OSSEC is an Open Source Host-based Intrusion Detection System. It performs log analysis, file integrity checking, policy monitoring, rootkit detection, real-time alerting and active response. (from www.ossec.net)
Questions tagged [ossec]
73 questions
0
votes
1 answer
Snort and OSSEC Can't Run Simultaneously
I am trying to set up IDS on a system composed of AWS Ubuntu 16.04 instances. My HIDS is managed by OSSEC 2.8.1 and my NIDS is managed by Snort 2.9.9.0 (parsed by Barnyard2 version 2.1.14, which also manages the Syslog forwarding).
On this instance…
Eric Hendrickson
- 1
- 1
0
votes
1 answer
OSSEC Treat Multiple Files as One
A while back I posted about using OSSEC as a sudo SIEM as far as sending logs from various servers to one OSSEC server and using the correlation to trip alerts. Overall that solution worked very well but I've recently had to divide out the logs for…
Eric
- 1,373
- 3
- 17
- 33
0
votes
1 answer
wazuh agent won't send file events unless restarted
Have a wazuh (ossec fork) server and an agent (testing for now). the server gets all the info from the agent (login attempts and so on) but one thing - file changes (creation, deletion and so on). upon agent restarting, all the information is being…
donald
- 233
- 3
- 10
0
votes
1 answer
Clam Unknown OSSEC Warning
There is a problem with Clam antivirus on my server. I am getting this notification from OSSEC once per day. I am not sure where to look or what the problem actually is. Could anyone point to the right direction?
Received From:->/var/log/syslog
…
JoaMika
- 479
- 2
- 9
- 20
0
votes
1 answer
ossec updated to 2.9.0 on centos 6 via atomic repo - won't start
I've had the atomic repo and ossec installed for a few years. It recently updated to 2.9.0 from 2.8.3 and it removed /var/ossec/bin/ossec-control. Now ossec won't start.
I ran "yum whatprovides */ossec-control" and its saying…
dan
- 323
- 1
- 5
- 16
0
votes
2 answers
ossec realtime file monitoring only reports on first change but fullow up changes are only reported by scheduled follow up scans
we currently have some ossec agents running on windows and real time monitoring for files activated - with the following configuration on the agent site:
…
dalini
- 19
- 5
0
votes
1 answer
How to make ossec send only one email for an alert?
I installed ossec with local installation and is working fine. It is sending email alerts fine but seems to be sending the same email over and over for an alert.
For example, an alert email is sent for
Rule: 1002 fired (level 2) -> "Unknown problem…
uday kiran
- 1
- 2
0
votes
2 answers
Has anyone used any custom decoders with OSSEC?
I have the OSSEC HIDS software version 2.8.3 running on a RHEL 6 server. We have been testing this in the lab with a DNS server to track queries that come into our RPZ and Malware zones. The DNS server has the OSSEC agent installed. In order for…
user53029
- 619
- 2
- 14
- 34
0
votes
1 answer
OSSEC alerts without hosting SMTP
I've been searching without a solid solution yet. I need to send OSSEC email alerts from my OSSEC server, but without hosting an SMTP server (postfix, etc). I get rejected by the Google SMTP servers (according to OSSEC errors/tcpdump). I'm not aware…
eod
- 1
- 1
0
votes
0 answers
OSSEC Web UI 404 on initial setup
I'm trying to setup the OSSEC web UI on a fresh installation of OSSEC on Ubuntu 15.04 Server Edition. I setup the server with the default LAMP stack and OSSEC HIDS seems to have installed successfully. When I try to install the OSSEC Web UI, I…
Joseph Odell
- 11
- 3
0
votes
2 answers
How do I get OSSEC manage_agents to read a file?
According to the help docs of manage_clients:
-f Bulk generate client keys from file. (Manager only).
contains lines in IP,NAME format.
So I tried this:
root@ossec-server:/var/ossec/etc# /var/ossec/bin/manage_agents -f…
Kit Sunde
- 946
- 3
- 12
- 31
0
votes
1 answer
Change OSSEC alert emails "From" header
I'd like to know how to change the name in the "From" header for emails sent by OSSEC. I couldn't find any information about that.
Alerts I receive from my server are quite well organized. And OSSEC and is the only one I was not able to customize…
Sinklar
- 93
- 1
- 6
0
votes
1 answer
OSSEC - Multiple VM's on a single DELL blade (XenServer Hypervisor)
I have a DELL blade with ~100 VM's (with a Citrix XenServer 6.1 hypervisor), all with ossec agent connected to a ossec server outside that same blade.
I have a bit of a problem: they all run rootkit check at the same time, and their vDISK's are on…
Ricardo
- 61
- 8
0
votes
1 answer
Is there a better way of handling ossec-logcollector?
I have been working to integrate application logs with the ossec logcollector.
I have successfully created, decoded, command, rules etc, and everything works and fires triggers.
However our application rotates logs, and doesn't create log until that…
tike
- 633
- 1
- 5
- 18
0
votes
1 answer
How to filter errors 404 to show only those which are related to php files?
One of my web servers is getting flooded with requests to resources that do not exist anymore, generating the corresponding 404 error. As I'm using OSSEC and OSSIM, then these errors are sent to the OSSEC server (OSSIM), flooding it as well.
I want…
user149678