Questions tagged [ossec]

OSSEC is an Open Source Host-based Intrusion Detection System that performs log analysis, file integrity checking, policy monitoring, rootkit detection, real-time alerting and active response.

OSSEC is a full platform to monitor and control your systems. It combines host-based intrusion detection (HIDS), log monitoring and SIM/SIEM functions in a single open source solution.

Visit ossec.github.io for the latest information.

44 questions
11 votes, 1 answer

How to retrieve OSSEC's log alerts into Elasticsearch (ELK)?

I have tried this tutorial, but it didn't catch the OSSEC logs (alerts, syslog, etc.); it just gives me this message in my Kibana app: "Couldn't find any Elasticsearch data. You'll need to index some data into Elasticsearch before you can create an…"
Gagantous
8 votes, 1 answer

OSSEC email notification failed to send an email

I am getting an error when trying to use the OSSEC email notification feature. I used my Gmail account for this case. I have tried this tutorial, but I couldn't get any email from it. The error log contains this warning: Mail not accepted by…
Gagantous
3 votes, 3 answers

Can fscanf buffer overflow when %d is used?

I ran the Fortify Static Code Analyzer on the ossec-hids repo and it reported the following Buffer Overflow: Format String finding for src/analysisd/stats.c:415: The format string argument to fscanf() at stats.c line 415 does not properly limit the…
Shane Bishop
2 votes, 3 answers

Wazuh Agent not connecting

I have two questions. My immediate problem is that the Wazuh agent never connects to the Wazuh manager. A. That makes me think: while installing the Wazuh manager, where do we provide the Wazuh manager IP? B. I registered Windows and RHEL machines as agents but none of…
Subhajit Pathak
2 votes, 1 answer

OSSEC windows agent configuration

I am getting started with OSSEC and I want to configure a Windows agent. I have followed the documentation and this. My server is an Ubuntu VM and I want to have a Windows agent. This is the output of active agents: vm:/var/ossec/etc#…
roffensive
2 votes, 2 answers

How to automatically remove inactive OSSEC agents (batch)

As part of a batch bash program, how can I automatically remove inactive OSSEC agents in the case of autoscaling groups, where instances are created and deleted constantly?
atbash
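One way to do this pruning, as an added example that is not part of the question above or of the OSSEC project: a POSIX shell script that parses the agent listing and removes agents that are no longer reporting. It assumes the listing format of `/var/ossec/bin/agent_control -l` shown in the constructed sample (one `ID: …, Name: …, IP: …, <status>` line per agent, with a status of Active, Active/Local, Disconnected or Never connected) and that `/var/ossec/bin/manage_agents -r <id>` removes an agent non-interactively; the `KEEP_NAMES` filter, the `DRY_RUN` switch and the script name `prune.sh` are this example's own.

```shell
#!/bin/sh
# Added example, not code from the question or from the OSSEC project: prune OSSEC
# agents that are no longer reporting, for a cron/batch job on an autoscaling manager.
#
# Assumptions (labelled): on the manager, `/var/ossec/bin/agent_control -l` prints one
# line per agent in the form
#     ID: 001, Name: web1, IP: 10.0.0.5, Active
# with a final status field of Active, Active/Local, Disconnected or Never connected,
# and `/var/ossec/bin/manage_agents -r <id>` removes an agent non-interactively.

# Constructed sample of `agent_control -l` output, so the script runs without a manager.
SAMPLE_AGENT_LIST='OSSEC HIDS agent_control. List of available agents:
   ID: 000, Name: manager (server), IP: 127.0.0.1, Active/Local
   ID: 001, Name: web1, IP: 10.0.0.5, Active
   ID: 002, Name: web2, IP: 10.0.0.6, Disconnected
   ID: 003, Name: web3, IP: 10.0.0.7, Never connected
   ID: 004, Name: db1, IP: any, Active'

# inactive_agent_ids KEEP_NAMES
#   stdin: agent_control -l output.  Prints the ID of every agent whose status is
#   Disconnected or Never connected, except the manager (ID 000) and any agent whose
#   Name is in KEEP_NAMES (whitespace separated). KEEP_NAMES is meant for instances
#   the cloud API still reports as running: a freshly launched instance shows
#   "Never connected" until its agent finishes enrolling, and must not be deleted.
inactive_agent_ids() {
    awk -v keep="$1" -F', ' '
        BEGIN {
            n = split(keep, k, "[ \t\n]+")
            for (i = 1; i <= n; i++) if (k[i] != "") live[k[i]] = 1
        }
        /^ *ID: / {
            id = $1;      sub(/^ *ID: /, "", id)
            name = $2;    sub(/^Name: /, "", name)
            status = $NF; sub(/[ \t\r]+$/, "", status)
            if (id == "000" || (name in live)) next
            if (status == "Disconnected" || status == "Never connected") print id
        }'
}

# remove_inactive_agents LISTING KEEP_NAMES
#   Removes each inactive agent with manage_agents -r. DRY_RUN=1 (the default) only
#   prints the commands; set DRY_RUN=0 on a real manager to execute them.
remove_inactive_agents() {
    printf '%s\n' "$1" | inactive_agent_ids "$2" | while IFS= read -r id; do
        if [ "${DRY_RUN:-1}" = "1" ]; then
            echo "would run: /var/ossec/bin/manage_agents -r $id"
        else
            /var/ossec/bin/manage_agents -r "$id"
        fi
    done
}

# Stand-alone run: dry-run over the constructed sample. On a manager (prune.sh is a
# hypothetical name for this file) use:
#   LISTING="$(/var/ossec/bin/agent_control -l)" KEEP_NAMES="web3" DRY_RUN=0 sh prune.sh
remove_inactive_agents "${LISTING:-$SAMPLE_AGENT_LIST}" "${KEEP_NAMES:-}"
```

Two caveats for a real deployment: OSSEC loads client.keys when it starts, so agents removed with manage_agents stay known to the running manager until it is restarted, and "Never connected" alone is not proof that an instance is gone, which is why the script takes a list of names to keep from whatever source knows which instances are still alive.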
1 vote, 0 answers

ossec-slack active-response on ossec agent

I'm testing OSSEC as our IDPS solution. I chose the one-server, multiple-agents configuration, as the agents will be installed on instances within an autoscaling group. I've managed to make everything work; however, the Slack integration doesn't seem to…
DevOpsNRZ
1 vote, 1 answer

Where to put which OSSEC configuration - monitoring crontab

I am evaluating (vanilla) OSSEC+ (not Wazuh). If I understand the documentation correctly, all the rule-specific configuration has to be done on the server, which sounds very reasonable as I do not want to change the configuration of every single…
Dantel35
1 vote, 1 answer

Not showing OSSEC agent actual IP address on manager server

I added a new agent on the manager server using the ossec-authd method, which registers an agent on the manager server without interactive prompt input. I am able to add an agent on the manager server, but it shows the agent IP address as IP: any. I…
1 vote, 1 answer

How to automate registering the OSSEC agent ip address on manager server?

I want to automate the process of registering the OSSEC agent IP on the OSSEC manager server. I have explored many links and articles about it, but everywhere they mention entering the IP value through a prompt using…
1 vote, 1 answer

Unable to analyse MySQL error logs in OSSEC

I am trying to analyze MySQL error logs that are generated on my OSSEC agent and raise alerts using the OSSEC server. Here is the code block added to /var/ossec/etc/ossec.conf on the agent side to read the MySQL error logs from the agent: …
1 vote, 1 answer

Is it possible to enable/disable rules remotely from Wazuh server?

I have read about centralized configuration in Wazuh. But can the rules be enabled/disabled on the server instead of changing them on all servers?
Sravan
1 vote, 0 answers

OSSEC HIDS cannot ignore rules based on hostname

I am attempting to ignore an OSSEC rule for an alert that is triggered from a certain host. Rule 5401 exists in the syslog_rules.xml file: 5400 3 incorrect password attempts
0 votes, 0 answers

Wazuh Windows agent can't connect after long disconnect

My Windows Wazuh agent registers properly and the agent is visible. However, when the computer is turned off for a few hours and you boot it, it doesn't connect to the manager. I can provide logs and debug logs if you need this information to diagnose the…
Cahir7
0 votes, 0 answers

OSSEC Dashboard is completely blank

Hey all, I'm trying to set up OSSEC HIDS with the WUI on a VM; however, despite following the steps and confirming that OSSEC is already running, the dashboard still remains empty, as seen in the image. I even set it up on a separate VM on a clean…