Hello Dan.  ossec-makelists does report that it is making a new .cdb:

* File lists/employees.cdb need to be updated

The longest I was waiting was 3-5 minutes.

On a related note, I was trying to figure out if there was a format for
comments in the text version of the list.  ossec-makelists appeared to
put lines with leading '#' into the .cdb file (according to strings).  I
guess I could come up with a simple Makefile to manage comments though.

Thanks, Andy

On Mon, Jan 09, 2012 at 08:33:59PM -0500, dan (ddp) wrote:
> On Mon, Jan 9, 2012 at 4:27 PM, Andy Jack <andy.j...@caledoncard.com> wrote:
> > Hello list!  So I'm working on a cdb list of users so there can be rules
> > that differentiate when a user on the list vs. not on the list logs in,
> > as described here:
> >
> > http://www.ossec.net/doc/manual/rules-decoders/rule-lists.html
> >
> > After confirming that the list is being read and the two rules are being
> > alerted correctly (one for on-the-list, and the other for
> > not-on-the-list), I tried modifying the text list and re-running
> > bin/ossec-makelists to see if the alerts change when a user is taken off
> > the list:
> >
> > 1) user1 and user2 are on the list, user3 is not.  Run
> > bin/ossec-makelists.  Run ossec-control start.
> > 2) Logging in as either user1 or user2 alerts the on-the-list rule.
> > Logging in as user3 alerts the not-on-the-list rule.
> > 3) Modify the list, removing the line for user2.  Re-run
> > bin/ossec-makelists.  Leave ossec running as-is.
> > 4) Logging in as user2 still alerts the on-the-list rule.
> >
> > According to the URL above, updating the cdb file should invalidate the
> > mmap and make the analysis daemon re-read the db from disk as needed,
> > but this doesn't appear to be happening.  Could I have something
> > configured incorrectly?  Permissions issue perhaps?  Or do I have to
> > wait a period of time for ossec to notice or purge a cache or something?
> >
> > root@pegasus:/var/ossec# ls -ld /var/ossec
> > dr-xr-x--- 14 root ossec 4096 2012-01-09 14:13 /var/ossec
> > root@pegasus:/var/ossec# ls -ld /var/ossec/lists
> > drwxr-xr-x 2 root ossec 4096 2012-01-09 16:08 /var/ossec/lists
> > root@pegasus:/var/ossec# ls -l /var/ossec/lists
> > total 8
> > -rw-r--r-- 1 root ossec   77 2012-01-09 16:08 employees
> > -rw-r--r-- 1 root ossec 2345 2012-01-09 16:08 employees.cdb
> >
> > I just tried adding user4 to the list and remaking the cdb, and ossec
> > still alerts as though user4 is not on the list.  The behavior seems to
> > indicate that ossec isn't re-reading the updated lists.  I guess
> > restarting ossec is a workaround but that's a pain for every list
> > modification.
> >
> > Thanks,
> > Andy
> 
> I don't know the answer off hand, but how long do you wait?
> Does ossec-makelists indicate that it's rebuilding the list?
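As an added illustration of the comment-line question raised above (this is not OSSEC's code, and whether ossec-makelists really stores '#' lines is taken from the thread as an assumption), here is a tiny pure-Python writer and reader for the CDB format that OSSEC list files use; building a list with and without comment filtering and looking keys up shows exactly which keys end up in the .cdb.

```python
import struct
SAMPLE = "# allowed employees\nuser1:ops\nuser2:dev\n"   # constructed sample list

def cdb_hash(key):
    h = 5381
    for c in key:
        h = (((h << 5) + h) ^ c) & 0xFFFFFFFF
    return h

def cdb_write(records):
    # 2048-byte header of (table offset, slots), records, then 256 hash tables.
    out = bytearray(2048)
    tables = [[] for _ in range(256)]
    for k, v in records:
        h = cdb_hash(k)
        tables[h & 0xFF].append((h, len(out)))
        out += struct.pack("<II", len(k), len(v)) + k + v
    for i, entries in enumerate(tables):
        n = 2 * len(entries)
        struct.pack_into("<II", out, i * 8, len(out), n)
        slots = [(0, 0)] * n
        for h, pos in entries:
            j = (h >> 8) % n
            while slots[j][1]:           # linear probing on collision
                j = (j + 1) % n
            slots[j] = (h, pos)
        for h, pos in slots:
            out += struct.pack("<II", h, pos)
    return bytes(out)

def cdb_lookup(data, key):
    h = cdb_hash(key)
    tpos, n = struct.unpack_from("<II", data, (h & 0xFF) * 8)
    for i in range(n):
        j = ((h >> 8) + i) % n
        sh, pos = struct.unpack_from("<II", data, tpos + j * 8)
        if pos == 0:
            return None                  # empty slot ends the probe chain
        klen, vlen = struct.unpack_from("<II", data, pos)
        if sh == h and data[pos + 8:pos + 8 + klen] == key:
            return data[pos + 8 + klen:pos + 8 + klen + vlen]

def list_to_cdb(text, skip_comments=False):
    # 'key:value' lines; '#' lines are kept by default, as the thread reports (assumed).
    recs = []
    for line in text.splitlines():
        if line.strip() and not (skip_comments and line.startswith("#")):
            k, _, v = line.partition(":")
            recs.append((k.encode(), v.encode()))
    return cdb_write(recs)
```

Running list_to_cdb on a real list file and calling cdb_lookup with the comment text as the key tells you whether that line became a key, which is the same thing `strings` on the .cdb hints at.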
