Atomicorp

Could you post the full output of the yum command?

Could you explain a little more about what you want to change?

What I mean is that there seems to be a bug BEFORE the decoders are selected. The IP address is located before the log text itself, so it's not a matter of decoder here, but about the parser that separates the line into the the fields that are later processed by the decoders. The parser is the deco...

I think I understand where you might be having trouble. Think of decoders as translators, so even though a log might be going thru a decoder, if it doesnt understand the log message it wont translate it correctly. You need the right decoder for that specific log format, even if its coming from the s...

It doesnt look like you have a decoder for that application:

**Phase 2: Completed decoding.
No decoder matched.

Without a decoder, OSSEC doesnt know what each field means.

EL8 is officially supported.

The 4.0 RPMs are available here:

https://updates.atomicorp.com/channels/ossec-hub-repo/

And the 4.2.x RPMs are available here:

https://updates.atomicorp.com/channels/awp-hub-repo/

OK, I see whats going on, your system is using the old 3.x open source branch, there a bug in the branch for remoted. You'll want to upgrade to the 4.x branch.

I have the version which was installed using the instructions from my initial post. How do I find from the command-line what version is installed? Just query the operating system software management system, for example: rpm -qa ossec* For example: [mshinn@threat ~]$ rpm -qa ossec* ossec-hids-4.2.2-...

You can whitelist a CIDR or IP by running this command as root:

asl -w 1.2.3.0/24

And on v6:

awp -w 1.2.3.0/24

Are you using the open source OSSEC only? And if so, what version? Understood, however, shouldn't the service run on both protocols, or at least be binding to IPv4 in the first instance as still the standard? I'm not sure I understand, remoted will run on both protocols at the same time. It will not...

Does ossec-remoted not bind to IPv4 by default? It runs on IPv4 too, for example: [root@host ~]# netstat -anupl | grep ossec-remoted udp 0 0 0.0.0.0:1514 0.0.0.0:* 11174/ossec-remoted [root@host ~]# However, if an IPv4 interface wasnt plumbed when the service was started, then you would only see it...

Assuming the agent is trying to connect to the remoted service running on an IPv4 IP, no it doesnt look like you have ossec-remoted running on an IPv4 address. Is the hub system plumbed with an IPv4 address? Alternatively you can use IPv6. If so, what happens if you restart the ossec-hids service? P...

I'm not sure if Plesk makes the rules available in some other way, but if they provided you with a username and password you can just log into our rules archive with those credentials and download the rules.

You can however install the rules on your server outside of Plesk, just follow this process:

https://wiki.atomicorp.com/wiki/index.p ... stallation