Hi oahmet, oahmet wrote:
Hi again, I just checked my Debian box with 0.9 installed and everything seems normal. Alert e-mails are arriving with the correct date (timezone values). Is it possible to send us a sample alert e-mail with full headers? (Just copy & paste it from /var/spool/mail.)

Here you are:

Return-path: <ossecm@xxxxxxxxxxxxxxxxxxxxx>
Date: Sun, 06 Aug 2006 01:42:49 +0000 (HKT)
From: OSSEC HIDS <ossecm@xxxxxxxxxxxxxxxxxxxxx>
Subject: OSSEC Notification - localhost - Alert level 8
To: Martin.Leung@xxxxxx

The above is from Fedora Core 5. Also, I think I found a typo at point 3.5 of the installation script. The script says the syslog collector port is 514, but it seems to be 1514 instead:
ossec-rem 621 ossecr 4u IPv4 10883705 UDP *:1514
PS: I'll also add /var/adm/messages to the config file on Solaris systems. Regards, Ahmet Ozturk.

Ahmet Ozturk wrote: Hi Martin, Let me answer your first 2 questions: 1. I'm not sure if you can throttle the syscheck CPU usage directly (you may use the nice command on a running process, but I don't know
Thanks for the idea. I will modify the ossec-control script to reduce its priority.
a way to automate this). syscheckd starts a run every 2 hours by default; you may want to change this (see <frequency> and the other options in ossec.conf: http://www.ossec.net/en/manual.html#syscheck_options).

The frequency is what concerns me. I would prefer to have it run when my server is free. That could be early in the morning, or whenever CPU usage drops below a certain level.

2. For the active-response issue, please check the <location> option in the ossec.conf file on the server. If it has the value "local", it will execute the active response on the agent that generated the alert. If you want to use active response only on your server, this value should be set to "analysis-server". (http://www.ossec.net/en/manual.html#active-response-config)

Tried it, but I got the following error:

[etc]# /etc/init.d/ossec restart
Stopping OSSEC: [ OK ]
Starting OSSEC: 2006/08/06 00:38:39 ossec-analysisd(1302): Invalid active response location: 'analysis-server'.
2006/08/06 00:38:39 ossec-analysisd(1202): Configuration problem. Exiting.
2006/08/06 00:38:39 ossec-analysisd(1202): Configuration problem. Exiting.
[FAILED]
Rgds.
Martin
I'll also check the timezone issue tonight. Regards, Ahmet Ozturk.

Martin Leung wrote: Hi, I just tried OSSEC 0.9 and have some queries:
1. The syscheck daemon takes up significant CPU time on my box. Can it be throttled or scheduled at a fixed time?
2. I enabled active-response on the server but disabled it on the agent machine. However, the agent host still responds to attacks using the policy on the server. Is it a bug or a feature?
3. The time zone fix stated at http://www.ossec.net/ossec-list/2006-June/msg00019.html seems to have a side effect. On my Fedora 4 box, the mail header becomes +0000 (HKT). I reverted the change and it works (becomes +0800).
4. On Solaris, it may be worth including /var/adm/message in the default monitor list.
BTW, OSSEC is great. Easy to install and useful. Rgds. Martin
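The "+0000 (HKT)" header Martin quotes is internally inconsistent: the numeric offset says UTC while the zone name says Hong Kong (UTC+8), which happens when the offset and the zone name are derived from different broken-down times. The following is an added example, not OSSEC code and not the fix from the linked June thread (which this page does not show). It builds an RFC 2822 Date: value from a single localtime_r() result so the offset and name cannot disagree, and adds a check that flags the mismatched sample. It assumes POSIX TZ strings such as "HKT-8" and "EST5" so it runs without tzdata; the sample header and the epoch value are constructed for the demonstration.

```c
#define _POSIX_C_SOURCE 200809L
#include <ctype.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <time.h>

/* Select the zone used for "local" time via a POSIX TZ string such as
   "HKT-8" (name HKT, 8 h east of UTC); no tzdata files are needed. */
int set_local_zone(const char *tz)
{
    if (setenv("TZ", tz, 1) != 0)
        return -1;
    tzset();
    return 0;
}

/* Offset of local time from UTC at instant t, in minutes east of UTC,
   derived from the two broken-down times rather than the non-standard
   tm_gmtoff field. */
long local_utc_offset_minutes(time_t t)
{
    struct tm loc, utc;
    localtime_r(&t, &loc);
    gmtime_r(&t, &utc);

    long days = loc.tm_yday - utc.tm_yday;
    if (loc.tm_year != utc.tm_year)          /* crossed a year boundary */
        days = (loc.tm_year > utc.tm_year) ? 1 : -1;

    return days * 24 * 60
         + (loc.tm_hour - utc.tm_hour) * 60
         + (loc.tm_min - utc.tm_min);
}

/* Format t as an RFC 2822 Date: value, e.g. "Sun, 06 Aug 2006 00:00:00 +0800 (HKT)".
   Offset and zone name both come from the same local broken-down time,
   so they cannot disagree. Returns a static buffer (not reentrant). */
const char *rfc2822_date(time_t t)
{
    static const char *days[] = {"Sun","Mon","Tue","Wed","Thu","Fri","Sat"};
    static const char *mons[] = {"Jan","Feb","Mar","Apr","May","Jun",
                                 "Jul","Aug","Sep","Oct","Nov","Dec"};
    static char buf[64];
    char zone[16];
    struct tm loc;
    long off = local_utc_offset_minutes(t);
    long mag = off < 0 ? -off : off;

    localtime_r(&t, &loc);
    strftime(zone, sizeof zone, "%Z", &loc);
    /* Fixed English day/month tokens: %a and %b would be localized under
       a non-C locale, which RFC 2822 does not allow. */
    snprintf(buf, sizeof buf, "%s, %02d %s %04d %02d:%02d:%02d %c%02ld%02ld (%s)",
             days[loc.tm_wday], loc.tm_mday, mons[loc.tm_mon],
             loc.tm_year + 1900, loc.tm_hour, loc.tm_min, loc.tm_sec,
             off < 0 ? '-' : '+', mag / 60, mag % 60, zone);
    return buf;
}

/* Numeric zone offset from a Date: value ("+0800" -> 480, "-0500" -> -300),
   or LONG_MIN if the value carries none. */
long header_offset_minutes(const char *date)
{
    const char *p = date;
    while ((p = strpbrk(p, "+-")) != NULL) {
        if (isdigit((unsigned char)p[1]) && isdigit((unsigned char)p[2]) &&
            isdigit((unsigned char)p[3]) && isdigit((unsigned char)p[4])) {
            long v = ((p[1] - '0') * 10 + (p[2] - '0')) * 60
                   +  (p[3] - '0') * 10 + (p[4] - '0');
            return p[0] == '-' ? -v : v;
        }
        p++;
    }
    return LONG_MIN;
}

/* 1 if the header's numeric offset matches the local zone's offset at t,
   0 otherwise. The thread's "+0000 (HKT)" sample fails under TZ=HKT-8. */
int header_offset_consistent(const char *date, time_t t)
{
    long h = header_offset_minutes(date);
    return h != LONG_MIN && h == local_utc_offset_minutes(t);
}

int main(void)
{
    /* Constructed sample: the mismatched header quoted in the thread. */
    const char *bad = "Sun, 06 Aug 2006 01:42:49 +0000 (HKT)";
    time_t t = 1154793600;  /* 2006-08-05 16:00:00 UTC = 2006-08-06 00:00 HKT */

    set_local_zone("HKT-8");
    printf("generated : %s\n", rfc2822_date(t));
    printf("thread hdr: %s -> consistent=%d\n", bad, header_offset_consistent(bad, t));
    return 0;
}
```

The chosen instant falls just after local midnight in HKT but on the previous UTC day, which is exactly the case where computing the offset from hours alone goes wrong; the day-of-year term handles it. Run with a different TZ string (for example "EST5") to see the sign flip on both the generated header and the check.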