Search found 1668 matches

by mikeshinn
Tue Nov 12, 2019 5:22 pm
Forum: Atomic Protector (formerly ASL)
Topic: ASL - Logs
Replies: 1
Views: 4866

Re: ASL - Logs

WAF events are logged concurrently to the event data repository with one per event and are stored by default in this location on the system:

/var/asl/data/audit/apache
by mikeshinn
Wed Sep 25, 2019 3:23 pm
Forum: OSSEC
Topic: Long messages being truncated when sent using syslog_output.
Replies: 10
Views: 5741

Re: Long messages being truncated when sent using syslog_out

Ah, OK so that sounds like you're just using the open source builds? If so, then you need to grab the latest source code and build from that; the binary you're using is quite old and it looks like you're using 3.0, whereas the source tree has patches for the upcoming 4.0 release. If you're using the comme...
by mikeshinn
Tue Sep 17, 2019 4:35 pm
Forum: OSSEC
Topic: Long messages being truncated when sent using syslog_output.
Replies: 10
Views: 5741

Re: Long messages being truncated when sent using syslog_out

That's pretty old, I don't think we've put out a version of AEO using a version of OSSEC that old. Can you send me the version number for AEO with this command:

asl -v
by mikeshinn
Wed Sep 11, 2019 10:35 am
Forum: OSSEC
Topic: Long messages being truncated when sent using syslog_output.
Replies: 10
Views: 5741

Re: Long messages being truncated when sent using syslog_out

Sorry if I wasn't clear, the latest version of AEO has no limit. What version of AEO is the hub using?

Just run this command:

asl -v
by mikeshinn
Fri Sep 06, 2019 8:41 am
Forum: OSSEC
Topic: Local installation version VS Agentless Server installation
Replies: 1
Views: 2501

Re: Local installation version VS Agentless Server installat

They're basically the same thing. You may want to disable some services that are used just with agents, like remoted, but otherwise a standalone instance is an OSSEC server as opposed to an agent.
by mikeshinn
Tue Aug 20, 2019 6:58 pm
Forum: OSSEC
Topic: Long messages being truncated when sent using syslog_output.
Replies: 10
Views: 5741

Re: Long messages being truncated when sent using syslog_out

Yes, the latest version of AEO allows for setting effectively an unlimited limit; just make sure you're using the latest version of AEO.
by mikeshinn
Thu Jul 18, 2019 1:29 pm
Forum: OSSEC
Topic: How to extract IP from Log
Replies: 4
Views: 3299

Re: How to extract IP from Log

What version of OSSEC are you using?
by mikeshinn
Fri Jul 05, 2019 2:59 pm
Forum: OSSEC
Topic: active-responses log filling up drive
Replies: 1
Views: 2451

Re: active-responses log filling up drive

It looks like you've included either /var or /var/ossec in your FIM settings, and configured them further to report the content of changes in those directories (record diffs). Just log into the AEO GUI, click on the "ASL" tab, select "File Integrity", then select "Watch R...
by mikeshinn
Fri Jul 05, 2019 2:54 pm
Forum: OSSEC
Topic: How to extract IP from Log
Replies: 4
Views: 3299

Re: How to extract IP from Log

Yes, you just need to create a decoder for that application/platform's log format, which will then allow you to assign key values for each position/pattern/delimiter in your log file. You'll find decoders in /var/ossec/etc/decoders.d/ For example: May 14 17:49:12 auth openvpn: Sun May 14 17:49:12 2017 2...
by mikeshinn
Fri Jul 05, 2019 2:50 pm
Forum: Atomic Protector (formerly ASL)
Topic: SACK
Replies: 7
Views: 7232

Re: SACK

It's not added into a table, it changes kernel settings.
by mikeshinn
Wed Jun 26, 2019 5:55 pm
Forum: Atomic Protector (formerly ASL)
Topic: SACK
Replies: 7
Views: 7232

Re: SACK

On older systems it was probably set to no; it is set to yes by default. Not sure when the change happened, though, but for some time it's been the default.
by mikeshinn
Thu Jun 20, 2019 4:33 pm
Forum: Atomic Protector (formerly ASL)
Topic: SACK
Replies: 7
Views: 7232

Re: SACK

Only if TSO or GSO is enabled for the interface, and only if you have MSS protection disabled in ASL. Check this setting in ASL: FW_MSS_DROP="yes" ASL has always been immune to this kind of attack, for many many years, if this is enabled. If you're not using ASL, then you want to check to se...
by mikeshinn
Tue Jun 18, 2019 3:57 pm
Forum: Atomic OSSEC
Topic: which agent reported the event?
Replies: 4
Views: 8875

Re: which agent reported the event?

Just a followup, the QA build will be released tomorrow into testing.
by mikeshinn
Thu Jun 13, 2019 4:37 pm
Forum: Atomic OSSEC
Topic: which agent reported the event?
Replies: 4
Views: 8875

Re: which agent reported the event?

Doug, I see what's happening: it is a setting, but a bug is causing it to be hidden in the current GUI. We're pushing an update out into QA to enable this column, and it'll be in the testing channel Monday. As soon as it's available I'll post that it's out. You'll be able to install the update from "t...
by mikeshinn
Fri Jun 07, 2019 4:16 pm
Forum: Atomic OSSEC
Topic: New machine learning features in OSSEC
Replies: 0
Views: 8879

New machine learning features in OSSEC

We're proud to announce the release of the next generation of our cloud-based machine learning system for our Atomic Workload Protection and Atomic Enterprise OSSEC customers. What you'll see in both products now is that our cloud-based machine learning engine is now able to detect and block attacks ...