So, changing it to logall and then changing a startup item via
chkconfig... I don't see anything. Nothing in my alerts about it being
changed either.

My log file is below. Does the syscheckd error matter in this case?

r...@ossec:/var/ossec/logs# tail -f ossec.log
2010/11/03 09:56:56 ossec-logcollector(1950): INFO: Analyzing file:
'/var/log/nmap-out-bird.log'.
2010/11/03 09:56:56 ossec-logcollector: INFO: Monitoring full output
of command(360): netstat -tan |grep LISTEN | grep -v '127.0.0.1'
2010/11/03 09:56:56 ossec-logcollector: INFO: Monitoring full output
of command(360): awk -F: '($3 == "0") {print}' /etc/passwd
2010/11/03 09:56:56 ossec-logcollector: INFO: Monitoring full output
of command(360): rpm -qa
2010/11/03 09:56:56 ossec-logcollector: INFO: Monitoring full output
of command(360): awk -F: '($2 == "") {print}' /etc/shadow
2010/11/03 09:56:56 ossec-logcollector: INFO: Monitoring full output
of command(360): find / -user root -perm -4000 -print
2010/11/03 09:56:56 ossec-logcollector: INFO: Started (pid: 23635).
2010/11/03 09:56:56 ossec-analysisd(1210): ERROR: Queue
'/queue/alerts/ar' not accessible: 'Connection refused'.
2010/11/03 09:56:56 ossec-analysisd(1301): ERROR: Unable to connect to
active response queue.
2010/11/03 09:56:56 ossec-analysisd: INFO: Connected to
'/queue/alerts/execq' (exec queue)
2010/11/03 09:57:57 ossec-syscheckd: INFO: Starting syscheck scan
(forwarding database).
2010/11/03 09:57:57 ossec-syscheckd: INFO: Starting syscheck database
(pre-scan).
2010/11/03 09:57:57 ossec-syscheckd: INFO: Initializing real time file
monitoring (not started).
2010/11/03 09:59:34 ossec-syscheckd: ERROR: Invalid internal state
(missing '/etc/alternatives/jaxp_parser_impl').
2010/11/03 10:01:27 ossec-syscheckd: INFO: Finished creating syscheck
database (pre-scan completed).
2010/11/03 10:01:39 ossec-syscheckd: INFO: Ending syscheck scan
(forwarding database).
2010/11/03 10:01:59 ossec-syscheckd: INFO: Starting real time file monitoring.
2010/11/03 10:01:59 ossec-rootcheck: INFO: Starting rootcheck scan.

On Wed, Nov 3, 2010 at 11:40 AM, dan (ddp) <[email protected]> wrote:
> Nothing that I can see. Even with -d it goes into the background.
> DEBUG messages are logged to ossec.log
>
> On Wed, Nov 3, 2010 at 12:30 PM, Tim Eberhard <[email protected]> wrote:
>> What am I missing here?
>>
>> r...@ossec:/home/teberhard# /var/ossec/bin/ossec-logcollector -d
>> 2010/11/03 09:29:47 ossec-logcollector: DEBUG: Starting ...
>> r...@ossec:/home/teberhard# /var/ossec/bin/ossec-logcollector -dt
>> 2010/11/03 09:29:57 ossec-logcollector: DEBUG: Starting ...
>> r...@ossec:/home/teberhard# /var/ossec/bin/ossec-logcollector -d -t
>> 2010/11/03 09:30:00 ossec-logcollector: DEBUG: Starting ...
>> r...@ossec:/home/teberhard# /var/ossec/bin/ossec-logcollector -d -t -c
>> /var/ossec/etc/ossec.conf
>> 2010/11/03 09:30:10 ossec-logcollector: DEBUG: Starting ...
>>
>>
>>
>> On Wed, Nov 3, 2010 at 10:07 AM, dan (ddp) <[email protected]> wrote:
>>> Try running logcollector in debug mode.
>>> Try it with 1 full_command to see if you can get that working. I
>>> recommend the ones that aren't quite so system intensive.
>>>
>>> Here's my setup:
>>>  <localfile>
>>>    <log_format>full_command</log_format>
>>>    <command>netstat -an |grep LISTEN | grep -v '127.0.0.1'</command>
>>>  </localfile>
>>>
>>>  <rule id="510000" level="7">
>>>    <if_sid>530</if_sid>
>>>    <match>ossec: output: 'netstat -an |grep LISTEN</match>
>>>    <check_diff />
>>>    <description>Listened ports have changed.</description>
>>>  </rule>
>>>
>>> This works for me.
>>>
>>> On Wed, Nov 3, 2010 at 10:59 AM, Tim Eberhard <[email protected]> wrote:
>>>> I removed that extra white space and it doesn't appear to have helped
>>>> anything. Checking the log file..
>>>>
>>>> 2010/11/03 07:54:23 ossec-logcollector: INFO: Monitoring full output
>>>> of command(360): netstat -tan |grep LISTEN | grep -v$
>>>> 2010/11/03 07:54:23 ossec-logcollector: INFO: Monitoring full output
>>>> of command(360): awk -F: '($3 == "0") {print}' /etc/$
>>>> 2010/11/03 07:54:23 ossec-logcollector: INFO: Monitoring full output
>>>> of command(360): rpm -qa
>>>> 2010/11/03 07:54:23 ossec-logcollector: INFO: Monitoring full output
>>>> of command(360): awk -F: '($2 == "") {print}' /etc/s$
>>>> 2010/11/03 07:54:23 ossec-logcollector: INFO: Monitoring full output
>>>> of command(360): find / -user root -perm -4000 -print
>>>> 2010/11/03 07:54:23 ossec-logcollector: INFO: Started (pid: 21501).
>>>>
>>>> What is the next step in troubleshooting custom rules like this? I
>>>> apologize if this is a standard question... if someone would show me
>>>> how to go about this I'll do my best to spoon feed myself :)
>>>>
>>>> Thanks again for your help,
>>>> -Tim Eberhard
>>>>
>>>>
>>>> On Tue, Nov 2, 2010 at 7:57 PM, Tim Eberhard <[email protected]> wrote:
>>>>> That's how it sits today. I'll remove them and see if that helps things 
>>>>> at all.
>>>>>
>>>>>
>>>>>
>>>>> On Tue, Nov 2, 2010 at 3:23 PM, dan (ddp) <[email protected]> wrote:
>>>>>> On Tue, Nov 2, 2010 at 4:13 PM, Tim Eberhard <[email protected]> wrote:
>>>>>>> [My apologies for posting this to ossec-dev. I typed in the wrong
>>>>>>> google group. This was intended for ossec-list]
>>>>>>>
>>>>>>> All,
>>>>>>>
>>>>>>> I've been trying to write some rules for my lab OSSEC box and test
>>>>>>> them before we roll OSSEC out to production. I'm having some problems
>>>>>>> writing rules when using the full command. I've tried to follow the
>>>>>>> examples written here:
>>>>>>> http://www.ossec.net/doc/manual/monitoring/process-monitoring.html
>>>>>>>
>>>>>>> But it seems all my added checks/rules don't work properly.
>>>>>>>
>>>>>>> Basic info:
>>>>>>> -Linux - 2.6.18-128.1.6.el5
>>>>>>> -OSSEC 2.5.1
>>>>>>> -Stand alone server
>>>>>>>
>>>>>>> Here is the example rule I've been trying to get to work...
>>>>>>>
>>>>>>> Check for changes to the system start up services
>>>>>>> ossec.conf:
>>>>>>>  <localfile>
>>>>>>>  <log_format>full_command</log_format>
>>>>>>>  <command> /sbin/chkconfig  --list | grep '3:on'</command>
>>>>>>
>>>>>> Is the space in the <command> above intentional or a paste-o? I don't
>>>>>> know if it will affect the output or not...
>>>>>>
>>>>>>>  </localfile>
>>>>>>>
>>>>>>> In local_rules.xml:
>>>>>>>  <rule id="510004" level="7">
>>>>>>>  <if_sid>530</if_sid>
>>>>>>>  <match>ossec: output: ‘/sbin/chkconfig </match>
>>>>>>>  <check_diff />
>>>>>>>  <description>The system start up services have changed</description>
>>>>>>>  </rule>
>>>>>>>
>>>>>>>
>>>>>>> Upon changing the start up and removing an item I get an alert when
>>>>>>> OSSEC notices the start up script file change..It just doesn't seem to
>>>>>>> fire off my alert that I have configured.
>>>>>>>
>>>>>>> OSSEC HIDS Notification.
>>>>>>> 2010 Nov 02 07:16:40
>>>>>>> Received From: ossec->syscheck
>>>>>>> Rule: 553 fired (level 7) -> "File deleted. Unable to retrieve 
>>>>>>> checksum."
>>>>>>> Portion of the log(s):
>>>>>>>
>>>>>>> File '/etc/rc.d/rc0.d/K03yum-updatesd' was deleted. Unable to retrieve 
>>>>>>> checksum.
>>>>>>> --END OF NOTIFICATION
>>>>>>>
>>>>>>>
>>>>>>> Anyone care to tell me what obvious item I'm missing? This holds true
>>>>>>> for half a dozen items that I am using full_command for and trying to
>>>>>>> check. Another example is below:
>>>>>>>
>>>>>>>
>>>>>>> Check for changes to the SUID binaries
>>>>>>> ossec.conf:
>>>>>>>  <localfile>
>>>>>>>  <log_format>full_command</log_format>
>>>>>>>  <command> find / -user root -perm -4000 -print</command>
>>>>>>>  </localfile>
>>>>>>>
>>>>>>> In local_rules.xml:
>>>>>>>  <rule id="510005" level="7">
>>>>>>>  <if_sid>530</if_sid>
>>>>>>>  <match>ossec: output: ‘find / -user root </match>
>>>>>>>  <check_diff />
>>>>>>>  <description>SUID root binaries have been changed</description>
>>>>>>>  </rule>
>>>>>>>
>>>>>>>
>>>>>>> Thanks for any assistance/input you can provide.
>>>>>>> -Tim Eberhard
>>>>>>>
>>>>>>
>>>>>
>>>>
>>>
>>
>
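As an added illustration of the check_diff flow this thread depends on (example code, not part of the original posts and not OSSEC's own code): a small Python model of a `full_command` localfile feeding a `<check_diff/>` rule, plus a pre-deployment check that a rule's `<match>` string actually lands on the event header the configured `<command>` produces. The event format `ossec: output: '<command>':`, the store-baseline-then-alert behaviour of check_diff, and the sample `chkconfig --list` output are assumptions or constructed data, labelled as such in the code.

```python
"""Stand-alone model of an OSSEC full_command localfile feeding a check_diff
rule. Added example, not OSSEC code. Assumptions: the logcollector emits one
event per command run of the form "ossec: output: '<command>':\n<output>",
the built-in rule 530 keys on the "ossec: output: '" prefix, and a
<check_diff/> rule stores the first output it sees as a baseline and alerts
only when a later output differs from it.
"""
import difflib

EVENT_PREFIX = "ossec: output: '"   # prefix rule 530 is assumed to match on


def full_command_event(command: str, output: str) -> str:
    """Build the event text the logcollector is assumed to emit for one run."""
    return f"{EVENT_PREFIX}{command}':\n{output}"


def rule_matches_command(match: str, command: str) -> bool:
    """Pre-deploy sanity check: does this <match> string hit the event header
    that the given <command> will produce? Command output is irrelevant here,
    so an empty output is used."""
    header = full_command_event(command, "")
    return match in header


class CheckDiffRule:
    """Minimal model of <rule> with <if_sid>530</if_sid>, <match>, <check_diff/>."""

    def __init__(self, rule_id: str, level: int, match: str, description: str):
        self.rule_id = rule_id
        self.level = level
        self.match = match
        self.description = description
        self.baseline = None   # previous event text (OSSEC keeps this on disk; assumed)

    def evaluate(self, event: str):
        """Return an alert dict if the rule fires for this event, else None."""
        if not event.startswith(EVENT_PREFIX):   # parent rule 530 would not match
            return None
        if self.match not in event:              # this rule's <match> did not hit
            return None
        if self.baseline is None:                # first sighting: store, no alert
            self.baseline = event
            return None
        if event == self.baseline:               # output unchanged since last run
            return None
        diff = list(difflib.unified_diff(
            self.baseline.splitlines(), event.splitlines(),
            "previous", "current", lineterm=""))
        self.baseline = event
        return {"rule": self.rule_id, "level": self.level,
                "description": self.description, "diff": diff}


# Constructed sample: output of `chkconfig --list | grep '3:on'` on successive
# runs; the last run lacks yum-updatesd, mirroring the service removed in the thread.
CHKCONFIG_CMD = "/sbin/chkconfig --list | grep '3:on'"
CHKCONFIG_BEFORE = "\n".join([
    "sshd           0:off 1:off 2:on  3:on  4:on  5:on  6:off",
    "yum-updatesd   0:off 1:off 2:on  3:on  4:on  5:on  6:off",
])
CHKCONFIG_AFTER = "sshd           0:off 1:off 2:on  3:on  4:on  5:on  6:off"


def run_scenario(command=CHKCONFIG_CMD,
                 outputs=(CHKCONFIG_BEFORE, CHKCONFIG_BEFORE, CHKCONFIG_AFTER)):
    """Feed successive command outputs through the rule; return alerts raised."""
    rule = CheckDiffRule("510004", 7, "ossec: output: '/sbin/chkconfig ",
                         "The system start up services have changed")
    alerts = []
    for output in outputs:
        alert = rule.evaluate(full_command_event(command, output))
        if alert:
            alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for alert in run_scenario():
        print(f"Rule {alert['rule']} (level {alert['level']}): {alert['description']}")
        print("\n".join(alert["diff"]))
```

Run as a script it raises exactly one alert, on the third run, carrying the `-yum-updatesd` line of the diff; the first run only seeds the baseline and the second, identical run is silent. `rule_matches_command` is the cheap check to run before touching `local_rules.xml`: if the `<match>` text does not appear in the header built from the `<command>` text, the rule can never fire no matter what the command outputs.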
