Hello David and Dan, 
I think I am facing the same issue as David. 

So David, does this configuration in agent.conf on the OSSEC server work? 
<agent_conf>
  <syscheck>
    <directories check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
    <directories check_all="yes">/bin,/sbin</directories>
    <directories check_all="yes">/usr/local/sbin</directories>
    <directories check_all="yes">/usr/local/bin</directories>
  </syscheck>
</agent_conf>


Do you see "Integrity checksum changed" alerts from an agent on a 
directory/file you specified in the agent.conf file on the server? Was that 
directory also specified in ossec.conf on the agent? 

We need to check if integrity alerts for an agent are generated for 
directories/files not mentioned in ossec.conf (agent's side) but in 
agent.conf (server side).

I am only interested in the syscheck (FIM) part and not the logs on the 
agents. 



On Thursday, 20 June 2013 02:38:22 UTC+5:30, David Blanton wrote:
>
> If I have a <directories check_all="yes">/usr/local/bin,/sbin</directories>
>
> and <ignore>/opt/lampp</ignore> within my ossec.conf file (for example), 
> does that mean that my agents will
>
> not abide by these rules? Are they only local rules for my OSSEC Server?
>
> Do these have to be specifically addressed for each agent, with their OS, 
> name, etc. within agent.conf in order
>
> for agents to either ignore certain directories or check certain files and 
> directories?
>
>
> The OSSEC 2.7 documentation and book do not specifically make any of 
> these things clear.
>
