
Questions tagged [ossec]

OSSEC is an Open Source Host-based Intrusion Detection System. It performs log analysis, file integrity checking, policy monitoring, rootkit detection, real-time alerting and active response. (from www.ossec.net)

0 votes
1 answer
2k views

OSSEC "unable to retrieve alerts"

I am trying to learn about OSSEC, but when I access the OSSEC web UI in the Main tab, OSSEC shows me: "unable to retrieve alerts". I see the alerts.log file and I can read different problems. Why I ...
madrikeka
0 votes
1 answer
2k views

How does the OSSEC agent detect signatures/alerts?

Can someone explain how the OSSEC agent in an active response config detects or responds to events (e.g. a scan attempt on a web server, 404 status code)? I know that the below XML block at the server ...
iloveyouga
0 votes
1 answer
3k views

OSSEC tests and verification

I have just installed OSSEC as the server. When it asked for my email I put in my Gmail address, and for the SMTP I was not sure so I just set it as localhost first. Then it runs a number ...
new14 • 187
1 vote
1 answer
4k views

Generating alerts from OSSEC (server-agent) model

I'm very new to OSSEC. I use a server-agent model. I wish to generate alerts for the following actions (on the agent side): 1) Sample alert for deletion of logs. I added the rules for these in the agent's ...
batman • 321
1 vote
4 answers
5k views

OSSEC is not running

I have two EC2 instances. On one I have installed the OSSEC server and on the other I have installed the OSSEC agent. Here is my server config INBOUND (security group/firewall): port:514 source:0.0.0.0/...
batman • 321
0 votes
1 answer
363 views

Email sending script from address is invalid

I am sending email notifications from the OSSEC active response script firewall-drop.sh, but when the email is sent through it, the FROM address is like this: [email protected]; it should be ossec@mydomain....
Farhan • 4,319
2 votes
1 answer
530 views

What is the purpose of filtering egressing traffic (CSF)?

For a while now I have been using CSF as my main firewall with LFD, and OSSEC as my main IDS (I prefer OSSEC over the overreacting built-in IDS of CSF). I tested it for small DoS attacks such as Slowloris variants ...
BTZ • 23
2 votes
1 answer
2k views

OSSEC agent behind NAT

I am working on an OSSEC deployment where I will have multiple agents behind one public IP. Below is an example of the setup: Private Network OSSEC-Agent1 (192.168.1.10) OSSEC-Agent2 (...
Eric • 1,393
10 votes
2 answers
5k views

OSSEC large scale deployment

We have a data-center and as a happy OSSEC user I am trying to convince my management to use it for host intrusion detection. However I have never deployed it on more than a handful of servers and I ...
lisa1987 • 891
2 votes
1 answer
344 views

Ossec fields to Oracle DB

I would like some recommendations for the following problem. I use OSSEC for log analysis. What I want is, after extracting the fields, to save them in an Oracle database. For example, if I have this ...
Nikolaidis Fotis
0 votes
1 answer
1k views

OSSEC email alerts

Just installed OSSEC and sendmail; however, I am not able to get alerts to my Gmail from OSSEC. I am able to see the alerts on the sendmail localhost, however the alerts do not seem to be forwarding to Gmail.
user117642
3 votes
2 answers
5k views

OSSEC: Unblock an IP and increase threshold

I just set up OSSEC, but I accidentally shut myself out already from my home IP. So does OSSEC have a function to unblock an IP after it is blocked, or do I need to do this manually in iptables? ...
Lucas Kauffman
1 vote
2 answers
425 views

What dangers (and should I be worried) are there from attempted break-ins? (reported by OSSEC)

I've installed OSSEC on my server and I've been getting reports similar to the following: Jan 11 19:27:03 Daddy sshd[14459]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=...
Wayne Werner
1 vote
0 answers
998 views

Where can I find information about inbuilt registry keys for Windows Server 2008 R2?

Is there a resource for looking up the description and/or usage of W2K8 R2 registry keys? I need to understand integrity checksum change messages appearing in OSSEC logs on Amazon EC2 instances. ...
xddsg • 3,472
1 vote
2 answers
3k views

Do I need at least 1 Linux server to use OSSEC to monitor my Windows servers?

I don't know why this isn't more plainly obvious on the website: http://www.ossec.net/ But I can't tell whether I need to install a 'server' portion on Linux and then an 'agent' on Windows and then ...
MetaGuru • 916
0 votes
1 answer
2k views

OSSEC HIDS Notification emails every five minutes from server

My server is sending the below error message to my email every five minutes: OSSEC HIDS Notification. 2011 Jun 17 16:30:03 Received From: ubuntu->/var/log/syslog Rule: 1002 fired (level 2) ->...
aarru • 29
2 votes
1 answer
1k views

Just installed OSSEC, what next?

We need file integrity monitoring on our Windows servers (a web server and a database server), and before we drop money on Tripwire I'm checking out OSSEC. I installed a local installation to test with ...
Chris • 21
2 votes
2 answers
1k views

Use OSSEC active response behind load balancer

We have OSSEC installed on some web servers running behind Amazon ELB. The problem is that when the active response triggers it blocks the IP address of the load balancer. Is there any way to use the ...
Michael
3 votes
1 answer
139 views

PID ran away with all our MEM and SWAPPED hard - OSSEC RHEL

Forgive me for the length of this question... it is mostly details... only attempt to follow if you also enjoy reading log files... or drinking coffee. I'll state the questions first: 1) how the ...
Patrick R • 2,975
7 votes
1 answer
7k views

OSSEC integrity checksum alert - what caused the change?

Recently installed OSSEC on a Linux machine to test. Most results are expected; however, yesterday I received emails with a number of notifications about the integrity checksum changing on files such as /...
Eureka Ikara
0 votes
2 answers
801 views

How to know if file MD5s changed by a virus or the system itself (CentOS)

I installed OSSEC to verify whether files have changed or not. But sometimes it is giving me false warnings and integrity checksums like the following files have changed. How can I make sure that files are changed ...
1 vote
1 answer
213 views

How to view all logs in the OSSEC system (Ubuntu)

I have installed OSSEC. It is working and sometimes sending me alert emails as well. But I want to see what I can type so that I can view all the logs of what OSSEC has found on my system.
0 votes
1 answer
2k views

Cannot open port 1514 in Ubuntu iptables

I am installing OSSEC and it says that I need to open ports 1514 and 514 in the firewall. Now I have added the rule for port 1514 but I still can't connect if I use telnet like ossec-hids-2.5]# ...