Comments (4)
ok I have used ossec-vagrant to reproduce your setup and here is what I get in my alerts:
** Alert 1395434447.14224: mail - local,syslog,
2014 Mar 21 20:40:47 precise32->/var/log/auth.log
Rule: 100126 (level 10) -> 'Unexpected user logged into a Secure machine'
Src IP: 10.0.2.2
User: vagrant
Mar 21 20:40:46 precise32 sshd[8698]: Accepted publickey for vagrant from 10.0.2.2 port 55963 ssh2
Now I made a mistake the first time in testing and just want to make sure you have restarted the ossec master? This would explain why logtest is working and the server is not. I have read the code paths and they are the same for both programs.
from ossec-hids.
Sorry, just finished redoing this test and still get the expected test working. You made sure to restart, which I missed on my first read.
Given this I would like to see a more complete view of the setup. I know you might not want to post this on the internet, so you can send it directly if you would like; http://github.com/jrossi has how to email me.
Could you send the following:
- Full contents of the master server's /var/ossec/etc/* /var/ossec/rules/* /var/ossec/lists/
- Full contents of an agent server's /var/ossec/etc/*
- Anything else you think I could use
- OS Name and versions
from ossec-hids.
Closing this as I could not reproduce. See my questions above if you are still having this problem. Thank you.
from ossec-hids.
Hi, I had the same problem yesterday. I also wanted to use a hostname match.
After debugging a little bit, I figured out that in src/analysisd/analysisd.c the hostname (the cdb key) lf->hostname had different values in logtest and analysisd.
So in logtest it was "myhost"
but in analysisd it was "(myhost.mydomain) myip->/var/log/auth.log"
Sebastian
from ossec-hids.
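The divergence Sebastian describes, as an added example (not code from this thread or from the ossec-hids project): a dict stands in for the CDB list, `match_key` models the exact-key lookup a hostname list match performs, and `evaluate_both_engines` shows the same rule succeeding under logtest and failing under analysisd. The "(fqdn) ip->location" shape of the analysisd hostname is assumed from his single sample, and `short_hostname` is a hypothetical normaliser included to show what the two keys would have to be reduced to for the lookup to agree.

```python
import re

# Constructed stand-in for the CDB list a rule consults with a hostname
# lookup: keys are the hostnames of "secure" machines. A real OSSEC list is
# a cdb file built by ossec-makelists; a dict has the same exact-key
# semantics for this demonstration.
SECURE_HOSTS = {"myhost": "secure", "precise32": "secure"}

# Shape of the hostname string the comment above reports analysisd passing
# to the rule engine: "(fqdn) ip->location". Assumed from that one sample.
PAREN_HOST_RE = re.compile(r"^\((?P<host>[^)]+)\)")


def match_key(lf_hostname, cdb):
    """Exact-key lookup, the behaviour of a match_key list lookup."""
    return lf_hostname in cdb


def short_hostname(lf_hostname):
    """Reduce either observed form of lf->hostname to the bare short name.

    "myhost"                                        -> "myhost"
    "(myhost.mydomain) 10.0.2.2->/var/log/auth.log" -> "myhost"
    "precise32->/var/log/auth.log"                  -> "precise32"
    (Hypothetical normaliser; OSSEC does not do this itself.)
    """
    name = lf_hostname.split("->", 1)[0]       # drop the "->location" tail
    m = PAREN_HOST_RE.match(name)
    if m:
        name = m.group("host")                 # keep only the "(fqdn)" part
    return name.strip().split(".")[0]          # fqdn -> short hostname


def evaluate_both_engines(host, domain, ip, location, cdb):
    """Return the list-lookup result as each engine would compute it.

    Assumption taken from the comment above: logtest presents the short
    hostname, analysisd presents "(host.domain) ip->location".
    """
    logtest_key = host
    analysisd_key = f"({host}.{domain}) {ip}->{location}"
    return {
        "logtest": match_key(logtest_key, cdb),
        "analysisd": match_key(analysisd_key, cdb),
        "analysisd_normalized": match_key(short_hostname(analysisd_key), cdb),
    }


if __name__ == "__main__":
    result = evaluate_both_engines(
        "myhost", "mydomain", "10.0.2.2", "/var/log/auth.log", SECURE_HOSTS
    )
    for engine, hit in result.items():
        print(f"{engine:22s} list hit: {hit}")
```

The practical point for anyone validating list-based rules: a green run in ossec-logtest only proves the rule against the key logtest builds. Confirm the rule on the running server, as jrossi did above by reading the alert out of /var/ossec/logs/alerts, before treating it as deployed.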