[ossec-list] Central ossec.conf management question

2017-02-01 Thread ehollis3942
Hello All, I am currently working on a central ossec.conf file which contains our Windows and Linux configurations for all clients. Here are a few background details: 1. We currently only have a few Linux deployments and roughly 6 Windows deployments as a POC. 2. All clients have a custom confi

Re: [ossec-list] Central ossec.conf management question

2017-02-01 Thread ehollis3942
Just a note, I have had /var/ossec/etc/shared/agent.conf go from having content back to being blank a number of times here without having any interaction on the server. Has anyone else experienced this? On Wednesday, February 1, 2017 at 12:38:44 PM UTC-5, dan (ddpbsd) wrote: > > On Wed, Feb 1, 2

Re: [ossec-list] Central ossec.conf management question

2017-02-01 Thread ehollis3942
Our OSSEC server is running the newest version of Security Onion, which has it built in. On Wednesday, February 1, 2017 at 1:15:16 PM UTC-5, dan (ddpbsd) wrote: > > On Wed, Feb 1, 2017 at 1:12 PM, > > wrote: > > Just a note, I have had /var/ossec/etc/shared/agent.conf go from having > > content

[ossec-list] OSSEC alerts on syslog

2017-03-14 Thread ehollis3942
Hello All, I have pointed my Symantec AV logs to our OSSEC server via syslog over port 514. I am seeing the logs come into ELSA, but not as OSSEC alerts. I have created a custom decoder and parser, and can confirm that it is working: **Phase 2: Completed decoding. decoder: 'Symantec' **

Re: [ossec-list] OSSEC alerts on syslog

2017-03-14 Thread ehollis3942
It's very strange... I have already enabled syslog over 514 from our Symantec server to the OSSEC server, and I see the logs coming into our ELSA instance, but I have grep'd our syslog files, OSSEC archive and OSSEC alerts files and do not see the log anywhere on the server... Where shoul

Re: [ossec-list] OSSEC alerts on syslog

2017-03-14 Thread ehollis3942
Hello, yes: root@xx:/var/log# netstat -tuna | grep 514 tcp0 0 0.0.0.0:514 0.0.0.0:* udp0 0 0.0.0.0:514 0.0.0.0:* syslog 161.182.xxx.xxx 161.182.xxx.xxx On Tuesday, March 14, 2017 at 1:48:17 PM UTC-4, jose wrote: > >

Re: [ossec-list] OSSEC alerts on syslog

2017-03-16 Thread ehollis3942
Here is the output: udp0 0 0.0.0.0:514 0.0.0.0:* 21090/syslog-ng This is the only instance... On Wednesday, March 15, 2017 at 2:41:58 PM UTC-4, dan (ddpbsd) wrote: > > On Tue, Mar 14, 2017 at 3:37 PM, > > wrote: > > Hello, yes: > > > > ro

Re: [ossec-list] OSSEC alerts on syslog

2017-03-27 Thread ehollis3942
Hi All, So I am currently still troubleshooting, but noticed that the syslog-ng process was listening on 514 TCP, but also had an entry for 514 UDP, which is the protocol I've set within my ossec.conf. Could this be part of the issue? My guess is that I only want 514 udp listening. On Thursday