On Wed, Nov 3, 2010 at 1:04 PM, Tim Eberhard <xmi...@gmail.com> wrote:
> So changing it to logall and then changing a start up item via
> chkconfig... I don't see anything. Nothing in my alerts about it being
> changed either.
>
I don't see the chkconfig check being run in your logs. Make sure the
command runs, then change it, and make sure it runs again.

> My log file is below. Does the syscheckd error matter in this case?
>

I'd see what kind of file that is, but it shouldn't matter in this
instance. I get the same error for a "broken" symlink.

> r...@ossec:/var/ossec/logs# tail -f ossec.log
> 2010/11/03 09:56:56 ossec-logcollector(1950): INFO: Analyzing file: '/var/log/nmap-out-bird.log'.
> 2010/11/03 09:56:56 ossec-logcollector: INFO: Monitoring full output of command(360): netstat -tan |grep LISTEN | grep -v '127.0.0.1'
> 2010/11/03 09:56:56 ossec-logcollector: INFO: Monitoring full output of command(360): awk -F: '($3 == "0") {print}' /etc/passwd
> 2010/11/03 09:56:56 ossec-logcollector: INFO: Monitoring full output of command(360): rpm -qa
> 2010/11/03 09:56:56 ossec-logcollector: INFO: Monitoring full output of command(360): awk -F: '($2 == "") {print}' /etc/shadow
> 2010/11/03 09:56:56 ossec-logcollector: INFO: Monitoring full output of command(360): find / -user root -perm -4000 -print
> 2010/11/03 09:56:56 ossec-logcollector: INFO: Started (pid: 23635).
> 2010/11/03 09:56:56 ossec-analysisd(1210): ERROR: Queue '/queue/alerts/ar' not accessible: 'Connection refused'.
> 2010/11/03 09:56:56 ossec-analysisd(1301): ERROR: Unable to connect to active response queue.
> 2010/11/03 09:56:56 ossec-analysisd: INFO: Connected to '/queue/alerts/execq' (exec queue)
> 2010/11/03 09:57:57 ossec-syscheckd: INFO: Starting syscheck scan (forwarding database).
> 2010/11/03 09:57:57 ossec-syscheckd: INFO: Starting syscheck database (pre-scan).
> 2010/11/03 09:57:57 ossec-syscheckd: INFO: Initializing real time file monitoring (not started).
> 2010/11/03 09:59:34 ossec-syscheckd: ERROR: Invalid internal state (missing '/etc/alternatives/jaxp_parser_impl').
> 2010/11/03 10:01:27 ossec-syscheckd: INFO: Finished creating syscheck database (pre-scan completed).
> 2010/11/03 10:01:39 ossec-syscheckd: INFO: Ending syscheck scan (forwarding database).
> 2010/11/03 10:01:59 ossec-syscheckd: INFO: Starting real time file monitoring.
> 2010/11/03 10:01:59 ossec-rootcheck: INFO: Starting rootcheck scan.
>
> On Wed, Nov 3, 2010 at 11:40 AM, dan (ddp) <ddp...@gmail.com> wrote:
>> Nothing that I can see. Even with -d it goes into the background.
>> DEBUG messages are logged to ossec.log
>>
>> On Wed, Nov 3, 2010 at 12:30 PM, Tim Eberhard <xmi...@gmail.com> wrote:
>>> What am I missing here?
>>>
>>> r...@ossec:/home/teberhard# /var/ossec/bin/ossec-logcollector -d
>>> 2010/11/03 09:29:47 ossec-logcollector: DEBUG: Starting ...
>>> r...@ossec:/home/teberhard# /var/ossec/bin/ossec-logcollector -dt
>>> 2010/11/03 09:29:57 ossec-logcollector: DEBUG: Starting ...
>>> r...@ossec:/home/teberhard# /var/ossec/bin/ossec-logcollector -d -t
>>> 2010/11/03 09:30:00 ossec-logcollector: DEBUG: Starting ...
>>> r...@ossec:/home/teberhard# /var/ossec/bin/ossec-logcollector -d -t -c /var/ossec/etc/ossec.conf
>>> 2010/11/03 09:30:10 ossec-logcollector: DEBUG: Starting ...
>>>
>>> On Wed, Nov 3, 2010 at 10:07 AM, dan (ddp) <ddp...@gmail.com> wrote:
>>>> Try running logcollector in debug mode.
>>>> Try it with 1 full_command to see if you can get that working. I
>>>> recommend the ones that aren't quite so system intensive.
>>>>
>>>> Here's my setup:
>>>> <localfile>
>>>>   <log_format>full_command</log_format>
>>>>   <command>netstat -an |grep LISTEN | grep -v '127.0.0.1'</command>
>>>> </localfile>
>>>>
>>>> <rule id="510000" level="7">
>>>>   <if_sid>530</if_sid>
>>>>   <match>ossec: output: 'netstat -an |grep LISTEN</match>
>>>>   <check_diff />
>>>>   <description>Listened ports have changed.</description>
>>>> </rule>
>>>>
>>>> This works for me.
>>>>
>>>> On Wed, Nov 3, 2010 at 10:59 AM, Tim Eberhard <xmi...@gmail.com> wrote:
>>>>> I removed that extra white space and it doesn't appear to have helped
>>>>> anything. Checking the log file..
>>>>>
>>>>> 2010/11/03 07:54:23 ossec-logcollector: INFO: Monitoring full output of command(360): netstat -tan |grep LISTEN | grep -v$
>>>>> 2010/11/03 07:54:23 ossec-logcollector: INFO: Monitoring full output of command(360): awk -F: '($3 == "0") {print}' /etc/$
>>>>> 2010/11/03 07:54:23 ossec-logcollector: INFO: Monitoring full output of command(360): rpm -qa
>>>>> 2010/11/03 07:54:23 ossec-logcollector: INFO: Monitoring full output of command(360): awk -F: '($2 == "") {print}' /etc/s$
>>>>> 2010/11/03 07:54:23 ossec-logcollector: INFO: Monitoring full output of command(360): find / -user root -perm -4000 -print
>>>>> 2010/11/03 07:54:23 ossec-logcollector: INFO: Started (pid: 21501).
>>>>>
>>>>> What is the next step in troubleshooting custom rules like this? I
>>>>> apologize if this is a standard question.. if someone would show me
>>>>> how to go about this I'll do my best to spoon feed myself :)
>>>>>
>>>>> Thanks again for your help,
>>>>> -Tim Eberhard
>>>>>
>>>>> On Tue, Nov 2, 2010 at 7:57 PM, Tim Eberhard <xmi...@gmail.com> wrote:
>>>>>> That's how it sits today. I'll remove them and see if that helps things
>>>>>> at all.
>>>>>>
>>>>>> On Tue, Nov 2, 2010 at 3:23 PM, dan (ddp) <ddp...@gmail.com> wrote:
>>>>>>> On Tue, Nov 2, 2010 at 4:13 PM, Tim Eberhard <xmi...@gmail.com> wrote:
>>>>>>>> [My apologies for posting this to ossec-dev. I typed in the wrong
>>>>>>>> google group. This was intended for ossec-list]
>>>>>>>>
>>>>>>>> All,
>>>>>>>>
>>>>>>>> I've been trying to write some rules for my lab OSSEC box and test
>>>>>>>> them before we roll OSSEC out to production. I'm having some problems
>>>>>>>> writing rules when using the full command. I've tried to follow the
>>>>>>>> examples written here:
>>>>>>>> http://www.ossec.net/doc/manual/monitoring/process-monitoring.html
>>>>>>>>
>>>>>>>> But it seems all my added checks/rules don't work properly.
>>>>>>>>
>>>>>>>> Basic info:
>>>>>>>> - Linux - 2.6.18-128.1.6.el5
>>>>>>>> - OSSEC 2.5.1
>>>>>>>> - Stand alone server
>>>>>>>>
>>>>>>>> Here is the example rule I've been trying to get to work...
>>>>>>>>
>>>>>>>> Check for changes to the system start up services
>>>>>>>> ossec.conf:
>>>>>>>> <localfile>
>>>>>>>>   <log_format>full_command</log_format>
>>>>>>>>   <command> /sbin/chkconfig --list | grep '3:on'</command>
>>>>>>>
>>>>>>> Is the space in the <command> above intentional or a paste-o? I don't
>>>>>>> know if it will affect the output or not...
>>>>>>>
>>>>>>>> </localfile>
>>>>>>>>
>>>>>>>> In local_rules.xml:
>>>>>>>> <rule id="510004" level="7">
>>>>>>>>   <if_sid>530</if_sid>
>>>>>>>>   <match>ossec: output: ‘/sbin/chkconfig </match>
>>>>>>>>   <check_diff />
>>>>>>>>   <description>The system start up services have changed</description>
>>>>>>>> </rule>
>>>>>>>>
>>>>>>>> Upon changing the start up and removing an item I get an alert when
>>>>>>>> OSSEC notices the start up script file change. It just doesn't seem to
>>>>>>>> fire off my alert that I have configured.
>>>>>>>>
>>>>>>>> OSSEC HIDS Notification.
>>>>>>>> 2010 Nov 02 07:16:40
>>>>>>>> Received From: ossec->syscheck
>>>>>>>> Rule: 553 fired (level 7) -> "File deleted. Unable to retrieve checksum."
>>>>>>>> Portion of the log(s):
>>>>>>>>
>>>>>>>> File '/etc/rc.d/rc0.d/K03yum-updatesd' was deleted. Unable to retrieve checksum.
>>>>>>>> --END OF NOTIFICATION
>>>>>>>>
>>>>>>>> Anyone care to tell me what obvious item I'm missing? This holds true
>>>>>>>> for half a dozen items that I am using full_command for and trying to
>>>>>>>> check.
>>>>>>>> Another example is below:
>>>>>>>>
>>>>>>>> Check for changes to the SUID binaries
>>>>>>>> ossec.conf:
>>>>>>>> <localfile>
>>>>>>>>   <log_format>full_command</log_format>
>>>>>>>>   <command> find / -user root -perm -4000 -print</command>
>>>>>>>> </localfile>
>>>>>>>>
>>>>>>>> In local_rules.xml:
>>>>>>>> <rule id="510005" level="7">
>>>>>>>>   <if_sid>530</if_sid>
>>>>>>>>   <match>ossec: output: ‘find / -user root </match>
>>>>>>>>   <check_diff />
>>>>>>>>   <description>SUID root binaries have been changed</description>
>>>>>>>> </rule>
>>>>>>>>
>>>>>>>> Thanks for any assistance/input you can provide.
>>>>>>>> -Tim Eberhard
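Editor's note, added to the thread above and not code from any of the posters or from the OSSEC project: the model below walks a full_command output through the path the replies are debugging. ossec-logcollector logs "Monitoring full output of command(N): <cmd>" for every command it actually picked up and then emits one event per run of the form `ossec: output: '<command>': <output>`; rule 530 matches that prefix; the child rule (`<if_sid>530</if_sid>`) matches its `<match>` text as a literal substring; and `<check_diff />` fires the child only when the output differs from the previous run. Two things it makes concrete. First, Dan's observation: a command that never appears in the startup "Monitoring full output" lines (chkconfig is absent from the quoted ossec.log) cannot produce an event at all, so `missing_commands()` compares the configured list against the log. Second, the quoted rules 510004 and 510005 open the command in `<match>` with a typographic quote (U+2018, ‘), whereas the event, and Dan's working rule 510000, use an ASCII apostrophe; a substring containing ‘ never occurs in such an event, so check_diff is never reached. The sample command outputs are constructed; the first-run behaviour (baseline stored, no alert) is an assumption of this model.

```python
"""Added model of OSSEC's full_command -> rule 530 -> check_diff path (not OSSEC code).

logcollector logs the commands it monitors at startup and then emits, per run, one
event:  ossec: output: '<command>': <full output>.  Rule 530 matches that prefix,
a child rule matches a literal <match> substring, and <check_diff /> fires the
child only when the output differs from the last stored run.  Assumption (not
established on this page): with no stored baseline the first run only records
the output and raises no alert.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

RULE_530_PREFIX = "ossec: output: '"   # ossec_rules.xml: "OSSEC process monitoring rules"
MONITOR_RE = re.compile(r"ossec-logcollector: INFO: Monitoring full output of command\(\d+\): (.*)$")
CHKCONFIG_CMD = "/sbin/chkconfig --list | grep '3:on'"
# Startup lines copied from the thread's ossec.log; there is no chkconfig entry.
SAMPLE_OSSEC_LOG = """\
2010/11/03 09:56:56 ossec-logcollector: INFO: Monitoring full output of command(360): netstat -tan |grep LISTEN | grep -v '127.0.0.1'
2010/11/03 09:56:56 ossec-logcollector: INFO: Monitoring full output of command(360): rpm -qa
2010/11/03 09:56:56 ossec-logcollector: INFO: Monitoring full output of command(360): find / -user root -perm -4000 -print
2010/11/03 09:56:56 ossec-logcollector: INFO: Started (pid: 23635).
"""


def full_command_event(command: str, output: str) -> str:
    """Event as logcollector builds it: ASCII apostrophes around the command."""
    return f"ossec: output: '{command}': {output}"


def monitored_commands(ossec_log: str) -> List[str]:
    """Commands logcollector reported it is monitoring: the first thing to verify."""
    return [m.group(1).strip() for line in ossec_log.splitlines()
            if (m := MONITOR_RE.search(line))]


def missing_commands(ossec_log: str, expected: List[str]) -> List[str]:
    """Configured commands absent from the startup log; they can never produce events."""
    running = set(monitored_commands(ossec_log))
    return [c for c in expected if c not in running]


@dataclass
class Rule:
    rule_id: int
    match: str              # <match>: literal substring that must occur in the event
    description: str
    check_diff: bool = True


class DiffEngine:
    """Stand-in for analysisd's per-rule check_diff state."""
    def __init__(self) -> None:
        self._last: Dict[int, str] = {}

    def changed(self, rule_id: int, event: str) -> bool:
        previous = self._last.get(rule_id)
        self._last[rule_id] = event
        return previous is not None and previous != event   # first run: baseline only


def evaluate(engine: DiffEngine, rule: Rule, event: str) -> Optional[str]:
    """Alert description if `rule` fires on `event`, else None."""
    if not event.startswith(RULE_530_PREFIX):   # <if_sid>530</if_sid> not satisfied
        return None
    if rule.match not in event:                 # <match> is a plain substring test
        return None
    if rule.check_diff and not engine.changed(rule.rule_id, event):
        return None
    return rule.description


def demo() -> Dict[str, Optional[str]]:
    """Run the rules quoted in the thread against constructed command outputs."""
    results = {}
    # Dan's working rule: a new listener appears in the second run.
    netstat = "netstat -an |grep LISTEN | grep -v '127.0.0.1'"
    out1 = "tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN\n"
    out2 = out1 + "tcp 0 0 0.0.0.0:8080 0.0.0.0:* LISTEN\n"
    r510000 = Rule(510000, "ossec: output: 'netstat -an |grep LISTEN", "Listened ports have changed.")
    eng = DiffEngine()
    results["netstat_first"] = evaluate(eng, r510000, full_command_event(netstat, out1))
    results["netstat_same"] = evaluate(eng, r510000, full_command_event(netstat, out1))
    results["netstat_changed"] = evaluate(eng, r510000, full_command_event(netstat, out2))

    # Rule 510004 as posted: <match> opens the command with U+2018 (‘) while the
    # event uses an ASCII apostrophe, so the substring never occurs.
    svc1 = "sshd          0:off 1:off 2:on  3:on  4:on  5:on  6:off\n"
    svc2 = svc1 + "yum-updatesd  0:off 1:off 2:on  3:on  4:on  5:on  6:off\n"
    posted = Rule(510004, "ossec: output: \u2018/sbin/chkconfig ", "The system start up services have changed")
    eng = DiffEngine()
    evaluate(eng, posted, full_command_event(CHKCONFIG_CMD, svc1))
    results["chkconfig_as_posted"] = evaluate(eng, posted, full_command_event(CHKCONFIG_CMD, svc2))

    # The same rule with the quote replaced by an ASCII apostrophe.
    fixed = Rule(510004, "ossec: output: '/sbin/chkconfig ", posted.description)
    eng = DiffEngine()
    evaluate(eng, fixed, full_command_event(CHKCONFIG_CMD, svc1))
    results["chkconfig_ascii_quote"] = evaluate(eng, fixed, full_command_event(CHKCONFIG_CMD, svc2))
    return results


if __name__ == "__main__":
    print(missing_commands(SAMPLE_OSSEC_LOG, ["rpm -qa", CHKCONFIG_CMD]), demo())
```

Running it reports chkconfig as the one configured command not being monitored, fires 510000 only on the run where the listener list changed, never fires the rule with the typographic quote, and fires the ASCII-apostrophe variant on the second, changed run, which is the behaviour Dan describes as the test to perform: confirm the command runs, change the system, confirm it runs again.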