[ossec-list] Re: about agent.conf and ossec.conf ?which will have priority?

2013-04-03 Thread peng lin
OK ,i will try and send the result in there On Thursday, March 28, 2013 1:29:07 PM UTC+8, peng lin wrote: > > i see ossec have > Centralized<http://www.ossec.net/doc/manual/agent/agent-configuration.html> > configuration > if in agent.conf i will check a file . And in

[ossec-list] about agent.conf and ossec.conf ?which will have priority?

2013-03-28 Thread peng lin
i see ossec have Centralized configuration if in agent.conf i will check a file . And in agent's ossec.conf i ignore this file which one will take effect ? other if in agent.conf i will ignore file a and in agent's ossec.conf

Re: [ossec-list] two questions....can log/files monitor deep layer files ? syscheck ignore deep layer files ?

2012-12-24 Thread peng lin
On Saturday, December 22, 2012 8:38:28 PM UTC+8, peng lin wrote: > > I understand both syscheck and localfile 's functions and there are > different . > When I use syscheck, I hope I can ignore some certain files in the current > folder and the subdirectories instead

Re: [ossec-list] two questions....can log/files monitor deep layer files ? syscheck ignore deep layer files ?

2012-12-22 Thread peng lin
some certain files in the current folder and the subdirectories and don't need to note down the path in the configure file. On Thursday, December 20, 2012 9:31:36 PM UTC+8, dan (ddpbsd) wrote: > On Thu, Dec 20, 2012 at 1:04 AM, peng lin > > wrote: > > image, i have a this la

[ossec-list] two questions....can log/files monitor deep layer files ? syscheck ignore deep layer files ?

2012-12-20 Thread peng lin
image, i have a this layer folder . etc/ etc/a etc/betc/a/1 etc/a/1/1 etc/b/1 etc/c etc/yy.log etc/aaa and so on. like this etc|-a-1cc.log |-b-1---dd.xxx |-yy.log |-aaa if i want check all of .log file how to write in ossec.conf ? i hav

[ossec-list] Re: can use 2.7 replace ossim 's ossec ?

2012-12-11 Thread peng lin
and select "Upgrade" > as it will find the previous version. > > On Monday, December 10, 2012 9:13:07 PM UTC-8, peng lin wrote: >> >> can use 2.7 replace ossim 's ossec ? >> is that everyone do it ? >> >

[ossec-list] can use 2.7 replace ossim 's ossec ?

2012-12-10 Thread peng lin
can use 2.7 replace ossim 's ossec ? is that everyone do it ?

[ossec-list] Re: Log monitoring cost how much Bandwidth ?

2012-12-06 Thread peng lin
Thursday, December 6, 2012 1:49:20 PM UTC+8, peng lin wrote: > Log monitoring cost how much Bandwidth ? > if i use this to monitor agent 's syslog , did agent will send all of his > syslog to server ? > and server only process the syslog which agent send not store , or will

Re: [ossec-list] about hybrid mode question ----i finish it

2012-12-06 Thread peng lin
) wrote: > On Wed, Dec 5, 2012 at 6:18 AM, peng lin > > wrote: > > when i use netstat -antlup i saw a ossec-remoted in server > > so in hybrid server i run ./ossec-remoted so agent can connect to hybrid > > mode. > > but why ossec-remoted not run auto ? is it a bug ?

[ossec-list] Log monitoring cost how much Bandwidth ?

2012-12-06 Thread peng lin
Log monitoring cost how much Bandwidth ? if i use this to monitor agent 's syslog , did agent will send all of his syslog to server ? and server only process the syslog which agent send not store , or will copy it store to another place then process it

[ossec-list] Re: hostname is confused

2012-12-05 Thread peng lin
OSSEC which your highlight is your ossec server ? i think the alert is generated by your server . On Thursday, December 6, 2012 7:10:44 AM UTC+8, Scott wrote: > Am I doing something wrong? Most of my ossec alerts have the server's > hostname instead of the sending system's hostname. > > If I cal

[ossec-list] another question about report

2012-12-05 Thread peng lin
i see ossec have report function. if i want use this function,i should config it in every agent's conf file,or only to config server (or hybrid)'s conf file. ex. i hope see alert report and file change report . how should i set up ? every agent or server ?

[ossec-list] about hybrid mode question ----i finish it

2012-12-05 Thread peng lin
when i use netstat -antlup i saw a ossec-remoted in server so in hybrid server i run ./ossec-remoted so agent can connect to hybrid mode. but why ossec-remoted not run auto ? is it a bug ?

[ossec-list] Recent summary of the issues and new questions about hybrid mode

2012-12-05 Thread peng lin
1 can't restart windows agent in server AR should be enabled on all agents for the remote restart feature to work what is AR ? Is that a file in /var/ossec/etc/shard/ar ? how it use to do. and how to enabled. I not notes it in windows,but can resolve this problem. 2 About hybrid mode .

[ossec-list] some error of agent to connect hybrid mode server.

2012-12-05 Thread peng lin
12/12/05 14:49:04 ossec-syscheckd: INFO: Monitoring directory: '/sbin'. 2012/12/05 14:49:06 ossec-logcollector(1950): INFO: Analyzing file: '/var/log/messages'. 2012/12/05 14:49:06 ossec-logcollector(1950): INFO: Analyzing file: '/var/log/secure'. 2012/12/05 14:49:06 ossec-logcollector(1950): INF

[ossec-list] i understand hybrid mode ,but how to create key to give hybrid ?

2012-12-04 Thread peng lin
hybrid can create key to agent ,, how server create key to hybrid ? and how hybrid will import the key ?

Re: [ossec-list] can't restart windows agent in server ?

2012-12-04 Thread peng lin
i did it , and it work. change active response disable yes to no On Wednesday, December 5, 2012 10:35:33 AM UTC+8, peng lin wrote: > oh? In linux ,i needn't enable active response. > in windows i must enable it ,so that in server can restart > windows'agent ? > On Tue

[ossec-list] VERY THANKS TO Dan

2012-12-04 Thread peng lin
VERY THANKS TO Dan i looks this group ,a lot of questions is your answered. and your solved my lots of questions. Thank you for such a spirit of sharing. my english is not good .so just for THANK YOU

Re: [ossec-list] can't restart windows agent in server ?

2012-12-04 Thread peng lin
oh? In linux ,i needn't enable active response. in windows i must enable it ,so that in server can restart windows'agent ? On Tuesday, December 4, 2012 9:48:33 PM UTC+8, dan (ddpbsd) wrote: > On Tue, Dec 4, 2012 at 1:08 AM, peng lin > > wrote: > > can't r

Re: [ossec-list] where is hybrid mode ?

2012-12-04 Thread peng lin
On Tuesday, December 4, 2012 9:48:07 PM UTC+8, dan (ddpbsd) wrote: > > On Mon, Dec 3, 2012 at 9:37 PM, peng lin > > wrote: > > how to install with hybrid mode ? > > is that use this ? to layer Deploy? > >

[ossec-list] can't restart windows agent in server ?

2012-12-04 Thread peng lin
can't restart windows agent in server ? i think in server to restart all linux client is ok,but can't restart it in windows. (i can't see any about restart information in windows /ossec/logs) what happen ?

[ossec-list] where is hybrid mode ?

2012-12-03 Thread peng lin
how to install with hybrid mode ? is that use this ? to layer Deploy? server | | --- hybridhybrid | | | | agent agent

Re: [ossec-list] manage_agents -f :Unable to open file

2012-11-27 Thread peng lin
E > > The documentation has been updated to reflect this, but hasn't been pushed > live yet. > On Nov 26, 2012 11:15 PM, "peng lin" > > wrote: > >> how to use -f ? i have some error: >> # ./manage_agents -f test.csv >> Bulk load file: test.c

[ossec-list] manage_agents -f :Unable to open file

2012-11-26 Thread peng lin
how to use -f ? i have some error: # ./manage_agents -f test.csv Bulk load file: test.csv Opening: [test.csv] Failed.: No such file or directory 2012/11/27 11:45:14 manage_agents(1103): ERROR: Unable to open file 'test.csv'. in test.csv #vi test.csv 192.168.1.1,IDS1 Is that something wrong ?

[ossec-list] ossec connect to mysql error ?

2012-11-20 Thread peng lin
hi,i upgrade to ossec 2.7 final . both 2.7 final and 2.7 beta2 ,i used mysql to store message,everything seems ok,mysql have datas, but sometimes , i saw this error: 2012/11/21 10:03:38 ossec-dbd(5203): ERROR: Error executing query 'SELECT id FROM location WHERE name = 'ossec-hids->/var/log/se

Re: [ossec-list] alert new file when it created?

2012-11-11 Thread peng lin
On Friday, November 9, 2012 9:23:56 PM UTC+8, dan (ddpbsd) wrote: > > On Fri, Nov 9, 2012 at 12:41 AM, peng lin > > wrote: > > in my ossec.conf , i write > > yes > > > report_changes="yes">/103 > > Is realtime available for your mystery

[ossec-list] alert new file when it created?

2012-11-08 Thread peng lin
in my ossec.conf , i write yes /103 in my ossec_rule.xml,i write ossec syscheck_new_entry File added to the system. syscheck, ossec syscheck_new_entry File added to the system. syscheck, but in directory 103, when i set a new file ,i can't see any of alert . Is that something my config wrong