Actually never mind, I lied... I guess I just had to wait long enough for the syscheck database to initiate fully. I def got an email alert as soon as I deleted a file. So that helps a lot :) Very grateful for your assistance.

I am sure I will have a lot more questions. Thanks once again Jeremy.

On Wed, Sep 15, 2010 at 5:58 PM, Jeremy Lee <[email protected]> wrote:
> Are you watching the /var/ossec/logs/ossec.log file to see if the
> syscheck/rootcheck processes are kicking off?
>
> It would be good if you could copy and paste the output from your ossec.conf
> files (both on the agent and server) as well as snippets from the ossec.log
>
> Thanks,
> Jeremy
>
> On Wed, Sep 15, 2010 at 2:53 PM, Aamir Niazi <[email protected]> wrote:
>> OK so I went ahead and added the directory on the agent. Stopped and
>> restarted the agent. Changed the time on ossec.conf on the server to
>> 60 seconds just to test quickly. Stopped and restarted the server with
>> no luck. I edited the files and added a new file in that directory but
>> did not get any alerts in the email. Email settings are configured
>> properly since I have been getting OSSEC stop/restart emails whenever
>> I reset the server. What am I doing wrong?
>>
>> As far as the users go, I meant if local users are added or deleted on
>> the agents.
>>
>> On Wed, Sep 15, 2010 at 5:36 PM, Jeremy Lee <[email protected]> wrote:
>> > Sorry, my initial comment was incorrect. You should specify, as you
>> > already did I believe, the C:\Test_TPS path in the ossec.conf that's on
>> > your Windows machine. Syscheck generally runs locally to each box so
>> > putting that on the OSSEC Server (Ubuntu) wouldn't do much. If you want
>> > to change the frequency, however, you need to do that on the OSSEC
>> > server I believe.
>> >
>> > On Wed, Sep 15, 2010 at 2:27 PM, Aamir Niazi <[email protected]> wrote:
>> >> Also when I add that particular directory under syscheck in ossec.conf
>> >> on the server, how does the server automatically know to check for
>> >> that directory on the agent? And what if I had to check one directory
>> >> on one agent and another on another agent, how do I specify which agent
>> >> it should check the directory on?
>> >>
>> >> Much appreciate your input.
>> >>
>> >> Thanks
>> >>
>> >> On Wed, Sep 15, 2010 at 4:33 PM, Jeremy Lee <[email protected]> wrote:
>> >> > Hi there,
>> >> >
>> >> > Welcome!
>> >> >
>> >> > It sounds like you want to do some integrity checking to notify you
>> >> > of any changes to files in the C:\Test_TPS directory, correct? If so,
>> >> > it should be pretty straightforward. You just need to edit the
>> >> > ossec.conf (/var/ossec/etc/ossec.conf is the default path on your
>> >> > OSSEC server) and add the following under the <syscheck> section:
>> >> >
>> >> > <directories check_all="yes">C:\Test_TPS</directories>
>> >> >
>> >> > Hope that helps!
>> >> >
>> >> > --Jeremy
>> >> >
>> >> > On Wed, Sep 15, 2010 at 1:22 PM, Aamir Niazi <[email protected]> wrote:
>> >> >> Hello List, my first time writing to this list.
>> >> >>
>> >> >> I have OSSEC running on Ubuntu 10.4 and have Windows client
>> >> >> machines. There is not much on the website regarding rules so I
>> >> >> purchased the OSSEC book. But I am still confused about how you
>> >> >> custom write rules to monitor specific directories. Let's say if I
>> >> >> wanted to monitor the C:\Test_TPS folder and files within this
>> >> >> directory on the Windows machine, what would I have to do in order
>> >> >> to make sure that the client is configured for this and the server
>> >> >> is also monitoring this directory for any changes and integrity? If
>> >> >> anyone can elaborate a little bit on this I would highly appreciate
>> >> >> it. FYI I am a *nix newbie.
>> >> >>
>> >> >> Thanks a lot in advance.
>> >> >>
>> >> >> --
>> >> >> Best Regards,
>> >> >>
>> >> >> Aamir Niazi
>> >>
>> >> --
>> >> Best Regards,
>> >>
>> >> Aamir Niazi
>> >> Senior Security Analyst
>>
>> --
>> Best Regards,
>>
>> Aamir Niazi
>> Senior Security Analyst

--
Best Regards,
Aamir Niazi
Senior Security Analyst
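An added example, not text from the thread or from the OSSEC project: the agent-side syscheck block the thread converges on, and the server-side agent.conf block that addresses the still-open question of scoping a directory to one agent. The Windows file path, the frequency value and the agent name are assumptions; the comments describe standard OSSEC behaviour.

```xml
<!-- Agent side: C:\Program Files\ossec-agent\ossec.conf (assumed default
     Windows agent path). Syscheck runs locally on each box, so this is the
     file that actually controls what the Windows machine scans. -->
<ossec_config>
  <syscheck>
    <!-- Scan interval in seconds (OSSEC default is 79200). A value of 60, as
         used for testing in the thread, hammers the disk and is not a
         production setting. The first full scan must finish before any
         change can be reported, which is the delay the thread ran into. -->
    <frequency>3600</frequency>

    <!-- Report created files, not only modified and deleted ones. Without
         this, dropping a new file into the directory yields no event. The
         matching rule (554) is level 0 by default and must be raised in
         local_rules.xml on the server before it reaches email_alert_level. -->
    <alert_new_files>yes</alert_new_files>

    <!-- Directory from the thread. check_all covers size, owner,
         permissions, MD5 and SHA1. -->
    <directories check_all="yes">C:\Test_TPS</directories>
  </syscheck>
</ossec_config>

<!-- Server side: /var/ossec/etc/shared/agent.conf. The manager pushes this
     file to its agents, and the name attribute limits a block to a single
     agent, which is how one directory is monitored on one agent and a
     different directory on another. "winbox01" is a constructed agent name. -->
<agent_config name="winbox01">
  <syscheck>
    <directories check_all="yes">C:\Test_TPS</directories>
  </syscheck>
</agent_config>
```

After editing either file, restart the agent (and the server for agent.conf changes) and confirm in /var/ossec/logs/ossec.log that syscheck starts and completes a scan before testing with a file change.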
