Questions tagged [ossec]
OSSEC is an Open Source Host-based Intrusion Detection System. It performs log analysis, file integrity checking, policy monitoring, rootkit detection, real-time alerting and active response. (from www.ossec.net)
73
questions
0
votes
0
answers
56
views
Custom OSSEC decoder working in ossec-logtest but not when real OSSEC is used
I'm having some trouble using a custom decoder I defined for OSSEC 3.7.0. I only need to extract srcip, dstip and protocol from my iptables logs, but OSSEC's decoders also extract srcport and dstport, ...
0
votes
1
answer
38
views
How to make OSSEC send email when it is stopped?
OSSEC sends an email when it is started, but not when it is stopped. So, if someone would somehow get access to the server, he could just stop the OSSEC and do whatever he wants without me knowing it. ...
- 141
1
vote
0
answers
420
views
OSSEC Multiple "Integrity Checksum Changed" Alerts
I know this question has been asked several times, but the answers do not seem to work.
After installing OSSEC server on my Ubuntu Server 18.04 LTS machine, I've received hundreds of "Integrity ...
- 11
0
votes
1
answer
104
views
Get OSSEC syscheck to alert on change to directory but not its contents
We are running OSSEC 3.2 on some Debian servers. We are using OSSEC's syscheck to alert us when certain files and directories change.
I want syscheck to generate an alert when the directory /tmp ...
- 2,721
0
votes
0
answers
92
views
Can I use OSSEC in a home LAN to monitor for intrusion and malwares?
I'm not quite sure I understand what OSSEC does. But after HiddenWasp, I would like to make sure my Windows and Linux machines in my home are safe. (And harden my VPS)
Does OSSEC support antimalware ...
- 113
0
votes
1
answer
639
views
ossec client.keys in the master is missing agent details frequently
I've setup ossec architecture for my client. Most of the agents that were actively reporting to ossec master, moves to disconnected status. On analysis I was able to find out that client.keys the ...
- 1
0
votes
1
answer
841
views
OSSEC Ignore Alert
I have OSSEC 2.94 setup and running on CentOS7. I have it sending a emails upon qualifying alert conditions. Everything appears to be functioning properly with regards to sending alerts. However, ...
- 357
1
vote
2
answers
516
views
OSSEC Ignore a Snap core loop device
Does any one know how to ignore a /dev/loop device in ossec .
The Ubuntu 18 LTS has 2 loop drives
/dev/loop0 87M 87M 0 100% /snap/core/4486
/dev/loop1 87M 87M 0 100% /snap/...
1
vote
2
answers
2k
views
Retrieve pfSense/freeBSD logs with elk
I am attempting to centralize logs from different systems.
I installed the Elastick Stack (Elasticsearch, Logstash, Kibana) and WAZUH OSSEC on one server (named elk).
I have installed the OSSEC ...
- 110
1
vote
1
answer
400
views
Disable OSSEC email for SSH maximum authentication attempts
I try to disable the email notifications for the OSSEC rule 5758.
<rule id="5758" level="8">
<decoded_as>sshd</decoded_as>
<match>^error: maximum authentication attempts ...
- 13
0
votes
1
answer
2k
views
Linux files permissions denied on log files
I have installed nxlog to send my logs to a graylog server. It works fine, but I have a denied permission on the logs of my HIDS Ossec.
My process nxlog (launched by collector-sidecar) run as root :
...
- 1,345
0
votes
0
answers
1k
views
OSSEC - Not seeing alerts on the Server from file changes on the Agent
I have an OSSEC server and Agent installed and configured. I have imported the key to the Agent and they appear to be communicating. However, I am trying test the file integrity monitoring feature and ...
- 503
2
votes
1
answer
5k
views
How can I make the OSSEC server service start automatically on reboot?
I am running CentOS7 with OSSEC 2.9.2. Is there a way to make OSSEC automatically start the server after a reboot? Currently it appears to require that I run the ossec-control start after every ...
- 121
-3
votes
1
answer
106
views
How can ossec handle a virus that already spread into the deepest system? [closed]
As far as I know, OSSEC is a Open Source HIDS. It's a "Detection System". I read in journals, it collect logs and flag any anomaly that had been found in a system ( e.g. Debian Server ) and do some ...
- 89
1
vote
1
answer
3k
views
OSSEC Windows Agent Fails to Sync Configuration
This has proved an annoyance for the past several days, and I have yet to figure out the root cause.
In a lab, I've setup two virtual machines, an OSSEC Server Appliance and a Windows 7 x64 ...
- 161
0
votes
1
answer
335
views
ossec 2.8.3 : getting autentication alerts from Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational
on ossec 2.8.3 I am trying to get alerts only for rdp autentications from windows agents.
These events are shown in the clients event log
Microsoft-Windows-TerminalServices-RemoteConnectionManager/...
- 744
0
votes
1
answer
2k
views
How to stop certain processes from polluting the messages log
We have a certain process related to Azure that is running that is constantly writing out the following to our logs:
Aug 18 06:54:28 log-ids-vm rsyslogd-3000: omazuremds error at connect(). errno=No ...
- 133
0
votes
1
answer
382
views
Snort and OSSEC Can't Run Simultaneously
I am trying to set up IDS on a system composed of AWS Ubuntu 16.04 instances. My HIDS is managed by OSSEC 2.8.1 and my NIDS is managed by Snort 2.9.9.0 (parsed by Barnyard2 version 2.1.14, which also ...
- 101
0
votes
1
answer
67
views
OSSEC Treat Multiple Files as One
A while back I posted about using OSSEC as a sudo SIEM as far as sending logs from various servers to one OSSEC server and using the correlation to trip alerts. Overall that solution worked very well ...
- 1,393
0
votes
2
answers
377
views
wazuh agent won't send file events unless restarted
Have a wazuh (ossec fork) server and an agent (testing for now). the server gets all the info from the agent (login attempts and so on) but one thing - file changes (creation, deletion and so on). ...
- 233
0
votes
1
answer
312
views
Clam Unknown OSSEC Warning
There is a problem with Clam antivirus on my server. I am getting this notification from OSSEC once per day. I am not sure where to look or what the problem actually is. Could anyone point to the ...
- 509
1
vote
1
answer
816
views
How to run OSSEC over TCP
I've got ossec working fine with several clients/agents with the default UDP:1514. However, after adding tcp to the server's ossec.conf file, removing and re-adding the agents, and restarting ossec on ...
- 165
1
vote
1
answer
176
views
Can OSSEC's active-response handle things at a cluster level?
We are running OSSEC as a client-server model. ClientA & ClientB servers are web servers behind a load balancer. They both send information to a single OSSEC server (ServerA), where it invokes ...
- 21
0
votes
1
answer
422
views
ossec updated to 2.9.0 on centos 6 via atomic repo - won't start
I've had the atomic repo and ossec installed for a few years. It recently updated to 2.9.0 from 2.8.3 and it removed /var/ossec/bin/ossec-control. Now ossec won't start.
I ran "yum whatprovides */...
- 333
0
votes
2
answers
1k
views
ossec realtime file monitoring only reports on first change but fullow up changes are only reported by scheduled follow up scans
we currently have some ossec agents running on windows and real time monitoring for files activated - with the following configuration on the agent site:
<syscheck>
<!-- Frequency that ...
- 29
1
vote
1
answer
541
views
OSSEC Exclude Sub-directory Alerts
I have added this rule to receive real-time alerts but I would like to modify it or add another rule so that I can exclude the sub-folder var/www/html/wp-content/cache
<directories report_changes="...
- 509
0
votes
1
answer
518
views
How to make ossec send only one email for an alert?
I installed ossec with local installation and is working fine. It is sending email alerts fine but seems to be sending the same email over and over for an alert.
For example, an alert email is sent ...
1
vote
1
answer
555
views
keep ossec iptables rules after restarting OSSEC
I have 6 OSSEC installations (5 agents + 1 server, all Debian 8) all configured to block repeated offenders using iptables from 10 minutes to 1 month.
I have the need to restart one or more of the ...
- 481
0
votes
2
answers
2k
views
Has anyone used any custom decoders with OSSEC?
I have the OSSEC HIDS software version 2.8.3 running on a RHEL 6 server. We have been testing this in the lab with a DNS server to track queries that come into our RPZ and Malware zones. The DNS ...
- 649
4
votes
1
answer
10k
views
Postfix Send only Without a FQDN
I'm using OSSEC and Nagios to build a sort of HID system on our network. Everything is going smoothly so far; however I cannot get OSSEC to send email alerts.
What I'm trying to do right now is get ...
- 143
4
votes
1
answer
3k
views
How/where does one get a version of the OSSEC agent-auth application that will run on Windows?
I have successfully configured an OSSEC server running on Ubuntu in AWS.
I have also successfully automated Ubuntu AWS instances automatically installing the OSSEC agent and connecting to the OSSEC ...
- 81
0
votes
1
answer
2k
views
OSSEC alerts without hosting SMTP
I've been searching without a solid solution yet. I need to send OSSEC email alerts from my OSSEC server, but without hosting an SMTP server (postfix, etc). I get rejected by the Google SMTP servers (...
- 1
1
vote
1
answer
191
views
Install ossec ids on citrix xenserver dom0
I'm running citrix xen server on a server with two nic each with dedicated public ip and the management interface is directly connected to the www and protected with iptables that allow connections ...
- 21
1
vote
1
answer
480
views
How to create custom notification for ossec
I am installing OSSEC for secure our servers, and I want to use slack instead of email for notification.
Is there a way to send alerts via slack? Is there any way to add another notification system ...
- 320
0
votes
0
answers
1k
views
OSSEC Web UI 404 on initial setup
I'm trying to setup the OSSEC web UI on a fresh installation of OSSEC on Ubuntu 15.04 Server Edition. I setup the server with the default LAMP stack and OSSEC HIDS seems to have installed successfully....
- 11
1
vote
0
answers
246
views
OSSEC error, file 'not found or unable to stat'
I can't seem to squash this error. I recently installed OSSEC on a Digital Ocean droplet, and I'm getting this message every 15 minutes or so. I've tried blocking the client IP addresses with UFW, ...
- 11
0
votes
2
answers
2k
views
How do I get OSSEC manage_agents to read a file?
According to the help docs of manage_clients:
-f Bulk generate client keys from file. (Manager only).
contains lines in IP,NAME format.
So I tried this:
root@ossec-server:/...
- 946
6
votes
4
answers
9k
views
OSSEC disk space usage
A few days ago I noticed that the disk of my Ubuntu server was almost full. I dug a bit and found out that the disk space was used by OSSEC, in the /var/ossec/queue/diff folder.
I wanted to try ...
- 93
0
votes
1
answer
750
views
Change OSSEC alert emails "From" header
I'd like to know how to change the name in the "From" header for emails sent by OSSEC. I couldn't find any information about that.
Alerts I receive from my server are quite well organized. And OSSEC ...
- 93
2
votes
2
answers
10k
views
OSSEC won't start, Error: queue not accessible
I'm trying to set up OSSEC on a CemtOS 6.5 server. This is to be installed as an agent, not a server or local instance. The package successfully installed and I created the clients.key file, but when ...
- 164
0
votes
1
answer
210
views
OSSEC - Multiple VM's on a single DELL blade (XenServer Hypervisor)
I have a DELL blade with ~100 VM's (with a Citrix XenServer 6.1 hypervisor), all with ossec agent connected to a ossec server outside that same blade.
I have a bit of a problem: they all run rootkit ...
- 61
0
votes
1
answer
546
views
Is there a better way of handling ossec-logcollector?
I have been working to integrate application logs with the ossec logcollector.
I have successfully created, decoded, command, rules etc, and everything works and fires triggers.
However our ...
- 643
1
vote
2
answers
2k
views
Deploying Ossec HIDS Windows Agent via GPO
I am trying to deploy OSSEC agent to about 100 Windows 7 boxes through GPO on our AD. I understand that I need to create and MSI from the EXE and import the specific client.keys file for the windows ...
- 11
0
votes
1
answer
53
views
How to filter errors 404 to show only those which are related to php files?
One of my web servers is getting flooded with requests to resources that do not exist anymore, generating the corresponding 404 error. As I'm using OSSEC and OSSIM, then these errors are sent to the ...
user149678
2
votes
2
answers
1k
views
Using OSSEC HIPS alongside rsyslog, overkill?
I have been tasked to harden our company linux servers. One of the problems that was outlined was the fact that logs are stored on the server which poses two problems:
Difficult to aggregate and ...
- 173
1
vote
1
answer
575
views
OSSec not working on server with multiple IPS
I had to add another IP address to our server (eth0:1 192.168.0.100) and all of the sudden ossec client stopped working.
On the client side I'm seeing this:
2014/02/19 02:31:28 ossec-agentd: INFO: ...
- 395
0
votes
0
answers
473
views
ossec 2.7.1 won't update on servers
I'm trying to update ossec machines setup as servers from 2.6 and 2.7 to 2.7.1.
I download the ossec-hids-2.7.1.tar.gz, extract it, and run the ./install.sh. It recognizes there's a previous version,...
- 333
3
votes
1
answer
2k
views
Suppress OSSEC email for failed root ssh
I'm running OSSEC as a HIDS on a Ubuntu 12.10 server, and it routinely (3-4x a day) sends me a notification like this: (note the last octet of the IP address has been changed to 'xxx' to protect the ...
- 163
0
votes
2
answers
1k
views
OSSEC as a SIEM
I am working on a log aggregation project and wanted to add some minor correlations/security intelligence to the mix.
Currently I have logs from ~400 servers coming into a syslog-ng box. I was ...
- 1,393
2
votes
4
answers
2k
views
Simple application level file integrity monitoring & Intrusion detection (IDS)
We've been searching for a simple file integrity monitoring solution on CentOS/Linux that will work on the application level. We are not looking for OS/network level IDS as OSSEC and the others do a ...
- 21