
Questions tagged [ossec]

OSSEC is an Open Source Host-based Intrusion Detection System. It performs log analysis, file integrity checking, policy monitoring, rootkit detection, real-time alerting and active response. (from www.ossec.net)

0 votes
0 answers
56 views

Custom OSSEC decoder working in ossec-logtest but not when real OSSEC is used

I'm having some trouble using a custom decoder I defined for OSSEC 3.7.0. I only need to extract srcip, dstip and protocol from my iptables logs, but OSSEC's decoders also extract srcport and dstport, ...
asked by m00nlightsh4dow
0 votes
1 answer
38 views

How to make OSSEC send email when it is stopped?

OSSEC sends an email when it is started, but not when it is stopped. So, if someone would somehow get access to the server, he could just stop the OSSEC and do whatever he wants without me knowing it. ...
asked by Mika
1 vote
0 answers
420 views

OSSEC Multiple "Integrity Checksum Changed" Alerts

I know this question has been asked several times, but the answers do not seem to work. After installing OSSEC server on my Ubuntu Server 18.04 LTS machine, I've received hundreds of "Integrity ...
asked by Leah96xxx
0 votes
1 answer
104 views

Get OSSEC syscheck to alert on change to directory but not its contents

We are running OSSEC 3.2 on some Debian servers. We are using OSSEC's syscheck to alert us when certain files and directories change. I want syscheck to generate an alert when the directory /tmp ...
asked by user35042
0 votes
0 answers
92 views

Can I use OSSEC in a home LAN to monitor for intrusion and malware?

I'm not quite sure I understand what OSSEC does. But after HiddenWasp, I would like to make sure my Windows and Linux machines in my home are safe. (And harden my VPS) Does OSSEC support antimalware ...
asked by HypeWolf
0 votes
1 answer
639 views

ossec client.keys in the master is missing agent details frequently

I've set up an ossec architecture for my client. Most of the agents that were actively reporting to the ossec master move to disconnected status. On analysis I was able to find out that client.keys the ...
asked by Bharath
0 votes
1 answer
841 views

OSSEC Ignore Alert

I have OSSEC 2.94 set up and running on CentOS7. I have it sending emails upon qualifying alert conditions. Everything appears to be functioning properly with regards to sending alerts. However, ...
asked by MSF004
1 vote
2 answers
516 views

OSSEC Ignore a Snap core loop device

Does anyone know how to ignore a /dev/loop device in ossec? Ubuntu 18 LTS has 2 loop drives /dev/loop0 87M 87M 0 100% /snap/core/4486 /dev/loop1 87M 87M 0 100% /snap/...
asked by Bertos Garney
1 vote
2 answers
2k views

Retrieve pfSense/freeBSD logs with elk

I am attempting to centralize logs from different systems. I installed the Elastic Stack (Elasticsearch, Logstash, Kibana) and WAZUH OSSEC on one server (named elk). I have installed the OSSEC ...
asked by eli0T
1 vote
1 answer
400 views

Disable OSSEC email for SSH maximum authentication attempts

I try to disable the email notifications for the OSSEC rule 5758. <rule id="5758" level="8"> <decoded_as>sshd</decoded_as> <match>^error: maximum authentication attempts ...
asked by Dave
0 votes
1 answer
2k views

Linux files permissions denied on log files

I have installed nxlog to send my logs to a graylog server. It works fine, but I get a permission denied on the logs of my HIDS Ossec. My process nxlog (launched by collector-sidecar) runs as root: ...
asked by Sorcha
0 votes
0 answers
1k views

OSSEC - Not seeing alerts on the Server from file changes on the Agent

I have an OSSEC server and Agent installed and configured. I have imported the key to the Agent and they appear to be communicating. However, I am trying to test the file integrity monitoring feature and ...
asked by user8897013
2 votes
1 answer
5k views

How can I make the OSSEC server service start automatically on reboot?

I am running CentOS7 with OSSEC 2.9.2. Is there a way to make OSSEC automatically start the server after a reboot? Currently it appears to require that I run the ossec-control start after every ...
asked by JadedCore
-3 votes
1 answer
106 views

How can ossec handle a virus that already spread into the deepest system? [closed]

As far as I know, OSSEC is an Open Source HIDS. It's a "Detection System". I read in journals that it collects logs and flags any anomaly that has been found in a system (e.g. Debian Server) and does some ...
asked by Gagantous
1 vote
1 answer
3k views

OSSEC Windows Agent Fails to Sync Configuration

This has proved an annoyance for the past several days, and I have yet to figure out the root cause. In a lab, I've set up two virtual machines, an OSSEC Server Appliance and a Windows 7 x64 ...
asked by dark_st3alth
0 votes
1 answer
335 views

ossec 2.8.3: getting authentication alerts from Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational

On ossec 2.8.3 I am trying to get alerts only for RDP authentications from Windows agents. These events are shown in the client's event log Microsoft-Windows-TerminalServices-RemoteConnectionManager/...
asked by golemwashere
0 votes
1 answer
2k views

How to stop certain processes from polluting the messages log

We have a certain process related to Azure that is running that is constantly writing out the following to our logs: Aug 18 06:54:28 log-ids-vm rsyslogd-3000: omazuremds error at connect(). errno=No ...
asked by Pat
0 votes
1 answer
382 views

Snort and OSSEC Can't Run Simultaneously

I am trying to set up IDS on a system composed of AWS Ubuntu 16.04 instances. My HIDS is managed by OSSEC 2.8.1 and my NIDS is managed by Snort 2.9.9.0 (parsed by Barnyard2 version 2.1.14, which also ...
asked by Eric Hendrickson
0 votes
1 answer
67 views

OSSEC Treat Multiple Files as One

A while back I posted about using OSSEC as a pseudo-SIEM, as far as sending logs from various servers to one OSSEC server and using the correlation to trip alerts. Overall that solution worked very well ...
asked by Eric
0 votes
2 answers
377 views

wazuh agent won't send file events unless restarted

Have a wazuh (ossec fork) server and an agent (testing for now). The server gets all the info from the agent (login attempts and so on) but one thing: file changes (creation, deletion and so on). ...
asked by donald
0 votes
1 answer
312 views

Clam Unknown OSSEC Warning

There is a problem with Clam antivirus on my server. I am getting this notification from OSSEC once per day. I am not sure where to look or what the problem actually is. Could anyone point to the ...
asked by JoaMika
1 vote
1 answer
816 views

How to run OSSEC over TCP

I've got ossec working fine with several clients/agents with the default UDP:1514. However, after adding tcp to the server's ossec.conf file, removing and re-adding the agents, and restarting ossec on ...
asked by hotkarl
1 vote
1 answer
176 views

Can OSSEC's active-response handle things at a cluster level?

We are running OSSEC as a client-server model. ClientA & ClientB servers are web servers behind a load balancer. They both send information to a single OSSEC server (ServerA), where it invokes ...
asked by JSL
0 votes
1 answer
422 views

ossec updated to 2.9.0 on centos 6 via atomic repo - won't start

I've had the atomic repo and ossec installed for a few years. It recently updated to 2.9.0 from 2.8.3 and it removed /var/ossec/bin/ossec-control. Now ossec won't start. I ran "yum whatprovides */...
asked by dan
0 votes
2 answers
1k views

ossec realtime file monitoring only reports the first change; follow-up changes are only reported by scheduled follow-up scans

We currently have some ossec agents running on Windows with real-time monitoring for files activated, with the following configuration on the agent side: <syscheck> <!-- Frequency that ...
asked by dalini
1 vote
1 answer
541 views

OSSEC Exclude Sub-directory Alerts

I have added this rule to receive real-time alerts but I would like to modify it or add another rule so that I can exclude the sub-folder var/www/html/wp-content/cache <directories report_changes="...
asked by JoaMika
0 votes
1 answer
518 views

How to make ossec send only one email for an alert?

I installed ossec with a local installation and it is working fine. It is sending email alerts fine but seems to be sending the same email over and over for an alert. For example, an alert email is sent ...
asked by uday kiran
1 vote
1 answer
555 views

keep ossec iptables rules after restarting OSSEC

I have 6 OSSEC installations (5 agents + 1 server, all Debian 8) all configured to block repeated offenders using iptables from 10 minutes to 1 month. I have the need to restart one or more of the ...
asked by Ialokin
0 votes
2 answers
2k views

Has anyone used any custom decoders with OSSEC?

I have the OSSEC HIDS software version 2.8.3 running on a RHEL 6 server. We have been testing this in the lab with a DNS server to track queries that come into our RPZ and Malware zones. The DNS ...
asked by user53029
4 votes
1 answer
10k views

Postfix Send only Without a FQDN

I'm using OSSEC and Nagios to build a sort of HID system on our network. Everything is going smoothly so far; however I cannot get OSSEC to send email alerts. What I'm trying to do right now is get ...
asked by Ryan
4 votes
1 answer
3k views

How/where does one get a version of the OSSEC agent-auth application that will run on Windows?

I have successfully configured an OSSEC server running on Ubuntu in AWS. I have also successfully automated Ubuntu AWS instances automatically installing the OSSEC agent and connecting to the OSSEC ...
asked by Chris
0 votes
1 answer
2k views

OSSEC alerts without hosting SMTP

I've been searching without a solid solution yet. I need to send OSSEC email alerts from my OSSEC server, but without hosting an SMTP server (postfix, etc). I get rejected by the Google SMTP servers (...
asked by eod
1 vote
1 answer
191 views

Install ossec ids on citrix xenserver dom0

I'm running Citrix XenServer on a server with two NICs, each with a dedicated public IP, and the management interface is directly connected to the www and protected with iptables that allow connections ...
asked by Open Space
1 vote
1 answer
480 views

How to create custom notification for ossec

I am installing OSSEC to secure our servers, and I want to use Slack instead of email for notification. Is there a way to send alerts via Slack? Is there any way to add another notification system ...
asked by BaZZiliO
0 votes
0 answers
1k views

OSSEC Web UI 404 on initial setup

I'm trying to set up the OSSEC web UI on a fresh installation of OSSEC on Ubuntu 15.04 Server Edition. I set up the server with the default LAMP stack and OSSEC HIDS seems to have installed successfully....
asked by Joseph Odell
1 vote
0 answers
246 views

OSSEC error, file 'not found or unable to stat'

I can't seem to squash this error. I recently installed OSSEC on a Digital Ocean droplet, and I'm getting this message every 15 minutes or so. I've tried blocking the client IP addresses with UFW, ...
asked by workspdx
0 votes
2 answers
2k views

How do I get OSSEC manage_agents to read a file?

According to the help docs of manage_clients: -f Bulk generate client keys from file. (Manager only). contains lines in IP,NAME format. So I tried this: root@ossec-server:/...
asked by Kit Sunde
6 votes
4 answers
9k views

OSSEC disk space usage

A few days ago I noticed that the disk of my Ubuntu server was almost full. I dug a bit and found out that the disk space was used by OSSEC, in the /var/ossec/queue/diff folder. I wanted to try ...
asked by Sinklar
0 votes
1 answer
750 views

Change OSSEC alert emails "From" header

I'd like to know how to change the name in the "From" header for emails sent by OSSEC. I couldn't find any information about that. Alerts I receive from my server are quite well organized. And OSSEC ...
asked by Sinklar
2 votes
2 answers
10k views

OSSEC won't start, Error: queue not accessible

I'm trying to set up OSSEC on a CentOS 6.5 server. This is to be installed as an agent, not a server or local instance. The package successfully installed and I created the clients.key file, but when ...
asked by Liam
0 votes
1 answer
210 views

OSSEC - Multiple VMs on a single DELL blade (XenServer Hypervisor)

I have a DELL blade with ~100 VMs (with a Citrix XenServer 6.1 hypervisor), all with an ossec agent connected to an ossec server outside that same blade. I have a bit of a problem: they all run rootkit ...
asked by Ricardo
0 votes
1 answer
546 views

Is there a better way of handling ossec-logcollector?

I have been working to integrate application logs with the ossec logcollector. I have successfully created, decoded, command, rules etc, and everything works and fires triggers. However our ...
asked by tike
1 vote
2 answers
2k views

Deploying Ossec HIDS Windows Agent via GPO

I am trying to deploy the OSSEC agent to about 100 Windows 7 boxes through GPO on our AD. I understand that I need to create an MSI from the EXE and import the specific client.keys file for the Windows ...
asked by user227894
0 votes
1 answer
53 views

How to filter errors 404 to show only those which are related to php files?

One of my web servers is getting flooded with requests to resources that do not exist anymore, generating the corresponding 404 error. As I'm using OSSEC and OSSIM, then these errors are sent to the ...
2 votes
2 answers
1k views

Using OSSEC HIPS alongside rsyslog, overkill?

I have been tasked to harden our company linux servers. One of the problems that was outlined was the fact that logs are stored on the server which poses two problems: Difficult to aggregate and ...
asked by Rijndael
1 vote
1 answer
575 views

OSSEC not working on server with multiple IPs

I had to add another IP address to our server (eth0:1 192.168.0.100) and all of a sudden the ossec client stopped working. On the client side I'm seeing this: 2014/02/19 02:31:28 ossec-agentd: INFO: ...
asked by MB.
0 votes
0 answers
473 views

ossec 2.7.1 won't update on servers

I'm trying to update ossec machines setup as servers from 2.6 and 2.7 to 2.7.1. I download the ossec-hids-2.7.1.tar.gz, extract it, and run the ./install.sh. It recognizes there's a previous version,...
asked by dan
3 votes
1 answer
2k views

Suppress OSSEC email for failed root ssh

I'm running OSSEC as a HIDS on a Ubuntu 12.10 server, and it routinely (3-4x a day) sends me a notification like this: (note the last octet of the IP address has been changed to 'xxx' to protect the ...
asked by tkrajcar
0 votes
2 answers
1k views

OSSEC as a SIEM

I am working on a log aggregation project and wanted to add some minor correlations/security intelligence to the mix. Currently I have logs from ~400 servers coming into a syslog-ng box. I was ...
asked by Eric
2 votes
4 answers
2k views

Simple application level file integrity monitoring & Intrusion detection (IDS)

We've been searching for a simple file integrity monitoring solution on CentOS/Linux that will work on the application level. We are not looking for OS/network level IDS as OSSEC and the others do a ...
asked by Dev