Questions tagged [ossec]
OSSEC is an Open Source Host-based Intrusion Detection System. It performs log analysis, file integrity checking, policy monitoring, rootkit detection, real-time alerting and active response. (from www.ossec.net)
26 questions with no upvoted or accepted answers
4 votes, 1 answer, 3k views
How/where does one get a version of the OSSEC agent-auth application that will run on Windows?
I have successfully configured an OSSEC server running on Ubuntu in AWS.
I have also successfully automated Ubuntu AWS instances automatically installing the OSSEC agent and connecting to the OSSEC ...
2 votes, 2 answers, 1k views
Using OSSEC HIPS alongside rsyslog, overkill?
I have been tasked to harden our company Linux servers. One of the problems that was outlined was the fact that logs are stored on the server, which poses two problems:
Difficult to aggregate and ...
1 vote, 0 answers, 420 views
OSSEC Multiple "Integrity Checksum Changed" Alerts
I know this question has been asked several times, but the answers do not seem to work.
After installing OSSEC server on my Ubuntu Server 18.04 LTS machine, I've received hundreds of "Integrity ...
1 vote, 1 answer, 176 views
Can OSSEC's active-response handle things at a cluster level?
We are running OSSEC as a client-server model. ClientA & ClientB servers are web servers behind a load balancer. They both send information to a single OSSEC server (ServerA), where it invokes ...
1 vote, 1 answer, 555 views
Keep OSSEC iptables rules after restarting OSSEC
I have 6 OSSEC installations (5 agents + 1 server, all Debian 8) all configured to block repeated offenders using iptables from 10 minutes to 1 month.
I have the need to restart one or more of the ...
1 vote, 1 answer, 191 views
Install OSSEC IDS on Citrix XenServer dom0
I'm running Citrix XenServer on a server with two NICs, each with a dedicated public IP, and the management interface is directly connected to the www and protected with iptables that allow connections ...
1 vote, 0 answers, 246 views
OSSEC error, file 'not found or unable to stat'
I can't seem to squash this error. I recently installed OSSEC on a Digital Ocean droplet, and I'm getting this message every 15 minutes or so. I've tried blocking the client IP addresses with UFW, ...
1 vote, 0 answers, 998 views
Where can I find information about inbuilt registry keys for Windows Server 2008 R2?
Is there a resource for looking up the description and/or usage of W2K8 R2 registry keys?
I need to understand integrity checksum change messages appearing in OSSEC logs on Amazon EC2 instances.
...
0 votes, 0 answers, 56 views
Custom OSSEC decoder working in ossec-logtest but not when real OSSEC is used
I'm having some trouble using a custom decoder I defined for OSSEC 3.7.0. I only need to extract srcip, dstip and protocol from my iptables logs, but OSSEC's decoders also extract srcport and dstport, ...
0 votes, 1 answer, 104 views
Get OSSEC syscheck to alert on change to directory but not its contents
We are running OSSEC 3.2 on some Debian servers. We are using OSSEC's syscheck to alert us when certain files and directories change.
I want syscheck to generate an alert when the directory /tmp ...
0 votes, 0 answers, 92 views
Can I use OSSEC in a home LAN to monitor for intrusion and malware?
I'm not quite sure I understand what OSSEC does. But after HiddenWasp, I would like to make sure my Windows and Linux machines in my home are safe. (And harden my VPS)
Does OSSEC support antimalware ...
0 votes, 1 answer, 841 views
OSSEC Ignore Alert
I have OSSEC 2.94 set up and running on CentOS 7. I have it sending emails upon qualifying alert conditions. Everything appears to be functioning properly with regard to sending alerts. However, ...
0 votes, 0 answers, 1k views
OSSEC - Not seeing alerts on the Server from file changes on the Agent
I have an OSSEC server and agent installed and configured. I have imported the key to the agent and they appear to be communicating. However, I am trying to test the file integrity monitoring feature and ...
0 votes, 1 answer, 335 views
OSSEC 2.8.3: getting authentication alerts from Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational
On OSSEC 2.8.3 I am trying to get alerts only for RDP authentications from Windows agents.
These events are shown in the clients' event log:
Microsoft-Windows-TerminalServices-RemoteConnectionManager/...
0 votes, 1 answer, 382 views
Snort and OSSEC Can't Run Simultaneously
I am trying to set up IDS on a system composed of AWS Ubuntu 16.04 instances. My HIDS is managed by OSSEC 2.8.1 and my NIDS is managed by Snort 2.9.9.0 (parsed by Barnyard2 version 2.1.14, which also ...
0 votes, 1 answer, 312 views
Clam Unknown OSSEC Warning
There is a problem with Clam antivirus on my server. I am getting this notification from OSSEC once per day. I am not sure where to look or what the problem actually is. Could anyone point to the ...
0 votes, 1 answer, 518 views
How to make OSSEC send only one email for an alert?
I installed OSSEC with a local installation and it is working fine. It is sending email alerts fine but seems to be sending the same email over and over for an alert.
For example, an alert email is sent ...
0 votes, 1 answer, 2k views
OSSEC alerts without hosting SMTP
I've been searching without a solid solution yet. I need to send OSSEC email alerts from my OSSEC server, but without hosting an SMTP server (postfix, etc). I get rejected by the Google SMTP servers (...
0 votes, 0 answers, 1k views
OSSEC Web UI 404 on initial setup
I'm trying to set up the OSSEC web UI on a fresh installation of OSSEC on Ubuntu 15.04 Server Edition. I set up the server with the default LAMP stack and OSSEC HIDS seems to have installed successfully....
0 votes, 1 answer, 750 views
Change OSSEC alert emails "From" header
I'd like to know how to change the name in the "From" header for emails sent by OSSEC. I couldn't find any information about that.
Alerts I receive from my server are quite well organized. And OSSEC ...
0 votes, 1 answer, 546 views
Is there a better way of handling ossec-logcollector?
I have been working to integrate application logs with the OSSEC logcollector.
I have successfully created decoders, commands, rules, etc., and everything works and fires triggers.
However our ...
0 votes, 1 answer, 53 views
How to filter 404 errors to show only those related to PHP files?
One of my web servers is getting flooded with requests to resources that do not exist anymore, generating the corresponding 404 error. As I'm using OSSEC and OSSIM, these errors are sent to the ...
0 votes, 0 answers, 473 views
OSSEC 2.7.1 won't update on servers
I'm trying to update OSSEC machines set up as servers from 2.6 and 2.7 to 2.7.1.
I download ossec-hids-2.7.1.tar.gz, extract it, and run ./install.sh. It recognizes there's a previous version,...
0 votes, 2 answers, 1k views
OSSEC as a SIEM
I am working on a log aggregation project and wanted to add some minor correlations/security intelligence to the mix.
Currently I have logs from ~400 servers coming into a syslog-ng box. I was ...
0 votes, 1 answer, 2k views
Linux file permissions denied on log files
I have installed nxlog to send my logs to a Graylog server. It works fine, but I have a permission denied error on the logs of my HIDS OSSEC.
My nxlog process (launched by collector-sidecar) runs as root:
...
0 votes, 1 answer, 639 views
OSSEC client.keys on the master is missing agent details frequently
I've set up an OSSEC architecture for my client. Most of the agents that were actively reporting to the OSSEC master move to disconnected status. On analysis I was able to find out that the client.keys ...