Thanks Roy. I did some changes and it's now working. I configured the agents to use profiles, which are configured in /var/ossec/etc/shared/agents.conf on the server, and now it's working fine. About the diffs, I'm having some issues with it, for example:

I'm watching in real time the directory /home/tomcat, which includes the subdirectories /home/tomcat/bin, /home/tomcat/logs, /home/tomcat/webapps, /home/tomcat/conf... I want to have report_changes only in /home/tomcat/conf, otherwise it will consume a huge amount of disk space if I add the webapps directory for report_changes as well. So, is it correct to do it like this:

<directories realtime="yes" check_all="yes" report_changes="yes">/home/tomcat/conf</directories>
<directories realtime="yes" check_all="yes">/home/tomcat</directories>

Is there another way to do that, or is it as simple as that?

Best Regards,
Stephan

Att,
Stephan Gomes Higuti

On 13 September 2013 14:31, Roy Feintuch <[email protected]> wrote:
> Hi,
> 1. I think you are checking the wrong folder - queue/diff is used to store
> the files when using 'report_changes' mode (full diff reporting).
> The syscheck db folder is at queue/syscheck
>
> 2. If this is a new installation - then it takes ossec some time to start
> triggering some events (~1 day / 2 successful full scans while not restarting
> the agent)
>
> 3. Describe exactly what is not working in realtime - how did you test that?
> For what kind of event? For example, new files added are never discovered in
> realtime.
>
> -Roy
>
>
> On Wednesday, September 11, 2013 7:59:51 AM UTC-7, Stephan Gomes Higuti wrote:
>>
>> Hi!
>>
>> I'm having issues with Real Time detection and the syscheck scan, look at
>> the time that syscheck took.
>>
>> 2013/09/11 11:46:57 ossec-syscheckd: INFO: Starting syscheck scan (forwarding database).
>> 2013/09/11 11:46:57 ossec-syscheckd: INFO: Starting syscheck database (pre-scan).
>> 2013/09/11 11:46:57 ossec-syscheckd: INFO: Initializing real time file monitoring (not started).
>> 2013/09/11 11:46:57 ossec-syscheckd: DEBUG: Directory added for real time monitoring: '/srv/www/'.
>> 2013/09/11 11:46:57 ossec-syscheckd: DEBUG: Directory added for real time monitoring: '/home/XXXXXX/'.
>> 2013/09/11 11:46:57 ossec-syscheckd: DEBUG: Directory added for real time monitoring: '/home/YYYYYYY/'.
>> 2013/09/11 11:46:57 ossec-syscheckd: INFO: Real time file monitoring started.
>> 2013/09/11 11:46:57 ossec-syscheckd: INFO: Finished creating syscheck database (pre-scan completed).
>> 2013/09/11 11:47:09 ossec-syscheckd: INFO: Ending syscheck scan (forwarding database).
>> 2013/09/11 11:47:29 ossec-rootcheck: INFO: Starting rootcheck scan.
>> 2013/09/11 11:47:29 ossec-rootcheck: DEBUG: Starting on check_rc_files
>> 2013/09/11 11:47:29 ossec-rootcheck: DEBUG: Starting on check_rc_trojans
>>
>>
>> Realtime monitoring is not working as well, here is my agent ossec.conf:
>>
>> <syscheck>
>>   <!-- Frequency that syscheck is executed - default to every 22 hours -->
>>   <frequency>21600</frequency>
>>
>>   <scan_on_start>yes</scan_on_start>
>>   <auto_ignore>no</auto_ignore>
>>   <alert_new_files>yes</alert_new_files>
>>
>>   <!-- Directories to check (perform all possible verifications) -->
>>   <directories report_changes="yes" check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
>>   <directories report_changes="yes" check_all="yes">/bin,/sbin</directories>
>>   <directories realtime="yes" check_all="yes">/srv/www,/home/XXXXXX,/home/YYYYYY/apache</directories>
>>
>>   <!-- Files/directories to ignore -->
>>   <ignore>/etc/mtab</ignore>
>>   <ignore>/etc/mnttab</ignore>
>>   <ignore>/etc/hosts.deny</ignore>
>>   <ignore>/etc/mail/statistics</ignore>
>>   <ignore>/etc/random-seed</ignore>
>>   <ignore>/etc/adjtime</ignore>
>>   <ignore>/etc/httpd/logs</ignore>
>>   <ignore>/etc/utmpx</ignore>
>>   <ignore>/etc/wtmpx</ignore>
>>   <ignore>/etc/cups/certs</ignore>
>>   <ignore>/etc/dumpdates</ignore>
>>   <ignore>/etc/svc/volatile</ignore>
>>   <ignore>/var/ossec/queue</ignore>
>>   <ignore>/var/ossec/logs</ignore>
>>   <ignore>/var/ossec/stats</ignore>
>>   <ignore>/var/ossec/var</ignore>
>>   <ignore>/home/YYYYYYYY/apache/logs</ignore>
>>
>> </syscheck>
>>
>>
>> The weird thing is, I had it working on other servers.
>> The syscheck didn't even create all the queues:
>>
>> # ls /var/ossec/queue/diff/local/
>> etc
>>
>>
>> # du -hsc /var/ossec/queue/diff/local/*
>> 608K    /var/ossec/queue/diff/local/etc
>> 608K    total
>>
>>
>> I've got no idea why the syscheck is kind of jumping the scan, I
>> checked the conf files and it seems ok!
>> Am I missing anything?
>>
>>
>> Regards,
>>
>>
>> Stephan
>
> --
>
> ---
> You received this message because you are subscribed to the Google Groups "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
> For more options, visit https://groups.google.com/groups/opt_out.
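As an added example (not code from this thread or from the OSSEC project): a small Python checker that parses the <directories> entries of a syscheck block, flags entries whose paths nest inside one another with differing attributes (the /home/tomcat/conf vs /home/tomcat case above), and shows which entry is the most specific match for a given file. The sample XML is constructed, and longest-prefix resolution is this script's own assumption for the check, not a statement of how OSSEC itself resolves overlapping entries.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the two entries proposed in the question plus one of the
# report_changes entries from the agent config quoted earlier in the thread.
SYSCHECK_XML = """
<syscheck>
  <directories realtime="yes" check_all="yes" report_changes="yes">/home/tomcat/conf</directories>
  <directories realtime="yes" check_all="yes">/home/tomcat</directories>
  <directories report_changes="yes" check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
</syscheck>
"""

def parse_directories(xml_text):
    """Return (path, attributes) for every comma-separated path in every <directories> entry."""
    entries = []
    for node in ET.fromstring(xml_text).findall("directories"):
        for raw in (node.text or "").split(","):
            path = raw.strip()
            if len(path) > 1:
                path = path.rstrip("/")  # normalise trailing slash, but keep "/" itself
            if path:
                entries.append((path, dict(node.attrib)))
    return entries

def is_within(child, parent):
    """True when child is parent or lies somewhere below it."""
    return child == parent or child.startswith(parent.rstrip("/") + "/")

def find_overlaps(entries):
    """(inner, outer, differing attrs) for every entry nested under another entry."""
    overlaps = []
    for inner, inner_attrs in entries:
        for outer, outer_attrs in entries:
            if inner != outer and is_within(inner, outer):
                keys = set(inner_attrs) | set(outer_attrs)
                diff = {k: (inner_attrs.get(k), outer_attrs.get(k))
                        for k in keys if inner_attrs.get(k) != outer_attrs.get(k)}
                overlaps.append((inner, outer, diff))
    return overlaps

def most_specific_entry(entries, file_path):
    """Longest-prefix match (assumption of this checker, not OSSEC's documented rule)."""
    matches = [(p, a) for p, a in entries if is_within(file_path, p)]
    return max(matches, key=lambda pa: len(pa[0])) if matches else None

if __name__ == "__main__":
    entries = parse_directories(SYSCHECK_XML)
    for inner, outer, diff in find_overlaps(entries):
        print(f"{inner} is also covered by {outer}; differing attributes: {diff}")
    for f in ("/home/tomcat/conf/server.xml", "/home/tomcat/webapps/ROOT/index.jsp"):
        path, attrs = most_specific_entry(entries, f)
        print(f"{f}: entry {path}, report_changes={attrs.get('report_changes', 'no')}")
```

Run it against the real agent ossec.conf (or the shared agents.conf profile) to see every place where a report_changes directory also sits under a plain realtime directory, before trusting that the diff queue will stay small.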
