
Questions tagged [ossec]

OSSEC is an Open Source Host-based Intrusion Detection System. It performs log analysis, file integrity checking, policy monitoring, rootkit detection, real-time alerting and active response. (from www.ossec.net)

10 votes
2 answers
5k views

OSSEC large scale deployment

We have a data-center and as a happy OSSEC user I am trying to convince my management to use it for host intrusion detection. However I have never deployed it on more than a handful of servers and I ...
lisa1987
7 votes
1 answer
7k views

OSSEC integrity checksum alert - what caused the change?

Recently installed OSSEC on Linux machine to test. Most results are expected, however yesterday I received emails with a number of notifications about Integrity checksum changing on files such as /...
Eureka Ikara
6 votes
4 answers
9k views

OSSEC disk space usage

A few days ago I noticed that the disk of my Ubuntu server was almost full. I dug a bit and found out that the disk space was used by OSSEC, in the /var/ossec/queue/diff folder. I wanted to try ...
Sinklar
4 votes
1 answer
10k views

Postfix Send only Without a FQDN

I'm using OSSEC and Nagios to build a sort of HID system on our network. Everything is going smoothly so far; however I cannot get OSSEC to send email alerts. What I'm trying to do right now is get ...
Ryan
4 votes
1 answer
3k views

How/where does one get a version of the OSSEC agent-auth application that will run on Windows?

I have successfully configured an OSSEC server running on Ubuntu in AWS. I have also successfully automated Ubuntu AWS instances automatically installing the OSSEC agent and connecting to the OSSEC ...
Chris
3 votes
1 answer
2k views

Suppress OSSEC email for failed root ssh

I'm running OSSEC as a HIDS on a Ubuntu 12.10 server, and it routinely (3-4x a day) sends me a notification like this: (note the last octet of the IP address has been changed to 'xxx' to protect the ...
tkrajcar
3 votes
2 answers
5k views

OSSEC: Unblock an IP and increase threshold

I just set up OSSEC, but I accidentally shut myself out already from my home IP. So does OSSEC have a function to unblock an IP after it is blocked or do I need to do this manually in iptables? ...
Lucas Kauffman
3 votes
1 answer
139 views

PID ran away with all our MEM and SWAPPED hard - OSSEC RHEL

Forgive me for the length of this question... it is mostly details... only attempt to follow if you also enjoy reading log files... or drinking coffee. I'll state the questions first: 1) how the ...
Patrick R
2 votes
1 answer
5k views

How can I make the OSSEC server service start automatically on reboot?

I am running CentOS7 with OSSEC 2.9.2. Is there a way to make OSSEC automatically start the server after a reboot? Currently it appears to require that I run the ossec-control start after every ...
JadedCore
2 votes
2 answers
1k views

Use OSSEC active response behind load balancer

We have OSSEC installed on some web servers running behind Amazon ELB. The problem is that when the active response triggers it blocks the IP address of the load balancer. Is there any way to use the ...
Michael
2 votes
2 answers
10k views

OSSEC won't start, Error: queue not accessible

I'm trying to set up OSSEC on a CentOS 6.5 server. This is to be installed as an agent, not a server or local instance. The package successfully installed and I created the clients.key file, but when ...
Liam
2 votes
1 answer
1k views

Just installed OSSEC, what next?

We need file integrity monitoring on our windows servers (a webserver and a database server) and before we drop money on Tripwire, I'm checking out OSSEC. I installed a local installation to test with ...
Chris
2 votes
4 answers
2k views

Simple application level file integrity monitoring & Intrusion detection (IDS)

We've been searching for a simple file integrity monitoring solution on CentOS/Linux that will work on the application level. We are not looking for OS/network level IDS as OSSEC and the others do a ...
Dev
2 votes
1 answer
530 views

What is the purpose of filtering egressing traffic (CSF)?

For a while now I am using CSF as main firewall with LFD, and OSSEC as main IDS. (I like OSSEC over the overreacting builtin IDS of CSF). I tested it for small DoS attacks such a slowloris variants ...
BTZ
2 votes
1 answer
344 views

Ossec fields to Oracle DB

I would like some recommendations for the following problem. I use Ossec for log analysis. What I want, is after extracting the fields to save them in an Oracle database. For example, if I have this ...
Nikolaidis Fotis
2 votes
1 answer
2k views

OSSEC agent behind NAT

I am working on an OSSEC deployment where I will have multiple agents behind 1 public IP. Below is an example of the setup Private Network OSSEC-Agent1 (192.168.1.10) OSSEC-Agent2 (...
Eric
2 votes
2 answers
1k views

Using OSSEC HIPS alongside rsyslog, overkill?

I have been tasked to harden our company linux servers. One of the problems that was outlined was the fact that logs are stored on the server which poses two problems: Difficult to aggregate and ...
Rijndael
1 vote
2 answers
425 views

What dangers (and should I be worried) are there from attempted break-ins? (reported by OSSEC)

I've installed OSSEC on my server and I've been getting reports similar to the following: Jan 11 19:27:03 Daddy sshd[14459]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=...
Wayne Werner
1 vote
4 answers
5k views

OSSEC is not running

I have two EC2 instances. In one I have installed the OSSEC server and in the other I have installed the OSSEC agent. Here is my server config INBOUND (security group/firewall): port:514 source:0.0.0.0/...
batman
1 vote
1 answer
480 views

How to create custom notification for ossec

I am installing OSSEC to secure our servers, and I want to use Slack instead of email for notifications. Is there a way to send alerts via Slack? Is there any way to add another notification system ...
BaZZiliO
1 vote
1 answer
213 views

How to view all logs in OSSEC system Ubuntu

I have installed OSSEC. It is working and sometimes sends me alert emails as well. But I want to see what I can type so that I can view all the logs of what OSSEC has found in my system.
1 vote
2 answers
516 views

OSSEC Ignore a Snap core loop device

Does anyone know how to ignore a /dev/loop device in OSSEC. The Ubuntu 18 LTS has 2 loop drives /dev/loop0 87M 87M 0 100% /snap/core/4486 /dev/loop1 87M 87M 0 100% /snap/...
Bertos Garney
1 vote
2 answers
2k views

Retrieve pfSense/freeBSD logs with elk

I am attempting to centralize logs from different systems. I installed the Elastic Stack (Elasticsearch, Logstash, Kibana) and WAZUH OSSEC on one server (named elk). I have installed the OSSEC ...
eli0T
1 vote
1 answer
400 views

Disable OSSEC email for SSH maximum authentication attempts

I try to disable the email notifications for the OSSEC rule 5758. <rule id="5758" level="8"> <decoded_as>sshd</decoded_as> <match>^error: maximum authentication attempts ...
Dave
1 vote
1 answer
816 views

How to run OSSEC over TCP

I've got ossec working fine with several clients/agents with the default UDP:1514. However, after adding tcp to the server's ossec.conf file, removing and re-adding the agents, and restarting ossec on ...
hotkarl
1 vote
1 answer
541 views

OSSEC Exclude Sub-directory Alerts

I have added this rule to receive real-time alerts but I would like to modify it or add another rule so that I can exclude the sub-folder var/www/html/wp-content/cache <directories report_changes="...
JoaMika
1 vote
1 answer
575 views

OSSEC not working on server with multiple IPs

I had to add another IP address to our server (eth0:1 192.168.0.100) and all of a sudden the ossec client stopped working. On the client side I'm seeing this: 2014/02/19 02:31:28 ossec-agentd: INFO: ...
MB.
1 vote
1 answer
4k views

Generating alerts from ossec ( server- agent ) model

I'm very new to OSSEC. I use a server-agent model. I wish to generate alerts for the following actions (on the agent side): 1) Sample alert for deletion of logs. I added the rules for these in the agent's ...
batman
1 vote
2 answers
3k views

Do I need at least 1 Linux server to use OSSEC to monitor my Windows servers?

I don't know why this isn't more plainly obvious on the website: http://www.ossec.net/ But I can't tell if I need to install a 'server' portion on Linux and then an 'agent' on Windows and then ...
MetaGuru
1 vote
0 answers
420 views

OSSEC Multiple "Integrity Checksum Changed" Alerts

I know this question has been asked several times, but the answers do not seem to work. After installing OSSEC server on my Ubuntu Server 18.04 LTS machine, I've received hundreds of "Integrity ...
Leah96xxx
1 vote
1 answer
3k views

OSSEC Windows Agent Fails to Sync Configuration

This has proved an annoyance for the past several days, and I have yet to figure out the root cause. In a lab, I've setup two virtual machines, an OSSEC Server Appliance and a Windows 7 x64 ...
dark_st3alth
1 vote
1 answer
176 views

Can OSSEC's active-response handle things at a cluster level?

We are running OSSEC as a client-server model. ClientA & ClientB servers are web servers behind a load balancer. They both send information to a single OSSEC server (ServerA), where it invokes ...
JSL
1 vote
1 answer
555 views

keep ossec iptables rules after restarting OSSEC

I have 6 OSSEC installations (5 agents + 1 server, all Debian 8) all configured to block repeated offenders using iptables from 10 minutes to 1 month. I have the need to restart one or more of the ...
Ialokin
1 vote
1 answer
191 views

Install ossec ids on citrix xenserver dom0

I'm running Citrix XenServer on a server with two NICs, each with a dedicated public IP, and the management interface is directly connected to the www and protected with iptables that allow connections ...
Open Space
1 vote
0 answers
246 views

OSSEC error, file 'not found or unable to stat'

I can't seem to squash this error. I recently installed OSSEC on a Digital Ocean droplet, and I'm getting this message every 15 minutes or so. I've tried blocking the client IP addresses with UFW, ...
workspdx
1 vote
0 answers
998 views

Where can I find information about inbuilt registry keys for Windows Server 2008 R2?

Is there a resource for looking up the description and/or usage of W2K8 R2 registry keys? I need to understand integrity checksum change messages appearing in OSSEC logs on Amazon EC2 instances. ...
xddsg
1 vote
2 answers
2k views

Deploying Ossec HIDS Windows Agent via GPO

I am trying to deploy the OSSEC agent to about 100 Windows 7 boxes through GPO on our AD. I understand that I need to create an MSI from the EXE and import the specific client.keys file for the Windows ...
user227894
0 votes
2 answers
2k views

How do I get OSSEC manage_agents to read a file?

According to the help docs of manage_clients: -f Bulk generate client keys from file. (Manager only). contains lines in IP,NAME format. So I tried this: root@ossec-server:/...
Kit Sunde
0 votes
1 answer
2k views

OSSEC HIDS Notification emails every five minutes from server

My server is sending me the below error message to my email every five minutes: OSSEC HIDS Notification. 2011 Jun 17 16:30:03 Received From: ubuntu->/var/log/syslog Rule: 1002 fired (level 2) ->...
aarru
0 votes
1 answer
2k views

How to stop certain processes from polluting the messages log

We have a certain process related to Azure that is running that is constantly writing out the following to our logs: Aug 18 06:54:28 log-ids-vm rsyslogd-3000: omazuremds error at connect(). errno=No ...
Pat
0 votes
1 answer
422 views

ossec updated to 2.9.0 on centos 6 via atomic repo - won't start

I've had the atomic repo and ossec installed for a few years. It recently updated to 2.9.0 from 2.8.3 and it removed /var/ossec/bin/ossec-control. Now ossec won't start. I ran "yum whatprovides */...
dan
0 votes
2 answers
2k views

Has anyone used any custom decoders with OSSEC?

I have the OSSEC HIDS software version 2.8.3 running on a RHEL 6 server. We have been testing this in the lab with a DNS server to track queries that come into our RPZ and Malware zones. The DNS ...
user53029
0 votes
1 answer
3k views

Ossec tests and verification

I have just installed OSSec accordingly as the server. When it asked for my email I put in my GMail address and for the SMTP I was not sure so I just set it as localhost first. Then it runs a number ...
new14
0 votes
1 answer
1k views

ossec email alerts

Just installed ossec and sendmail, however I can't get alerts to my Gmail from ossec. I am able to see the alerts on the sendmail localhost, however the alerts do not seem to be forwarded to Gmail.
user117642
0 votes
2 answers
801 views

How to know if files' MD5 changed by virus or system itself CentOS

I installed OSSEC to verify whether files have changed or not. But sometimes it is giving me false warnings and integrity checksums like the following files have changed. How can I make sure that files are changed ...
0 votes
1 answer
38 views

How to make OSSEC send email when it is stopped?

OSSEC sends an email when it is started, but not when it is stopped. So, if someone would somehow get access to the server, he could just stop the OSSEC and do whatever he wants without me knowing it. ...
Mika
0 votes
2 answers
377 views

wazuh agent won't send file events unless restarted

Have a wazuh (ossec fork) server and an agent (testing for now). The server gets all the info from the agent (login attempts and so on) but one thing: file changes (creation, deletion and so on). ...
donald
0 votes
2 answers
1k views

ossec realtime file monitoring only reports on first change but follow-up changes are only reported by scheduled follow-up scans

We currently have some ossec agents running on Windows with real-time monitoring for files activated, with the following configuration on the agent side: <syscheck> <!-- Frequency that ...
dalini
0 votes
1 answer
210 views

OSSEC - Multiple VM's on a single DELL blade (XenServer Hypervisor)

I have a DELL blade with ~100 VM's (with a Citrix XenServer 6.1 hypervisor), all with ossec agent connected to a ossec server outside that same blade. I have a bit of a problem: they all run rootkit ...
Ricardo
0 votes
1 answer
363 views

Email sending script from address is invalid

I am sending email notifications from the OSSEC active response script firewall-drop.sh, but when the email is sent through it, the FROM address is like this [email protected]; it should be ossec@mydomain....
Farhan