@scottalanmiller said in What Are You Doing Right Now:
@DustinB3403 said in What Are You Doing Right Now:
@scottalanmiller said in What Are You Doing Right Now:
Exciting moment.... new software product shown to the first potential customer just now. Years of work, and now the moment of truth.
Customer: Nah. . .
Likely
Let us know what the actual response is. But what software was pitched?
@scottalanmiller said in What Are You Doing Right Now:
Exciting moment.... new software product shown to the first potential customer just now. Years of work, and now the moment of truth.
Customer: Nah. . .
@IRJ said in Wazuh - operational and can add agents - now what:
So you already filtered it. Just click discover on top right
Doh that is so easy that I didn't even think that was it.
Or I guess an even better question is there some free training on wazuh? I did a very brief search and found a few things, but it's all over the place as to what may be useful.
@IRJ so a lot of this works out of the box, one question I have is how the heck do I get the details of specific events.
In the below I specifically failed a login attempt a few times, How can I find out what client was attempting to login to this server and failed?
Starting Wazuh manager...
env[11593]: 2019/12/11 15:11:32 ossec-analysisd: CRITICAL: rules_list: Signature ID '9999' not found. Invalid 'if_sid'.
env[11593]: ossec-analysisd: Configuration error. Exiting
systemd[1]: wazuh-manager.service: Control process exited, code=exited status=1
systemd[1]: wazuh-manager.service: Failed with result 'exit-code'.
systemd[1]: Failed to start Wazuh manager. Starting Wazuh manager...
env[11414]: 2019/12/11 13:57:27 ossec-analysisd: CRITICAL: rules_list: Signature ID '13202' not found. Invalid 'if_sid'.
env[11414]: ossec-analysisd: Configuration error. Exiting
systemd[1]: wazuh-manager.service: Control process exited, code=exited status=1
systemd[1]: wazuh-manager.service: Failed with result 'exit-code'.
systemd[1]: Failed to start Wazuh manager.@IRJ so I can't start the wazuh-manager because ossec-analysisd: ERROR: Invalid option 'frequency' for rule '100100'.
I'll have to look into that in a bit, have a meeting to run too.
Okay, so I've added that file to /var/ossec/etc/rules and entered what you provided (probably should verify that for my own sanity). Do I need to "enable" it or refresh the rules?
@IRJ How are rulesets installed?