
Questions tagged [ossec]

OSSEC is an Open Source Host-based Intrusion Detection System. It performs log analysis, file integrity checking, policy monitoring, rootkit detection, real-time alerting and active response. (from www.ossec.net)

26 questions with no upvoted or accepted answers
4 votes, 1 answer, 3k views

How/where does one get a version of the OSSEC agent-auth application that will run on Windows?

I have successfully configured an OSSEC server running on Ubuntu in AWS. I have also successfully automated Ubuntu AWS instances automatically installing the OSSEC agent and connecting to the OSSEC ...
Asked by Chris

2 votes, 2 answers, 1k views

Using OSSEC HIPS alongside rsyslog, overkill?

I have been tasked to harden our company's Linux servers. One of the problems that was outlined was the fact that logs are stored on the server which poses two problems: Difficult to aggregate and ...
Asked by Rijndael

1 vote, 0 answers, 420 views

OSSEC Multiple "Integrity Checksum Changed" Alerts

I know this question has been asked several times, but the answers do not seem to work. After installing OSSEC server on my Ubuntu Server 18.04 LTS machine, I've received hundreds of "Integrity ...
Asked by Leah96xxx

1 vote, 1 answer, 176 views

Can OSSEC's active-response handle things at a cluster level?

We are running OSSEC as a client-server model. ClientA & ClientB servers are web servers behind a load balancer. They both send information to a single OSSEC server (ServerA), where it invokes ...
Asked by JSL

1 vote, 1 answer, 555 views

Keep OSSEC iptables rules after restarting OSSEC

I have 6 OSSEC installations (5 agents + 1 server, all Debian 8) all configured to block repeated offenders using iptables from 10 minutes to 1 month. I have the need to restart one or more of the ...
Asked by Ialokin

1 vote, 1 answer, 191 views

Install OSSEC IDS on Citrix XenServer dom0

I'm running Citrix XenServer on a server with two NICs, each with a dedicated public IP, and the management interface is directly connected to the www and protected with iptables that allow connections ...
Asked by Open Space

1 vote, 0 answers, 246 views

OSSEC error, file 'not found or unable to stat'

I can't seem to squash this error. I recently installed OSSEC on a Digital Ocean droplet, and I'm getting this message every 15 minutes or so. I've tried blocking the client IP addresses with UFW, ...
Asked by workspdx

1 vote, 0 answers, 998 views

Where can I find information about inbuilt registry keys for Windows Server 2008 R2?

Is there a resource for looking up the description and/or usage of W2K8 R2 registry keys? I need to understand integrity checksum change messages appearing in OSSEC logs on Amazon EC2 instances. ...
Asked by xddsg

0 votes, 0 answers, 56 views

Custom OSSEC decoder working in ossec-logtest but not when real OSSEC is used

I'm having some trouble using a custom decoder I defined for OSSEC 3.7.0. I only need to extract srcip, dstip and protocol from my iptables logs, but OSSEC's decoders also extract srcport and dstport, ...
Asked by m00nlightsh4dow

0 votes, 1 answer, 104 views

Get OSSEC syscheck to alert on change to directory but not its contents

We are running OSSEC 3.2 on some Debian servers. We are using OSSEC's syscheck to alert us when certain files and directories change. I want syscheck to generate an alert when the directory /tmp ...
Asked by user35042

0 votes, 0 answers, 92 views

Can I use OSSEC in a home LAN to monitor for intrusion and malware?

I'm not quite sure I understand what OSSEC does. But after HiddenWasp, I would like to make sure my Windows and Linux machines in my home are safe. (And harden my VPS) Does OSSEC support antimalware ...
Asked by HypeWolf

0 votes, 1 answer, 841 views

OSSEC Ignore Alert

I have OSSEC 2.94 set up and running on CentOS 7. I have it sending emails upon qualifying alert conditions. Everything appears to be functioning properly with regards to sending alerts. However, ...
Asked by MSF004

0 votes, 0 answers, 1k views

OSSEC - Not seeing alerts on the Server from file changes on the Agent

I have an OSSEC server and agent installed and configured. I have imported the key to the agent and they appear to be communicating. However, I am trying to test the file integrity monitoring feature and ...
Asked by user8897013

0 votes, 1 answer, 335 views

OSSEC 2.8.3: getting authentication alerts from Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational

On OSSEC 2.8.3 I am trying to get alerts only for RDP authentications from Windows agents. These events are shown in the client's event log Microsoft-Windows-TerminalServices-RemoteConnectionManager/...
Asked by golemwashere

0 votes, 1 answer, 382 views

Snort and OSSEC Can't Run Simultaneously

I am trying to set up IDS on a system composed of AWS Ubuntu 16.04 instances. My HIDS is managed by OSSEC 2.8.1 and my NIDS is managed by Snort 2.9.9.0 (parsed by Barnyard2 version 2.1.14, which also ...
Asked by Eric Hendrickson

0 votes, 1 answer, 312 views

Clam Unknown OSSEC Warning

There is a problem with Clam antivirus on my server. I am getting this notification from OSSEC once per day. I am not sure where to look or what the problem actually is. Could anyone point to the ...
Asked by JoaMika

0 votes, 1 answer, 518 views

How to make OSSEC send only one email for an alert?

I installed OSSEC with a local installation and it is working fine. It is sending email alerts fine but seems to be sending the same email over and over for an alert. For example, an alert email is sent ...
Asked by uday kiran

0 votes, 1 answer, 2k views

OSSEC alerts without hosting SMTP

I've been searching without a solid solution yet. I need to send OSSEC email alerts from my OSSEC server, but without hosting an SMTP server (postfix, etc). I get rejected by the Google SMTP servers (...
Asked by eod

0 votes, 0 answers, 1k views

OSSEC Web UI 404 on initial setup

I'm trying to set up the OSSEC web UI on a fresh installation of OSSEC on Ubuntu 15.04 Server Edition. I set up the server with the default LAMP stack and OSSEC HIDS seems to have installed successfully....
Asked by Joseph Odell

0 votes, 1 answer, 750 views

Change OSSEC alert emails "From" header

I'd like to know how to change the name in the "From" header for emails sent by OSSEC. I couldn't find any information about that. Alerts I receive from my server are quite well organized. And OSSEC ...
Asked by Sinklar

0 votes, 1 answer, 546 views

Is there a better way of handling ossec-logcollector?

I have been working to integrate application logs with the ossec logcollector. I have successfully created, decoded, command, rules etc, and everything works and fires triggers. However our ...
Asked by tike

0 votes, 1 answer, 53 views

How to filter errors 404 to show only those which are related to php files?

One of my web servers is getting flooded with requests to resources that do not exist anymore, generating the corresponding 404 error. As I'm using OSSEC and OSSIM, then these errors are sent to the ...
0 votes, 0 answers, 473 views

OSSEC 2.7.1 won't update on servers

I'm trying to update OSSEC machines set up as servers from 2.6 and 2.7 to 2.7.1. I download the ossec-hids-2.7.1.tar.gz, extract it, and run the ./install.sh. It recognizes there's a previous version,...
Asked by dan

0 votes, 2 answers, 1k views

OSSEC as a SIEM

I am working on a log aggregation project and wanted to add some minor correlations/security intelligence to the mix. Currently I have logs from ~400 servers coming into a syslog-ng box. I was ...
Asked by Eric

0 votes, 1 answer, 2k views

Linux file permissions denied on log files

I have installed nxlog to send my logs to a Graylog server. It works fine, but I get a permission denied on the logs of my HIDS OSSEC. My nxlog process (launched by collector-sidecar) runs as root: ...
Asked by Sorcha

0 votes, 1 answer, 639 views

OSSEC client.keys in the master is missing agent details frequently

I've set up an OSSEC architecture for my client. Most of the agents that were actively reporting to the OSSEC master move to disconnected status. On analysis I was able to find out that client.keys the ...
Asked by Bharath