[ossec-list] Re: Ossec Active Response support windows machine nr linux machine??

2022-02-04 Thread Yana Zaeva
Hi, Sure, it supports both Windows and Linux machines. You can check here the default script for each OS. Also, for further information, I will leave here a lin

Re: [ossec-list] Re: OSSEC JSON complete log format

2020-12-28 Thread Yana Zaeva
Hi Dan, Sure, it is from Wazuh but as an OSSEC based platform, OSSEC users can use the rules and decoders that have been developed for Wazuh too. In a nutshell, the decoders and rules that are by default in Wazuh but are not in OSSEC can be used in this tool too. The documentation regarding cu

Re: [ossec-list] Re: OSSEC JSON complete log format

2020-12-28 Thread dan (ddp)
On Mon, Dec 28, 2020 at 9:31 AM Yana Zaeva wrote: > > Hi Kyriakos, > > Sorry for the late response. The default JSON decoder that OSSEC uses > (which you can find at the path /var/ossec/ruleset/decoders/ > 0006-json_decoders.xml) should parse all the information present in a log. > For example,

[ossec-list] Re: OSSEC JSON complete log format

2020-12-28 Thread Yana Zaeva
Hi Kyriakos, Sorry for the late response. The default JSON decoder that OSSEC uses (which you can find at the path */var/ossec/ruleset/decoders/* *0006-json_decoders.xml) *should parse all the information present in a log. For example, using the tool *ossec-logtest* which you can find in */var/

[ossec-list] Re: OSSEC agents spooling

2020-09-21 Thread José Manuel López del Río
Hello Buser85, When the OSSEC agent goes offline, it will stop performing checks and collecting events locally. Therefore, no events are going to be generated regarding FIM, and no further disk space should be consumed. The logs stored at the *ossec.log* should only be reporting the inability t

[ossec-list] Re: Ossec and Monitoring Windows Defender Operational Logs

2020-08-20 Thread Juan Carlos Tello
Hello Jack, I realize this is a rather dated thread but I wanted to provide an answer for those that may land here through their search engine of preference. In order to collect events from Windows Defender you may use the following configuration: Microsoft-Windows-Windows Defende

[ossec-list] Re: ossec-Maild High CPU Usage

2020-04-27 Thread Upendra Gandhi
Hi, On Wednesday, April 1, 2020 at 11:58:13 AM UTC-5, SHADO wrote: > > Installed OSSEC on Ubuntu 18.04 LTS and just noticed that ossec-Maild is > causing the CPU to experience high CPU usage. > > Restarting the service or rebooting the system only provides temporary for > the CPU. > > Any sugge

Re: [ossec-list] Re: OSSEC 3.3.0 Install CentOS 8

2019-12-31 Thread Natassia M Stelmaszek
I understand that, it's just that your original post was a little... concise. As a non-developer/newbie it took me a little while to understand the where and the how. I just fleshed it out for other non-ossec veterans. If I sounded upset with you I apologize. I was feeling misled by the "Do

Re: [ossec-list] Re: OSSEC 3.3.0 Install CentOS 8

2019-12-31 Thread dan (ddp)
On Tue, Dec 31, 2019 at 2:16 PM Natassia M Stelmaszek wrote: > Dan, > > I'm sorry that I didn't respond sooner but I had to devote time to other > projects. > > So it looks like I was right, this is a defective (or perhaps deficient > would be more accurate) package. In order to get it to compil

[ossec-list] Re: OSSEC 3.3.0 Install CentOS 8

2019-12-31 Thread Natassia M Stelmaszek
Oh silly me! I realize now that I foolishly assumed that the documentation linked from the "official" web site www.ossec.net would be accurate and current. If any of you were unlucky enough to make the same mistake I refer you to: https://ossec-documentation.readthedocs.io/en/latest/index.

[ossec-list] Re: OSSEC 3.3.0 Install CentOS 8

2019-12-31 Thread Natassia M Stelmaszek
Dan, I'm sorry that I didn't respond sooner but I had to devote time to other projects. So it looks like I was right, this is a defective (or perhaps deficient would be more accurate) package. In order to get it to compile I had to download the source code from pcre.org and expand it into the

[ossec-list] Re: OSSEC v2.9.2 and Analogi - Database have incorrect schema

2019-05-01 Thread Nate
I just wanted to reply to this thread since it was related to the issues I ran into upgrading from OSSEC 2.4 to 3.2 (yep I know) - I did a search for all files in analogi with SELECT then filtered by "data." and replaced "data." with "alert." (including that period). From the analogi root: 1

Re: [ossec-list] Re: OSSEC seems to be dropping alerts...

2019-04-08 Thread dan (ddp)
On Mon, Apr 8, 2019 at 1:18 PM Ian Brown wrote: > > Also, I'm aware of the email_maxperhour setting (12 seems low for a default > setting?), however, as you can see in the alert info above, the alert was > created a week ago and was never delivered. > > Is there a command to show the ossec email

[ossec-list] Re: OSSEC seems to be dropping alerts...

2019-04-08 Thread Ian Brown
Also, I'm aware of the email_maxperhour setting (12 seems low for a default setting?), however, as you can see in the alert info above, the alert was created a week ago and was never delivered. Is there a command to show the ossec email queue, or a file/folder location I can check? Is there a

[ossec-list] Re: OSSEC Conference 2019

2019-01-31 Thread dan (ddp)
If you haven't looked at the line-up for the 2019 OSSEC Conference, you're missing out! It's amazing. I've been using OSSEC for a long time, and I'm blown away by the presenter list. If you're an OSSEC user and you can make it to this conference, you're doing yourself a disservice by not going. You

[ossec-list] Re: OSSEC Add-on and Splunk 7.x.x

2019-01-16 Thread steve sauer
Not sure what changed overnight but now seeing all alerts from OSSEC servers and agents. Let the data analysis begin! On Wednesday, January 16, 2019 at 8:12:14 AM UTC-7, steve sauer wrote: > > Is anybody using the OSSEC *Add-on* in Splunk 7.x.x. It seems rather > limited in what it parses

Re: [ossec-list] Re: Ossec (Ossim and active response anabled)

2019-01-14 Thread dan (ddp)
On Sun, Jan 13, 2019 at 1:44 PM Giorgio Biondi wrote: > > Hi, > > I have some experience with ossec server but few with ossim. > My target is replace ossim-server and replace it with ossim.. > > But Ossim come with this configuration (and have AR disabled) - follow > ossec.conf on ossim.. > > [s

[ossec-list] Re: Ossec (Ossim and active response anabled)

2019-01-14 Thread Giorgio Biondi
Hi Brian, good starting point.. thanks for your time and hint.. All the best. On Monday 14 January 2019 15:00:45 UTC+1, Brian Candler wrote: > > I would be inclined to try removing the > no block entirely. > > But really, for support of ossim you're best asking on the AlienVau

[ossec-list] Re: Ossec (Ossim and active response anabled)

2019-01-14 Thread Brian Candler
I would be inclined to try removing the no block entirely. But really, for support of ossim you're best asking on the AlienVault forums: https://www.alienvault.com/forums/ - scroll down to "OSSIM (OPEN SOURCE)" This is because the XML file you're editing is an ossim file, not an ossec on

[ossec-list] Re: Ossec (Ossim and active response anabled)

2019-01-13 Thread Giorgio Biondi
Hi, I have some experience with ossec server but few with ossim. My target is to replace ossim-server and replace it with ossim.. But Ossim comes with this configuration (and has AR disabled) - follow ossec.conf on ossim.. no AV - Alert - "$TIMESTAMP" --> RID: "$RULEID"; RL: "$R

[ossec-list] Re: Ossec (Ossim and active response anabled)

2019-01-13 Thread Brian Candler
Well, I'd guess you have a configuration error - maybe some missing options in the active response configuration. Would you care to post any configuration files you have created or changed, e.g. ossec.conf and local_internal_options.conf ? -- --- You received this message because you are sub

[ossec-list] Re: ossec syscheck encountered some problem

2018-12-31 Thread Brian Candler
Like I said, it's only a guess. I would first test it by increasing the limits just temporarily: e.g. sysctl fs.inotify.max_user_watches=524288 If that works then you can make the change permanent by updating /etc/sysctl.conf

[ossec-list] Re: ossec syscheck encountered some problem

2018-12-30 Thread junqian . octafa
Hi Brian, Thanks for your reply. So, what I need to do is increase the limit of the inotify right? as below: echo fs.inotify.max_user_watches=524288 | sudo tee -a /etc/sysctl.conf On Friday, 28 December 2018 16:58:46 UTC+8, Brian Candler wrote: > > As a guess, maybe you've hit a limit on the nu

[ossec-list] Re: ossec syscheck encountered some problem

2018-12-28 Thread Brian Candler
As a guess, maybe you've hit a limit on the number of inotify watches. https://github.com/guard/listen/wiki/Increasing-the-amount-of-inotify-watchers

[ossec-list] Re: OSSEC & Logstash

2018-12-20 Thread Patrick Rogne
Thank you for your work on this awesome conf file. I have been working with it lately but noticed today that the new version of logstash 6.6 looks like it will not be supporting the multiline codec anymore? I hope I am wrong, can you confirm this? On Saturday, March 8, 2014 at 4:02:35 PM UTC

[ossec-list] Re: Ossec and dovecot - never ending story

2018-11-14 Thread Giorgio Biondi
Hi Dan, NOW it works fine: [root@serverossec etc]# ../bin/ossec-logtest 2018/11/14 17:38:53 ossec-testrule: INFO: Reading local decoder file. 2018/11/14 17:38:53 ossec-testrule: INFO: Started (pid: 6990). ossec-testrule: Type one log per line. Nov 12 18:51:51 mailserver dovecot Nov 12 18:51:49 imap-

[ossec-list] Re: Ossec and dovecot - never ending story

2018-11-14 Thread Giorgio Biondi
> > Hi Dan, > now the new decoder works [root@serverossec etc]# ../bin/ossec-logtest 2018/11/14 15:51:13 ossec-testrule: INFO: Reading local decoder file. 2018/11/14 15:51:13 ossec-testrule: INFO: Started (pid: 64288). ossec-testrule: Type one log per line. Nov 12 18:51:51 mailserver dovecot No

Re: [ossec-list] Re: Ossec and dovecot - never ending story

2018-11-13 Thread dan (ddp)
On Tue, Nov 13, 2018 at 5:01 PM Giorgio Biondi wrote: > *Hi * > > > *I find many of these entries in my dovecot.log on my mailserver (iredmail):* > > Nov 13 22:42:42 imap-login: Info: Disconnected (auth failed, 1 attempts in > 5 secs): user=, method=PLAIN, rip=114.99.51.25, > lip=10.12.14.11, TLS, s

[ossec-list] Re: Ossec and dovecot - never ending story

2018-11-13 Thread Giorgio Biondi
*Hi * *I find many of these entries in my dovecot.log on my mailserver (iredmail):* Nov 13 22:42:42 imap-login: Info: Disconnected (auth failed, 1 attempts in 5 secs): user=, method=PLAIN, rip=114.99.51.25, lip=10.12.14.11, TLS, session= *I see this in the Splunk interface installed on my ossec

Re: [ossec-list] Re: OSSEC-WUI Available Agents

2018-11-02 Thread dan (ddp)
On Thu, Nov 1, 2018 at 9:09 AM Rodolfo Peña wrote: > > Hi, Frank > > although my log files say that the agent (a Mac running OSSEC on a virtual > box as an agent), connects to a server (OSSEC running as server on a virtual > box on another Mac), when I list the agents, via agent_control -l, the

[ossec-list] Re: OSSEC-WUI Available Agents

2018-11-01 Thread Rodolfo Peña
Hi Frank, although my log files say that the agent (a Mac running OSSEC on a virtual box as an agent) connects to a server (OSSEC running as server on a virtual box on another Mac), when I list the agents via agent_control -l, the agent shows as "Never connected." Agents running on Windows X

Re: [ossec-list] Re: ossec-dbd(5203): Table ossec.server doesn't exist

2018-10-17 Thread angelOs
Thank you Daniel. If somebody's interested in contributing to this, it would be an upturn on databases deployment. On Wednesday, 17 October 2018 at 2:25:50 PM UTC+3, user dan (ddpbsd) wrote: > > On Wed, Oct 17, 2018 at 7:14 AM angelOs > wrote: > > > > Why doesn't it generate tables automat

Re: [ossec-list] Re: ossec-dbd(5203): Table ossec.server doesn't exist

2018-10-17 Thread dan (ddp)
On Wed, Oct 17, 2018 at 7:14 AM angelOs wrote: > > Why doesn't it generate tables automatically; is this a configuration, or do I have to > create the tables manually? > Previously the documentation mentioned loading the schema manually. It's just easier than loading the logic and whatnot to load the tables m

[ossec-list] Re: ossec-dbd(5203): Table ossec.server doesn't exist

2018-10-17 Thread angelOs
Why doesn't it generate tables automatically; is this a configuration, or do I have to create the tables manually?

[ossec-list] Re: Ossec Agent Disconnect but it is not reporting

2018-09-21 Thread charles . mckee
Hello I am just wondering has anyone experienced this? Any information about how to solve this issue please let me know. Thanks Chuck On Wednesday, September 19, 2018 at 11:09:51 AM UTC-4, charle...@decisivedge.com wrote: > > Hello All > > I wanted to know if anyone has experienced that when

Re: [ossec-list] Re: OSSEC installation on CoreOS

2018-06-06 Thread dan (ddp)
On Wed, May 30, 2018 at 12:37 PM, wrote: > +1 on this question; really would like to know how someone did this; SDK, > toolbox, etc? > What challenges does CoreOS present that aren't a problem for a normal linux distribution? > On Thursday, November 9, 2017 at 11:37:35 AM UTC-5, SET wrote: >> >

[ossec-list] Re: OSSEC installation on CoreOS

2018-05-30 Thread carson
+1 on this question; really would like to know how someone did this; SDK, toolbox, etc? On Thursday, November 9, 2017 at 11:37:35 AM UTC-5, SET wrote: > > Hello, > Has anyone used OSSEC on CoreOS? How is it installed? Does it make > sense to use OSSEC on CoreOS? > Would be interested if y

[ossec-list] Re: OSSEC and TLS

2018-05-07 Thread DG
Thanks Bill. This makes complete sense. In fact it is something I had tested (searching through log for a match). I was curious if there is a way to have OSSEC perform TLS version checks rather than introducing a script/program that looks for TLS, writes to a log and then have OSSEC parse throu

[ossec-list] Re: OSSEC and TLS

2018-05-07 Thread Bill Price
Easiest is to write a local rule using the Match directive Example Found TLS version Lower than V1.2 You can use ossec-logtest to verify the results was it helpful? On Friday, May 4, 2018 at 7:23:08 PM UTC-4, DG wrote: > > Hi, > > I am a total newb to ossec so I apologize ahead of time. I hav

[ossec-list] Re: OSSEC-LOGTEST alert differance

2018-04-24 Thread alberto . rodriguez
Hello You will need to configure the frequency and timeframe in the rule 13 (http://ossec-docs.readthedocs.io/en/latest/syntax/head_rules.html). You can see some examples here: https://github.com/ossec/ossec-hids/blob/72641d6f22c63b97f290ae22d47a79032b56d0fd/etc/rules/sshd_rules.xml#L49

Re: [ossec-list] Re: OSSEC: Real time file monitoring not starting

2018-02-23 Thread temp . email . ith
So what is the difference, between say, the parameter in the ossec.conf file on the Server and the agent.conf file that eventually gets uploaded to the Agent? I was under the impression that the frequency setting in ossec.conf would be used locally if the Server were performing syschecks on it

Re: [ossec-list] Re: OSSEC: Real time file monitoring not starting

2018-02-23 Thread Santiago Bassett
That goes on the manager ossec.conf. The manager takes care of analyzing syscheck data received from the agents, and generates alerts. I hope it helps Santiago Bassett @santiagobassett > On Feb 23, 2018, at 9:59 AM, temp.email@gmail.com wrote: > > Hi Santiago, I just came across your post.

Re: [ossec-list] Re: OSSEC: Real time file monitoring not starting

2018-02-23 Thread temp . email . ith
Hi Santiago, I just came across your post. Are you saying that the auto_ignore and alert_new_files goes in /var/ossec/etc/ossec.conf on the manager OR in /var/ossec/etc/shared/agent.conf on the manager? Obviously, the latter will eventually be placed on the Agent. I thought that /var/ossec/etc/

[ossec-list] Re: Ossec and Oracle Logs

2018-02-13 Thread Bill Price
Hey Chuck, I have not actually tried to decode any Oracle logs. But have you used the ossec-logtest utility? I have used it to debug several application logging issues. You can pipe entire logs into it to see how ossec handles them. But for me, I start off simple. Start ossec-logtest, then

[ossec-list] Re: ossec / alienvault - issues getting application logs to AlienVault

2018-02-06 Thread Grant Leonard
You need to make sure the numbers you picked for your new rules exist in a DS group and you have the correct translation statements in your .cfg.local file for the plugin. Also, to ensure you get a hit with the rule, your level has to be > 0 to be written to alerts.log You are closing in sir!

RE: [ossec-list] Re: ossec-remoted high CPU

2018-01-22 Thread Sylvain Crouet
edi 22 décembre 2017 08:43 To: ossec-list@googlegroups.com Subject: RE: [ossec-list] Re: ossec-remoted high CPU Well, I will update all my 2.9.0 Windows agents to the last version. Cordialement / Regards Sylvain Crouet Security Officer - Security is everybody’s responsibility Mobi

[ossec-list] Re: OSSEC v2.9.2 and Analogi - Database have incorrect schema

2018-01-13 Thread ngrusz1
I've noticed a similar issue. I recently updated from an OSSEC 2.8.x install to a 2.9.x install. With my 2.8.x install, I had been using Analogi for quite some time. I encountered some issues enabling MySQL support during the update as this feature is not documented well and all the available d

RE: [ossec-list] Re: ossec-remoted high CPU

2017-12-21 Thread Sylvain Crouet
Behalf Of dan (ddp) Sent: Thursday 21 December 2017 13:57 To: ossec-list@googlegroups.com Subject: Re: [ossec-list] Re: ossec-remoted high CPU On Wed, Dec 20, 2017 at 4:48 AM, Sylvain Crouet wrote: > Hello, > > > > I updated the shared agent.conf file to discard some Windows events.

Re: [ossec-list] Re: ossec-remoted high CPU

2017-12-21 Thread dan (ddp)
.2. > > Any idea? > > > > Cordialement / Regards > > > > Sylvain Crouet > > Security Officer - Security is everybody’s responsibility > > Mobile +33 (0) 7 75 24 10 28 > > > > From: ossec-list@googlegroups.com [mailto:ossec-list@googlegroups.com]

Re: [ossec-list] Re: ossec-remoted high CPU

2017-12-20 Thread Brett Simpson
rity Officer - *Security is everybody’s responsibility* > > Mobile +33 (0) 7 75 24 10 28 > > > > *From:* ossec-list@googlegroups.com [mailto:ossec-list@googlegroups.com] *On > Behalf Of *Sylvain Crouet > *Sent:* Tuesday 19 December 2017 17:24 > *To:* ossec-list@googlegroups.

RE: [ossec-list] Re: ossec-remoted high CPU

2017-12-20 Thread Sylvain Crouet
@googlegroups.com] On Behalf Of Sylvain Crouet Sent: Tuesday 19 December 2017 17:24 To: ossec-list@googlegroups.com Subject: RE: [ossec-list] Re: ossec-remoted high CPU Done, very informative indeed. Thank you Brett. Cordialement / Regards Sylvain Crouet Security Officer - Security is everybody’s

RE: [ossec-list] Re: ossec-remoted high CPU

2017-12-19 Thread Sylvain Crouet
2017 14:42 To: ossec-list@googlegroups.com Subject: Re: [ossec-list] Re: ossec-remoted high CPU Do true inside your global ossec.conf directive on the ossec server. This will log everything to /var/ossec/logs/archives/archives.log. I would do that for 5 minutes then disable it and look through

Re: [ossec-list] Re: ossec-remoted high CPU

2017-12-19 Thread Brett Simpson
responsibility* > > Mobile +33 (0) 7 75 24 10 28 > > > > *From:* ossec-list@googlegroups.com [mailto:ossec-list@googlegroups.com] *On > Behalf Of *Brett Simpson > *Sent:* Thursday 14 December 2017 18:38 > *To:* ossec-list > *Subject:* [ossec-list] Re: ossec-remoted high C

RE: [ossec-list] Re: ossec-remoted high CPU

2017-12-19 Thread Sylvain Crouet
@googlegroups.com [mailto:ossec-list@googlegroups.com] On Behalf Of Brett Simpson Sent: Thursday 14 December 2017 18:38 To: ossec-list Subject: [ossec-list] Re: ossec-remoted high CPU I would suggest you turn on debug on one of the agents and see what the agent is trying to send versus what the server actually

[ossec-list] Re: ossec-remoted high CPU

2017-12-14 Thread Brett Simpson
I would suggest you turn on debug on one of the agents and see what the agent is trying to send versus what the server actually keeps. I had issues with a few event IDs generating thousands of events per second that weren't even used by the ossec server so I used a line like this on the agent to

[ossec-list] Re: OSSEC syscheck on defined Agent

2017-12-01 Thread Leroy Tennison
You need to clarify, are these servers agents? If so then you need to look into config-profile for the agent configuration. Define different profiles in the manager's /var/ossec/etc/shared/agent.conf and specify the appropriate profile for the agent in its ossec.conf using config-profile. On

[ossec-list] Re: Ossec Windows Agent trying to connect forever

2017-12-01 Thread Leroy Tennison
Wait a minute, is this a new install, how did you get the key installed on the client? If there's an automated way to do that please post in a reply. On Tuesday, November 14, 2017 at 7:26:55 AM UTC-6, Julia Vitoria Cardoso wrote: > > Hi, I have a test setup with a windows agent and a server Cen

[ossec-list] Re: Ossec Windows Agent trying to connect forever

2017-12-01 Thread Leroy Tennison
Although the context was AlienVault this solution worked for me in an internally-installed manager-client environment: http://www.itinthedatacenter.com/wordpress/?p=369 On Tuesday, November 14, 2017 at 7:26:55 AM UTC-6, Julia Vitoria Cardoso wrote: > > Hi, I have a test setup with a windows age

Re: [ossec-list] Re: ossec-wui search results shows totals, but no details of results

2017-11-04 Thread ashik . mohammed
rectory. > > It is working now for me. > > -JL > > -Original Message- > From: ossec...@googlegroups.com [mailto: > ossec...@googlegroups.com ] On Behalf > Of John Lewis > Sent: Tuesday, April 24, 2007 8:50 AM > To: 'Daniel Cid'; ossec...@googlegro

Re: [ossec-list] Re: ossec-keepalive bug is back in v2.7-beta1

2017-10-09 Thread dan (ddp)
On Oct 9, 2017 8:02 AM, "Rohit Sethi" wrote: I had ossec installed initially with an agent limit of 256 (default). Now due to business requirements I had to increase the limit to 2048. I went to the /src directory and ran the set max agent command and set the limit to 2048; after that I ran install.sh

[ossec-list] Re: ossec-keepalive bug is back in v2.7-beta1

2017-10-09 Thread Rohit Sethi
I had ossec installed initially with an agent limit of 256 (default). Now due to business requirements I had to increase the limit to 2048. I went to the /src directory and ran the set max agent command and set the limit to 2048; after that I ran install.sh and upgraded ossec. I see all the agents

[ossec-list] Re: OSSEC 2.9.2 Slack integration integrity check alert no hostname

2017-09-11 Thread Fredrik Hilmersson
Update: I'm aware that the ossec,syscheck Alert does state the hostname, however when performing multiple updates/upgrades on several agents, it's rather hard to keep track of which alert belongs to which ossec/syscheck. On Monday 11 September 2017 at 13:56:41 UTC+2, Fredrik Hilmersson wrote: > >

[ossec-list] Re: ossec-keepalive

2017-08-28 Thread Leroy Tennison
Thanks for the answer, that clarifies my understanding. Sounds like you would like to see the alert details so here they are ("our-demo" below is an agent, not the server): OSSEC HIDS Notification. 2017 Aug 27 08:20:39 Received From: (our-demo) 10.nnn.nnn.nnn->ossec-keepalive Rule: 1002 fired

Re: [ossec-list] Re: OSSEC regular expression example for agent.conf

2017-08-28 Thread dan (ddp)
On Aug 28, 2017 2:46 PM, "Leroy Tennison" wrote: I wondered about that but verify-agent-conf didn't complain so I thought it was valid. I guess that means regex is only valid in rules? Rules and decoders are the only places that come to mind at the moment. On Monday, August 28, 2017 at 9:4

[ossec-list] Re: OSSEC regular expression example for agent.conf

2017-08-28 Thread Leroy Tennison
I wondered about that but verify-agent-conf didn't complain so I thought it was valid. I guess that means regex is only valid in rules? On Monday, August 28, 2017 at 9:40:53 AM UTC-5, Leroy Tennison wrote: > > I'm having trouble getting an ignore expression to actually ignore a > change and sus

[ossec-list] Re: OSSEC 2.9.2 release

2017-08-15 Thread Fredrik Hilmersson
Great job! Much appreciated. On Thursday 10 August 2017 at 01:09:46 UTC+2, dan (ddpbsd) wrote: > > OSSEC 2.9.2 has been released. This is mostly a bug-fix/rules update > release. > Thank you to everyone who has contributed time and effort into the > project, it is truly appreciated! > > Get i

[ossec-list] Re: OSSEC create a decoder (31101)

2017-08-15 Thread Fredrik Hilmersson
Thank you! I did add what you gave me in the local_decoder.xml as you said. From here I will try to learn how to proceed to create a custom decoder, so, as you said, a modified web-accesslog doesn't get overwritten with updates. kind regards On Friday 4 August 2017 at 15:40:15 UTC+2, Fredri

[ossec-list] Re: OSSEC Alert rule for powershell

2017-08-09 Thread alberto . rodriguez
Hello Daryl Here you'll find some decoders (in same repository, folder rules are the rules) for Sysmon. Although the decoders are built for Wazuh, it's possible to use them with some modification. T

[ossec-list] Re: ossec blocked all ips? everywhere?

2017-07-12 Thread Jesus Linares
In case that you want to block all connections, you can create an active response script to add a specific rule in iptables. On Wednesday, July 12, 2017 at 1:03:01 PM UTC+2, Jesus Linares wrote: > > I think, by default, OSSEC has the active-response for blocking an IP if > an alert higher than 6

[ossec-list] Re: ossec blocked all ips? everywhere?

2017-07-12 Thread Jesus Linares
I think, by default, OSSEC has the active-response for blocking an IP if an alert higher than 6 is fired. I recommend to disable this setting. Regards. On Tuesday, July 11, 2017 at 8:37:21 PM UTC+2, Cristian Lorenzetto wrote: > > is there a condition where ossec blocks all incoming connections

Re: [ossec-list] Re: ossec reports

2017-07-11 Thread Sean Roe
I have the following stanzas in my config: yes s...@x.com mail.X.com. oss...@ossec.x.com # Database section here syscheck Daily report: File changes s...@x.com m...@x.com I am getting OSSEC Notification emails now

[ossec-list] Re: ossec reports

2017-07-11 Thread Rocio Romero
Hi Sean, Have you configured the global email options in the section? You should have something like this: yes m...@test.com mail.test.com. he...@test.com ... In case you want to use an email that uses SMTP authentication you will need to confi

[ossec-list] Re: OSSEC rule match time and timeframe

2017-07-11 Thread Fredrik Hilmersson
I did end up doing this, user and hostname. However this isn't the 'optimal' solution as I do prefer to get alerts from the user + hostname at other times than ignoring it every half an hour. I will look more into the element time later on, and see if there's a way to achieve what I was trying

[ossec-list] Re: OSSEC 2.9.0 don't works with Prelude SIEM

2017-07-09 Thread Roman Romanov
Many thanks, it works! On Sunday, July 9, 2017 at 2:50:59 PM UTC+3, Roman Romanov wrote: > > Hello, > > after upgrading from OSSEC 2.8.2 to OSSEC 2.9.0: > cd ossec-hids-2.9.0/src > make setprelude > I have an error: > # make setprelude > make: *** No rule to make target 'setprelude'. Stop. > > Th

[ossec-list] Re: OSSEC log analysis settings for apache access/error.log

2017-07-09 Thread Kazim Koybasi
Thank you for your answers. Now it triggers rule 31152 normally. I had overwritten the rule frequency in local rules and forgot that. Sorry for that mistake. On Thursday, 6 July 2017 23:37:55 UTC+3, Kazim Koybasi wrote: > > I added config below to etc/shared/agent.conf in ossec-server home > d

Re: [ossec-list] Re: OSSEC log analysis settings for apache access/error.log

2017-07-08 Thread dan (ddp)
On Fri, Jul 7, 2017 at 4:15 AM, Kazim Koybasi wrote: > Yes OSSEC mentions the log files and says it is analyzing the log file. I tried > with apache log format and without logformat settings and the results are the > same. What could be a workaround for that? > Provide a log sample of a log you expect to fire an

[ossec-list] Re: OSSEC log analysis settings for apache access/error.log

2017-07-07 Thread Jesus Linares
Hi Kazim, - Review the ossec.log of your agent: is it monitoring the file? are there errors? - The log file must exist before OSSEC is started. - Try with the format "syslog". - Copy some logs to /var/ossec/bin/ossec-logtest and check if an alert would be generated. Just som

[ossec-list] Re: OSSEC log analysis settings for apache access/error.log

2017-07-07 Thread Kazim Koybasi
Yes OSSEC mentions the log files and says it is analyzing the log file. I tried with apache log format and without logformat settings and the results are the same. What could be a workaround for that? On Thursday, 6 July 2017 23:37:55 UTC+3, Kazim Koybasi wrote: > > I added config below to etc/shared/agent.conf

Re: [ossec-list] Re: OSSEC log analysis settings for apache access/error.log

2017-07-06 Thread dan (ddp)
On Thu, Jul 6, 2017 at 5:05 PM, Kazim Koybasi wrote: > Thanks for the quick response. > > The server is running apache. I restarted apache and it shows a log that it monitors > all apache config, and I connected with my browser and made multiple 404 error > codes from the same server. The default log level is 7 for ossec

[ossec-list] Re: OSSEC log analysis settings for apache access/error.log

2017-07-06 Thread Kazim Koybasi
Thanks for the quick response. The server is running apache. I restarted the ossec server and agent. It shows logs that it monitors all apache config, and I connected with my browser and made multiple 404 error codes from the same server. The default log level is 7 for ossec. OSSEC exact configuration like below and

[ossec-list] Re: OSSEC log analysis settings for apache access/error.log

2017-07-06 Thread Kazim Koybasi
Thanks for the quick response. The server is running apache. I restarted apache and it shows a log that it monitors all apache config, and I connected with my browser and made multiple 404 error codes from the same server. The default log level is 7 for ossec. OSSEC exact configuration like below and my server hosts 7

Re: [ossec-list] Re: OSSEC rule not firing

2017-07-05 Thread dan (ddp)
On Wed, Jul 5, 2017 at 11:41 AM, Bob Boklewski wrote: > Also, what does the "if_sid" match to? I am trying to understand how to > create custom rules and it seems this "if_sid" is unique and defined > somewhere. I see that rule id and description can be whatever you want and > "id" is the event

[ossec-list] Re: OSSEC rule not firing

2017-07-05 Thread Bob Boklewski
Also, what does the "if_sid" match to? I am trying to understand how to create custom rules and it seems this "if_sid" is unique and defined somewhere. I see that rule id and description can be whatever you want and "id" is the event id number you want to monitor. Any help is much appreciat

[ossec-list] Re: OSSEC rule match time and timeframe

2017-07-04 Thread Jesus Linares
Hi Fredrik, do you want to ignore the rule 5501 if it is fired by your script? Is it not enough with the hostname and the user? Regards. On Monday, July 3, 2017 at 12:10:18 PM UTC+2, Fredrik Hilmersson wrote: > > Hello, > > Let's say I have a script which runs once every half an hour. With a

[ossec-list] Re: OSSEC ignore ip issue

2017-06-24 Thread Fredrik Hilmersson
Of course, my bad, this is how I set it up. sshd MYIP no_email_alert Ignore rule 5715 for host 5501 agent server hostname (ex. webserver01) no_email_alert Ignore rule 5501 for host On Wednesday, June 21, 2017 at 12:00:04 UTC+2, Jesus Linares wrote: > > What hostname? > > If you s

[ossec-list] Re: OSSEC ignore ip issue

2017-06-21 Thread Jesus Linares
What hostname? If you share your rules, you may help other users with the same issue. Regards. On Tuesday, June 20, 2017 at 2:31:57 PM UTC+2, Fredrik Hilmersson wrote: > > Thanks a lot Jesus, > > I did solve it by creating two local rules, one for rule 5715 matching the > srcip, > and one rule to m

[ossec-list] Re: OSSEC ignore ip issue

2017-06-20 Thread Fredrik Hilmersson
Thanks a lot Jesus, I did solve it by creating two local rules, one for rule 5715 matching the srcip, and one rule to match the hostname to ignore the 5501. Kind regards, Fredrik On Tuesday, June 20, 2017 at 14:09:39 UTC+2, Jesus Linares wrote: > > Hi Fredrik, > > when you create a new ssh connection

[ossec-list] Re: OSSEC ignore ip issue

2017-06-20 Thread Jesus Linares
Hi Fredrik, when you create a new ssh connection, the following alerts are generated: ** Alert 1497960059.10786: - syslog,sshd,authentication_success,pci_dss_10.2.5,2017 Jun 20 12:00:59 ip-10-0-0-10->/var/log/auth.log Rule: 5715 (level 3) -> 'sshd: authentication success.' Src IP: 10.10.10.10

[ossec-list] Re: OSSEC ignore ip issue

2017-06-20 Thread Fredrik Hilmersson
Hey Jesus, I'm only overwriting rule 5501 to increase its alert level to 7 (as I am testing to only send an alert if the level is 7 or lower). I did test the following: 5501 Remote IP Ignoring host remote IP also: 5501 Remote IP no_email_alert Ignoring host remote IP However, I still get alert

[ossec-list] Re: OSSEC ignore ip issue

2017-06-19 Thread Jesus Linares
Your second rule is ignoring only alerts with level 2 and with your IP. I think you could use if_sid. Why are you overwriting the rule 5501? Regards. On Monday, June 19, 2017 at 12:00:29 PM UTC+2, Fredrik Hilmersson wrote: > > Hello, > > So I got the following custom rule on the ossec serv

[ossec-list] Re: OSSEC Agent Logs Showing Error

2017-06-19 Thread Jesus Linares
Hi, it looks like you have another instance of authd running: 2017/06/16 06:06:33 ossec-authd: Unable to bind to port 1515 Kill the authd and run it again. Then register your agent and restart it. I hope it helps. On Friday, June 16, 2017 at 2:50:01 PM UTC+2, Arvind Lavania wrote: > > Hi, > >

[ossec-list] Re: OSSEC - windows event

2017-06-15 Thread alberto . rodriguez
Hello Irshad, You have configured your manager to record all events in archives.log. In this file, you have all the events, and there is the event you want to see on the GUI. But an event may or may not be an alert. And if you want to see it on the GUI, it must be an alert. This is the

[ossec-list] Re: OSSEC-LOGTEST yet Alert Generated yet: **Alert to be generated

2017-06-15 Thread Irshad Rahimbux
Hello. This is a very old thread, but I am facing some similar issues. Can you post the rules you used to make that work? Thanks. On Friday, April 13, 2012 at 10:04:21 PM UTC+4, tomcelica wrote: > > Any ideas what my next step is? No alert logged even though the rule > tests and seems to work

[ossec-list] Re: OSSEC - windows event

2017-06-15 Thread Irshad Rahimbux
The logs are being pushed to archives.log and not ossec.log On Thursday, June 15, 2017 at 11:09:01 AM UTC+4, Irshad Rahimbux wrote: > > > Hi, > > I have done the following changes in my configuration files as follows: > > > OAlerts > eventchannel > > > Logs are being pushed to ossec.

[ossec-list] Re: OSSEC - windows event

2017-06-15 Thread Irshad Rahimbux
Hi, I have done the following changes in my configuration files as follows: OAlerts eventchannel Logs are being pushed to ossec.log on server as follows: 2017 Jun 15 09:23:19 (Host-172-27-5-231) 172.27.5.231->WinEvtLog 2017 Jun 14 11:55:22 WinEvtLog: OAlerts: INFORMATION(300): Mi

[ossec-list] Re: OSSEC rule to avoid alerts for apt-daily

2017-06-08 Thread Jesus Linares
Hi Fredrik, you want to do something like: "if Starting daily apt activities -> disable syscheck for that agent". I think there is no way to do it. The rule engine doesn't allow rules like "if event A (starting apt) and event B (syscheck) -> rule to ignore event". You can create a rule to igno

[ossec-list] Re: OSSEC - windows event

2017-06-01 Thread Jesus Linares
Hi Irshad, sorry, I thought it was the same problem as Akash's. I would like to be able to retrieve logs from windows machine to my OSSIM Do you mean OSSEC, right? Review the ossec.log of your agent. Maybe the location is wrong or there are no events. I hope it helps. Regards. On Thursday,

[ossec-list] Re: OSSEC - windows event

2017-05-31 Thread Irshad Rahimbux
Can anyone provide some help? @Jesus Linares... the link you provided is not helping much. It's for another issue. On Wednesday, May 31, 2017 at 1:07:19 PM UTC+4, Jesus Linares wrote: > > https://groups.google.com/forum/#!topic/ossec-list/wcIE_EcDVxo > > On Tuesday, May 30, 2017 at 4:34:46 PM UT

[ossec-list] Re: OSSEC - windows event

2017-05-31 Thread Jesus Linares
https://groups.google.com/forum/#!topic/ossec-list/wcIE_EcDVxo On Tuesday, May 30, 2017 at 4:34:46 PM UTC+2, Akash Munjal wrote: > > > Hi All, > > I am also facing the same problem. I am not getting alerts of > creation/deletion of files from the Windows agent > to my manager (Linux). Agent show connec
