I'm exploring the use of OSSEC and I've got a question the docs I've read
aren't yet answering. I think it's going to be quicker to just ask...
I have a single Linux box which runs in the DMZ. It has a few services,
with Apache and Squid being the main ones. I want to put OSSEC on it
primarily
Goodness, I'm nowhere near clued up enough to suggest how to improve things
just yet. I haven't read enough of it!
But note that neither yours nor Jan's posts actually answer my question
(although I completely appreciate your good intentions).
When I look at the basic information, here:
http:/
I have an application which OSSEC fits perfectly with, at least as far as
the security aspects of the problem are concerned - which is about 80% of
my problem. However I'd also like some additional log monitoring, which
isn't so much security related as normal system usage. I'd like to take
act
I'm trying to get syscheck to work. Actually, not so much work as show any
signs of life. :)
I've pared the task down to getting it to indicate something - anything -
has changed in a directory I've created on the local installation machine:
/etc/test.
My ossec.conf has this:
180
n
The ossec-init.conf file in the CentOS RPMs I picked up has the TYPE set to
'server'. I don't need that - I only need a local installation, so I
removed those RPMs and installed from the tarball, specifying 'local'.
However, given that I need to install on lots of machines I'd rather use
those
OK, thanks. Is there a list anywhere of the main differences between the
two configurations? I spent most of yesterday trawling through the docs
trying to work out what might be enabled in the "server" configuration
which I wouldn't want in a "local" configuration.
On Wednesday, 22 October 2014
Right, time to have another look at this. I've switched to the AtomiCorp
RPMs for CentOS, so everything should be in place. I've tried modifying a
file in a monitored directory and alerts.log shows nothing.
I suppose the first thing to ask is whether the system check works for
local installatio
>
> Was the file already in the syscheck database?
>
Yes.
> Did a syscheck scan run after you modified the file?
>
I don't know. That's the issue I'm confused about. How can I tell?
> The FAQ says that in order to run a system check you use the command:
> >
> > # /var/ossec/bin/agent_co
Aha, replying to self... It worked.
There's no clue it's found something from the ossec-syscheck stdout, even
when you run it in foreground with -vv. I'd spent an hour wading through
the code trying to see what it was doing, when the alerts log suddenly
popped up a message about one of the file
The problem was I didn't realise how slowly the scans happen, or how
quietly. When I saw the message in the log saying "INFO: Starting syscheck
scan." I kind of expected something to happen - disk activity, log messages
to start chugging by, etc. In fact, none of that happens. There's no clue
i
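One way to answer the "how can I tell whether a scan ran after my edit?" question above, added here as an example and not code from the thread or from OSSEC itself: it reads the "Starting syscheck scan." / "Ending syscheck scan." lines that ossec-syscheckd writes to ossec.log and compares them with the time you touched the file. The exact log line format and the sample excerpt are constructed assumptions; the point is that until a scan that *started after* your edit has also logged its "Ending" line, an empty alerts.log proves nothing.

```python
"""Did a completed syscheck scan run after a file was modified?

Added example, not from the original thread. Assumes ossec-syscheckd
logs lines of the form
  2014/10/22 09:00:00 ossec-syscheckd: INFO: Starting syscheck scan.
  2014/10/22 09:00:07 ossec-syscheckd: INFO: Ending syscheck scan.
to /var/ossec/logs/ossec.log (format assumed, timestamps are local time).
"""
import re
from datetime import datetime
from typing import List, Optional, Tuple

SCAN_LINE = re.compile(
    r"^(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) ossec-syscheckd: INFO: "
    r"(Starting|Ending) syscheck scan\.$"
)
TS_FORMAT = "%Y/%m/%d %H:%M:%S"


def parse_scans(log_text: str) -> List[Tuple[datetime, Optional[datetime]]]:
    """Return (start, end) pairs for every scan, in log order.

    A scan that has started but not yet logged "Ending" gets end=None,
    which is exactly the "it is still quietly running" case from the post.
    """
    scans = []
    start = None
    for line in log_text.splitlines():
        m = SCAN_LINE.match(line)
        if not m:
            continue
        when = datetime.strptime(m.group(1), TS_FORMAT)
        if m.group(2) == "Starting":
            if start is not None:          # previous scan never logged an end
                scans.append((start, None))
            start = when
        elif start is not None:
            scans.append((start, when))
            start = None
    if start is not None:
        scans.append((start, None))
    return scans


def scan_completed_after(log_text: str, modified_at: str) -> Optional[Tuple[str, str]]:
    """First finished scan that started after modified_at ("YYYY/MM/DD HH:MM:SS").

    Only such a scan could have compared the changed file against the
    syscheck database, so only then is it worth looking in alerts.log.
    """
    edited = datetime.strptime(modified_at, TS_FORMAT)
    for start, end in parse_scans(log_text):
        if start > edited and end is not None:
            return (start.strftime(TS_FORMAT), end.strftime(TS_FORMAT))
    return None


# Constructed ossec.log excerpt (not a real capture).
SAMPLE_LOG = """\
2014/10/22 09:00:00 ossec-syscheckd: INFO: Starting syscheck scan.
2014/10/22 09:00:07 ossec-syscheckd: INFO: Ending syscheck scan.
2014/10/22 09:02:10 ossec-analysisd: INFO: Started (pid: 1234).
2014/10/22 09:03:00 ossec-syscheckd: INFO: Starting syscheck scan.
"""

if __name__ == "__main__":
    edited = "2014/10/22 09:01:30"          # when the file under /etc/test was touched
    hit = scan_completed_after(SAMPLE_LOG, edited)
    if hit is None:
        print("no finished scan since the edit; wait for 'Ending syscheck scan.' or force one with agent_control")
    else:
        print("scan %s .. %s covered the edit; look in alerts.log" % hit)
```

Run it against a real ossec.log with `scan_completed_after(open("/var/ossec/logs/ossec.log").read(), "<mtime of your file>")`; `stat -c %y` gives the mtime in a close enough format to paste in after trimming the fraction and zone.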
Mine does. What sort of information are you looking for?
-Derek Morris
On Wed, Sep 22, 2010 at 3:54 PM, Christopher Moraes
wrote:
> Hi everyone,
>
> I'm preparing a recommendation to use OSSEC in my organization. Does
> anyone know where I can find references of other organi
ped
out tremendously in my travels.
Hope I have shared a story that others can relate to!!
-- Derek
>> the biggest area for improvement? What are we missing? We have already
>> talked a bit about key management and distributing the windows agent. What
>> else doesn't work too well? Any rules fp too much? Now is the time to get it
>> all out.
>>
>> --
>> Michael Starks
>> [I] Immutable Security
>> http://www.immutablesecurity.com
>>
>
>
--
- Derek
I do too. Even different categories.
- Derek
On Jan 21, 2011 2:52 PM, "ash kumar" wrote:
> 1. Daily Reports: I still get blank daily reports. What may be the
problems?
> 2. Ad hoc Reports: is there are way I can take results of ossec-reportd
and
> mail in a presentable f
le format, just summary information periodically?
>
> I don't understand, could you explain a bit more?
>
> > Any assistance would be greatly appreciated
> > Ash
>
--
- Derek
First off, this is a nice tool to see being worked on. My question to the
group is: has anyone got this working properly? I have tons of Undefined
Variables and no graphs. Any guidance is appreciated.
hs you remember that could do with changing I will
> happily have a look..
>
> On Friday, September 14, 2012 11:40:15 AM UTC+1, Xme wrote:
>>
>> I used it since the first release. The first installation was quite
>> "funny" and I had to fix lot of paths in
Andy,
You are a gentleman and a scholar, thanks for the help! Worked perfectly.
Again I have to add my applause on this project, it's really nice to have
this for a great product like Ossec. Best of luck and regards!!
- Derek
On Mon, Sep 17, 2012 at 4:43 AM, techsupp...@ecsc.co.uk <
techs
I ran into this problem a couple years ago. What I did was move the DHCP logs and
config to something like c:\dhcp, then in the ossec config call out each log file
as you did. There is something about being buried in system32 that ossec can't
work with well, on Win2008.
In my local_rules.xml I have these entries, not sure if they will help:
18104
^682|^4778|^1149
Remote Desktop Connection Established
sysadmin,
18104
^683|^4779
Remote Desktop Connection Disconnected
sysadmin,
On Monday, October 7, 2013 6:24:38 PM UTC-
Carlos, I used to see these all the time. I found what IPs they were
coming in from and blocked them at the FW level. It's usually some attack just
cycling through easy-picking names; sometimes you would see them hit in
alphabetical order too. A dictionary attack of sorts. Hope this helps.
On Monday, S
What we do is move the DHCP files out to a different directory like C:\DHCP
and it works fine on 2008 and 2012.
On Tuesday, October 23, 2012 3:34:47 PM UTC-4, Brian Sims wrote:
>
> I see there is an MS DHCP parser, but I'm not having much success in
> getting it to work in a stable fashion.
Would be happy to share my local_rules.xml and the "tweaked" msauth.xml
version I use. Let me know.
On Monday, February 23, 2015 at 3:28:39 PM UTC-5, Stephen Carr wrote:
>
> Hey there all, I’m wading into the realm of Domain Controller security
> logs and what is possible for filtering events to
I'm trying to automate the install of 3000+ 2.8 windows agents. I know
there is a silent switch to install the agent, but is there a way to import
the extracted key during the install also?
--
---
You received this message because you are subscribed to the Google Groups
"ossec-list" group.
I have a Security Onion installation, and am utilizing ossec, and I need to
up the max number of agents. I've found that you can run make setmaxagents
and recompile to up the limit, but I'm wondering if running that will mess
with any of my other settings. I asked the same question on the securit
I'm looking to get clarification on how OSSEC would work in a situation
where the agent might not always have access to the centralized server.
Would the alerts/fim notifications get queued up, and the next time the
server and agent are able to communicate those alerts/notifications get
sent? o
errant _ the service started
up like a charm. However, nothing useful was logged to ossec.log to tell me
what had gone wrong.
-Derek
From: ossec-list@googlegroups.com [ossec-l...@googlegroups.com] On Behalf Of
Peter M. Abraham [peter.abra...@dynamicnet.net
Is there a simple way to show the last time an agent connected to the
server? I'm looking for a way to identify agents that haven't been used for
say 2 months.
> On Tue, Aug 2, 2016 at 11:37 AM, Victor Fernandez
> wrote:
>
>> Hi Derek.
>>
>> You can do that by watching the modification time (with ls or stat) of
>> the agent's information file at /var/ossec/queue/agent-info. For
>> example, if t
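The mtime approach from the reply above, turned into a script that lists agents silent for longer than a threshold (two months in the question). This is an added example, not code from the thread or from OSSEC. It assumes the standard prefix /var/ossec and that the server names the files under queue/agent-info as "<agentname>-<ip>" and touches them on every check-in; the directory is a parameter so it can be run against a constructed copy first.

```python
"""Find OSSEC agents that have not checked in recently.

Added example, not from the original thread. It relies on the server
refreshing /var/ossec/queue/agent-info/<agentname>-<ip> each time the
agent talks to it, so the file's mtime is the last contact time
(assumption stated in the thread reply above).
"""
import os
import tempfile
import time
from typing import List, Optional, Tuple

DEFAULT_DIR = "/var/ossec/queue/agent-info"   # default install prefix assumed


def stale_agents(agent_info_dir: str, max_idle_seconds: float,
                 now: Optional[float] = None) -> List[Tuple[str, float]]:
    """Return (agent file name, idle seconds) for agents silent longer than
    max_idle_seconds, longest-silent first."""
    now = time.time() if now is None else now
    stale = []
    for name in os.listdir(agent_info_dir):
        path = os.path.join(agent_info_dir, name)
        if not os.path.isfile(path):
            continue                       # skip stray subdirectories
        idle = now - os.stat(path).st_mtime
        if idle > max_idle_seconds:
            stale.append((name, idle))
    stale.sort(key=lambda entry: -entry[1])
    return stale


def demo_dir() -> str:
    """Build a constructed agent-info directory (placeholder contents, backdated
    mtimes) so the check can be exercised without a live server."""
    d = tempfile.mkdtemp(prefix="agent-info-")
    now = time.time()
    for fname, age_days in (("web01-10.0.0.5", 1),
                            ("db01-10.0.0.9", 75),
                            ("old-laptop-10.0.1.40", 200)):
        p = os.path.join(d, fname)
        with open(p, "w") as f:
            f.write("constructed placeholder, not real agent info\n")
        then = now - age_days * 86400
        os.utime(p, (then, then))
    return d


if __name__ == "__main__":
    two_months = 60 * 86400
    for name, idle in stale_agents(demo_dir(), two_months):
        print("%-30s last seen %.0f days ago" % (name, idle / 86400))
```

On a real server run `stale_agents(DEFAULT_DIR, 60 * 86400)` as a user that can read the queue directory; pair the output with `manage_agents` if you intend to remove the dead entries, and remember that an agent which was only ever added but never connected has no agent-info file at all, so it will not show up here.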
So here is what I have in my local_rules.xml for Ossec for my RDP:
18104
^682|^4778|^1149
**Remote Desktop Connection Established**
sysadmin,
18104
^683|^4779
**Remote Desktop Connection Disconnected**
sysadmin,
Then on my servers in the ossec.conf fil
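To see what the two local_rules.xml entries above actually select, here is the same logic replayed in Python over Windows event lines. This is an added example, not code from the thread or from OSSEC: it assumes the classic agent line format "WinEvtLog: <log>: <status>(<event id>): <source>: <user>: <domain>: <host>: <message>", that the custom rules are children of msauth rule 18104 (audit success), and that the <id> field is tested with the posted regexes ^682|^4778|^1149 and ^683|^4779. The sample events are constructed, not captured logs.

```python
"""Replay the posted RDP rules over Windows event log lines.

Added example, not from the thread or from OSSEC. Assumed line format:
  WinEvtLog: <log>: <status>(<event id>): <source>: <user>: <domain>: <host>: <message>
"""
import re
from typing import Dict, List, Optional

WINEVT = re.compile(
    r"^WinEvtLog: (?P<log>[^:]+): (?P<status>[A-Z_]+)\((?P<id>\d+)\): "
    r"(?P<source>[^:]+): (?P<user>[^:]+): (?P<domain>[^:]+): "
    r"(?P<host>[^:]+): (?P<msg>.*)$"
)

# (regex over the event id field, description), exactly as in the posted rules.
RDP_RULES = [
    (re.compile(r"^682|^4778|^1149"), "Remote Desktop Connection Established"),
    (re.compile(r"^683|^4779"), "Remote Desktop Connection Disconnected"),
]


def decode(line: str) -> Optional[Dict[str, str]]:
    """Split one agent line into the fields the windows decoder exposes."""
    m = WINEVT.match(line)
    return m.groupdict() if m else None


def classify(line: str) -> Optional[str]:
    """Return the description of the RDP rule that fires, or None.

    Mirrors the rule tree: the parent (18104) only fires for AUDIT_SUCCESS,
    so an audit failure never reaches the two child rules.
    """
    ev = decode(line)
    if ev is None or ev["status"] != "AUDIT_SUCCESS":
        return None
    for pattern, description in RDP_RULES:
        if pattern.match(ev["id"]):
            return description
    return None


def summarize(lines: List[str]) -> Dict[str, int]:
    """Count fired rules over a batch of lines (a poor man's report)."""
    counts: Dict[str, int] = {}
    for line in lines:
        d = classify(line)
        if d:
            counts[d] = counts.get(d, 0) + 1
    return counts


# Constructed sample events (not real captured logs).
SAMPLE = [
    "WinEvtLog: Security: AUDIT_SUCCESS(4778): Microsoft-Windows-Security-Auditing: "
    "(no user): no domain: SRV01: A session was reconnected to a Window Station.",
    "WinEvtLog: Security: AUDIT_SUCCESS(4779): Microsoft-Windows-Security-Auditing: "
    "(no user): no domain: SRV01: A session was disconnected from a Window Station.",
    "WinEvtLog: Security: AUDIT_SUCCESS(4624): Microsoft-Windows-Security-Auditing: "
    "jdoe: CORP: SRV01: An account was successfully logged on.",
    "WinEvtLog: Security: AUDIT_SUCCESS(682): Security: jdoe: CORP: SRV02: "
    "Session reconnected to winstation: Console.",
    "WinEvtLog: Security: AUDIT_FAILURE(4625): Microsoft-Windows-Security-Auditing: "
    "(no user): no domain: SRV01: An account failed to log on.",
]

if __name__ == "__main__":
    for line in SAMPLE:
        print("%-40s <- %s" % (classify(line), line[:60]))
    print(summarize(SAMPLE))
```

Two things this makes visible. The 4624 logon and the 4625 failure are ignored, which is what you want from rules scoped to the RDP session events. And ^682 is a prefix match, so in OSSEC's <id> field it would also accept any id that merely starts with 682; if you want an exact id, anchor both ends (^682$), which OSSEC's regex syntax supports.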
Jesus, sure let me pull one up of a connect and disconnect for RDP:
CONNECTION TO SERVER VIA RDP FROM REMOTE WORKSTATION: (SANITIZED OF COURSE)
__
OSSEC HIDS Notification.
2016 Aug 12 07:48:23
Received From: (servername) IP.IP.IP.IP->WinEvtLog
ones. Should I just modify the msauth_rules.xml files as required, or is
there a different best practice?
Thanks
Derek
I am trying to add some rules to my local_rules.xml file, and I've noticed
that after I add the rules and restart the ossec service, after a while, maybe
10-30 minutes or so (I didn't time it), the rule is gone from the
local_rules.xml file. Is this normal behavior? Where did my rules go?
Thanks for
I'm running this on a security onion setup with a master and sensor
servers. I am modifying the local_rules file on each sensor server so maybe
this is why it's not acting right?
On Wed, Aug 31, 2016 at 9:33 AM, dan (ddp) wrote:
> On Wed, Aug 31, 2016 at 10:26 AM, Derek Day wr
I'll try that. Thanks for the advice.
On Wed, Aug 31, 2016 at 9:37 AM, dan (ddp) wrote:
> On Wed, Aug 31, 2016 at 10:36 AM, Derek Day wrote:
> > I'm running this on a security onion setup with a master and sensor
> servers.
> > I am modifying the local_rules file on
Just an update in case anyone else does the same thing. Dan's advice was
correct. Add the rule you wish to add to the master server and not directly
to the sensor and it will propagate out. Not sure why I didn't think of
that to begin with.
Thank you Dan
On Wed, Aug 31, 2016 at 9:38
If I have a system that has an ossec agent running, and the system needs to
be rebuilt or replaced, using the same name and address space etc., just a PC
refresh, do I need to generate a new ID and client.keys on the server side
or can I use the same id/client.keys that was previously created for t
I have it even higher on my servers, both 32 and 64 bit, running around 90%.
After a few minutes it settles down though. I would like to know what it is too!
> I have some servers (both 32 & 64bit) Windows 2003 R2 servers that after
> reboot the ossec service & lsass.exe start to take over the cpu
I really like the new UI, just installed the new version. Any one have a quick
tip on how to change the font throughout the UI to Tahoma??
- Derek
Thanks Tim, I went through and found it. How about changing that line at the top
that is orange to red, and when you hover over MAIN, SEARCH, INTEG CHECKING that's
orange too. Any ideas???
> Saw your message when browsing the mailing list online (don't have a
> valid account to reply to the list th
This would make my life easier as well!!
>
> Oh great OSSEC oracles,
>
> Has anyone created a decoder that extracts the source IP addresses from
> authentication failures under Windows? I have OSSEC monitoring our
> Windows AD domain controllers, but I only wish to be alerted if there
> are multi
Yes, I have a few times. What kind of problems are you having!? I would like to help ya if
I can.
- Derek Morris
[EMAIL PROTECTED]
>
> Did anyone install OSSEC1.4 server with web UI 0.3 on Fedora 8 yet.
>
> My install is working fine on Fedora 6.I just installed web interface
> 0.3 tod
Daniel,
I would like to help in beta testing if you need.
- Derek Morris
>
> Hi Lists (ossec-list and dev),
>
> Just some updates for those who are not following our site/blog lately.
>
>
> -The OSSEC book was officially released last month and is available on
> all
me too
> Hi list, I have a very strange problem with ossec. I receive a large quantity of
> mails informing me that an agent disconnected. Reviewing the equipment and network
> performance, I do not encounter problems.
> Someone knows it can be happening?
>
> Cheers,
> Martin
>
Can anyone help me out with setting this Ossec agent and MS Exchange 2007 to
start showing some alerts and messages in Ossec.
- Derek
Any good come from this!?
-Derek
>>
>> So they only log local connections to the outside? Or received
>> connections too? do you have a few
>> more entries showing these different situations?
>>
>> Btw, from these logs, is there anything important th
I just went through an upgrade, really easy, the 1.5 version sees the older
version and just does the upgrade, you may have to re-edit your rules after the
upgrade, but that is easy.
-Derek
>
> Hi everyone,
> I'm looking for upgrade instructions for upgrading from version 1.4 to
That's a good idea, I have been wondering about a changelog myself.
>
> Greetings:
>
> RE: http://www.ossec.net/main/downloads/
>
> Please consider adding links to the latest Unix and Windows builds
> which were created to resolve various problems (i.e. Windows
> disconnects), etc.
>
> Please incl
The 1.5.x with the changes would be nice too. Even for the snapshots you release,
a changelog or cvs log would be good.
-Derek
>
> Hi,
>
> That's a very good idea. Another suggestion I received was to release
> small versions with these
> fixes (like v1.5.1, 1.5.2, etc
I just want to say Congratulations to you!!
-Derek Morris
> Hi Lists,
>
> I have very good news to share with you. Hope you all like it :)
>
> First, from now I will be working full time on OSSEC, being fully
> sponsored (and paid) by Third Brigade (http://www.thirdbrigade.
That would be great, are you going to make it open to the ossec community?
-Derek
> Greetings,
> I am interested in possibly creating a new OSSEC web interface. What
> sort of back-end database does OSSEC use today? I thought it was mysql,
> but I think I'm w
What is the procedure to use MySQL as the database for ossec?
- Derek
Got it, the fix was to add mysql to the PATH variable.
-Derek
>
> http://www.ossec.net/wiki/index.php/Know_How:DatabaseOutput
>
> Cheers,
>
> Dale
>
> On Thu, Jun 26, 2008 at 8:37 AM, Derek J. Morris
> <[EMAIL PROTECTED]> wrote:
>>
>> What is the pro
Tried and no luck.
make setdb
Error: MySQL client libraries not installed.
Error: PostgreSQL client libraries not installed.
Error: DB libraries not installed.
And MySQL is installed and working properly for many other apps.
Any help is appreciated!
-Derek
>
> http://www.ossec.ne
Thanks for the response, it came down to adding the mysql bin path to the PATH
variable. Worked after that.
>
> Derek,
>
> Try downloading the MySQL client development libraries for your distro.
> On debian, the deb looks something _like_ "apt-get install
> libmysqlclient15-d
How has the transition over to Third Brigade gone for Ossec?
You can use my info to scale up
14 windows agents
2 linux agents
1 ossec server > Dell GX240 P4 1.7..512MB RAM, 40 GB hard drive, 10/100 intel
nic..running FC8..apache,php,mysql,wildfire,nagios to monitor same boxes
DOESN'T EVEN BREAK A SWEAT. Hope that helps ya!
-D. Morris
>
> Hi what hardware
Any movement toward a new WUI anytime soon?
-Derek Morris
PS running ossec1.6 on Fedora8 with 14 windows agents working flawlessly.
>
> Hi list,
>
> Direct from: http://www.ossec.net/main/ossec-v16-released
>
> "
> We are pleased to announce the general availab
Any news on an update to the WUI? What sort of changes are going to happen?
- Derek J. Morris
- CIO of DigitalMorris
level 7...also a level 2 bumped up to a level 8 and so on.
- Derek Morris
I see the changelog for the version releases but not for the snapshots that get
put out. Is there one, or can one be created?
Derek Morris
President of DigitalMorris Technologies
http://www.ossec.net/files
> Is there a place on the OSSEC site to download OSSEC 1.6? All I can
> find is OSSEC 1.6.1.
>
> Thanks
>
> Dennis Carter GSNA
> Information Security Analyst
> Pinellas County Business Technology Services
> 727-464-4527
> [EMAIL PROTECTED]
Anyone have MSAUTH Custom rules written they would like to share out?
-Derek Morris
>
> In the most current msauth-rules.xml, eventid 680 is disabled, stating
> that it is a duplicate. Unfortunately that is not the case. A failed
> 680 event is how a Windows 2003 Server AD contro
I agree that would be a huge help for me and my deployment as well.
> Any idea on how I can get Access to show real value instead of %%1538
> and so on?
>
> thanks
>
> On Oct 31, 12:06 pm, [EMAIL PROTECTED] wrote:
>> Looking at the logs my Windows-Ossec agent send:
>>
>> 2008/10/31 12:57:21 oss
This translation through OSSEC would be a really nice feature. I hope it can
happen!
- Derek Morris
>
> Oh, come on! Don't you guys know out of the top of your heads that
> %%1538 means READ_CONTROL? :)
>
> That's how the event log gives to us when we read from it. Th
Any word on some updates on Ossec and the WUI coming down the pipe? Big fan of
the app and would love to see it keep getting better!
Derek J. Morris
DigitalMorris Technologies
I get a permission denied when running this. Any thoughts?
cat /var/ossec/logs/alerts/2008/Nov/ossec-alerts-20.log |grep -E
"\*\*.*authentication_failed" -A 6 | ./ossec_report_contrib.pl -t user
I get: -bash: /var/ossec/logs/alerts/2008/Nov/ossec-alerts-20.log: Permission
denied
Will this feature be built into the WebUI coming soon? These are great but using
them through the WebUI would be very nice to have.
-Derek Morris
As do I, 4 of them.
>
> I have v1.6.1 running in a 64-bit Windows 2003 environment with no
> problems.
>
> On Dec 3, 6:37 am, [EMAIL PROTECTED] wrote:
>> Installing v1.6.1 agent on 64-bit Windows 2003 server appears to have
>> corrupted the event logs and sent the server into endless reboot
>> cy
Anyone else having high CPU usage for the ossec-agent on a Windows 2008 Server?
Installed the latest and greatest agent and the server is latest and greatest
snapshot too. Any help is great!!
-Derek
Anyone using the nagios plugin called check_ossec.sh? If so, how did you
implement that?
Hi Bill,
What does the syntax look like in the config files for nagios??
> http://checkossec.googlecode.com/files/check_ossec.tgz
>
> A Nagios check for connected/disconnected OSSEC agents. We've found it to be
> incredibly useful to have. Hope it's useful to all of you.
>
>
> Bill
>
>
> --
>
> Thi
How do I get this to output to a file to be read later?
Ex:
zcat /var/ossec/logs/alerts/2009/Feb/*.gz | ./src/monitord/ossec-reportd -n
"Month Summary"
;
Nothing fancy but functional.
-Derek
>
> Hi Derek. Did you get an answer to this? I too am having trouble
> outputting it to anything other than the screen. Roch
>
> On 2/13/09, Derek J. Morris wrote:
>>
>> How do i get this to output to a file to be read later?
Any updates to the UI coming down the pipe? It's been about a year since 0.3 was put
out. Just curious!
I have been clearing Windows App, Sec and System logs all day today and not one
alert. I have it set for 8 and email on 8's. I am running V2.0 on server and
windows clients. Where can I look to see what's wrong?
-Derek
The event is not even in the ossec.log on the local machine; this happens on
Windows 2003 and 2008. That rule is set fine, I haven't changed it. Any help would
be appreciated.
-Derek
>
> Hi Derek,
>
> It should certainly have fired something. This is the rule we have
> looking f
It's in /var/ossec/bin.
> Hi,
>
> I installed ossec v2 on Redhat Linux in /usr/local directory and it is
> installed successfully. But I don't see /usr/local//bin/ossec-control
> to start the ossec. Any help is appreciated.
>
> Thanks,
>
Yes everything is set fine in the windows end. I get nothing on the ossec side.
>
> Derek,
>
> Can you confirm after clearing your log that there is a new log in the Windows
> Event Log that says the log has been cleared?
> Auditing might not be turned on in Windows for
I should have done this before, but I cycled the ossec server and all the agents and
got it going now. I appreciate you looking into it.
-Derek
> Hi Derek,
>
> I am not able to reproduce it in here... When I clear the event log,
> the first event I get is:
>
>
> ** Alert 1
Anyone hear from this user on this decoder?
>
> Hey,
>
> Yes, that sounds very interesting. Please share with us :) If you need
> any help, just ask.
>
> Thanks,
>
> --
> Daniel B. Cid
> dcid ( at ) ossec.net
>
> On Tue, Mar 17, 2009 at 12:23 AM, wrote:
>>
>> I've taken some time and created a
I just attempted to run the "Monthly Summary" Report, and it pegged my memory
and cpu and got nothing output. Any help would be appreciated!
My monthly summary report wont run. I get:
2009/05/02 00:15:01 ossec-reportd: INFO: Started (pid: 22713).
2009/05/02 00:18:18 shared-libs(1102): ERROR: Not enough Memory. Exiting.
cd /var/ossec/
zcat /var/ossec/logs/alerts/2009/Mar/*.gz | ./src/monitord/ossec-reportd -n
"Month Summary"
>
> Hi Derek,
>
> What command (and arguments) are you using? It seems that it is trying
> to allocate
> more than what you have available.
>
> Thanks,
I put this in based on instructions but can't get the log to be read. Am I
missing anything here?
-Derek Morris
> To those who have been waiting for this. I'm sorry! I got side tracked with
> a bunch of other projects and I forgot to send this to the list. I'm in the
> proc
Here is the code I use to run this:
cd /var/ossec/
zcat /var/ossec/logs/alerts/2009/Mar/*.gz | ./src/monitord/ossec-reportd -n
"Month Summary"
>
> Hi Derek,
>
> What command (and arguments) are you using? It seems that it is trying to
allocate
> more than what you h
.
-Derek
>
> phish phreek wrote:
>> In the last rules file I emailed to the list, I choose IDs in the 12200
>> range since the named rules were in the 12100 range. I've left the ipv4
>> rules for 2k3 and 2k8 in the 12200 range and put the 2k8 ipv6 rules in
>> the 1
Getting errors now:
2009/05/20 10:42:32 ossec-agent(1951): INFO: Analyzing event log: 'Application'.
2009/05/20 10:42:32 ossec-agent(1951): INFO: Analyzing event log: 'Security'.
2009/05/20 10:42:33 ossec-agent(1951): INFO: Analyzing event log: 'System'.
2009/05/20 10:42:34 ossec-agent(1103):
\system32\dhcp\DhcpSrvLog-Tue.log
syslog
c:\windows\system32\dhcp\DhcpSrvLog-Wed.log
syslog
C:\WINDOWS\system32\dhcp\DhcpSrvLog-Thu.log
syslog
C:\WINDOWS\system32\dhcp\DhcpSrvLog-Fri.log
syslog
> Hi Derek,
>
> How did you set your entry for this log?
Haha, yes I do :)!!
> Do you have this log file in the box?
>
> C:\WINDOWS\system32\dhcp\DhcpSrvLog-Thu.log
>
> thanks,
>
> On Thu, May 28, 2009 at 11:36 AM, Derek J. Morris
> wrote:
>> Made that change and still getting error in log on that server:
>>
Installed the snapshot on my ossec server, restarted the ossec service on the
windows server that is running dhcp too, results in log from windows server:
2009/05/28 13:46:15 ossec-execd(1350): INFO: Active response disabled. Exiting.
2009/05/28 13:46:15 ossec-agent(1410): INFO: Reading authentic
now. Hope this helps!! Any questions
about it feel free to email me.
-Derek
> Ok, the IPv6 logs decoder was working. However, the IPv4 decoder was not.
> The prematch that you had in the IPv4 was looking for a 4 digit year field
> instead of a 2 digit year. Looking back at the log samples I
in couple months.
-Derek Morris
server has 1.5gb of physical RAM, log directory is: 190MB.
-Derek
>
> Looks like you have too many logs on a machine that isn't quite big enough.
> reportd (recent ossec snapshot) is working on OpenBSD 4.5 (recent snapshot),
> and an old Centos box for me.
>
> How big is
t trying a smaller subset of logs works just fine.
>
> On Tue, Jun 2, 2009 at 9:46 AM, Derek J. Morris
> wrote:
>>
>> server has 1.5gb of physical RAM, log directory is: 190MB.
>>
>> -Derek
>>
>>>
>>> Looks like you have too many logs on a ma
Is there any way to see what has changed in the snapshots for the Windows Agent
and the Server? I don't see any changelog with some good detail in it.
-Derek