Atomicorp

Yes, aum works on Ubuntu. 20.04.

Install aum and it will install modsecurity for you.

Whats your process for testing the agent?

How did you provision the key for the agent?

Should be port 1514, is it trying 1415 on your system?

Yeah, thats a better option as the OS is what sets the outbound normally.

2021/05/31 14:06:16 ossec-remoted(2202): ERROR: Error uncompressing string. That means something tried to send a message of one size, and it was actually of another. Was this a device sending messages to the syslog listener on 514, or an agent on 1514, and if the later, which version and platform?

So this error means whatevers trying to connect isnt using the right protocol (which could be anything, nmap, telnet, etc.). If thats what you were doing, thats what that means. If not, what agent and version is running on the endpoint, and was this something trying to send events to the hub for sys...

In ASL/AP v6, we no longer use mysql, that however does not deprecate any functionality in ASL/AP.

easiest way is to start remoted from the command line and start it with -d which puts into debug mode.

When you mean random port, do you mean the port the agent is trying to connect to? That should be 1514 by default. If you mean the port the client computer uses to establish the connection, thats controlled by the operating system. Its going to use a high port thats not in use by another outbound co...

Is this on debian?

We have a kernel module we will be releasing soon. The key reason weve moved away from a dedicated kernel was PHP. The JIT compiler while making PHP much faster, needs to violate the memory protection model (so it can work), and everytime a control panel updated PHP they overwrote the flags that all...

<jsonout_output>yes</jsonout_output> Is the new systax. It belongs in the global settngs, for example: <global> <email_notification>yes</email_notification> <email_to>root@localhost</email_to> <smtp_server>127.0.0.1</smtp_server> <helo_server>localhost</helo_server> <email_from>localhost</email_from...

Its been deprecated. You can keep using it if you like, but its not going to be updated.

Yes you can, you do at the rule level after the rule thats been triggered. Its a match basically, and change whatever you need to change. For example, to lower the level to 0 for that agent for an entire group: <rule id=12345 level="0"> <if_group>syscheck</if_group> <hostname>some_agents_n...