Questions tagged [ossec]

OSSEC is an Open Source Host-based Intrusion Detection System. It performs log analysis, file integrity checking, policy monitoring, rootkit detection, real-time alerting and active response. (from www.ossec.net)

73 questions
2 votes, 1 answer

Just installed OSSEC, what next?

We need file integrity monitoring on our Windows servers (a web server and a database server) and, before we drop money on Tripwire, I'm checking out OSSEC. I installed a local installation to test with on my Ubuntu laptop, and it appears to be…
Chris
2 votes, 2 answers

Use OSSEC active response behind load balancer

We have OSSEC installed on some web servers running behind Amazon ELB. The problem is that when the active response triggers, it blocks the IP address of the load balancer. Is there any way to use the active response to block clients sending suspect…
Michael
1 vote, 2 answers

OSSEC: Ignore a Snap core loop device

Does anyone know how to ignore a /dev/loop device in OSSEC? Ubuntu 18 LTS has 2 loop drives: /dev/loop0 87M 87M 0 100% /snap/core/4486 /dev/loop1 87M 87M 0 100% /snap/core/4917 ossec: output: 'df -P': /dev/loop0 …
1 vote, 1 answer

Retrieve pfSense/FreeBSD logs with ELK

I am attempting to centralize logs from different systems. I installed the Elastic Stack (Elasticsearch, Logstash, Kibana) and Wazuh OSSEC on one server (named elk). I have installed the OSSEC agent on three Ubuntu servers and I am able to check…
eli0T
1 vote, 1 answer

Disable OSSEC email for SSH maximum authentication attempts

I am trying to disable the email notifications for OSSEC rule 5758: sshd ^error: maximum authentication attempts exceeded Maximum authentication attempts…
Dave
1 vote, 1 answer

OSSEC Windows Agent Fails to Sync Configuration

This has proved an annoyance for the past several days, and I have yet to figure out the root cause. In a lab, I've set up two virtual machines, an OSSEC Server Appliance and a Windows 7 x64 Enterprise SP1 client. Both seem to work quite well when…
dark_st3alth
1 vote, 1 answer

How to run OSSEC over TCP

I've got OSSEC working fine with several clients/agents with the default UDP:1514. However, after adding tcp to the server's ossec.conf file, removing and re-adding the agents, and restarting OSSEC on all machines, the agent logs show they are…
hotkarl
1 vote, 1 answer

Can OSSEC's active-response handle things at a cluster level?

We are running OSSEC in a client-server model. ClientA & ClientB servers are web servers behind a load balancer. They both send information to a single OSSEC server (ServerA), which invokes an active-response (i.e. dynamic IP blocking)…
JSL
1 vote, 1 answer

OSSEC Exclude Sub-directory Alerts

I have added this rule to receive real-time alerts, but I would like to modify it or add another rule so that I can exclude the sub-folder var/www/html/wp-content/cache
JoaMika
1 vote, 1 answer

Keep OSSEC iptables rules after restarting OSSEC

I have 6 OSSEC installations (5 agents + 1 server, all Debian 8), all configured to block repeated offenders using iptables for 10 minutes to 1 month. I have the need to restart one or more of the servers from time to time. Every time the iptables…
Ialokin
1 vote, 1 answer

Install OSSEC IDS on Citrix XenServer dom0

I'm running Citrix XenServer on a server with two NICs, each with a dedicated public IP, and the management interface is directly connected to the WWW and protected with iptables that allow connections only from my static remote IP. My question is, I…
Open Space
1 vote, 1 answer

How to create custom notifications for OSSEC

I am installing OSSEC to secure our servers, and I want to use Slack instead of email for notifications. Is there a way to send alerts via Slack? Is there any way to add another notification system besides email? I think I can use active response…
BaZZiliO
1 vote, 0 answers

OSSEC error, file 'not found or unable to stat'

I can't seem to squash this error. I recently installed OSSEC on a DigitalOcean droplet, and I'm getting this message every 15 minutes or so. I've tried blocking the client IP addresses with UFW, and tried searching the server for this POST_ip_port.php…
workspdx
1 vote, 2 answers

Deploying OSSEC HIDS Windows Agent via GPO

I am trying to deploy the OSSEC agent to about 100 Windows 7 boxes through GPO on our AD. I understand that I need to create an MSI from the EXE and import the specific client.keys file for the Windows box. I was wondering if anyone has done this and…
user227894
1 vote, 1 answer

OSSEC not working on server with multiple IPs

I had to add another IP address to our server (eth0:1 192.168.0.100) and all of a sudden the OSSEC client stopped working. On the client side I'm seeing this: 2014/02/19 02:31:28 ossec-agentd: INFO: Trying to connect to server…
MB.