On Wed, Oct 24, 2012 at 2:23 PM, Scott <kazmil...@gmail.com> wrote:
> I want notification to continue no matter how many times a file changes, not
> just 3 times.
>

http://www.ossec.net/doc/syntax/head_ossec_config.syscheck.html
Look at auto_ignore.

> On Wednesday, October 24, 2012 11:08:09 AM UTC-7, dan (ddpbsd) wrote:
>>
>> On Wed, Oct 24, 2012 at 2:01 PM, Scott <kazm...@gmail.com> wrote:
>> > If there is no timer, does this mean once a file has changed 3 times there is
>> > no more notification of that file changing?
>> >
>>
>> Correct.
>>
>> > If that is so, where can I change this value?
>> >
>>
>> Which value?
>>
>> > On Friday, October 19, 2012 7:02:40 PM UTC-7, Jb Cheng wrote:
>> >>
>> >> I am not aware there is a timer to reset after a file is modified the 3rd
>> >> time.
>> >> You can look at the syscheck database files under the
>> >> /var/ossec/queue/syscheck/ directory.
>> >> The first three characters of each line show how many times a file has
>> >> been changed.
>> >> "+++" means unchanged, while "!!!" means it has been changed 3 times.
>> >>
>> >> For your testing, you can use 'syscheck_control -u <agent_id>' to clear
>> >> the agent syscheck database.
>> >>
>> >> bin/syscheck_control
>> >>    -u <id>    Updates (clear) the database for the agent.
>> >>
>> >>
>> >> On Friday, October 19, 2012 2:32:49 PM UTC-7, Scott wrote:
>> >>>
>> >>> Hi Dan,
>> >>>
>> >>> Thanks for the reply. My global setup is fine and I am getting many
>> >>> OSSEC emails to my global email. This is a recent new addition by me to do
>> >>> the single-file monitoring and notification. File monitoring looks to be
>> >>> doing pretty well when I look at my OSSEC web UI.
>> >>>
>> >>> The best clue I have is when I check from the OSSEC server manager for
>> >>> this particular client server, I see some file changed entries about 1.5
>> >>> weeks ago, including 1st, 2nd and 3rd time modified. On the client server I
>> >>> see more recent entries in the queue diff directory, including diff
>> >>> updates.
>> >>> I don't know what the default timers are for when a file changes that it
>> >>> stops alerting after 3 notifications (does that last 1 day, etc., before more
>> >>> notifications would be sent to the server).
>> >>>
>> >>> At this point it looks like a disconnect between what the client sees vs.
>> >>> what the server is getting. Any ideas?
>> >>>
>> >>>
>> >>> On Thursday, October 18, 2012 1:12:10 PM UTC-7, Scott wrote:
>> >>>>
>> >>>> I am trying to monitor one specific file on one server for any changes
>> >>>> and to send email notification to several individuals when that file
>> >>>> changes, no matter how often it changes, and including a diff of the
>> >>>> changes. I am using a centralized configuration to manage ossec agents. The
>> >>>> client server is running AIX 5.3 (so no real-time monitoring available).
>> >>>>
>> >>>> My .../ossec/etc/shared/agent.conf file is broken down by OS type, e.g.
>> >>>> <agent_config os="Windows"> and <agent_config os="AIX|Linux|SunOS">. To this
>> >>>> file I added machine-specific configuration to monitor my specific file
>> >>>> (/usr/local/filename), i.e.:
>> >>>>
>> >>>> <agent_config name="aixserver11">
>> >>>>   <syscheck>
>> >>>>     <frequency>900</frequency>
>> >>>>     <directories check_all="yes"
>> >>>>       report_changes="yes">/usr/local/filename</directories>
>> >>>>   </syscheck>
>> >>>> </agent_config>
>> >>>>
>> >>>> From what I read you can either specify a full filename to monitor or
>> >>>> you can use the restrict parameter to monitor a single file. The frequency
>> >>>> is pretty short here for testing.
>> >>>>
>> >>>> As I understand it, config matches are cumulative, so both the AIX config
>> >>>> and the aixserver11 config should apply to this server, and it appears to be
>> >>>> doing so. I can see in my .../ossec/queue/diff/local directory the file is
>> >>>> showing up, and in the OSSEC log file on that server I see it is monitoring
>> >>>> that specific file. My main problem is with email notification. While OSSEC
>> >>>> is certainly sending out some emails, I am trying to get this one particular
>> >>>> syscheck to notify others when this file changes. From what I've read this
>> >>>> is done in the ossec.conf file on the main OSSEC server. I have it set up as
>> >>>> so (within the <ossec_config> section):
>> >>>>
>> >>>> <email_alerts>
>> >>>>   <email_to>te...@test.com</email_to> (email address modified for posting)
>> >>>>   <event_location>aixserver11</event_location>
>> >>>>   <group>syscheck</group>
>> >>>>   <do_not_delay />
>> >>>>   <do_not_group />
>> >>>> </email_alerts>
>> >>>>
>> >>>> The do_not_delay and do_not_group are in there for testing; I am not
>> >>>> sure if they are really needed or not. In any case I am not getting any
>> >>>> emails sent to the email address when changes occur, although I am seeing
>> >>>> new diff files show up on the AIX server. I realize that I have not tailored
>> >>>> the email notification to *only* the one file being changed but probably for
>> >>>> any syscheck file changes on that server (under the AIX config some standard
>> >>>> directories are being monitored for changes) - it would be nice to address
>> >>>> that as well. In one case a change was made and yet never detected until I
>> >>>> restarted the OSSEC agent on the AIX server.
>> >>>>
>> >>>> Any help with this would be appreciated.
>> >>>>
>> >
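Added example (not part of the thread or of OSSEC itself): a small check that reads an agent's syscheck database lines the way Jb Cheng describes them (first three characters "+++" for unchanged through "!!!" for changed 3 times) and lists the files that have already hit the third change, which is the point where auto_ignore silences further alerts. It assumes the file path is the last whitespace-separated field of each line; the sample lines are constructed, not real syscheck data.

```python
# Added example: find syscheck DB entries that have reached the auto_ignore
# threshold described in the thread. Not OSSEC's own code.
# Assumption (not stated in the thread): the file path is the last
# whitespace-separated field of each DB line; adjust if your lines differ.
from pathlib import Path

MARKER_LEN = 3          # "+++" unchanged ... "!!!" changed 3 times (from the thread)
AUTO_IGNORE_LIMIT = 3   # third change is where syscheck stops alerting


def change_count(line: str) -> int:
    """Return how many times the entry's file has changed (0..3)."""
    marker = line[:MARKER_LEN]
    if len(marker) != MARKER_LEN or any(c not in "+!" for c in marker):
        raise ValueError(f"not a syscheck DB entry: {line!r}")
    return marker.count("!")


def parse_db(lines) -> dict:
    """Map file path -> change count for every well-formed entry.
    Blank lines and lines without a change marker are skipped."""
    result = {}
    for raw in lines:
        line = raw.rstrip("\n")
        if not line or line[0] not in "+!":
            continue
        path = line.split()[-1]   # assumed layout: path is the last field
        result[path] = change_count(line)
    return result


def auto_ignored(lines) -> list:
    """Sorted paths that have reached the auto_ignore threshold."""
    return sorted(p for p, n in parse_db(lines).items() if n >= AUTO_IGNORE_LIMIT)


def scan_agent_db(db_path: str) -> list:
    """Read one agent's syscheck DB file from disk and return ignored paths."""
    return auto_ignored(Path(db_path).read_text(errors="replace").splitlines())


# Constructed sample lines: checksums and timestamps are made up.
SAMPLE_DB = [
    "+++abc123 !1350000000 /etc/hosts",
    "++!def456 !1350100000 /etc/passwd",
    "!!!0badf00d !1350200000 /usr/local/filename",
    "",
]

if __name__ == "__main__":
    for path, n in sorted(parse_db(SAMPLE_DB).items()):
        flag = " (auto-ignored, no more alerts)" if n >= AUTO_IGNORE_LIMIT else ""
        print(f"{n} change(s): {path}{flag}")
```

A file listed by `auto_ignored` explains the "client sees changes, server stops alerting" symptom from the thread; clearing the DB with `syscheck_control -u <agent_id>` or setting auto_ignore as dan points out are the two ways to get alerts flowing again.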