If there is no timer, does this mean once a file has changed 3 times there 
is no more notification of that file changing?

If that is so, where can I change this value?

On Friday, October 19, 2012 7:02:40 PM UTC-7, Jb Cheng wrote:
>
> I am not aware there is a timer to reset after a file is modified the 3rd 
> time. 
> You can look at syscheck database files under /var/ossec/queue/syscheck/ 
> directory.
> The first three characters of each line show how many times a file has 
> been changed.
> "+++" means unchanged, while "!!!" means it has been changed 3 times. 
>
> For your testing, you can use 'syscheck_control -u <agent_id>' to clear 
> the agent syscheck database.
>
>  bin/syscheck_control
>         -u <id>     Updates (clear) the database for the agent.
>
>
> On Friday, October 19, 2012 2:32:49 PM UTC-7, Scott wrote:
>>
>> Hi Dan,
>>
>> Thanks for the reply.  My global set up is fine and I am getting many 
>> OSSEC emails to my global email.  This is a recent new addition by me to do 
>> the single file monitoring and notification.  File monitoring looks to be 
>> doing pretty well when I look at my OSSEC web ui.
>>
>> The best clue I have is when I check from the OSSEC server manager for 
>> this particular client server, I see some file changed entries about 1.5 
>> weeks ago, including 1st, 2nd and 3rd time modified.  On the client server 
>> I see more recent entries in the queue diff directory, including diff 
>> updates.  I don't know what the default timers are for when a file changes 
>> that it stops alerting after 3 notifications (does that last 1 day, etc. 
>> before more notifications would be sent to the server).
>>
>> At this point it looks like a disconnect between what the client sees vs. 
>> what the server is getting.  Any ideas?
>>
>>
>> On Thursday, October 18, 2012 1:12:10 PM UTC-7, Scott wrote:
>>>
>>> I am trying to monitor one specific file on one server for any changes 
>>> and to send email notification to several individuals when that file 
>>> changes, no matter how often it changes, and including a diff of the 
>>> changes. I am using a centralized configuration to manage ossec agents. The 
>>> client server is running AIX 5.3 (so no real time monitoring available).
>>>
>>> My .../ossec/etc/shared/agent.conf file is broken down by OS type, e.g. 
>>> <agent_config os="Windows"> and <agent_config os="AIX|Linux|SunOS">. To 
>>> this file I added machine specific configuration to monitor my specific 
>>> file (/usr/local/filename), i.e.:
>>>
>>> <agent_config name="aixserver11">
>>> <syscheck>
>>> <frequency>900</frequency>
>>> <directories check_all="yes" 
>>> report_changes="yes">/usr/local/filename</directories>
>>> </syscheck>
>>> </agent_config>
>>>
>>> From what I read you can either specify a full filename to monitor or 
>>> you can use the restrict parameter to monitor a single file. The frequency 
>>> is pretty short here for testing.
>>>
>>> As I understand it config matches are cumulative so both the AIX config 
>>> and the aixserver11 config should apply to this server, and it appears to 
>>> be doing so. I can see in my .../ossec/queue/diff/local directory the file 
>>> is showing up and in the OSSEC log file on that server I see it is 
>>> monitoring that specific file. My main problem is with email notification. 
>>> While OSSEC is certainly sending out some emails, I am trying to get this 
>>> one particular syscheck to notify others when this file changes. From what 
>>> I've read this is done in the ossec.conf file on the main OSSEC server. I 
>>> have it set up as so (within the <ossec_config> section):
>>>
>>> <email_alerts>
>>> <email_to>te...@test.com</email_to> (email address modified for posting)
>>> <event_location>aixserver11</event_location>
>>> <group>syscheck</group>
>>> <do_not_delay />
>>> <do_not_group />
>>> </email_alerts>
>>>
>>> The do_not_delay and do_not_group are in there for testing, I am not 
>>> sure if they are really needed or not. In any case I am not getting any 
>>> emails sent to the email address when changes occur, although I am seeing 
>>> new diff files show up on the aix server. I realize that I have not 
>>> tailored the email notification to *only* the one file being changed but 
>>> probably for any syscheck file changes on that server (under the aix config 
>>> some standard directories are being monitored for changes) - it would be 
>>> nice to address that as well. In one case a change was made and yet never 
>>> detected until I restarted the OSSEC agent on the aix server.
>>>
>>> Any help with this would be appreciated.
>>>
>>>
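As an added example (not from this thread or the OSSEC project), a small Python script that reads syscheck database lines of the kind Jb Cheng describes and reports which files have hit the three-change limit and will no longer alert. It assumes the counter fills from the left ("!++" after one change, "!!+" after two), that the monitored path is the last whitespace-separated field, and the sample lines are constructed.

```python
"""Count syscheck change markers from an OSSEC syscheck database file.

Relies only on the thread's description: the first three characters of a
line are the counter ("+++" unchanged, "!!!" changed three times).
Assumption: the monitored path is the last whitespace-separated field.
"""
from typing import Dict, List, Optional

# Constructed sample lines (not real data); middle fields are treated as opaque.
SAMPLE_DB = """\
+++1536:33188:0:0:md5placeholder:sha1placeholder !1350000000 /etc/hosts
!++2048:33188:0:0:md5placeholder:sha1placeholder !1350000900 /usr/local/filename
!!!4096:33188:0:0:md5placeholder:sha1placeholder !1350001800 /etc/passwd
garbage line without a valid counter
"""

MAX_ALERTS = 3  # after the third change OSSEC stops alerting on the file


def change_count(line: str) -> Optional[int]:
    """Return how many times the file changed, or None if the prefix is invalid."""
    prefix = line[:3]
    if len(prefix) != 3 or any(c not in "+!" for c in prefix):
        return None
    # Assumed left-to-right fill: "!++" -> 1, "!!+" -> 2, "!!!" -> 3.
    count = prefix.count("!")
    if prefix != "!" * count + "+" * (3 - count):
        return None  # e.g. "+!+" is not a well-formed counter
    return count


def summarize(db_text: str) -> Dict[str, int]:
    """Map each monitored path (assumed to be the last field) to its change count."""
    result: Dict[str, int] = {}
    for line in db_text.splitlines():
        count = change_count(line)
        if count is None:
            continue  # skip blank or malformed lines
        result[line.split()[-1]] = count
    return result


def saturated(db_text: str) -> List[str]:
    """Paths that reached the alert limit; further changes stay silent until cleared."""
    return sorted(p for p, c in summarize(db_text).items() if c >= MAX_ALERTS)


if __name__ == "__main__":
    print(summarize(SAMPLE_DB))
    print("no more alerts for:", saturated(SAMPLE_DB))
```

Files listed by saturated() are the ones to reset with syscheck_control -u if you want to see alerts for them again.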