It's working!
I did the following config:

        <directories realtime="yes" check_all="yes">/home/tomcat/server</directories>
        <directories realtime="yes" check_all="yes" report_changes="yes">/home/tomcat/server/conf,/etc</directories>


Regards,

Stephan Gomes Higuti

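As an added example (not part of the thread or of OSSEC itself), a small Python checker that parses a <syscheck> block like the one above and reports, for a given file path, which <directories> entries cover it, whether an <ignore> prefix excludes it, and what options the most specific entry carries. SAMPLE_CONF is constructed from the config in this thread; "most specific entry wins" for overlapping entries is an assumption (the behaviour Roy expected), so the resolver also lists every matching entry in config order for you to compare against your agent's actual alerts.

```python
import xml.etree.ElementTree as ET
from pathlib import PurePosixPath

# Constructed sample built from the thread's config: a report_changes entry on
# the conf subfolder, a realtime-only entry on its parent, and two ignores.
SAMPLE_CONF = """<ossec_config><syscheck>
  <directories realtime="yes" check_all="yes"
      report_changes="yes">/home/tomcat/server/conf,/etc</directories>
  <directories realtime="yes" check_all="yes">/home/tomcat/server</directories>
  <ignore>/etc/mtab</ignore>
  <ignore>/var/ossec/queue</ignore>
</syscheck></ossec_config>"""

def parse_syscheck(xml_text):
    """Return (dirs, ignores); dirs is [(PurePosixPath, {option: bool})] in config order."""
    root = ET.fromstring(xml_text)
    dirs, ignores = [], []
    for sc in root.iter("syscheck"):
        for el in sc.findall("directories"):
            opts = {k: v.lower() == "yes" for k, v in el.attrib.items()}
            # One element may list several comma-separated paths; each gets the same options.
            dirs += [(PurePosixPath(p.strip()), opts)
                     for p in (el.text or "").split(",") if p.strip()]
        ignores += [PurePosixPath(el.text.strip())
                    for el in sc.findall("ignore") if el.text and el.text.strip()]
    return dirs, ignores

def _under(path, base):
    return path == base or base in path.parents

def resolve(path, dirs, ignores):
    """Describe how the config covers one file path.

    Returns None if an <ignore> prefix matches, {} if no entry covers the path,
    otherwise the options of the longest-prefix (most specific) matching entry
    plus every matching entry in config order, so overlaps are visible.
    Assumption: the most specific entry is the one whose options apply; OSSEC's
    handling of overlapping entries varies by version, so verify on your agent.
    """
    path = PurePosixPath(path)
    if any(_under(path, ig) for ig in ignores):
        return None
    matches = [(d, o) for d, o in dirs if _under(path, d)]
    if not matches:
        return {}
    entry, opts = max(matches, key=lambda m: len(m[0].parts))
    return {"entry": str(entry), "options": opts,
            "all_matches": [str(d) for d, _ in matches]}
```

Run `resolve("/home/tomcat/server/webapps/app.war", *parse_syscheck(SAMPLE_CONF))` to confirm that webapps is covered by the realtime-only parent entry and does not inherit report_changes.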

On 16 September 2013 21:09, Roy Feintuch <[email protected]> wrote:
> glad it is working now.
> I'm pretty confident that check_diff can be applied to a sub folder while not
> covering the parent folder - but I did not try it myself.
> As it is a simple setup - just do it - and please share your findings.
> -R
>
>
> On Monday, September 16, 2013 6:46:22 AM UTC-7, Stephan Gomes Higuti wrote:
>>
>> Thanks Roy.
>>
>> I did some changes and it's now working.
>> I configured the agents to use profiles, which are configured in
>> /var/ossec/etc/shared/agents.conf on the server, and now it's working fine.
>> About the diffs, I'm having some issues with it, for example:
>>
>> I'm watching in real time the directory /home/tomcat, which includes the
>> subdirectories /home/tomcat/bin, /home/tomcat/logs,
>> /home/tomcat/webapps, /home/tomcat/conf...
>> I want to have report_changes only in /home/tomcat/conf, otherwise
>> it will consume a huge amount of disk space if I add the webapps directory
>> for report_changes as well.
>> So, is it correct to do it like this:
>>
>> <directories realtime="yes" check_all="yes" report_changes="yes">/home/tomcat/conf</directories>
>> <directories realtime="yes" check_all="yes">/home/tomcat</directories>
>>
>> Is there another way to do that, or is it as simple as that?
>>
>> Best Regards,
>>
>> Stephan
>> Att,
>>
>> Stephan Gomes Higuti
>>
>>
>> On 13 September 2013 14:31, Roy Feintuch <[email protected]> wrote:
>> > Hi,
>> > 1. I think you are checking the wrong folder - queue/diff is used to store
>> > the files when using 'report_changes' mode (full diff reporting).
>> > The syscheck db folder is at queue/syscheck
>> >
>> > 2. If this is a new installation - then it takes ossec some time to start
>> > triggering some events (~1 day / 2 successful full scans while not restarting
>> > the agent)
>> >
>> > 3. Describe exactly what is not working in realtime - how did you test that?
>> > For what kind of event? For example, new files added are never discovered
>> > in realtime.
>> >
>> > -Roy
>> >
>> >
>> > On Wednesday, September 11, 2013 7:59:51 AM UTC-7, Stephan Gomes Higuti
>> > wrote:
>> >>
>> >> Hi!
>> >>
>> >> I'm having issues with Real Time detection and the syscheck scan; look at
>> >> the time that syscheck took.
>> >>
>> >> 2013/09/11 11:46:57 ossec-syscheckd: INFO: Starting syscheck scan (forwarding database).
>> >> 2013/09/11 11:46:57 ossec-syscheckd: INFO: Starting syscheck database (pre-scan).
>> >> 2013/09/11 11:46:57 ossec-syscheckd: INFO: Initializing real time file monitoring (not started).
>> >> 2013/09/11 11:46:57 ossec-syscheckd: DEBUG: Directory added for real time monitoring: '/srv/www/'.
>> >> 2013/09/11 11:46:57 ossec-syscheckd: DEBUG: Directory added for real time monitoring: '/home/XXXXXX/'.
>> >> 2013/09/11 11:46:57 ossec-syscheckd: DEBUG: Directory added for real time monitoring: '/home/YYYYYYY/'.
>> >> 2013/09/11 11:46:57 ossec-syscheckd: INFO: Real time file monitoring started.
>> >> 2013/09/11 11:46:57 ossec-syscheckd: INFO: Finished creating syscheck database (pre-scan completed).
>> >> 2013/09/11 11:47:09 ossec-syscheckd: INFO: Ending syscheck scan (forwarding database).
>> >> 2013/09/11 11:47:29 ossec-rootcheck: INFO: Starting rootcheck scan.
>> >> 2013/09/11 11:47:29 ossec-rootcheck: DEBUG: Starting on check_rc_files
>> >> 2013/09/11 11:47:29 ossec-rootcheck: DEBUG: Starting on check_rc_trojans
>> >>
>> >>
>> >> Realtime monitoring is not working as well, here is my agent ossec.conf:
>> >>
>> >> <syscheck>
>> >>     <!-- Frequency that syscheck is executed - default to every 22 hours -->
>> >>     <frequency>21600</frequency>
>> >>
>> >>     <scan_on_start>yes</scan_on_start>
>> >>     <auto_ignore>no</auto_ignore>
>> >>     <alert_new_files>yes</alert_new_files>
>> >>     <!-- Directories to check  (perform all possible verifications) -->
>> >>     <directories report_changes="yes" check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
>> >>     <directories report_changes="yes" check_all="yes">/bin,/sbin</directories>
>> >>     <directories realtime="yes" check_all="yes">/srv/www,/home/XXXXXX,/home/YYYYYY/apache</directories>
>> >>
>> >>     <!-- Files/directories to ignore -->
>> >>     <ignore>/etc/mtab</ignore>
>> >>     <ignore>/etc/mnttab</ignore>
>> >>     <ignore>/etc/hosts.deny</ignore>
>> >>     <ignore>/etc/mail/statistics</ignore>
>> >>     <ignore>/etc/random-seed</ignore>
>> >>     <ignore>/etc/adjtime</ignore>
>> >>     <ignore>/etc/httpd/logs</ignore>
>> >>     <ignore>/etc/utmpx</ignore>
>> >>     <ignore>/etc/wtmpx</ignore>
>> >>     <ignore>/etc/cups/certs</ignore>
>> >>     <ignore>/etc/dumpdates</ignore>
>> >>     <ignore>/etc/svc/volatile</ignore>
>> >>     <ignore>/var/ossec/queue</ignore>
>> >>     <ignore>/var/ossec/logs</ignore>
>> >>     <ignore>/var/ossec/stats</ignore>
>> >>     <ignore>/var/ossec/var</ignore>
>> >>     <ignore>/home/YYYYYYYY/apache/logs</ignore>
>> >>
>> >>   </syscheck>
>> >>
>> >>
>> >> The weird thing is, I had it working on other servers.
>> >> The syscheck didn't even create all the queues:
>> >>
>> >> # ls /var/ossec/queue/diff/local/
>> >> etc
>> >>
>> >>
>> >> # du -hsc /var/ossec/queue/diff/local/*
>> >> 608K /var/ossec/queue/diff/local/etc
>> >> 608K total
>> >>
>> >>
>> >> I've got no idea why the syscheck is kind of jumping the scan; I
>> >> checked the conf files and it seems ok!
>> >> Am I missing anything?
>> >>
>> >>
>> >> Regards,
>> >>
>> >>
>> >> Stephan
>> >
>> > --
>> >
>> > ---
>> > You received this message because you are subscribed to the Google
>> > Groups
>> > "ossec-list" group.
>> > To unsubscribe from this group and stop receiving emails from it, send
>> > an
>> > email to [email protected].
>> > For more options, visit https://groups.google.com/groups/opt_out.
>
