Is my ossec.conf on the agents correct?
Tested again today after some days:

Added an entry to /etc/hosts; nothing is detected or alerted directly.


On Friday, 27 September 2013 15:50:18 UTC+2, Michiel van Es wrote:
>
> Hello, I have the following setup :
>
> 1 manager - OSSEC 2.7 64 bit tar.gz manager install via script
> 2 agents - OSSEC 2.7 64 bit Atomic repo install
>
> I have changed the <syscheck> in /var/ossec/etc/ossec.conf to the following on the manager:
>
>   <syscheck>
>     <!-- Frequency that syscheck is executed - default to every 22 hours in seconds  -->
>     <frequency>7200</frequency>
>
>     <!-- Directories to check  (perform all possible verifications) -->
>     <directories realtime="yes" check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
>     <directories check_all="yes">/bin,/sbin</directories>
>
>     <!-- Files/directories to ignore -->
>     <ignore>/etc/mtab</ignore>
>     <ignore>/etc/mnttab</ignore>
>     <ignore>/etc/hosts.deny</ignore>
>     <ignore>/etc/mail/statistics</ignore>
>     <ignore>/etc/random-seed</ignore>
>     <ignore>/etc/adjtime</ignore>
>     <ignore>/etc/httpd/logs</ignore>
>     <ignore>/etc/utmpx</ignore>
>     <ignore>/etc/wtmpx</ignore>
>     <ignore>/etc/cups/certs</ignore>
>     <ignore>/etc/dumpdates</ignore>
>     <ignore>/etc/svc/volatile</ignore>
>
>     <!-- Windows files to ignore -->
>     <ignore>C:\WINDOWS/System32/LogFiles</ignore>
>     <ignore>C:\WINDOWS/Debug</ignore>
>     <ignore>C:\WINDOWS/WindowsUpdate.log</ignore>
>     <ignore>C:\WINDOWS/iis6.log</ignore>
>     <ignore>C:\WINDOWS/system32/wbem/Logs</ignore>
>     <ignore>C:\WINDOWS/system32/wbem/Repository</ignore>
>     <ignore>C:\WINDOWS/Prefetch</ignore>
>     <ignore>C:\WINDOWS/PCHEALTH/HELPCTR/DataColl</ignore>
>     <ignore>C:\WINDOWS/SoftwareDistribution</ignore>
>     <ignore>C:\WINDOWS/Temp</ignore>
>     <ignore>C:\WINDOWS/system32/config</ignore>
>     <ignore>C:\WINDOWS/system32/spool</ignore>
>     <ignore>C:\WINDOWS/system32/CatRoot</ignore>
>   </syscheck>
>
> I want realtime monitoring of the /etc/ directories on the agents.
> I tested the active restarts and the link with the agents via agent_control -lc.
>
> The agents have the following ossec.conf:
>
> <ossec_config>
>   <client>
>     <server-ip>10.10.138.69</server-ip>
>   </client>
> </ossec_config>
>
> Nothing happens when I alter /etc/hosts on 1 of the agents.
>
> When I change the /etc/hosts on the manager it is instant (exactly what I 
> want).
>
> I changed the ossec.conf on the agents to the following:
>
> <ossec_config>
>   <client>
>     <server-ip>10.10.138.69</server-ip>
>   </client>
>
>   <syscheck>
>     <!-- Frequency that syscheck is executed - default to every 22 hours in seconds  -->
>     <frequency>7200</frequency>
>
>     <!-- Directories to check  (perform all possible verifications) -->
>     <directories realtime="yes" check_all="yes">/var/ossec/etc,/etc,/usr/bin,/usr/sbin</directories>
>     <directories check_all="yes">/bin,/sbin</directories>
>
>     <!-- Files/directories to ignore -->
>     <ignore>/etc/mtab</ignore>
>     <ignore>/etc/mnttab</ignore>
>     <ignore>/etc/hosts.deny</ignore>
>     <ignore>/etc/mail/statistics</ignore>
>     <ignore>/etc/random-seed</ignore>
>     <ignore>/etc/adjtime</ignore>
>     <ignore>/etc/httpd/logs</ignore>
>     <ignore>/etc/utmpx</ignore>
>     <ignore>/etc/wtmpx</ignore>
>     <ignore>/etc/cups/certs</ignore>
>     <ignore>/etc/dumpdates</ignore>
>     <ignore>/etc/svc/volatile</ignore>
>
>     <!-- Windows files to ignore -->
>     <ignore>C:\WINDOWS/System32/LogFiles</ignore>
>     <ignore>C:\WINDOWS/Debug</ignore>
>     <ignore>C:\WINDOWS/WindowsUpdate.log</ignore>
>     <ignore>C:\WINDOWS/iis6.log</ignore>
>     <ignore>C:\WINDOWS/system32/wbem/Logs</ignore>
>     <ignore>C:\WINDOWS/system32/wbem/Repository</ignore>
>     <ignore>C:\WINDOWS/Prefetch</ignore>
>     <ignore>C:\WINDOWS/PCHEALTH/HELPCTR/DataColl</ignore>
>     <ignore>C:\WINDOWS/SoftwareDistribution</ignore>
>     <ignore>C:\WINDOWS/Temp</ignore>
>     <ignore>C:\WINDOWS/system32/config</ignore>
>     <ignore>C:\WINDOWS/system32/spool</ignore>
>     <ignore>C:\WINDOWS/system32/CatRoot</ignore>
>   </syscheck>
>
> </ossec_config>
>
> and restarted the ossec service on the agents, and let syscheck rebuild its database on both agents:
> 2013/09/27 14:16:33 ossec-syscheckd: INFO: Monitoring directory: '/etc'.
> 2013/09/27 14:16:33 ossec-syscheckd: INFO: Monitoring directory: '/usr/bin'.
> 2013/09/27 14:16:33 ossec-syscheckd: INFO: Monitoring directory: '/usr/sbin'.
> 2013/09/27 14:16:33 ossec-syscheckd: INFO: Monitoring directory: '/bin'.
> 2013/09/27 14:16:33 ossec-syscheckd: INFO: Monitoring directory: '/sbin'.
> 2013/09/27 14:16:33 ossec-syscheckd: INFO: Directory set for real time monitoring: '/var/ossec/etc'.
> 2013/09/27 14:16:33 ossec-syscheckd: INFO: Directory set for real time monitoring: '/etc'.
> 2013/09/27 14:16:33 ossec-syscheckd: INFO: Directory set for real time monitoring: '/usr/bin'.
> 2013/09/27 14:16:33 ossec-syscheckd: INFO: Directory set for real time monitoring: '/usr/sbin'.
> 2013/09/27 14:18:27 ossec-syscheckd: INFO: Starting syscheck scan (forwarding database).
> 2013/09/27 14:18:27 ossec-syscheckd: INFO: Starting syscheck database (pre-scan).
> 2013/09/27 14:18:27 ossec-syscheckd: INFO: Initializing real time file monitoring (not started).
> 2013/09/27 14:43:12 ossec-syscheckd: INFO: Real time file monitoring started.
> 2013/09/27 14:43:12 ossec-syscheckd: INFO: Finished creating syscheck database (pre-scan completed).
> 2013/09/27 14:43:26 ossec-syscheckd: INFO: Ending syscheck scan (forwarding database)
>
> I changed the /etc/hosts file again and added multiple new lines to make sure it won't match the MD5 sum.
> Still nothing is happening on the agents; no alert is triggered (on the manager it was instant).
>
> Am I correct that the realtime configuration should be in the ossec.conf 
> on the agents?
> I have seen one alert on one of the servers:
>
> Rule: 553 (level 7) -> 'File deleted. Unable to retrieve checksum.'
> File '/etc/hosts' was deleted. Unable to retrieve checksum.
>
>
> How can I recreate the database?
>
> Regards and sorry if I ask the obvious questions here.
>
> Michiel
>
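As an added example (not from the thread or from the OSSEC project), a small Python checker that parses an agent-side ossec.conf the way a reviewer would when answering "is my ossec.conf on the agents correct?": for a given path such as /etc/hosts it reports whether the path falls under a realtime <directories> entry, under a scheduled-only entry, under an <ignore>, or under nothing at all. The two sample configs are constructed, cut-down copies of the two agent configs in the post; <ignore> matching is approximated as a prefix match.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the second agent ossec.conf from the post, abbreviated.
AGENT_CONF = """<ossec_config>
  <client><server-ip>10.10.138.69</server-ip></client>
  <syscheck>
    <frequency>7200</frequency>
    <directories realtime="yes" check_all="yes">/var/ossec/etc,/etc,/usr/bin,/usr/sbin</directories>
    <directories check_all="yes">/bin,/sbin</directories>
    <ignore>/etc/mtab</ignore>
    <ignore>/etc/hosts.deny</ignore>
  </syscheck>
</ossec_config>"""

# Constructed sample: the first agent ossec.conf from the post (client block only).
AGENT_CONF_CLIENT_ONLY = """<ossec_config>
  <client><server-ip>10.10.138.69</server-ip></client>
</ossec_config>"""


def parse_syscheck(conf_xml):
    """Collect (path, realtime) pairs and <ignore> entries from every <syscheck> block."""
    root = ET.fromstring(conf_xml)
    dirs, ignores = [], []
    for sc in root.iter("syscheck"):
        for d in sc.findall("directories"):
            realtime = (d.get("realtime") or "no").lower() == "yes"
            dirs += [(p.strip(), realtime) for p in (d.text or "").split(",") if p.strip()]
        ignores += [(i.text or "").strip() for i in sc.findall("ignore")]
    return dirs, ignores


def _under(path, prefix):
    """True if path is prefix itself or lies below it."""
    return path == prefix or path.startswith(prefix.rstrip("/") + "/")


def monitoring_mode(conf_xml, path):
    """Return 'ignored', 'realtime', 'scheduled' (periodic scan only) or
    'unmonitored' for path; an <ignore> hit wins over any <directories> entry."""
    dirs, ignores = parse_syscheck(conf_xml)
    if any(_under(path, ig) for ig in ignores):
        return "ignored"
    matches = [rt for d, rt in dirs if _under(path, d)]
    if not matches:
        return "unmonitored"
    return "realtime" if any(matches) else "scheduled"
```

Run monitoring_mode(open("/var/ossec/etc/ossec.conf").read(), "/etc/hosts") on an agent to see which of the four modes its own config gives; a config with no <syscheck> block of its own reports "unmonitored".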
