Re: [ossec-list] Hybrid mode. Does it really work?

2013-11-25 Thread Gonzalo Sanchez
Hi, This is server A's configuration: */var/ossec/etc/ossec.conf* no secure rules_config.xml pam_rules.xml sshd_rules.xml telnetd_rules.xml syslog_rules.xml arpwatch_rules.xml symantec-av_rules.xml symantec-ws_rules.xml pix_rules.xml

Re: [ossec-list] Hybrid mode. Does it really work?

2013-11-25 Thread dan (ddp)
On Mon, Nov 25, 2013 at 6:56 AM, Gonzalo Sanchez wrote: > Hi, > > This is server A's configuration: > > /var/ossec/etc/ossec.conf > > > > no > > > > secure > > > > rules_config.xml > pam_rules.xml > sshd_rules.xml > telnetd_rules.xml > syslog_rules.xml >

Re: [ossec-list] Hybrid mode. Does it really work?

2013-11-25 Thread Gonzalo Sanchez
I don't understand you. Can you post the configuration changes here? What files should I change? /var/ossec/etc/ossec.conf or /var/ossec/ossec-agent/etc/ossec.conf ? Thanks a lot On Monday, 25 November 2013 14:16:10 UTC+1, dan (ddpbsd) wrote: > > On Mon, Nov 25, 2013 at 6:56 AM, Gonzalo Sa

Re: [ossec-list] Hybrid mode. Does it really work?

2013-11-25 Thread dan (ddp)
On Mon, Nov 25, 2013 at 8:28 AM, Gonzalo Sanchez wrote: > I don't understand you. > > Can you put here configuration's changes? Add a localfile entry for /var/ossec/logs/alerts/alerts/log. The log format should be ossecalert. > What files should I change? > /var/ossec/ossec-agent/etc/ossec.conf

Re: [ossec-list] Hybrid mode. Does it really work?

2013-11-25 Thread Gonzalo Sanchez
Hi, I added the following lines to */var/ossec/ossec-agent/etc/ossec.conf *on Server A (hybrid mode)*:* ossecalert /var/ossec/logs/alerts/alerts.log And I restarted ossec with *ossec-control* Right Checking the /var/ossec/logs/ossec.log on server A, I detect the following log: *2013/11/2

Re: [ossec-list] Hybrid mode. Does it really work?

2013-11-26 Thread Gonzalo Sanchez
Can anyone answer the previous post? On Monday, 25 November 2013 18:37:34 UTC+1, Gonzalo Sanchez wrote: > > Hi, > > I added the following lines to */var/ossec/ossec-agent/etc/ossec.conf *on Server A > (hybrid mode)*:* > > > > ossecalert > /var/ossec/logs/alerts/alerts.log > > > And I

Re: [ossec-list] Hybrid mode. Does it really work?

2013-11-26 Thread dan (ddp)
It's been less than 24h since you asked. Hold your horses. On Nov 26, 2013 6:58 AM, "Gonzalo Sanchez" wrote: > Can anyone answer the previous post? > > On Monday, 25 November 2013 18:37:34 UTC+1, Gonzalo Sanchez wrote: >> >> Hi, >> >> I added the following lines to */var/ossec/ossec-agent/etc/oss

Re: [ossec-list] Hybrid mode. Does it really work?

2013-11-26 Thread dan (ddp)
On Mon, Nov 25, 2013 at 12:37 PM, Gonzalo Sanchez wrote: > Hi, > > I added the following lines to /var/ossec/ossec-agent/etc/ossec.conf on Server A > (hybrid mode): > > > > ossecalert > /var/ossec/logs/alerts/alerts.log > > > And I restarted ossec with ossec-control > Right > > Checking the /va

Re: [ossec-list] Hybrid mode. Does it really work?

2013-11-26 Thread Gonzalo Sanchez
SELinux is not installed. I'm working with Debian 7. Checking permissions on */var/ossec/log/alerts on server A:* drwxr-x--- 3 ossec ossec 4,0K nov 25 12:36 2013 -rw-r- 2 ossec ossec 15K nov 26 15:33 alerts.log I think everything is correct, but the problem persists. El martes, 26 de noviemb

Re: [ossec-list] Hybrid mode. Does it really work?

2013-11-26 Thread dan (ddp)
On Tue, Nov 26, 2013 at 9:38 AM, Gonzalo Sanchez wrote: > SELinux is not installed. I'm working with Debian 7. > > Checking permissions on /var/ossec/log/alerts on server A: > > drwxr-x--- 3 ossec ossec 4,0K nov 25 12:36 2013 > -rw-r- 2 ossec ossec 15K nov 26 15:33 alerts.log > > > I think ev

Re: [ossec-list] Hybrid mode. Does it really work?

2013-11-27 Thread dan (ddp)
On Wed, Nov 27, 2013 at 5:54 AM, Gonzalo Sanchez wrote: > Hi, > > How can I trace the process ossec-logcollector? > It's still beyond me, but try strace. > Thanks a lot > > On Tuesday, 26 November 2013 15:47:19 UTC+1, dan (ddpbsd) wrote: >> >> On Tue, Nov 26, 2013 at 9:38 AM, Gonzalo Sa