
[ossec-list] Re: Centos 4.3 64 Bit Server and Windows Agent



Okay, I have installed Slackware 10.0 instead of CentOS 4.3 64 bit and now I
get multiple logon failure alerts from agents, so I can confirm that your
64 bit support is not working well.

-----Original Message-----
From: |SaMaN| [mailto:saman@xxxxxxxxxxxx] 
Sent: Friday, September 01, 2006 9:27 PM
To: 'ossec-list@xxxxxxxxxxxxxxxx'
Subject: RE: [ossec-list] Re: Centos 4.3 64 Bit Server and Windows Agent


Okay guys, it is over, I am done in this world *suicides*

-----Original Message-----
From: |SaMaN| [mailto:saman@xxxxxxxxxxxx] 
Sent: Friday, September 01, 2006 4:48 PM
To: 'ossec-list@xxxxxxxxxxxxxxxx'
Subject: RE: [ossec-list] Re: Centos 4.3 64 Bit Server and Windows Agent

You are talking about the agent side, right? Because the rules folder is only on
the server side.

Anyway in msauth_rules.xml

I changed <var name="MS_FREQ">6</var>   to <var name="MS_FREQ">3</var>

Then I tried multiple (5 times) failed logons on the agent via a remote desktop
connection and then I checked and saw them in the event viewer, but I can't
see them in either the agent's ossec.log or the server's ossec.log and alerts.log.

It depends on the lines below in msauth_rules.xml:

  <rule id="18106" level="5">
    <if_sid>18105</if_sid>
    <id>^529|^530|^531|^532|^533|^534|^535|^536|^537|^539</id>
    <group>authentication_failed</group>
    <description>Windows Logon Failure.</description>
  </rule>

  <rule id="18152" level="10" frequency="$MS_FREQ" timeframe="240">
    <if_matched_sid>18106</if_matched_sid>
    <group>authentication_failed</group>
    <description>Multiple Windows Logon Failures.</description>
  </rule>

It must notify me via e-mail, but nope, it is not working :/

Check the image file. You will see 5 logon failures and the event id is 529,
which seems correct according to msauth_rules.xml. So where is the wrong
part?
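To see what the two rules above actually require before anything is mailed, here is an added example (not from the thread and not OSSEC's own code) that replays constructed Windows event ids through rule 18106 and the composite rule 18152 in Python, using the same id regex, the 240 s timeframe and the server's email_alert_level of 7. The trigger_offset default of 2 follows the OSSEC rule documentation's note that a frequency rule fires two matches later than its frequency attribute says; treat that as an assumption to check against your version (pass 0 to take frequency literally).

```python
import re
from collections import deque

# Constructed sample of decoded Windows Security events (epoch seconds,
# event id, user); these are made-up records, not from the thread.
SAMPLE_EVENTS = [
    (1157100000, "529", "bob"),  # logon failure: unknown user or bad password
    (1157100030, "529", "bob"),
    (1157100060, "529", "bob"),
    (1157100090, "529", "bob"),
    (1157100120, "529", "bob"),  # fifth failure, all within 120 s
    (1157100150, "528", "bob"),  # successful logon: not a failure id
    (1157101000, "529", "bob"),  # lone failure long after the burst
]

# Rule 18106 (msauth_rules.xml, as quoted in the thread): logon-failure ids.
LOGON_FAILURE_ID = re.compile(r"^529|^530|^531|^532|^533|^534|^535|^536|^537|^539")


def matches_18106(event_id: str) -> bool:
    return LOGON_FAILURE_ID.match(event_id) is not None


def evaluate(events, ms_freq, timeframe=240, trigger_offset=2):
    """Replay decoded events through rule 18106 and composite rule 18152.

    18152 fires when 18106 has matched enough times inside `timeframe`
    seconds.  `trigger_offset` models the OSSEC documentation's note that the
    real trigger count is two more than the frequency attribute (assumption;
    pass 0 to take the attribute literally).
    Returns a list of (timestamp, rule_id, level) alerts in time order.
    """
    needed = ms_freq + trigger_offset
    alerts = []
    recent = deque()  # timestamps of 18106 matches still inside the window
    for ts, event_id, _user in sorted(events):
        if not matches_18106(event_id):
            continue
        alerts.append((ts, 18106, 5))
        recent.append(ts)
        # drop matches that have aged out of the 240 s window
        while recent and ts - recent[0] > timeframe:
            recent.popleft()
        if len(recent) >= needed:
            alerts.append((ts, 18152, 10))
            recent.clear()  # start a fresh count after the composite alert
    return alerts


def would_email(alerts, email_alert_level=7):
    """Mirror the server's <email_alert_level>7</email_alert_level>."""
    return [a for a in alerts if a[2] >= email_alert_level]


if __name__ == "__main__":
    for freq in (6, 3):
        alerts = evaluate(SAMPLE_EVENTS, ms_freq=freq)
        print(f"MS_FREQ={freq}: {len(alerts)} alerts, "
              f"{len(would_email(alerts))} would be mailed")
```

With the default MS_FREQ of 6 the five failures never reach the composite rule, so only level-5 alerts exist and nothing crosses the mail threshold; with MS_FREQ=3 the fifth failure produces the level-10 alert.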

-----Original Message-----
From: ossec-list@xxxxxxxxxxxxxxxx [mailto:ossec-list@xxxxxxxxxxxxxxxx] On
Behalf Of Dennis Borkhus-Veto
Sent: Friday, September 01, 2006 3:42 PM
To: ossec-list@xxxxxxxxxxxxxxxx
Subject: [ossec-list] Re: Centos 4.3 64 Bit Server and Windows Agent

Did you see this post?
Also check your windows rule file. The events in it that were set to
trigger alerts were not ones that appear in my event logs. But I did see
them in my ossec server log.
Dennis


-----Original Message-----
From: ossec-list@xxxxxxxxxxxxxxxx <ossec-list@xxxxxxxxxxxxxxxx>
To: ossec-list@xxxxxxxxxxxxxxxx <ossec-list@xxxxxxxxxxxxxxxx>
Sent: Fri Sep 01 07:12:53 2006
Subject: [ossec-list] Re: Centos 4.3 64 Bit Server and Windows Agent


That agent configuration is from Windows 2000. Windows 2003 configurations
have the WINDOWS folder, so they are set properly.

-----Original Message-----
From: ossec-list@xxxxxxxxxxxxxxxx [mailto:ossec-list@xxxxxxxxxxxxxxxx] On
Behalf Of Dennis Borkhus-Veto
Sent: Friday, September 01, 2006 3:06 PM
To: ossec-list@xxxxxxxxxxxxxxxx
Subject: [ossec-list] Re: Centos 4.3 64 Bit Server and Windows Agent

Isn't the folder supposed to be windows for 2000 and 2003 instead of winnt?

Dennis

-----Original Message-----
From: ossec-list@xxxxxxxxxxxxxxxx <ossec-list@xxxxxxxxxxxxxxxx>
To: ossec-list@xxxxxxxxxxxxxxxx <ossec-list@xxxxxxxxxxxxxxxx>
Sent: Fri Sep 01 00:13:43 2006
Subject: [ossec-list] Re: Centos 4.3 64 Bit Server and Windows Agent


---------------------------------------
Here is the server's agent-info output
---------------------------------------

[root@10 agent-info]# cat *
Microsoft Windows Server 2003, Enterprise Edition Service Pack 1 (Build 3790)
Microsoft Windows Server 2003, Enterprise Edition Service Pack 1 (Build 3790)
Microsoft Windows 2000 Advanced Server Service Pack 4 (Build 2195)
Microsoft Windows 2000 Advanced Server Service Pack 4 (Build 2195)
Microsoft Windows 2000 Advanced Server Service Pack 4 (Build 2195)
Microsoft Windows 2000 Advanced Server Service Pack 4 (Build 2195)
Microsoft Windows 2000 Advanced Server Service Pack 4 (Build 2195)
Microsoft Windows 2000 Advanced Server Service Pack 4 (Build 2195)
Microsoft Windows Server 2003, Enterprise Edition Service Pack 1 (Build 3790)

-----Original Message-----
Sent: Friday, September 01, 2006 8:08 AM
To: 'ossec-list@xxxxxxxxxxxxxxxx'
Subject: RE: [ossec-list] Re: Centos 4.3 64 Bit Server and Windows Agent

I hope you can find out why I don't get event logs...

------------------------------------------------------
Here is the agent's ossec.conf
------------------------------------------------------

<!-- Agent Example Configuration -->

<!-- First, change the server-ip to the IP of your OSSEC HIDS server -->

<!-- Second, add any file that you may want to monitor. -->

<ossec_config>
 <client>
   <!-- IP address of the Ossec HIDS server -->
   <server-ip>10.1.X.X</server-ip>
 </client>

 <!-- One entry for each file to monitor -->
 <localfile>
   <location>Application</location>
   <log_format>eventlog</log_format>
 </localfile>

 <localfile>
   <location>Security</location>
   <log_format>eventlog</log_format>
 </localfile>

 <localfile>
   <location>System</location>
   <log_format>eventlog</log_format>
 </localfile>

 <localfile>
   <location>C:\WINNT/System32/LogFiles/W3SVC1/ex%y%m%d.log</location>
   <log_format>iis</log_format>
 </localfile>
</ossec_config>

<!-- Default syscheck config -->
<ossec_config>
 <syscheck>
   <frequency>7200</frequency>
   <directories check_all="yes">C:\WINNT,C:\Program Files</directories>

   <ignore>C:\WINNT/system32/LogFiles</ignore>
   <ignore>C:\WINNT/WINNTUpdate.log</ignore>
   <ignore>C:\WINNT/system32/wbem/Logs</ignore>
   <ignore>C:\WINNT/Prefetch</ignore>
   <ignore>C:\WINNT/PCHEALTH/HELPCTR/DataColl</ignore>
   <ignore>C:\WINNT/SoftwareDistribution/DataStore</ignore>
   <ignore>C:\WINNT/SoftwareDistribution/ReportingEvents.log</ignore>
   <ignore>C:\Program Files/ossec-agent</ignore>
   <ignore>C:\WINNT/Temp</ignore>
   <ignore>C:\WINNT/system32/config/systemprofile/Local Settings</ignore>
   <ignore>C:\WINNT/SchedLgU.Txt</ignore>
   <ignore>C:\WINNT/system32/config</ignore>
 </syscheck>
</ossec_config>



------------------------------------------------------
Here is the agent's ossec.log
------------------------------------------------------


2006/08/25 14:11:02 ossec-agent: Starting syscheckd thread.
2006/08/25 14:11:02 ossec-agent(1951): Analyzing event log: 'Application'.
2006/08/25 14:11:03 ossec-agent(1951): Analyzing event log: 'Security'.
2006/08/25 14:11:03 ossec-agent(1951): Analyzing event log: 'System'.
2006/08/25 14:11:04 ossec-agent(1950): Analyzing file: 'C:\WINNT/System32/LogFiles/W3SVC1/ex060825.log'.
2006/08/25 14:11:04 ossec-agent: Started (pid: 2328).
2006/08/26 00:00:59 ossec-agent(1103): Unable to open file 'C:\WINNT/System32/LogFiles/W3SVC1/ex060826.log'.
2006/08/26 00:00:59 ossec-agent(1103): Unable to open file 'C:\WINNT/System32/LogFiles/W3SVC1/ex060826.log'.
2006/08/26 00:40:00 ossec-agent(1904): Unable to read file: 'C:\WINNT/System32/LogFiles/W3SVC1/ex060826.log'
2006/08/28 16:51:01 ossec-agent: Starting syscheckd thread.
2006/08/28 16:51:01 ossec-agent: No previous counter available for 'SERVER3'.
2006/08/28 16:51:01 ossec-agent: Assigning counter for agent SERVER3: '0:0'.
2006/08/28 16:51:01 ossec-agent: Assigning sender counter: 4:6987
2006/08/28 16:51:02 ossec-agent(1951): Analyzing event log: 'Application'.
2006/08/28 16:51:02 ossec-agent(1951): Analyzing event log: 'Security'.
2006/08/28 16:51:05 ossec-agent(1951): Analyzing event log: 'System'.
2006/08/28 16:51:06 ossec-agent(1950): Analyzing file: 'C:\WINNT/System32/LogFiles/W3SVC1/ex060828.log'.
2006/08/28 16:51:06 ossec-agent: Started (pid: 2276).
2006/08/29 00:00:26 ossec-agent(1103): Unable to open file 'C:\WINNT/System32/LogFiles/W3SVC1/ex060829.log'.
2006/08/29 00:00:26 ossec-agent(1103): Unable to open file 'C:\WINNT/System32/LogFiles/W3SVC1/ex060829.log'.

------------------------------------------------------
Here is the server's tail -50 /var/log/alerts
------------------------------------------------------

** Alert 1157078973.3487: mail
2006 Sep 01 05:49:33 (SERVER1) 10.X.X.X->syscheck
Rule: 13 (level 8) -> 'Integrity checksum of file 'C:\Program Files/Microsoft SQL Server/MSSQL/Reporting Services/LogFiles/ReportServerService__08_18_2006_00_07_40.log' has changed.'
Src IP: (none)
User: (none)
File 'C:\Program Files/Microsoft SQL Server/MSSQL/Reporting Services/LogFiles/ReportServerService__08_18_2006_00_07_40.log' was deleted. Unable to retrieve checksum.

** Alert 1157078975.3948: mail
2006 Sep 01 05:49:35 (SERVER1) 10.X.X.X->syscheck
Rule: 13 (level 8) -> 'Integrity checksum of file 'C:\Program Files/Microsoft SQL Server/MSSQL/Reporting Services/LogFiles/ReportServerService__main_08_17_2006_04_07_37.log' has changed.'
Src IP: (none)
User: (none)
File 'C:\Program Files/Microsoft SQL Server/MSSQL/Reporting Services/LogFiles/ReportServerService__main_08_17_2006_04_07_37.log' was deleted. Unable to retrieve checksum.

** Alert 1157082734.4419: mail
2006 Sep 01 06:52:14 (Web) 195.X.X.X->syscheck
Rule: 13 (level 8) -> 'Integrity checksum of file 'C:\Program Files/Microsoft SQL Server/MSSQL/LOG/ERRORLOG' has changed again (2nd time)'
Src IP: (none)
User: (none)
Integrity checksum changed for: 'C:\Program Files/Microsoft SQL Server/MSSQL/LOG/ERRORLOG'
Size changed from '2600' to '5359'
Old md5sum was: '32c498fc6c24e0e7e2b7fbc289d1d7ff'
New md5sum is : '0617850532a2ae5ceaee1dc4fdb08c41'
Old sha1sum was: '66826b34baa906044e3c8085fcf4844f6f8a61e8'
New sha1sum is : '63bf689581c50c2b282655ffb0fb536bdfbaebb0'

------------------------------------------------------
Here is the server's tail -50 /var/ossec/log/ossec.log
------------------------------------------------------

2006/08/28 06:14:04 ossec-maild: Started (pid: 5470).
2006/08/28 09:14:04 ossec-execd: Started (pid: 5474).
2006/08/28 09:14:04 ossec-analysisd: Reading rules file: 'rules_config.xml'
2006/08/28 09:14:04 ossec-analysisd: Reading rules file: 'pam_rules.xml'
2006/08/28 09:14:04 ossec-analysisd: Reading rules file: 'sshd_rules.xml'
2006/08/28 09:14:04 ossec-remoted: Started (pid: 5486).
2006/08/28 09:14:04 ossec-remoted: Started (pid: 5487).
2006/08/28 09:14:04 ossec-analysisd: Reading rules file: 'telnetd_rules.xml'
2006/08/28 09:14:04 ossec-analysisd: Reading rules file: 'syslog_rules.xml'
2006/08/28 09:14:04 ossec-analysisd: Reading rules file: 'arpwatch_rules.xml'
2006/08/28 09:14:04 ossec-analysisd: Reading rules file: 'pix_rules.xml'
2006/08/28 09:14:04 ossec-analysisd: Reading rules file: 'named_rules.xml'
2006/08/28 09:14:04 ossec-analysisd: Reading rules file: 'smbd_rules.xml'
2006/08/28 09:14:04 ossec-analysisd: Reading rules file: 'vsftpd_rules.xml'
2006/08/28 09:14:04 ossec-analysisd: Reading rules file: 'pure-ftpd_rules.xml'
2006/08/28 09:14:04 ossec-analysisd: Reading rules file: 'proftpd_rules.xml'
2006/08/28 09:14:04 ossec-analysisd: Reading rules file: 'hordeimp_rules.xml'
2006/08/28 09:14:04 ossec-analysisd: Reading rules file: 'web_rules.xml'
2006/08/28 09:14:04 ossec-analysisd: Reading rules file: 'apache_rules.xml'
2006/08/28 09:14:04 ossec-analysisd: Reading rules file: 'ids_rules.xml'
2006/08/28 09:14:04 ossec-analysisd: Reading rules file: 'squid_rules.xml'
2006/08/28 09:14:04 ossec-analysisd: Reading rules file: 'firewall_rules.xml'
2006/08/28 09:14:04 ossec-analysisd: Reading rules file: 'netscreenfw_rules.xml'
2006/08/28 09:14:04 ossec-analysisd: Reading rules file: 'postfix_rules.xml'
2006/08/28 09:14:04 ossec-analysisd: Reading rules file: 'sendmail_rules.xml'
2006/08/28 09:14:04 ossec-analysisd: Reading rules file: 'imapd_rules.xml'
2006/08/28 09:14:04 ossec-analysisd: Reading rules file: 'mailscanner_rules.xml'
2006/08/28 09:14:04 ossec-analysisd: Reading rules file: 'racoon_rules.xml'
2006/08/28 09:14:04 ossec-analysisd: Reading rules file: 'spamd_rules.xml'
2006/08/28 09:14:04 ossec-analysisd: Reading rules file: 'msauth_rules.xml'
2006/08/28 09:14:04 ossec-analysisd: Reading rules file: 'attack_rules.xml'
2006/08/28 09:14:04 ossec-analysisd: Total rules enabled: '382'
2006/08/28 09:14:04 ossec-analysisd: Ignoring file: '/etc/mtab'
2006/08/28 09:14:04 ossec-analysisd: Ignoring file: '/etc/mnttab'
2006/08/28 09:14:04 ossec-analysisd: Ignoring file: '/etc/hosts.deny'
2006/08/28 09:14:04 ossec-analysisd: Ignoring file: '/etc/mail/statistics'
2006/08/28 09:14:04 ossec-analysisd: Ignoring file: '/etc/random-seed'
2006/08/28 09:14:04 ossec-analysisd: Ignoring file: '/etc/adjtime'
...
2006/08/28 23:03:50 ossec-remoted(1407): Duplicated counter for '10.100.X.X'.
2006/08/28 23:03:50 ossec-remoted: Duplicate error:  global: 7, local: 2250, saved global: 8, saved local:9485
2006/08/28 23:03:50 ossec-remoted(1407): Duplicated counter for '10.100.X.X'.
2006/08/28 23:03:50 ossec-remoted: Duplicate error:  global: 7, local: 2253, saved global: 8, saved local:9683
2006/08/28 23:03:50 ossec-remoted(1407): Duplicated counter for '10.100.X.X'.

------------------------------------------------------
Any idea how to fix those duplicate errors?
------------------------------------------------------

------------------------------------------------------
Here is the server's /var/ossec/etc/ossec.conf
------------------------------------------------------

<ossec_config>
  <global>
    <email_notification>yes</email_notification>
    <email_to>me@xxxxxxxxxx</email_to>
    <smtp_server>195.X.X.X</smtp_server>
    <email_from>ossecm@xxxxxxxx</email_from>
    <email_maxperhour>100</email_maxperhour>
    <logall>yes</logall>
  </global>

  <rules>
    <include>rules_config.xml</include>
    <include>pam_rules.xml</include>
    <include>sshd_rules.xml</include>
    <include>telnetd_rules.xml</include>
    <include>syslog_rules.xml</include>
    <include>arpwatch_rules.xml</include>
    <include>pix_rules.xml</include>
    <include>named_rules.xml</include>
    <include>smbd_rules.xml</include>
    <include>vsftpd_rules.xml</include>
    <include>pure-ftpd_rules.xml</include>
    <include>proftpd_rules.xml</include>
    <include>hordeimp_rules.xml</include>
    <include>web_rules.xml</include>
    <include>apache_rules.xml</include>
    <include>ids_rules.xml</include>
    <include>squid_rules.xml</include>
    <include>firewall_rules.xml</include>
    <include>netscreenfw_rules.xml</include>
    <include>postfix_rules.xml</include>
    <include>sendmail_rules.xml</include>
    <include>imapd_rules.xml</include>
    <include>mailscanner_rules.xml</include>
    <include>racoon_rules.xml</include>
    <include>spamd_rules.xml</include>
    <include>msauth_rules.xml</include>
    <!-- <include>policy_rules.xml</include> -->
    <include>attack_rules.xml</include>
  </rules>

  <syscheck>
    <!-- Frequency that syscheck is executed - default every 2 hours -->
    <frequency>7200</frequency>

    <!-- Directories to check  (perform all possible verifications) -->
    <directories check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
    <directories check_all="yes">/bin,/sbin</directories>

    <!-- Files/directories to ignore -->
    <ignore>/etc/mtab</ignore>
    <ignore>/etc/mnttab</ignore>
    <ignore>/etc/hosts.deny</ignore>
    <ignore>/etc/mail/statistics</ignore>
    <ignore>/etc/random-seed</ignore>
    <ignore>/etc/adjtime</ignore>
    <ignore>/etc/httpd/logs</ignore>
    <ignore>/etc/utmpx</ignore>
    <ignore>/etc/wtmpx</ignore>
    <ignore>/etc/rc.d/rc2.d</ignore>
    <ignore>/etc/rc.d/rc3.d</ignore>
    <ignore>/etc/rc.d/rc4.d</ignore>
    <ignore>/etc/rc.d/rc5.d</ignore>

    <!-- Windows files to ignore -->
    <ignore>C:\WINDOWS/System32/LogFiles</ignore>
    <ignore>C:\WINDOWS/WindowsUpdate.log</ignore>
    <ignore>C:\WINDOWS/system32/wbem/Logs</ignore>
    <ignore>C:\WINDOWS/Prefetch</ignore>
    <ignore>C:\WINDOWS/PCHEALTH/HELPCTR/DataColl</ignore>
    <ignore>C:\WINDOWS/SoftwareDistribution/DataStore</ignore>
    <ignore>C:\WINDOWS/SoftwareDistribution/ReportingEvents.log</ignore>
    <ignore>C:\WINDOWS/Temp</ignore>
    <ignore>C:\WINDOWS/system32/config/systemprofile/Local Settings</ignore>

  </syscheck>

  <rootcheck>
    <rootkit_files>/var/ossec/etc/shared/rootkit_files.txt</rootkit_files>
    <rootkit_trojans>/var/ossec/etc/shared/rootkit_trojans.txt</rootkit_trojans>
  </rootcheck>

  <active-response>
    <disabled>yes</disabled>
  </active-response>


  <remote>
    <connection>syslog</connection>
  </remote>

  <remote>
    <connection>secure</connection>
    <allowed-ips>195.X.X.0/24</allowed-ips>
    <allowed-ips>10.100.X.0/24</allowed-ips>
  </remote>

  <alerts>
    <log_alert_level>1</log_alert_level>
    <email_alert_level>7</email_alert_level>
  </alerts>
  <!-- Files to monitor (localfiles) -->

  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/messages</location>
  </localfile>

  <localfile>
    <log_format>syslog</log_format>
  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/radius/radius.log</location>
  </localfile>

  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/maillog</location>
  </localfile>
</ossec_config>


-----Original Message-----
From: ossec-list@xxxxxxxxxxxxxxxx [mailto:ossec-list@xxxxxxxxxxxxxxxx] On
Behalf Of Daniel Cid
Sent: Friday, September 01, 2006 5:12 AM
To: ossec-list@xxxxxxxxxxxxxxxx
Subject: [ossec-list] Re: Centos 4.3 64 Bit Server and Windows Agent


Please, don't :) I didn't reply because I had no clue about what was going
on..
Can you show us the following information:

-Your log from the windows agent (programs files\ossec\ossec.log)
-Your log from the server (/var/ossec/logs/ossec.log).
-The output of the files under /var/ossec/queue/agent-info/ (on the server)

Maybe with this information we can find out what is going on...

Thanks,

--
Daniel B. Cid
dcid ( at ) ossec.net

On 8/31/06, |SaMaN| <saman@xxxxxxxxxxxx> wrote:
>
> Help me before I suicide.
>
> -----Original Message-----
> From: ossec-list@xxxxxxxxxxxxxxxx [mailto:ossec-list@xxxxxxxxxxxxxxxx] On
> Behalf Of |SaMaN|
> Sent: Thursday, August 31, 2006 11:56 AM
> To: ossec-list@xxxxxxxxxxxxxxxx
> Subject: [ossec-list] Re: Centos 4.3 64 Bit Server and Windows Agent
>
> Here is my agent configuration and Windows auditing configuration in a gif
> file. Still no alerts about application, security or system event logs.
>
>
> Agent configuration
> -------------------
>
> <!-- Agent Example Configuration -->
>
> <!-- First, change the server-ip to the IP of your OSSEC HIDS server -->
>
> <!-- Second, add any file that you may want to monitor. -->
>
> <ossec_config>
>  <client>
>    <!-- IP address of the Ossec HIDS server -->
>    <server-ip>10.1.1.2</server-ip>
>  </client>
>
>  <!-- One entry for each file to monitor -->
>  <localfile>
>    <location>Application</location>
>    <log_format>eventlog</log_format>
>  </localfile>
>
>  <localfile>
>    <location>Security</location>
>    <log_format>eventlog</log_format>
>  </localfile>
>
>  <localfile>
>    <location>System</location>
>    <log_format>eventlog</log_format>
>  </localfile>
>
>  <localfile>
>    <location>C:\WINNT/System32/LogFiles/W3SVC1/ex%y%m%d.log</location>
>    <log_format>iis</log_format>
>  </localfile>
> </ossec_config>
>
> <!-- Default syscheck config -->
> <ossec_config>
>  <syscheck>
>    <frequency>7200</frequency>
>    <directories check_all="yes">C:\WINNT,C:\Program Files</directories>
>
>    <ignore>C:\WINNT/system32/LogFiles</ignore>
>    <ignore>C:\WINNT/WINNTUpdate.log</ignore>
>    <ignore>C:\WINNT/system32/wbem/Logs</ignore>
>    <ignore>C:\WINNT/Prefetch</ignore>
>    <ignore>C:\WINNT/PCHEALTH/HELPCTR/DataColl</ignore>
>    <ignore>C:\WINNT/SoftwareDistribution/DataStore</ignore>
>    <ignore>C:\WINNT/SoftwareDistribution/ReportingEvents.log</ignore>
>    <ignore>C:\Program Files/ossec-agent</ignore>
>    <ignore>C:\Program Files/Trend</ignore>
>    <ignore>C:\Program Files/Common Files/Network Associates</ignore>
>    <ignore>C:\WINNT/Temp</ignore>
>    <ignore>C:\WINNT/system32/config/systemprofile/Local Settings</ignore>
>    <ignore>C:\WINNT/SchedLgU.Txt</ignore>
>    <ignore>C:\WINNT/system32/config</ignore>
>  </syscheck>
> </ossec_config>
>
>
> --------------------------------
>
> -----Original Message-----
> From: |SaMaN| [mailto:saman@xxxxxxxxxxxx]
> Sent: Monday, August 28, 2006 10:37 PM
> To: 'ossec-list@xxxxxxxxx'
> Subject: RE: [ossec-list] Re: Centos 4.3 64 Bit Server and Windows Agent
>
> Auditing is enabled on all clients. I see only syscheck logs in the alerts.log
> file. Why can't I get Windows security, system or application logs?
>
> -----Original Message-----
> From: ossec-list@xxxxxxxxxxxxxxxx [mailto:ossec-list@xxxxxxxxxxxxxxxx] On
> Behalf Of Daniel Cid
> Sent: Monday, August 28, 2006 10:07 PM
> To: ossec-list@xxxxxxxxxxxxxxxx
> Subject: [ossec-list] Re: Centos 4.3 64 Bit Server and Windows Agent
>
>
> Do you see anything in the /var/ossec/logs/alerts/alerts.log file? Also, by
> default windows do not log login failures and other useful information. Make
> sure that you enabled auditing for these events...
>
> Hope it helps.
>
> --
> Daniel B. Cid
> dcid ( at ) ossec.net
>
> On 8/28/06, |SaMaN| <saman@xxxxxxxxxxxx> wrote:
> >
> > Hello,
> >
> > Latest snapshot has fixed my connection problem but I can just get
> > notification emails about syscheck results of clients. I tried
> > multiple logon failures on clients (windows 2000 and windows 2003
> > servers) but have not got any mails about security, system or application
> > logs. Any ideas?
> >
> > -----Original Message-----
> > From: Daniel Cid [mailto:daniel.cid@xxxxxxxxx]
> > Sent: Sunday, August 27, 2006 2:46 AM
> > To: ossec-list@xxxxxxxxxxxxxxxx
> > Cc: saman@xxxxxxxxxxxx
> > Subject: Re: [ossec-list] Re: Centos 4.3 64 Bit Server and Windows
> > Agent
> >
> > I can feel your pain :) I always hate when this happens but the next
> > version will have better connection control and more information
> > about these problems.
> >
> > We had some issues with 64 bits machines that Martin fixed some time ago.
> > Can you try the following snapshot on your server?
> >
> > http://www.ossec.net/files/snapshots/ossec-hids-060820.tar.gz
> >
> > Should fix it.. If not, can you give us more information?
> > http://www.ossec.net/en/faq.html#a2.2
> >
> > Thanks,
> >
> > --
> > Daniel B. Cid
> > dcid ( at ) ossec.net
> >
> > On 8/26/06, |SaMaN| <saman@xxxxxxxxxxxx> wrote:
> > >
> > > Also I get notification mails about server but not any of clients that
> > > makes me sick :/
> > >
> > > -----Original Message-----
> > > From: ossec-list@xxxxxxxxxxxxxxxx
> > > [mailto:ossec-list@xxxxxxxxxxxxxxxx] On Behalf Of |SaMaN|
> > > Sent: Saturday, August 26, 2006 10:14 PM
> > > To: ossec-list@xxxxxxxxxxxxxxxx
> > > Subject: [ossec-list] Re: Centos 4.3 64 Bit Server and Windows Agent
> > >
> > >
> > > Thanks for replying but there is also nothing in agent-info folder.
> > > Maybe because of SELinux ?
> > >
> > > -----Original Message-----
> > > From: ossec-list@xxxxxxxxxxxxxxxx
> > > [mailto:ossec-list@xxxxxxxxxxxxxxxx] On Behalf Of Marty E. Hillman
> > > Sent: Saturday, August 26, 2006 8:42 PM
> > > To: ossec-list@xxxxxxxxxxxxxxxx
> > > Subject: [ossec-list] Re: Centos 4.3 64 Bit Server and Windows Agent
> > >
> > > I had this problem on mine.  My problem was that I needed to allow
> > > the IP of the ossec server to pass email through our spam filters on
> > > the email server.
> > > The nature of the headers made them untrusted.
> > >
> > > Hope this helps.
> > >
> > >
> > > -----Original Message-----
> > > From: ossec-list@xxxxxxxxxxxxxxxx on behalf of |SaMaN|
> > > Sent: Sat 8/26/2006 1:38 AM
> > > To: ossec-list@xxxxxxxxx
> > > Subject: [ossec-list] Centos 4.3 64 Bit Server and Windows Agent
> > >
> > > Hello,
> > >
> > >
> > >
> > > I have installed latest ossec on both servers and agents. When I run
> > > tcpdump on server I can see communication lines between server and
> > > agents after I do multiple wrong logons on agent but the problem is
> > > no logs no emails no alerts? What is wrong ?









OSSEC project: www.ossec.net.
Mailing list information: http://www.ossec.net/en/mailing_lists.html.