Questions tagged [ossec]

OSSEC is an Open Source Host-based Intrusion Detection System that performs log analysis, file integrity checking, policy monitoring, rootkit detection, real-time alerting and active response.

OSSEC is a full platform to monitor and control your systems. It combines all the aspects of HIDS (host-based intrusion detection), log monitoring and SIM/SIEM in a simple, powerful and open-source solution.

Visit the OSSEC website for the latest information: ossec.github.io

44 questions
0 votes, 1 answer

Wazuh: alert via email if no alert logged for 1 hour

I need to send an email if the FortiGate firewall does not send a log to Wazuh for an hour. I tried some rules that ChatGPT generated but always end up with errors. The rule I used:
0 votes, 1 answer

wazuh-logtest able to decode the MariaDB log but no decoder in archive.json file for the same log

I am trying to push logs from CloudWatch to my Wazuh. I added the following configurations to my ossec.conf file and restarted, but I was not seeing the logs in the Wazuh Dashboard (Kibana) no
karmendra
0 votes, 1 answer

Writing Wazuh/OSSEC rules for Windows eventchannel

I have been trying to get started with writing custom rules for Wazuh and cannot seem to get my rules to fire. In ossec.conf I have both the default ruleset path and the user-defined path set to etc/rules etc/rules. And in…
Lauri
0 votes, 2 answers

Local database file for Wazuh

I'm running Wazuh 4.3 (latest version) and I'm worried about the following situation: let's say I have syscheck configured to run at 5am. Some changes are made during the day. The machine reboots at 2am. The machine now has lost all changes made…
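As an added illustration (not the asker's configuration and not taken from the Wazuh or OSSEC documentation), the syscheck fragment below combines the scheduled daily scan the question describes with real-time monitoring of the same directories. With `realtime="yes"` a change is recorded when it happens (via inotify on Linux), so it no longer depends on the host surviving until the next scheduled scan; the daily scan then serves as a full baseline rather than the only source of truth. The directory list and scan time are assumptions for the example.

```xml
<!-- Added example: ossec.conf syscheck fragment. Paths and scan time are
     assumptions, not values from the original question. -->
<ossec_config>
  <syscheck>
    <disabled>no</disabled>

    <!-- Scheduled full scan once a day; this is the 5am scan of the question. -->
    <scan_time>5am</scan_time>

    <!-- realtime="yes": changes between scheduled scans are reported as they
         occur instead of waiting for the next full scan.
         check_all="yes": hash, size, owner, group, permissions and mtime.
         report_changes="yes": include a diff of changed text files in the alert. -->
    <directories check_all="yes" realtime="yes" report_changes="yes">/etc,/usr/bin,/usr/sbin</directories>

    <!-- Files that change constantly and would only produce noise. -->
    <ignore>/etc/mtab</ignore>
    <ignore>/etc/hosts.deny</ignore>
  </syscheck>
</ossec_config>
```

After editing, restart the agent and confirm in ossec.log that real-time monitoring was enabled for each directory; on hosts where inotify is unavailable the agent falls back to scheduled scans only, and that message in the log is the check worth looking for.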
0 votes, 1 answer

Pushing OSSEC agent to 200 Windows servers

I'm given the task of setting up OSSEC for our environment. We have 200 Windows servers all over the US that need to be monitored. I successfully installed the server on an Ubuntu machine and, as a test, I installed the agent on a Windows box. As…
Zuzlx
0 votes, 2 answers

gpg: no valid OpenPGP data found while adding Wazuh repository

I'm trying to add the Wazuh repository to download the official Wazuh packages as instructed on their documentation page, in an Ubuntu VM. When I run the command specified on their documentation page: sudo curl -s…
flyingfishcattle
0 votes, 1 answer

Wazuh child decoder not parsing field correctly

I am trying to parse a log as shown below with a child decoder in Wazuh 4.x; for some reason it's not parsing the needed field. Log entry: ossec: output: 'domainjoin-cli query|grep -i Domain': Domain = mydomain.local Child Decoder
Atul
0 votes, 1 answer

OSSEC Agent: capturing hourly logs

I have an issue with capturing Exchange logs from a customer production environment. The logs exist in a set of directories and are labeled such as: -- .../dir1/http_2021101002-1.log -- .../dir1/http_2021101003-1.log --…
Lyle Reger
0 votes, 1 answer

Wazuh manager: wazuh-db won't start

I am running Wazuh 4.1.5 and installing only the Wazuh manager on a Debian 10 box. Starting Wazuh leads to the error message "wazuh-db did not start correctly", and that is it. Is there a debug mode for the logging? My client is using Wazuh manager…
user1309220
0 votes, 1 answer

Upgrading from OSSEC to Wazuh: "local/standalone" mode?

I am currently running OSSEC 3.6 in local mode and forwarding data to Splunk. I cannot seem to find something similar in Wazuh; am I missing something? We really don't want to have a manager, as all our data goes to Splunk anyway. We'd like to…
user1309220
0 votes, 3 answers

AWS autoscaling AMI with OSSEC installed

So we've created an autoscaling group with an AMI of our own. That AMI has a server and an automated OSSEC service that reports to a Slack channel. The thing is that when a new instance is launched, OSSEC sends a lot of alerts because the files…
Diego
0 votes, 1 answer

Wazuh Agent Connection Failure and corrupt payload error in log

I have given a Wazuh manager IP and user name and password. I installed the Wazuh agent on my laptop but it is connected to the manager IP. It is not returning the authorization key and throws the errors in the log file. Important note: I am using VPS…
Harris
0 votes, 1 answer

OSSEC adding allowed fields from decoders to rules description

I am using OSSEC for HIDS. I have created a custom decoder and extracted fields from the log like srcip, dstip and protocol. Here is the log tested with ./ossec-logtest: Sep 2 14:39:23 rana-HP-Notebook kernel: [21261.042146] [UFW BLOCK]…
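As an added example (not the asker's decoder and not part of the OSSEC or Wazuh shipped rulesets), the fragments below show the shape of a decoder that pulls srcip, dstip and protocol out of a kernel UFW BLOCK line, and a local rule whose description references those decoded fields. The `$(field)` substitution in the description is the Wazuh syntax; whether the installed OSSEC version honours it is exactly what running the sample line through ossec-logtest or wazuh-logtest will tell you. The decoder names, rule ID and the sample log line are assumptions constructed for this example.

```xml
<!-- Added example, part 1: local_decoder.xml fragment.
     Constructed sample line this decoder is written against (not taken from the page):
     Oct 12 10:01:02 host1 kernel: [12345.678] [UFW BLOCK] IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.5 DST=198.51.100.9 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=41234 DPT=22 WINDOW=0 RES=0x00 SYN URGP=0 -->

<!-- Parent: only lines logged by "kernel" that carry the UFW BLOCK tag.
     Square brackets are literal characters in the OSSEC regex dialect. -->
<decoder name="ufw-block">
  <program_name>kernel</program_name>
  <prematch>[UFW BLOCK]</prematch>
</decoder>

<!-- Child: capture groups map positionally onto the names in <order>.
     \S+ = non-space run, \.+ = anything, \w+ = alphanumeric run. -->
<decoder name="ufw-block-fields">
  <parent>ufw-block</parent>
  <regex offset="after_parent">SRC=(\S+) DST=(\S+) \.+ PROTO=(\w+)</regex>
  <order>srcip, dstip, protocol</order>
</decoder>

<!-- Added example, part 2: local_rules.xml fragment.
     IDs 100000 and above are reserved for local rules; 100100 is an assumption. -->
<group name="local,ufw,">
  <rule id="100100" level="5">
    <decoded_as>ufw-block</decoded_as>
    <description>UFW blocked $(protocol) from $(srcip) to $(dstip)</description>
    <group>firewall_drop,</group>
  </rule>
</group>
```

Feed the sample line to the logtest tool after restarting the manager: phase 2 should show the three decoded fields with the expected values, and phase 3 should show rule 100100 with the substituted description. If phase 3 prints the description with `$(srcip)` left as literal text, the installed version does not perform the substitution and the field values are only available in the alert body and JSON output.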
0 votes, 1 answer

OSSEC HIDS on AWS ECS

The question is more about the architecture to choose than coding per se. I have my app deployed on AWS ECS (a cluster made of EC2 instances running containers). How can I install OSSEC HIDS in that setup? As a side container for every app container, or it…
Murakami
0 votes, 1 answer

Check file integrity in a Docker container using OSSEC

Can OSSEC be used to check files which are inside a Docker container? From what I have read, OSSEC can only monitor file integrity of the host machine.
kumar