If you're interested in realtime integrity checking, see here: http://www.ossec.net/main/manual/manual-syscheck/realtime-file-integrity-monitoring/

Looks like you just need to add 'realtime="yes"' to the <directories> option. That way you won't have to run it every 60 seconds.

--Jeremy

On Wed, Sep 15, 2010 at 3:08 PM, Aamir Niazi <[email protected]> wrote:
> Actually never mind, I lied... I guess I just had to wait long enough
> for the syscheck database to initiate fully. I def got an email alert as
> soon as I deleted a file. So that helps a lot :) very grateful for your
> assistance.
>
> I am sure I will have a lot more questions.
>
> Thanks once again Jeremy.
>
>
> On Wed, Sep 15, 2010 at 5:58 PM, Jeremy Lee <[email protected]> wrote:
> > Are you watching the /var/ossec/logs/ossec.log file to see if the
> > syscheck/rootcheck processes are kicking off?
> >
> > It would be good if you could copy and paste the output from your ossec.conf
> > files (both on the agent and server) as well as snippets from the ossec.log
> >
> > Thanks,
> > Jeremy
> >
> > On Wed, Sep 15, 2010 at 2:53 PM, Aamir Niazi <[email protected]> wrote:
> >>
> >> OK so I went ahead and added the directory on the agent. Stopped and
> >> restarted the agent. Changed the time in ossec.conf on the server to
> >> 60 seconds just to test quickly. Stopped and restarted the server with
> >> no luck. I edited the files and added a new file in that directory but
> >> did not get any alerts in the email. Email settings are configured
> >> properly since I have been getting OSSEC stop/restart emails whenever
> >> I reset the server. What am I doing wrong?
> >>
> >> As far as the users go, I meant if local users are added or deleted on
> >> the agents.
> >>
> >>
> >> On Wed, Sep 15, 2010 at 5:36 PM, Jeremy Lee <[email protected]> wrote:
> >> > Sorry, my initial comment was incorrect. You should specify, as you
> >> > already did I believe, the C:\Test_TPS path in the ossec.conf that's on
> >> > your Windows machine. Syscheck generally runs locally to each box, so
> >> > putting that on the OSSEC server (Ubuntu) wouldn't do much. If you want
> >> > to change the frequency, however, you need to do that on the OSSEC
> >> > server I believe.
> >> >
> >> > On Wed, Sep 15, 2010 at 2:27 PM, Aamir Niazi <[email protected]> wrote:
> >> >>
> >> >> Also, when I add that particular directory under syscheck in ossec.conf
> >> >> on the server, how does the server automatically know to check for
> >> >> that directory on the agent? And what if I had to check one directory
> >> >> on one agent and another on another agent, how do I specify which agent
> >> >> it should check the directory on?
> >> >>
> >> >> Much appreciate your input.
> >> >>
> >> >> Thanks
> >> >>
> >> >> On Wed, Sep 15, 2010 at 4:33 PM, Jeremy Lee <[email protected]> wrote:
> >> >> > Hi there,
> >> >> >
> >> >> > Welcome!
> >> >> >
> >> >> > It sounds like you want to do some integrity checking to notify you
> >> >> > of any changes to files in the C:\Test_TPS directory, correct? If so,
> >> >> > it should be pretty straightforward. You just need to edit the
> >> >> > ossec.conf (/var/ossec/etc/ossec.conf is the default path on your
> >> >> > OSSEC server) and add the following under the <syscheck> section:
> >> >> >
> >> >> > <directories check_all="yes">C:\Test_TPS</directories>
> >> >> >
> >> >> > Hope that helps!
> >> >> >
> >> >> > --Jeremy
> >> >> >
> >> >> > On Wed, Sep 15, 2010 at 1:22 PM, Aamir Niazi <[email protected]> wrote:
> >> >> >>
> >> >> >> Hello List, my first time writing to this list.
> >> >> >>
> >> >> >> I have OSSEC running on Ubuntu 10.4 and have Windows client
> >> >> >> machines. There is not much on the website regarding rules, so I
> >> >> >> purchased the OSSEC book. But I am still confused about how to
> >> >> >> write custom rules to monitor specific directories. Let's say I
> >> >> >> wanted to monitor the C:\Test_TPS folder and the files within this
> >> >> >> directory on the Windows machine; what would I have to do in order
> >> >> >> to make sure that the client is configured for this and the server
> >> >> >> is also monitoring this directory for any changes and integrity?
> >> >> >> If anyone can elaborate a little bit on this I would highly
> >> >> >> appreciate it. FYI I am a *nix newbie.
> >> >> >>
> >> >> >> Thanks a lot in advance.
> >> >> >>
> >> >> >> --
> >> >> >> Best Regards,
> >> >> >>
> >> >> >> Aamir Niazi
> >> >> >> Senior Security Analyst
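Putting the thread's pieces together as one worked configuration. This is an added example, not a file posted by anyone in the thread: it combines the <directories> line and realtime="yes" from above with OSSEC's documented <frequency> option and its shared agent.conf mechanism, which is how the server tells a specific agent (or all Windows agents) what to watch; the thread itself never gets to agent.conf. The agent install path, the agent name "web01" and the /var/www/html path are assumptions made for illustration.

```xml
<!-- 1. On the Windows agent: C:\Program Files\ossec-agent\ossec.conf
        (default agent install path; assumed for this example).
        Syscheck runs on the agent, so the path must be known to the agent. -->
<ossec_config>
  <syscheck>
    <!-- Interval in seconds between full scans. OSSEC's default is 79200
         (22 hours); the thread dropped it to 60 only to test quickly.
         With realtime on, a long interval is fine. -->
    <frequency>79200</frequency>

    <!-- check_all = size, permissions, owner, group, MD5 and SHA1.
         realtime="yes" reports changes as they happen via directory change
         notifications instead of waiting for the next scheduled scan. -->
    <directories check_all="yes" realtime="yes">C:\Test_TPS</directories>
  </syscheck>
</ossec_config>

<!-- 2. Alternative, centralised: /var/ossec/etc/shared/agent.conf on the
        OSSEC server. The server pushes this file to every agent; each
        <agent_config> block applies only to agents matching its os= or
        name= attribute, which is how you watch one directory on one agent
        and a different one on another. Agents read it after their next
        restart. -->
<agent_config os="Windows">
  <syscheck>
    <directories check_all="yes" realtime="yes">C:\Test_TPS</directories>
  </syscheck>
</agent_config>

<agent_config name="web01">   <!-- hypothetical Linux agent name -->
  <syscheck>
    <directories check_all="yes">/var/www/html</directories>
  </syscheck>
</agent_config>

<!-- 3. On the OSSEC server: /var/ossec/etc/ossec.conf
        Deleted and modified files alert out of the box; in OSSEC 2.x
        newly created files are only reported when this is enabled. -->
<ossec_config>
  <syscheck>
    <alert_new_files>yes</alert_new_files>
  </syscheck>
</ossec_config>
```

Two practical checks when alerts do not show up, both consistent with what happened in the thread: the first syscheck run only builds the baseline database, so changes made before that completes are not reported (tail /var/ossec/logs/ossec.log for "Starting syscheck scan" and "Ending syscheck scan"); and on OSSEC 2.x the "File added to the system" rule (554) ships at level 0, so even with alert_new_files set you need to raise its level in local_rules.xml before new-file events are emailed.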
