Re: [ossec-list] what does disconnect mean?

2010-12-09 Thread dan (ddp)
The agent has disconnected from the manager. On Thu, Dec 9, 2010 at 1:26 PM, Michael Barrett wrote: > > Agent disconnected: 'griffin-172.24.189.12' > > > > Michael Barrett | Information Security Analyst - Lead | Mortgage Guaranty > Insurance Corporatio

Re: [ossec-list] Windows 7 communication problems

2010-12-10 Thread dan (ddp)
The communication between agent and manager is done via UDP, so the telnet won't work. Do a tcpdump on the manager looking for traffic to and from the win7 box. There should be traffic going in both directions. On Fri, Dec 10, 2010 at 1:14 PM, Matthew Ayres wrote: > > > I have OSSEC server runnin

Re: [ossec-list] Problem with MySQL logs

2010-12-13 Thread dan (ddp)
I don't understand the issue, but newer versions of OSSEC have better database support. On Sun, Dec 12, 2010 at 5:53 PM, Miguel Miralles wrote: > Hi, my problem is on server OSSEC and MySQL. The problem is that the OSSEC agent > only sets the header "MySQL log: 9:54:50" in the first case on o

Re: [ossec-list] ossec smtp server

2010-12-13 Thread dan (ddp)
On Mon, Dec 13, 2010 at 4:00 PM, Erik wrote: > Hello, > > Ossec refuses to accept my smtp server > > tail /var/ossec/logs/ossec.log > > 2010/12/12 15:47:47 ossec-maild(1223): ERROR: Error Sending email to > xxx.xxx.xxx.xx (smtp server) > 2010/12/12 15:50:47 ossec-maild(1223): ERROR: Error Sending

Re: [ossec-list] Still working on world writable files

2010-12-14 Thread dan (ddp)
On Tue, Dec 14, 2010 at 9:12 AM, wrote: > > > Hi all > > > >   This is what I have done up ’til now to track those ww files > > But it doesn’t appear to work.  Sooo what did I miss > > > >   I have a one liner script in active response that extracts the info > > I need > > stat -c %A" "%n  /c

Re: [ossec-list] ossec-reportd: How to get full Log dump in the report

2010-12-14 Thread dan (ddp)
Any difference between the servers? OS/version? On Mon, Dec 13, 2010 at 2:45 PM, Christopher Moraes wrote: > Hi, > I have two instances of ossec running of difference servers.  When I run > ossec-reportd on one, I get a report which contains summary stats as well as > a dump of the relevant alert

Re: [ossec-list] Still working on world writable files

2010-12-14 Thread dan (ddp)
> -Original Message- > From: ossec-list@googlegroups.com [mailto:ossec-l...@googlegroups.com] On Behalf Of dan (ddp) > Sent: 14 Dec 2010 09:21 > To: ossec-list@googlegroups.com > Subject: Re: [ossec-list] Still working on world writable files >

Re: [ossec-list] ossec-reportd: How to get full Log dump in the report

2010-12-14 Thread dan (ddp)
and the > full log dump. > The alert file on both systems is the same (they are both test instances and > I've used the same log dump to generate the alerts). > Regards, > Chris > > On Tue, Dec 14, 2010 at 9:26 AM, dan (ddp) wrote: >> >> Any difference between the

Re: [ossec-list] Setting an alert for

2010-12-15 Thread dan (ddp)
There should be an alert for when there are more messages than average, but nothing that I know of for not receiving any messages. On Wed, Dec 15, 2010 at 5:30 AM, NewRules wrote: > Hi, > > I'm using ossec as a log corellator. > For log centralization I'm using syslog-ng (for formatting features)

Re: [ossec-list] ossec-reportd: How to get full Log dump in the report

2010-12-15 Thread dan (ddp)
ervers. > I will try to get reportd on the RHEL instance run as root and see if that > solves the issue. > Thanks and regards, > Chris > > On Tue, Dec 14, 2010 at 4:15 PM, dan (ddp) wrote: >> >> The the counts in the summary match up in both reports? >> I'd

Re: [ossec-list] Re: Setting an alert for

2010-12-15 Thread dan (ddp)
> > On 15 Dec, 15:44, "dan (ddp)" wrote: >> There should be an alert for when there are more messages than >> average, but nothing that I know of for not receiving any messages. >> > > Is there a way to create custom rules to generate such an alert ?

Re: [ossec-list] Problem with MySQL logs

2010-12-15 Thread dan (ddp)
th the compatibility in the different > versions??? Is necessary update server OSSEC and all agents?? > > Thanks. > > > > 2010/12/13 dan (ddp) >> >> I don't understand the issue, but newer versions of OSSEC have better >> database support. >>

Re: [ossec-list] ossec-reportd: How to get full Log dump in the report

2010-12-15 Thread dan (ddp)
ly other difference is #3 is a 'production' box.  I'm wondering if it > could have some additional security that is preventing the log dump being > generated. > Is there any way to debug what reportd is doing?   I can't find a debug log > level for reportd in internal_o

Re: [ossec-list] Re: Ignore "ossec-logcollector: Large message size:" warning?

2010-12-15 Thread dan (ddp)
Comment out the warning in the source? On Tue, Dec 14, 2010 at 4:18 PM, jplee3 wrote: > Ughh. Too many typos. My second paragraph I meant to say I *WANT* to > disable this so that the ossec.log doesn't grow... > > TIA! > > On Dec 14, 1:09 pm, jplee3 wrote: >> Hi all, >> >> I was wondering if the

Re: [ossec-list] Still working on world writable files

2010-12-15 Thread dan (ddp)
>   > > -Original Message----- > From: ossec-list@googlegroups.com [mailto:ossec-l...@googlegroups.com] On Behalf Of dan (ddp) > Sent: 14 Dec 2010 11:03 > To: ossec-list@googlegroups.com > Subject: Re: [ossec-list] Still working on world writable files > > So when a

Re: [ossec-list] Server and agent at the same time on the same host

2010-12-15 Thread dan (ddp)
On Wed, Dec 15, 2010 at 1:38 PM, carlopmart wrote: > On 12/15/2010 07:14 PM, d.asse...@cgi.com wrote: >> >>  And the answer is E >> >>   But I did remove some functionality from the server side >> >> I'm writing a doc on it for the deployment team But basically remove >> In ossec.conf  the service

Re: [ossec-list] Server and agent at the same time on the same host

2010-12-15 Thread dan (ddp)
On Wed, Dec 15, 2010 at 2:14 PM, carlopmart wrote: > On 12/15/2010 07:38 PM, carlopmart wrote: > >> >> Thanks Dan. >> >> I have installed ossec as a server disabling rootcheck, syscheck and active >> response. >> But when I launch ossec init script syscheckd is started. How can I >> prevent to star

Re: [ossec-list] Server and agent at the same time on the same host

2010-12-15 Thread dan (ddp)
On Wed, Dec 15, 2010 at 2:15 PM, carlopmart wrote: > On 12/15/2010 08:10 PM, dan (ddp) wrote: >> >> On Wed, Dec 15, 2010 at 1:38 PM, carlopmart  wrote: >>> >>> On 12/15/2010 07:14 PM, d.asse...@cgi.com wrote: >>>> >>>>  And the answer is E

Re: [ossec-list] Different active response durations for each level

2010-12-15 Thread dan (ddp)
On Wed, Dec 15, 2010 at 2:51 PM, Kenny - Risco Zero wrote: > hi > > I just wanna know if it's possible to have different durations for each > level of event, on ossec.conf. > This is the example: > > ### > > > > > host-deny > local > 6 > 3600

Re: [ossec-list] [SOLVED]: ossec-reportd: How to get full Log dump in the report

2010-12-15 Thread dan (ddp)
dded the line >           r_filter->show_alerts=1; > to report.c at line 194, that is just above the line >     /* the real stuff now */ >     os_ReportdStart(&r_filter); > I've tested and this works now on my test env. > Regards, > Chris > > > > On Wed,

Re: [ossec-list] [SOLVED]: ossec-reportd: How to get full Log dump in the report

2010-12-16 Thread dan (ddp)
ow */ >     os_ReportdStart(&r_filter); > I've tested and this works now on my test env. > Regards, > Chris > This wouldn't compile for me, but r_filter.show_alerts=1; did. And it seems to have fixed the issue for me too. > > > On Wed, Dec 15, 2010 at 11:03 AM,

Re: [ossec-list] Questions about when an OSSEC server is down

2010-12-17 Thread dan (ddp)
On Fri, Dec 17, 2010 at 4:52 AM, carlopmart wrote: > Hi all, > >  I have installed two ossec servers to provide HA for several agents. Using > a software load balancer, this scenario works as I expected. But I have a > problem with six servers (all linux based) that resides on the same OSSEC > ser

Re: [ossec-list] Unable to block offending ipaddress on Windows Agent

2010-12-17 Thread dan (ddp)
Is your active response configuration also on the server? If it isn't, copy it to the server's ossec.conf, restart, and try again. On Fri, Dec 17, 2010 at 7:27 AM, Ankush Grover wrote: > Hi Friends, > > I have installed Ossec 2.5.1 on Centos 5.x machine and an agent (2.5.1) on > Windows XP where I

Re: [ossec-list] Questions about when an OSSEC server is down

2010-12-17 Thread dan (ddp)
On Fri, Dec 17, 2010 at 10:55 AM, carlopmart wrote: > On 12/17/2010 04:32 PM, dan (ddp) wrote: >> >> On Fri, Dec 17, 2010 at 4:52 AM, carlopmart  wrote: >>> >>> Hi all, >>> >>>  I have installed two ossec servers to provide HA for several a

Re: [ossec-list] Securely deploying OSSEC

2010-12-20 Thread dan (ddp)
On Mon, Dec 20, 2010 at 1:54 PM, Jarred White wrote: > Hello. I’m trying to find a way to remotely deploy OSSEC to some of our > remote sites and have it report back to us on server health/security. There > is no direct connection to the remote network, so any reporting would need > to happen over

Re: [ossec-list] OSSEC Manager for Windows

2010-12-20 Thread dan (ddp)
On Mon, Dec 20, 2010 at 4:43 PM, Saket wrote: > Hi, > > I want to try out OSSEC in my lab. I found OSSEC server installation > for Linux but not for Windows. I just want to double check if Windows > is supported for server installations. Nope, the manager is linux/unix only.

Re: [ossec-list] Unable to block offending ipaddress on Windows Agent

2010-12-21 Thread dan (ddp)
On Fri, Dec 17, 2010 at 7:27 AM, Ankush Grover wrote: > Hi Friends, > > I have installed Ossec 2.5.1 on Centos 5.x machine and an agent (2.5.1) on > Windows XP where IIS is running. From another test machine (linux) I tried > to wget some false files from IIS server which resulted in 404 errors on

Re: [ossec-list] Error in destination mail with agent created with IP address = any

2010-12-21 Thread dan (ddp)
On Tue, Dec 14, 2010 at 8:26 AM, tux3132 wrote: > Hello > > I have created on the server multiple entry for agents with IP address > fixed to any because the agents are behind a firewall and they are > seen by the server with its public IP. > > All is working fine except when the agent fire too mu

Re: [ossec-list] OSSEC client on Server 2003 (Unable to start OSSEC (check config)).

2010-12-21 Thread dan (ddp)
On Tue, Dec 21, 2010 at 1:42 PM, wrote: > I’m running into issues installing the OSSEC 2.5.1 client on a windows 2008 > R2 server.  After repeated un-installation and reinstallation I am unable to > start the OSSEC client from the OSSEC Agent Manager, receiving an “Unable to > start OSSEC (check

Re: [ossec-list] Help with stopping Dic Attack on SMTP server

2010-12-21 Thread dan (ddp)
What do you have so far? How important is the "from china" part? On Sat, Dec 18, 2010 at 2:21 PM, Steve West wrote: > Hi, > > Can anyone help me create a rule to stop Dic attack on smtp server from > china? I've tried manually blocking these attacks via iptables, but the ip > addresses just keep

Re: [ossec-list] OSSEC client on Server 2003 (Unable to start OSSEC (check config)).

2010-12-21 Thread dan (ddp)
ening directory: > 'C:\Windows/System32/tlntsvr.exe': No such file or directory > 2010/12/20 20:40:17 ossec-agent: INFO: Finished creating syscheck database > (pre-scan completed). > 2010/12/20 20:40:27 ossec-agent: INFO: Ending syscheck scan (forwarding > database). >

Re: [ossec-list] OSSEC client on Server 2003 (Unable to start OSSEC (check config)).

2010-12-21 Thread dan (ddp)
ss > I don't have any idea. I'm not very familiar with the Agent Manager and how it interacts with the system/OSSEC services. > -Original Message- > From: ossec-list@googlegroups.com [mailto:ossec-l...@googlegroups.com] On > Behalf Of dan (ddp) > Sent: Tuesday, De

Re: [ossec-list] OSSEC client on Server 2003 (Unable to start OSSEC (check config)).

2010-12-21 Thread dan (ddp)
On Tue, Dec 21, 2010 at 3:04 PM, Mike Smith wrote: > Hello, > > Where can I find example and information on where to configure > alert_new_files.  I'm using Windows Agents. > > I configured it in the ossec.conf file, but does not seem to be working. > > Thanks, > > Mike I think you've stumbled i

Re: [ossec-list] Custom Log Inspection rule.

2010-12-22 Thread dan (ddp)
On Wed, Dec 22, 2010 at 7:26 AM, Shraddha Tickoo wrote: > HI, > > > We are trying to implement Deep Security 7.5 at one of our customer > location but are facing following issues : > > 1. We are trying to create a custom 'Log Inspection' rule to trigger > certain keywords in System Event logs. Ple

Re: [ossec-list] How do include a date/time check in a rule?

2010-12-22 Thread dan (ddp)
On Wed, Dec 22, 2010 at 8:19 AM, ItsMikeE wrote: > I have seen an option to specify a time range in a rule (such as detecting > logins during non-business hours). > > Is there a way to specify days? > I want to skip reporting on syslogd re-starting if it is at a specified time > and date (i.e. don

Re: [ossec-list] Audit log and OSSEC under RHEL6

2010-12-22 Thread dan (ddp)
I don't have access to ossec-logtest right now, so you'll have to do some testing with that on your own. Everything I'm writing in this mail is untested. ;) On Wed, Dec 22, 2010 at 12:41 PM, carlopmart wrote: > Hi all, > >  I am trying to decode auditd messages using OSSEC under RHEL6 host. To do

Re: [ossec-list] Audit log and OSSEC under RHEL6

2010-12-22 Thread dan (ddp)
On Wed, Dec 22, 2010 at 3:17 PM, carlopmart wrote: > On 12/22/2010 08:44 PM, dan (ddp) wrote: >> >> I don't have access to ossec-logtest right now, so you'll have to do >> some testing with that on your own. >> Everything I'm writing in this mail is unt

Re: [ossec-list] Audit log and OSSEC under RHEL6

2010-12-22 Thread dan (ddp)
> > Many thanks for your help dan. > > -- > CL Martinez > carlopmart {at} gmail {d0t} com > Not a problem. Can you post your final decoder for the archives? It might help someone else looking to do the same thing.

Re: [ossec-list] Most of my relevant events are classified as Rule: 1002

2010-12-23 Thread dan (ddp)
These event messages seem odd. Running the first one through logtest gives me the following: 2010/12/23 11:12:21 ossec-testrule: INFO: Reading local decoder file. 2010/12/23 11:12:21 ossec-testrule: INFO: Started (pid: 25248). ossec-testrule: Type one log per line. Dec 23 09:08:13 1.1.1.1 DOMAINCO

Re: [ossec-list] custom rules for windows events

2010-12-23 Thread dan (ddp)
On Thu, Dec 23, 2010 at 2:50 PM, Anthony, Russell (Information Security) wrote: > Hi, > > > > If anyone has  created  custom rules for windows events, I would really > appreciate some pointers and  examples.  I have read the FAQs, bought and > read the book, and googled as much as I could, but I’m

Re: [ossec-list] Unstable ossec connections

2010-12-24 Thread dan (ddp)
Check the ossec.log on the agents that disconnect and the manager for information on the agents that disconnect. You can also run the manager's processes in debug mode (-d) for more verbose messages. On Thu, Dec 23, 2010 at 4:15 AM, Henry wrote: > I have been setting up with a ossec server and a

Re: [ossec-list] Reg: agents halt for 20 mins after syscheck scan

2010-12-24 Thread dan (ddp)
Setting the frequency to 15 minutes actually means "wait at least 15 minutes, but it's okay if you need a little more time." And I'm guessing the system starts counting after the previous syscheck run has completed (as opposed to 15 minutes from the last time syscheck started). So starting 20 minut

Re: [ossec-list] Unable to block offending ipaddress on Windows Agent

2010-12-24 Thread dan (ddp)
On Fri, Dec 24, 2010 at 8:20 AM, Ankush Grover wrote: > server. I do get email alerts that where it is showing there are 400 error >> >> > codes but the offending ipaddress is not getting blocked as I am able to >> > get >> > the correct files download from the IIS server at the same time. >> > >>

Re: [ossec-list] Re: Most of my relevant events are classified as Rule: 1002

2010-12-24 Thread dan (ddp)
)\t(\.+)\t id, extra_data, user, status, system_name name, id, location, user, system_name You might have to put it in decoder.xml above the "windows-snare" decoder, I'm not sure. A quick test with ossec-logtest (pasting everything from "Dec 23 09:08:13" to the end) wou

Re: [ossec-list] Re: Most of my relevant events are classified as Rule: 1002

2010-12-28 Thread dan (ddp)
**Phase 2: Completed decoding. >       No decoder matched. > > **Phase 3: Completed filtering (rules). >       Rule id: '1002' >       Level: '2' >       Description: 'Unknown problem somewhere in the system.' > **Alert to be generated. > >

Re: [ossec-list] Increase maximum number of allowed agents

2010-12-29 Thread dan (ddp)
Nope. You'll have to recompile the code. On Wed, Dec 29, 2010 at 9:34 AM, Maahkus wrote: > Hi Group - I'd like to increase the max agents allowed on an already > built and active ossec server. All the documentation I've read states > to do this before you install or update ossec. Is there a way t

Re: [ossec-list] Re: Increase maximum number of allowed agents

2010-12-29 Thread dan (ddp)
ile I shouldn't > have to worry about any of the agents breaking? > > On Dec 29, 9:48 am, "dan (ddp)" wrote: >> Nope. You'll have to recompile the code. >> >> On Wed, Dec 29, 2010 at 9:34 AM, Maahkus wrote: >> > Hi Group - I'd like to inc

Re: [ossec-list] Forward OSSEC logs to a Syslog Server

2010-12-29 Thread dan (ddp)
The alerts can be forwarded using the client syslog functionality in ossec. On Wed, Dec 29, 2010 at 3:34 PM, Saket wrote: > Hi, > > I am trying to forward the OSSEC logs to a syslog server. > > I know it stores the logs in /ossec/logs/ossec.log file and > /ossec/logs/alerts/alerts.log > > But, is

Re: [ossec-list] Consolidate active-response.logs

2010-12-30 Thread dan (ddp)
On Thu, Dec 30, 2010 at 4:55 PM, Saket wrote: > Hi, > > Is there a way to consolidate all the active-response.log file from > all the agents? > > It is difficult to access each agents active-response.log, I am > presuming there is a way to consolidate all the active-response.log in > the server. >

Re: [ossec-list] Consolidate active-response.logs

2010-12-31 Thread dan (ddp)
On Fri, Dec 31, 2010 at 1:35 PM, Jason 'XenoPhage' Frisvold wrote: > -BEGIN PGP SIGNED MESSAGE- > Hash: SHA1 > > On Dec 30, 2010, at 7:44 PM, dan (ddp) wrote: >> Have ossec read the active-response.log file? >> >> >>  syslog >>  /va

Re: [ossec-list] Feature request: Monitoring for truncated log files?

2011-01-03 Thread dan (ddp)
Hi Michael and x509v3, On Sun, Jan 2, 2011 at 10:05 PM, Michael Starks wrote: > On 01/02/2011 07:55 PM, x509v3 wrote: >> >> Like many folks, I'm using OSSEC to support PCI requirements. I'm >> very, very pleased with OSSEC and it has automated many things more >> efficiently than our previous mor

Re: [ossec-list] Re: Forward OSSEC logs to a Syslog Server

2011-01-03 Thread dan (ddp)
Hi Saket, On Wed, Dec 29, 2010 at 6:23 PM, Saket wrote: > This is what I was looking for. > > Can you tell me where to find >     >    192.168.4.1 >     > >     >    10 >    10.1.1.1 >     > > I looked up ossec.conf , should I include it there? > > Thanks, > Saket > Yes, this configuration belon

Re: [ossec-list] Issue in ossec-batch-manager.pl script?

2011-01-03 Thread dan (ddp)
Hi jplee3, On Thu, Dec 16, 2010 at 4:11 PM, jplee3 wrote: > Hey all, > > I started noticing this message when running the OSSEC batch manager > Perl script: > > [r...@mybox jplee3]# ./ossec-batch-manager.pl -a -n testing1 -i 211 -p > 10.1.1.1 > Use of uninitialized value in string eq at ./ossec-b

Re: [ossec-list] Issue in ossec-batch-manager.pl script?

2011-01-03 Thread dan (ddp)
1 at 3:55 PM, dan (ddp) wrote: >> >> Hi jplee3, >> >> On Thu, Dec 16, 2010 at 4:11 PM, jplee3 wrote: >> > Hey all, >> > >> > I started noticing this message when running the OSSEC batch manager >> > Perl script: >> > >>

Re: [ossec-list] Processes for syscheck and rootcheck

2011-01-06 Thread dan (ddp)
Hi Alisha, On Thu, Jan 6, 2011 at 11:56 AM, Alisha Kloc wrote: > Hi list, > > We are trying to examine the impact of the OSSEC agent on our more > sensitive systems. However, we're quite confused about which OSSEC > process does what. > > Our agents are configured with syscheck and rootcheck both

Re: [ossec-list] windows event issues

2011-01-06 Thread dan (ddp)
sure you are looking at the correct logs on the Windows agents. Look in the ossec.conf to see which logs are being looked at, and check Event Viewer on the agent to make sure those logs are being populated with data. > > -Original Message- > From: ossec-list@googlegroups.com [mailto:

Re: [ossec-list] ARP cache checker

2011-01-06 Thread dan (ddp)
Hi Shawn, On Thu, Jan 6, 2011 at 5:26 PM, Jefferson, Shawn wrote: > I was thinking of setting up an ARP cache check with OSSEC that would check > for duplicate ARP entries.  Thinking about it, I think on Windows a vbscript > is probably the best way.  On Linux, bash script I guess?  I was going t

Re: [ossec-list] Re: Consolidating ossec.log and active-responses.log into alert.log and exporting it to a syslog server

2011-01-06 Thread dan (ddp)
Hi, On Thu, Jan 6, 2011 at 7:56 PM, Saket wrote: > I was able to successfully get the active-responses.log to alert via > syslog > > Here is my log : Thu Jan  6 16:18:29 EST 2011 /var/ossec/active- > response/bin/host-deny.sh add - 192.100.229.132 1294348709.10093 570 > > I am trying to understan

Re: [ossec-list] OSSEC Windows agent runs for awhile and then stops

2011-01-07 Thread dan (ddp)
Hi Jason, On Fri, Jan 7, 2011 at 8:51 AM, Youngquist, Jason R. wrote: > Last weekend I installed OSSEC on a number of servers.  On one Windows server > OSSEC will run for awhile, and then it will stop.  I went into the server and > re-started OSSEC, and it ran for awhile and then stopped again.

Re: [ossec-list] Trouble with Agents

2011-01-10 Thread dan (ddp)
Hi Billy, On Mon, Jan 10, 2011 at 12:55 PM, Billy McCarthy wrote: > I've got Ossec up and running, using the RPMs provided by Atomicorp, but > cannot get agents to talk to the main server.  When I run `manage_agents` on > my main server it gives me the short menu, like you see on clients.  I was

Re: [ossec-list] Ossec-agentd CPU Utilization and Limits

2011-01-10 Thread dan (ddp)
Hi Jeremy, On Mon, Jan 10, 2011 at 11:35 AM, Jeremy Lee wrote: > Thanks for the response Daniel. Unfortunately, I didn't get to measure # of > events per second for the particular log. One thing I was also wondering > though: would the size of each log potentially create issues? The log is in > n

Re: [ossec-list] Ossec-agentd CPU Utilization and Limits

2011-01-10 Thread dan (ddp)
h for OSSEC to handle at least when volume/web traffic is > high for us. > If the log file ONLY receives logs from this application, you could write a script to read the messages and convert them into something more useful. > On Mon, Jan 10, 2011 at 11:49 AM, dan (ddp) wrote:

Re: [ossec-list] Trouble with Agents

2011-01-10 Thread dan (ddp)
On Mon, Jan 10, 2011 at 4:57 PM, Billy McCarthy wrote: > > > On Mon, Jan 10, 2011 at 11:45 AM, dan (ddp) wrote: >> >> Hi Billy, >> >> On Mon, Jan 10, 2011 at 12:55 PM, Billy McCarthy >> wrote: >> > I've got Ossec up and running, using the R

Re: [ossec-list] ossec agent and logs

2011-01-10 Thread dan (ddp)
Hi Andy, On Mon, Jan 10, 2011 at 5:18 PM, NetSyphon wrote: > Hello List, > Does OSSEC do any sort of log replay on either windows or *nix, so that if > an agent is stopped and started that it will "replay" to catch up?  I'm > trying to prove that OSSEC is at least a better option than something l

Re: [ossec-list] ossec agent and logs

2011-01-10 Thread dan (ddp)
> Splunk has some nice features. > On Mon, Jan 10, 2011 at 5:32 PM, dan (ddp) wrote: >> >> Hi Andy, >> >> On Mon, Jan 10, 2011 at 5:18 PM, NetSyphon wrote: >> > Hello List, >> > Does OSSEC do any sort of log replay on either windows or *nix, so th

Re: [ossec-list] Trouble with Agents

2011-01-10 Thread dan (ddp)
On Mon, Jan 10, 2011 at 5:48 PM, Billy McCarthy wrote: > > > On Mon, Jan 10, 2011 at 2:15 PM, dan (ddp) wrote: >> >> Is ossec-remoted running on the manager? >> After adding the agent through the manage_agents application, did you >> restart the OSSEC processes

Re: [ossec-list] ossec agent and logs

2011-01-10 Thread dan (ddp)
On Mon, Jan 10, 2011 at 5:37 PM, Michael Starks wrote: > On Mon, 10 Jan 2011 17:32:09 -0500, "dan (ddp)" wrote: >> >> Hi Andy, >> >> On Mon, Jan 10, 2011 at 5:18 PM, NetSyphon wrote: >>> >>> Hello List, >>> Does OSSEC do any sor

Re: [ossec-list] Trouble with Agents

2011-01-10 Thread dan (ddp)
On Mon, Jan 10, 2011 at 6:15 PM, Billy McCarthy wrote: > > > On Mon, Jan 10, 2011 at 3:02 PM, dan (ddp) wrote: >> >> On Mon, Jan 10, 2011 at 5:48 PM, Billy McCarthy >> wrote: >> > >> > >> > On Mon, Jan 10, 2011 at 2:15 PM, dan (ddp) wrot

Re: [ossec-list] Trouble with Agents

2011-01-10 Thread dan (ddp)
On Mon, Jan 10, 2011 at 6:48 PM, Billy McCarthy wrote: > > > On Mon, Jan 10, 2011 at 3:23 PM, dan (ddp) wrote: >> >> is only necessary for syslog connection types. >> >> It's very odd that there's no logs in the manager's ossec.log that >>

Re: [ossec-list] OSSEC server not logging

2011-01-11 Thread dan (ddp)
Hi Patrick, On Tue, Jan 11, 2011 at 11:54 AM, Patrick Melvin wrote: > Hello, I've run into another issue after "resolving" the last one. > The OSSEC server is not sending logs remotely to a log collector. > ossec-csyslogd shows in the logs that it starts ok, and is configured > to forward logs vi

Re: [ossec-list] OSSEC server not logging

2011-01-11 Thread dan (ddp)
c/syntax/head_ossec_config.reports.html Posting the ossec.conf (changing anything sensitive like passwords or IP addresses) might be helpful in tracking this down. Also check the ossec.log on the manager for any errors or messages that might provide a hint. > Thanks, > Patrick > > >

Re: [ossec-list] OSSEC server not logging

2011-01-11 Thread dan (ddp)
e was necessary in ossec_rules.xml? If it's just a local change, you should make it in local_rules.xml so it won't be overwritten during upgrades. > > On Tue, Jan 11, 2011 at 3:38 PM, dan (ddp) wrote: >> On Tue, Jan 11, 2011 at 3:24 PM, Patrick Melvin >> wrote: >>

Re: [ossec-list] OSSEC server not logging

2011-01-11 Thread dan (ddp)
is helpful if the stock rules change so you won't have to go through and modify your rule changes to match. > On Tue, Jan 11, 2011 at 4:17 PM, dan (ddp) wrote: >> On Tue, Jan 11, 2011 at 5:13 PM, Patrick Melvin >> wrote: >>> Hi Dan, as I was typing answers to your

Re: [ossec-list] ERROR: Error reading XML file 'etc/decoder.xml' -> No sense

2011-01-12 Thread dan (ddp)
On Wed, Jan 12, 2011 at 9:59 AM, NewRules wrote: > Hi, > > I just made a fresh install of version 2.5.1 of ossec on an AIX > server. But when I try to start OSSEC I get this : > >> ./bin/ossec-control start >> Starting OSSEC HIDS v2.5.1 (by Trend Micro Inc.)... >> 2011/01/12 15:49:03 ossec-analys

Re: [ossec-list] Filter email alerts by text

2011-01-12 Thread dan (ddp)
No, this isn't possible in OSSEC currently. On Wed, Jan 12, 2011 at 1:00 PM, Hugo Ferreira wrote: > Hello, > > Is it possible to filter which alerts are sent to the email by the alert > text? > > Example: > > Send via email every alert with level 10 or higher except those that have the > string “X

Re: [ossec-list] Re: Consolidating ossec.log and active-responses.log into alert.log and exporting it to a syslog server

2011-01-12 Thread dan (ddp)
Hi Saket, On Wed, Jan 12, 2011 at 9:14 PM, Saket wrote: > Hi, > > I noticed that when I send alerts to a syslog server all the logs show > up in the following format: > > Date Time Hostname ossec: Alert Level etc > > I need to know if it's possible to change ossec: to something else? >

Re: [ossec-list] Re: ossec agent and logs

2011-01-13 Thread dan (ddp)
On Thu, Jan 13, 2011 at 11:21 AM, Dave S wrote: > I've used Splunk, and it's a great event analyzer but it's a *very* > heavy client; even the "light" installation. So it's not something I'd > want to install on every average desktop in my enterprise. > That's why I appreciated ossec because the c

Re: [ossec-list] Re: high availability solution

2011-01-13 Thread dan (ddp)
On Thu, Jan 13, 2011 at 4:37 AM, carlopmart wrote: > On 01/12/2011 06:44 PM, Daniel Cid wrote: >> >> Yes, and it has worked well for me. >> >> One caveat is that the rids (message ids) will have to be >> exchanged/synced between each manager in the >> HA. A simple solution is to disable the id che

Re: [ossec-list] How to Purge Ossec Database

2011-01-13 Thread dan (ddp)
On Thu, Jan 13, 2011 at 10:28 AM, Devendra Agrawal wrote: > Hi, > > How can I purge the Ossec mysql Database? Without digging into the sql, you can drop the database and recreate it.

Re: [ossec-list] Unable to send message to server

2011-01-14 Thread dan (ddp)
Hi anderscooter, On Fri, Jan 14, 2011 at 11:16 AM, anderscooter wrote: > We are connecting to the server, but get these message "Unable to send > message to server". I enabled debugging but I cannot seem to find a > reason for the messages. This is only happening on a couple servers > and cannot

Re: [ossec-list] syscheck ignore, not actually ignoring?

2011-01-14 Thread dan (ddp)
Hi Bill, On Fri, Jan 14, 2011 at 1:10 PM, Bill wrote: > First, my apologies if this was already answered elsewhere.   I did look but > didn't find anything. > > Was anyone able to help with the ignores?  I'm running into the same sort of > problem, and have tried multiple variations on the ignore

Re: [ossec-list] syscheck ignore, not actually ignoring?

2011-01-14 Thread dan (ddp)
On Fri, Jan 14, 2011 at 2:05 PM, Christopher Moraes wrote: >> >> >> Integrity checksum changed for: 'C:\Program Files/Microsoft SQL >> Server/MSSQL/LOG/ERRORLOG.1' > > If you want to ignore files like ERRORLOG.1, I think your regex should be > "ERRORLOG.*" > sregex does not support '*': http://ww

Re: [ossec-list] syscheck ignore, not actually ignoring?

2011-01-14 Thread dan (ddp)
On Fri, Jan 14, 2011 at 1:53 PM, Bill wrote: > I'll give that a try - that makes sense as the whole file name really starts > at C: > There are others that also don't get ignored, I only showed the errorlog > example for brevity.   Shouldn't the first ignore line have prevented it? > > Thanks,

Re: [ossec-list] syscheck ignore, not actually ignoring?

2011-01-14 Thread dan (ddp)
Hi Shawn, On Fri, Jan 14, 2011 at 2:17 PM, Jefferson, Shawn wrote: > Hi, > > I don't believe that will work either... wildcards like that aren't > supported in the sregex are they? > > Putting "|ERRORLOG." should ignore all files with ERRORLOG. in the name, so > ERRORLOG.1, ERRORLOG.2, etc.. At le

Re: [ossec-list] syscheck ignore, not actually ignoring?

2011-01-14 Thread dan (ddp)
Hi Bill, On Fri, Jan 14, 2011 at 2:33 PM, Bill wrote: > Recursing directories could be part of it, though I have another > that also doesn't work for files in a specific directory. > c:\program files\Hughes Network Systems\PDReceiver\db > > But I receive: > > Integrity checksum changed for: 'C:\

Re: [ossec-list] syscheck ignore, not actually ignoring?

2011-01-14 Thread dan (ddp)
Hi Bill, On Fri, Jan 14, 2011 at 4:29 PM, Bill wrote: > First and foremost, thanks to all who replied here.   I'm backing off of the > directory ignores and just going with filenames in the regex ignore as those > seem to work more consistently. > > Shawn, I don't think that case and slash vs. ba

Re: [ossec-list] Re: Unable to send message to server

2011-01-14 Thread dan (ddp)
On Fri, Jan 14, 2011 at 4:52 PM, anderscooter wrote: > It looks like the problem at remote sites with large security logs and > every so often one of the message updates fail. We really don't need > to monitor the Windows Event logs. Is the only way to do this in the > Windows Agent config or can

Re: [ossec-list] anyone saw this article about ossec ?

2011-01-14 Thread dan (ddp)
Hi Marcus, On Fri, Jan 14, 2011 at 7:18 PM, Marcus Maciel wrote: > This is not good and wrong. Can anyone take time to comment? > > http://www.networkworld.com/community/node/70632 > > Thanks, > The article isn't about OSSEC, it's about a comment made by a Trend Micro executive. In my opinion th

Re: [ossec-list] Re: Unable to send message to server

2011-01-18 Thread dan (ddp)
will says things >> like this over and over again with the same "Audit Success IDs" and it >> looks like its all the WinEvtLogs. >> >> 2011/01/14 14:03:17 ossec-agent: DEBUG: Attempting to send message to >> server. >> 2011/01/14 14:03:17 ossec-agent:

Re: [ossec-list] Ignoring Subversion files

2011-01-19 Thread dan (ddp)
Hi Chris, On Wed, Jan 19, 2011 at 1:29 PM, Chris wrote: > I need to ignore all added files in a directory under under a folder > named .svn.  I added the rule below to local_rules.xml and restarted > the ossec server, but not the agents.  It still seems to be emailing > alerts.  Did I get the syn

Re: [ossec-list] Splunk and OSSEC overlap

2011-01-19 Thread dan (ddp)
Hi Tyler, On Wed, Jan 19, 2011 at 1:17 PM, wrote: > I’ve been looking into the functional overlap between SPLUNK and OSSEC, and > it seems that SPLUNK can accomplish many of the same tasks as OSSEC.  I’ve > used the OSSEC app for SPLUNK, so they must partner well, but I can’t find > very many di

Re: [ossec-list] ossec installation problem

2011-01-19 Thread dan (ddp)
Hi Henry, On Wed, Jan 19, 2011 at 3:55 AM, Henry wrote: > I have installed the ossec with server and agents,  I was able to > connect the agent with the server, but shortly, it appears on the > client is down with client log file > > 2011/01/15 01:02:04 ossec-syscheckd(1224): ERROR: Error sending

Re: [ossec-list] Server/Agent - ossec.conf being used, scan initiation

2011-01-19 Thread dan (ddp)
Hi Patrick, On Wed, Jan 19, 2011 at 4:14 PM, Patrick Melvin wrote: > Hello, I haven't had much luck finding these answers searching with > google, but I may not be using the correct search terms.  The > questions below are in regards to File Integrity Monitoring Scans. > > 1) Does the Server or A

Re: [ossec-list] How to Purge Ossec Database

2011-01-20 Thread dan (ddp)
Hi Mike, On Thu, Jan 20, 2011 at 12:50 PM, Mike Smith wrote: > Hello, > > I would like to know how I can get ossec to alert me any time a file with > the extension of .asp is placed within the c:\inetoub directory running > windows server 2003. > > c:\inetpub/*.asp or how do you do > it with a file

Re: [ossec-list] Re: ossec installation problem

2011-01-20 Thread dan (ddp)
You're still possibly missing the beginning of the error chain. The first message there says "socket busy," so something bad has happened. But we don't know what. It might be useful to figure out which processes are running on the agent when the error messages start. My guess is that one of them is

Re: [ossec-list] Re: high availability solution

2011-01-24 Thread dan (ddp)
Hi Jason, On Fri, Jan 21, 2011 at 10:26 PM, Jason 'XenoPhage' Frisvold wrote: > -BEGIN PGP SIGNED MESSAGE- > Hash: SHA1 > > On Jan 12, 2011, at 12:44 PM, Daniel Cid wrote: >> Yes, and it has worked well for me. >> >> One caveat is that the rids (message ids) will have to be >> exchanged/s

Re: [ossec-list] Report issues

2011-01-24 Thread dan (ddp)
Hi Ash, On Fri, Jan 21, 2011 at 1:40 PM, ash kumar wrote: > 1. Daily Reports: I still get blank daily reports. What may be the problems? What email server and client are you using? I think there is an issue with some servers where the entire message is included in the subject line for some reaso

Re: [ossec-list] Wildcard in Windows Agent

2011-01-24 Thread dan (ddp)
Hi Mike, On Sun, Jan 23, 2011 at 5:30 PM, Mike Smith wrote: > Hello, > > I have been trying to get this message to the mailing list, but seem to be > using the wrong address. > They're making it to the list. > How do I use a wild card like this c:\inetpub/* or can I use it like this > c:\inetp

Re: [ossec-list] Queries regarding OSSEC Syslog Collector

2011-01-24 Thread dan (ddp)
Hi Solomon, On Mon, Jan 24, 2011 at 9:06 AM, Solomon Joshua wrote: > Hello, > > Can OSSEC aggregate and display the Syslogs from any device in one location? > Can the data be collected/displayed based on IP Address, Name, Part of > message, Lookup by device or by message (raw string search)? > >

Re: [ossec-list] Problem with MySQL logs

2011-01-24 Thread dan (ddp)
lem?? Can it be solved by changing some settings in > the agent or something?? I searched and investigated, in both MySQL and > OSSEC, but nothing resolved the problem. > I hope I was sufficiently clear for you to understand the problem. > Thanks. > These logs appear to be multi-line logs. T
