for agent-to-server communication, since I can
> register each a
On Thu, Jun 21, 2018 at 8:32 AM, Vinay Vanama wrote:
> Hi Dan!
>
> I have achieved this by using profile concept
>
> What I have done is I have used a and for
> dynamic agents I have used and then I have
> restarted the agents and agent.conf has been updated on both machines. But I'm
> confused here
On Wed, Jun 20, 2018, 12:06 PM e.fanti e.fanti wrote:
> Hello to all.
> Almost every day the following thing happens.
> I have 2 agents installed on two windows 2008 servers.
> The agent is connected to the Wazuh Manager, but windows events are not
> sent to the Wazuh server.
> The events are pre
On Tue, Jun 19, 2018 at 5:33 AM, Vinay Vanama wrote:
> Hi Team,
>
> I have installed OSSEC -Master and OSSEC - Agents (Version - 2.9.2) on
> ubuntu machines which are static machines. So far everything is fine and I'm
> getting alerts. Now I'm using same setup for dynamic machines and agents are
>
On Mon, Jun 18, 2018 at 9:52 AM, wrote:
>
>
> On Monday, June 18, 2018 at 8:02:51 AM UTC-4, dan (ddpbsd) wrote:
>>
>> On Fri, Jun 15, 2018 at 1:46 PM, wrote:
>> > I am new to OSSEC and have the server running and over 1000 agents
>> > listed.
>> > the things that I am attempting to figure out a
On Mon, Jun 18, 2018 at 7:48 AM, dan (ddp) wrote:
> On Thu, Jun 7, 2018 at 2:23 AM, Vibin K Madampath wrote:
>> Hello Dan,
>>
>> Seems like the error gets triggered when it finds an empty line in the
>> alerts.log
>>
>> Master branch - I haven't tried
On Thu, Jun 7, 2018 at 2:28 AM, wrote:
> tcp0 0 0.0.0.0:465 0.0.0.0:* LISTEN
> 26256/master
>
Is postfix listening on 127.0.0.1 port 25?
> I can send emails through postfix from the terminal; the problem is that
> OSSEC does not send the requests to the po
On Mon, Jun 11, 2018 at 9:26 PM, Dan Avrukin
wrote:
> Hello folks,
>
> We're testing deployment of agents on production systems, and we'd like to
> have them compiled statically.
> It doesn't seem to be too common, and I'm curious if there's a reason behind
> that.
> Have any of you successfully d
On Wed, Jun 13, 2018 at 8:55 AM, Mohamed Faizal Kamaluddin
wrote:
> Dear Team,
>
>
>
> We have installed the ossec agent on our systems. It stores logs in a single text
> file. It's getting bigger and bigger after a few months. I want to know from you
> people whether there is any possibility to configure the thi
On Thu, Jun 14, 2018 at 6:43 PM, Dan Avrukin
wrote:
> Hello,
>
> Considering the nature of objects under /dev, would having a check_sum check
> run over /dev make it hang?
> Manually running md5sum /dev/* definitely hangs, and I'm curious if perhaps
> syscheckd gathers its checksums in a way that
On Fri, Jun 15, 2018 at 1:46 PM, wrote:
> I am new to OSSEC and have the server running and over 1000 agents listed.
> the things that I am attempting to figure out are as follows
>
> 1) Of the over 1000 windows agents that are Active I never see any alerts
> for them
Are the agents able to succ
thanks. It seems to be crashing my reportd, so I'll take a look at it.
>
> On 6 June 2018 at 19:57, dan (ddp) wrote:
>>
>> On Tue, May 22, 2018 at 9:08 AM, Vibin K Madampath
>> wrote:
>> > Hello,
>> >
>> > I'm also getting a similar error du
e code could make it clear.
> Thanks.
>
> On Wed, Jun 6, 2018 at 7:25 AM dan (ddp) wrote:
>>
>> On Mon, Jun 4, 2018 at 4:09 PM, Void Main
>> wrote:
>> > Hello all,
>> >
>> > I've been going through the docs, but I don't seem to find
On Wed, May 30, 2018 at 12:37 PM, wrote:
> +1 on this question; really would like to know how someone did this; SDK,
> toolbox, etc?
>
What challenges does CoreOS present that aren't a problem for a normal
linux distribution?
> On Thursday, November 9, 2017 at 11:37:35 AM UTC-5, SET wrote:
>>
>
On Tue, May 29, 2018 at 6:07 AM, wrote:
> It's empty.
>
> There are no entries at maillog.
>
> However, if I send a mail with sendmail (echo "Subject: sendmail test" |
> sendmail -v x...@xxx.xxx), at /var/log/maillog:
>
> May 29 12:04:30 X postfix/pickup[8183]: 638F727EA4: uid=0 from=
> May 29 12:
On Wed, Jun 6, 2018 at 6:16 AM, Mikel Sheshi wrote:
> Hello,
> I have Wazuh Server configured to monitor my Windows Servers
> If I want to monitor a directory : Example : realtime="yes">C:\test
>
> When I do changes with a user logged on the server I receive all the changes
> through syscheck
>
>
On Tue, May 22, 2018 at 9:08 AM, Vibin K Madampath wrote:
> Hello,
>
> I'm also getting a similar error due to which the reports are not being
> generated/sent.
>
> Using the same version 2.9.3
>
> [root@usws1ossecap01 ~]# /var/ossec/bin/ossec-reportd <
> /var/ossec/logs/alerts/alerts.log
> 2018/0
On Mon, Jun 4, 2018 at 12:22 PM, Mike wrote:
> Hi,
>
> I want to reduce the frequency of the agentless polling for quicker
> performance on my manager (version 2.8) but I cannot find clues for doing
> this.
>
> It seems to me that the agentless process runs my agentless configuration in
> a sequen
On Mon, Jun 4, 2018 at 4:09 PM, Void Main wrote:
> Hello all,
>
> I've been going through the docs, but I don't seem to find that piece of
> information.
> Do you happen to know what language was used to program the Agents?
>
Most of OSSEC is written in C.
> Thanks.
>
On Tue, May 29, 2018, 5:06 AM wrote:
> Hi,
>
> I am receiving the error:
>
>
>
> *2018/05/28 17:29:54 ossec-maild(1223): ERROR: Error Sending email to
> 127.0.0.1 (smtp server)2018/05/28 18:00:01 ossec-maild(1223): ERROR: Error
> Sending email to 127.0.0.1 (smtp server)2018/05/28 18:22:07
> ossec
On Thu, May 17, 2018, 8:54 AM Chinmay Pandya
wrote:
> I am running ossec-reportd and it is crashing due to a double free. This
> can lead to exploitation. So can someone solve it?
>
> /ossec-server# bin/ossec-reportd < logs/alerts/alerts.log
> 2018/05/17 12:51:32 ossec-reportd: INFO: Started (pi
On Tue, May 8, 2018, 5:39 PM Victor Drobysh wrote:
> This is easier and did work when upgrading another OSSEC server:
> > Defines:
> -DMAX_AGENTS=4096 -DOSSECHIDS -DDEFAULTDIR="/opt/ossec-server/"
> -DUSER="ossec" -DREMUSER="ossecr" -DGROUPGLOBAL="ossec" -DMAILUSER="ossecm"
> -DLinux -DINOTIF
On Tue, May 8, 2018, 4:37 PM Victor Drobysh wrote:
> Hello,
>
> could someone help figuring out on how to fix remoted that stopped working
> after upgrading OSSEC server with 2606 agents connected?
>
> First, I upgraded without specifying MAXAGENTS. Then, I realized that
> remoted is not starting
On Mon, May 7, 2018 at 1:09 AM, Vibin K Madampath wrote:
> Appreciate any help.
>
> Regards,
> Vibin
>
> On 3 May 2018 at 15:13, Vibin K Madampath wrote:
>>
>> Hello Team,
>>
>> OSSEC is not reporting the file content changes thru email even though it
>> is configured to do so.
>>
>> I can see th
On Fri, May 4, 2018 at 7:21 PM, DG wrote:
> Hi,
>
> I am a total newb to ossec so I apologize ahead of time. I have been tasked
> to see if OSSEC can be leveraged to alert on TLS version used for
> connections on a given instance/vm/computer.
>
> So far I know if I have a scanner (custom script) w
On Mon, May 7, 2018 at 10:13 PM, dan (ddp) wrote:
> On Mon, May 7, 2018 at 2:57 AM, Александр Канайкин
> wrote:
>> Hi guys!
>>
>> Is there an ability to configure resolving hostname in alert from syslog
>> device (not an agent)?
>>
>> For example
On Mon, May 7, 2018 at 2:57 AM, Александр Канайкин
wrote:
> Hi guys!
>
> Is there an ability to configure resolving hostname in alert from syslog
> device (not an agent)?
>
> For example can :
>
> Received From: ids->10.10.19.1
>
> look like
>
>
> Received From: ids->asa123
>
>
> or
>
>
> Received
On Mon, Apr 30, 2018, 7:31 PM wrote:
> Hi Dan, Florian
>
> This entry mentions OSSEC has been configured to keep logs as long as 13
> months. May I ask how to achieve that? I don't know the configuration file
> I need to edit to let OSSEC know it must not rotate logs until the 13th
> month.
>
> B
On Wed, Apr 25, 2018 at 1:58 PM, Jacob Mcgrath
wrote:
> Do agent-less syslogs for ossec change on their delivery to the ossec
> server? These are syslogs being sent to ossec.
>
I don't think so, but maybe I don't understand the question.
Since I'm at a computer, this decoder:
iptables
^
On Wed, Apr 25, 2018, 1:11 PM dan (ddp) wrote:
>
>
> On Wed, Apr 25, 2018, 12:37 PM Jacob Mcgrath
> wrote:
>
>> tried these with no result:
>>
>>
>> kernelmon
>> ^TS5400R33A
>>
>>
>>
>> iptables
>> ^TS5400R33A
On Wed, Apr 25, 2018, 12:37 PM Jacob Mcgrath
wrote:
> tried these with no result:
>
>
> kernelmon
> ^TS5400R33A
>
>
>
> iptables
> ^TS5400R33A
>
>
>
The parent decoder will always be displayed. For your decoders to really do
anything, they will need to pull out some data into fields (
't looked at it further
than that yet.
> On Mon, Apr 23, 2018 at 4:29 PM dan (ddp) wrote:
>>
>> On Mon, Apr 23, 2018 at 6:26 PM, dan (ddp) wrote:
>> > On Mon, Apr 23, 2018 at 6:05 PM, Cooper Graf
>> > wrote:
>> >> Is there documentation that explain
On Fri, Apr 20, 2018 at 10:25 AM, Patrik Lindh wrote:
> Hello!
> I've installed the Ossec windows agent on a server 2008r2 and want to monitor
> logs residing in: C:\ProgramData\GlobalSCAPE\EFT Server Enterprise/Logs
>
> But when I start the agent I get the following error: 2018/04/20 14:54:42
> ossec
On Thu, Apr 19, 2018 at 1:36 PM, Carlos Islas wrote:
> Hello to everybody
>
> I have this exclusion in my agent.conf:
>
> C:\Program Files (x86)\ossec-agent\rids
>
Try:
C:\Program Files (x86)/ossec-agent/rids
> But I continue receiving email notifications. Is it necessary to "escape" the
> space?
>
>
On Mon, Apr 23, 2018 at 6:26 PM, dan (ddp) wrote:
> On Mon, Apr 23, 2018 at 6:05 PM, Cooper Graf wrote:
>> Is there documentation that explains what a glob is? This worked fine with
>> 2.7.
>>
>
> I don't think so. I just tried it on a 3.x system and didn
ansible/.ssh', with options perm | size | owner | group |
md5sum | sha1sum.
2018/04/23 18:25:15 ossec-syscheckd: INFO: Monitoring directory:
'/home/checker/.ssh', with options perm | size | owner | group |
md5sum | sha1sum.
> On Mon, Apr 23, 2018 at 12:53 PM dan (ddp) wrote:
On Sat, Apr 21, 2018 at 4:35 AM, Mohamed Faizal Kamaluddin
wrote:
> Dear Team,
>
>
>
> We have installed ossec-agent on our windows server 2012. There is one text
> file in the program files inside the ossec-agent which takes more than 20
> GB. We would like to know the following:
>
>
>
> What tex
On Sun, Apr 22, 2018 at 9:52 PM, Cooper wrote:
> Why are the ossec clients trying to connect to the server using port 1514,
> when the default port (and the port they registered with) is 1515, which is
> also the port the server is listening on?
>
> 2018/04/22 20:49:16 INFO: Connected to at addre
On Mon, Apr 16, 2018 at 2:08 PM, Cooper wrote:
> I am getting the following error from syscheckd when starting up OSSEC
> 2.9.3:
>
> 2018/04/16 13:01:14 ossec-analysisd: INFO: Reading rules file:
> 'sshd_rules.xml'
> 2018/04/16 13:01:14 ossec-syscheckd(1121): ERROR: Glob error. Invalid
> pattern:
On Wed, Apr 11, 2018, 10:18 AM wrote:
> I'm using OSSEC HIDS
>
> from this I'm getting the alerts based on all events. But I need to know
> the *user who modified the specific file*.
> Is this possible?
>
It's still not possible out of the box. You might be able to setup some
specific auditing
On Tue, Apr 10, 2018, 5:02 PM Carlos Islas
wrote:
> Hello to everybody,
>
> I've a problem: in my ossec server I had added new directories to check or
> to ignore, for example:
>
> /etc,/usr/bin,/usr/sbin
> check_all="yes">/bin,/sbin,/boot,/lib,/opt,/srv
> C:\Windows\Test
> C:\Progra