ossec-keepalive


Leroy Tennison

Aug 28, 2017, 11:53:55 AM
to ossec-list
Just FYI, I'm not sure if a resolution to https://groups.google.com/forum/#!msg/ossec-list/dE3klm84JMU/kGZkRdSl3ZkJ has been put in place or not, but it is occurring in v2.9.2 - I received an email alert (I can post the text if it would be helpful).

Related to this, I noticed that the alert level is 2; it appears that the only place to set alert levels is in ossec.conf on the server or 'local' (it is configured on the server as the default: <email_alert_level>7</email_alert_level>).

I seem to remember seeing somewhere that a local install was one where the server managed only itself, but I can't find that reference now. Is that correct?

The other option is to configure the system as hybrid. If that would allow the notification to be suppressed (and the implications of the change weren't too great), I would be glad to configure it that way if someone could point me to instructions on how to do so.

Thanks for the help; my learning curve at this point is pretty steep.

dan (ddp)

Aug 28, 2017, 2:00:57 PM
to ossec...@googlegroups.com
On Mon, Aug 28, 2017 at 11:53 AM, Leroy Tennison
<leroy.t...@gmail.com> wrote:
> Just FYI, not sure if a resolution to
> https://groups.google.com/forum/#!msg/ossec-list/dE3klm84JMU/kGZkRdSl3ZkJ
> has been put in place or not but it is occurring in v2.9.2 - I received an
> email alert (can post the text if it would be helpful).
>

More relevant information is generally helpful. There have been
attempts at silencing these, but they're usually low volume enough
that it isn't a huge deal.

> Related to this, I noticed that the alert level is 2, it appears that the
> only place to set alert levels is in ossec.conf on the server or 'local' (it
> is configured on the server as the default:
> <email_alert_level>7</email_alert_level>).
>
> I seem to remember seeing somewhere that a local install was one where the
> server managed only itself but can't find that reference now, is that
> correct?
>

This is correct. It's a standalone system.

> The other option is to configure the system as hybrid, if that would allow
> the notification to be suppressed (and the implications of the change
> weren't too great), I would be glad to configure it that way if someone
> could point me to instructions on how to do so.
>

Hybrid installs are for OSSEC servers that report to an upstream OSSEC
server. It is essentially a server to agents, as well as an agent to a
server (passing the alerts from its agents upstream).

> Thanks for the help, my learning curve at this point is pretty steep.
>

Leroy Tennison

Aug 28, 2017, 3:02:16 PM
to ossec-list
Thanks for the answer, that clarifies my understanding. Sounds like you would like to see the alert details so here they are ("our-demo" below is an agent, not the server):

OSSEC HIDS Notification.
2017 Aug 27 08:20:39

Received From: (our-demo) 10.nnn.nnn.nnn->ossec-keepalive
Rule: 1002 fired (level 2) -> "Unknown problem somewhere in the system."
Portion of the log(s):

--MARK--: dh7GKhV3D=9_tT9mi+oFulZk!/aTDX2_mDueL^7wo;Y-[Bccq4-;^Pcb]Qcyh5n7QH@JrN5))x9$Y#&w;6p835rYqu-@HdN=LsBknO.bu7%A]Yf)#8dJHvbfPGzEJ#vC/eMmb;1vhJdcQi+!&'o623tZdS.]#6xt@sFuYO.5=a7+Xe0+LwVV'xoLxlGe(lxfDkz]Ywi.!x)BCN5v98*k??VxZ]^LVg/;4@CwP;7tqUdaP8v6KU*;c_31yMU)aatm@d-u,XNm0/0joD&h;j?I.2RvWfWef&4y)US^lNJtMdDiH1p$sop3y6'Ct._#$Se1UWKodCH.Fsg#)9TTGqr4-YPjV*+DEH/;.-UPs,[YoO(Qs_dYeu!J(taITE@=@rx9h(s%w0_Kj6[BU/'hslQT)Q]G_o@0FQ*[CRqgleRutLdv=KCkWAlJ*g^n8UvhegP+fo]rs['L_.7@HRDL(O_lUlywnc*6W^d2.MB3H8Xv5yaVxEaj(D8+OPZkR'&h8)rnzayo9+JI1;L'!MQext'@8b+t[n%kOO@wOdK5HCWcubJ/][Qs1KMD'^eB.A''w4p@p0;e,OhqQ/2'GmmbegEL+-#Ar5u]*JoPRhTNV0lfhvNNIZP[5BGc60*FATAl,Pi,W2Jl!d5*ymzotwjGf.I@X



 --END OF NOTIFICATION
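The notification above is the keepalive artefact the thread is about: rule 1002 fires on the agent's `ossec-keepalive` pseudo-location with a random `--MARK--` payload. Rule 1002 also fires on real log lines, so anything that filters these emails has to key on the location and payload, not on the rule id alone. The following is an added example, not code from the thread or from the OSSEC project: a small Python triage helper that parses the notification format quoted above and separates the keepalive artefact from a rule-1002 alert raised on a real log file. Both sample notifications are constructed; the first is modelled on Leroy's post with the payload shortened and the address left as the placeholder he used, the second (a syslog line) is invented for contrast.

```python
import re
from dataclasses import dataclass

# Constructed sample, modelled on the notification quoted in the thread
# (keepalive payload shortened, agent address kept as the placeholder).
SAMPLE_KEEPALIVE_ALERT = """OSSEC HIDS Notification.
2017 Aug 27 08:20:39

Received From: (our-demo) 10.nnn.nnn.nnn->ossec-keepalive
Rule: 1002 fired (level 2) -> "Unknown problem somewhere in the system."
Portion of the log(s):

--MARK--: dh7GKhV3D=9_tT9mi+oFulZk!/aTDX2_mDueL^7wo;Y-[Bccq4-;^Pcb]Qcyh5n7QH

 --END OF NOTIFICATION
"""

# Constructed contrast sample: the same rule id, but from a real log file.
SAMPLE_SYSLOG_ALERT = """OSSEC HIDS Notification.
2017 Aug 27 09:01:10

Received From: (our-demo) 10.nnn.nnn.nnn->/var/log/syslog
Rule: 1002 fired (level 2) -> "Unknown problem somewhere in the system."
Portion of the log(s):

Aug 27 09:01:09 our-demo kernel: EXT4-fs error (device sda1): constructed sample line

 --END OF NOTIFICATION
"""

# "Received From: (agent) address->location" and the "Rule: ..." header line.
RECEIVED_RE = re.compile(
    r"^Received From: \((?P<agent>[^)]+)\) (?P<addr>\S+?)->(?P<location>\S+)$", re.M)
RULE_RE = re.compile(
    r'^Rule: (?P<id>\d+) fired \(level (?P<level>\d+)\) -> "(?P<desc>[^"]*)"$', re.M)


@dataclass
class OssecAlert:
    timestamp: str
    agent: str
    address: str
    location: str
    rule_id: int
    level: int
    description: str
    log: str


def parse_notification(text: str) -> OssecAlert:
    """Parse one OSSEC HIDS email notification into its fields."""
    lines = text.splitlines()
    if not lines or not lines[0].startswith("OSSEC HIDS Notification"):
        raise ValueError("not an OSSEC HIDS notification")
    timestamp = lines[1].strip()
    received = RECEIVED_RE.search(text)
    rule = RULE_RE.search(text)
    if received is None or rule is None:
        raise ValueError("missing 'Received From' or 'Rule' header")
    # The log portion sits between the "Portion of the log(s):" marker and
    # the end-of-notification trailer (or end of text if the trailer is absent).
    marker = "Portion of the log(s):"
    start = text.index(marker) + len(marker)
    end = text.find("--END OF NOTIFICATION")
    log = text[start:end if end != -1 else None].strip()
    return OssecAlert(timestamp, received["agent"], received["addr"],
                      received["location"], int(rule["id"]),
                      int(rule["level"]), rule["desc"], log)


def is_keepalive_noise(alert: OssecAlert) -> bool:
    """True only for the keepalive artefact: rule 1002 on the ossec-keepalive
    pseudo-location carrying a --MARK-- payload. Rule 1002 from any real log
    location is deliberately not matched."""
    return (alert.location == "ossec-keepalive"
            and alert.rule_id == 1002
            and alert.log.startswith("--MARK--:"))


def triage(alert: OssecAlert) -> str:
    """Label an alert for a mail filter: 'suppress' the keepalive artefact,
    'review' everything else (level threshold decisions stay with ossec.conf)."""
    return "suppress" if is_keepalive_noise(alert) else "review"


if __name__ == "__main__":
    for sample in (SAMPLE_KEEPALIVE_ALERT, SAMPLE_SYSLOG_ALERT):
        a = parse_notification(sample)
        print(f"{a.agent} {a.location} rule={a.rule_id} level={a.level}: {triage(a)}")
```

The check is intentionally narrow: all three conditions (location, rule id, `--MARK--` prefix) must hold, so a genuine rule-1002 hit from `/var/log/syslog` on the same agent is still surfaced. Filtering on the receiving side is a stopgap; OSSEC's own mechanism for this kind of suppression is a level-0 local rule (in `local_rules.xml`, chained with `<if_sid>1002</if_sid>` and a condition on the location or the `--MARK--` text), but the thread does not say whether the keepalive case was eventually handled that way, so that is an assumption about the general mechanism rather than something the thread confirms.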