On Thursday, October 3, 2013 14:57:28 UTC+2, dan (ddpbsd) wrote:
>
> On Thu, Oct 3, 2013 at 4:26 AM, Michiel van Es <vanesm...@gmail.com> wrote: 
> > Is my ossec.conf on the agents correct? 
> > tested again today after some days: 
> > 
>
> As far as I can tell it seems ok. 
>
> > added an entry to /etc/hosts, nothing is detected and alerted directly.. 
> > 
>
> What do you mean by "alerted directly?" 
>

The realtime=yes should trigger an alert in OSSEC directly when I alter 
the file, right? (I open the file with vim, add a bogus new line, 
write+quit)
It does nothing after that, only after the first syscheck run that is 
scheduled to run every X hours/minutes.
 

>
> > 
> >> On Friday, September 27, 2013 15:50:18 UTC+2, Michiel van Es wrote: 
> >> 
> >> Hello, I have the following setup : 
> >> 
> >> 1 manager - OSSEC 2.7 64 bit tar.gz manager install via script 
> >> 2 agents - OSSEC 2.7 64 bit Atomic repo install 
> >> 
> >> I have changed the <syscheck> in /var/ossec/etc/ossec.conf to the 
> >> following on the manager: 
> >> 
> >>   <syscheck> 
> >>     <!-- Frequency that syscheck is executed - default to every 22 hours 
> >>          in seconds  --> 
> >>     <frequency>7200</frequency> 
> >> 
> >>     <!-- Directories to check  (perform all possible verifications) --> 
> >>     <directories realtime="yes" 
> >> check_all="yes">/etc,/usr/bin,/usr/sbin</directories> 
> >>     <directories check_all="yes">/bin,/sbin</directories> 
> >> 
> >>     <!-- Files/directories to ignore --> 
> >>     <ignore>/etc/mtab</ignore> 
> >>     <ignore>/etc/mnttab</ignore> 
> >>     <ignore>/etc/hosts.deny</ignore> 
> >>     <ignore>/etc/mail/statistics</ignore> 
> >>     <ignore>/etc/random-seed</ignore> 
> >>     <ignore>/etc/adjtime</ignore> 
> >>     <ignore>/etc/httpd/logs</ignore> 
> >>     <ignore>/etc/utmpx</ignore> 
> >>     <ignore>/etc/wtmpx</ignore> 
> >>     <ignore>/etc/cups/certs</ignore> 
> >>     <ignore>/etc/dumpdates</ignore> 
> >>     <ignore>/etc/svc/volatile</ignore> 
> >> 
> >>     <!-- Windows files to ignore --> 
> >>     <ignore>C:\WINDOWS/System32/LogFiles</ignore> 
> >>     <ignore>C:\WINDOWS/Debug</ignore> 
> >>     <ignore>C:\WINDOWS/WindowsUpdate.log</ignore> 
> >>     <ignore>C:\WINDOWS/iis6.log</ignore> 
> >>     <ignore>C:\WINDOWS/system32/wbem/Logs</ignore> 
> >>     <ignore>C:\WINDOWS/system32/wbem/Repository</ignore> 
> >>     <ignore>C:\WINDOWS/Prefetch</ignore> 
> >>     <ignore>C:\WINDOWS/PCHEALTH/HELPCTR/DataColl</ignore> 
> >>     <ignore>C:\WINDOWS/SoftwareDistribution</ignore> 
> >>     <ignore>C:\WINDOWS/Temp</ignore> 
> >>     <ignore>C:\WINDOWS/system32/config</ignore> 
> >>     <ignore>C:\WINDOWS/system32/spool</ignore> 
> >>     <ignore>C:\WINDOWS/system32/CatRoot</ignore> 
> >>   </syscheck> 
> >> 
> >> I want realtime monitoring of the /etc/ directories on the agents. 
> >> I tested the active restarts and link with the agents via the 
> >> agent_control -lc 
> >> 
> >> The agents have the following ossec.conf: 
> >> 
> >> <ossec_config> 
> >>   <client> 
> >>     <server-ip>10.10.138.69</server-ip> 
> >>   </client> 
> >> </ossec_config> 
> >> 
> >> Nothing happens when I alter /etc/hosts on 1 of the agents. 
> >> 
> >> When I change the /etc/hosts on the manager it is instant (exactly what I 
> >> want). 
> >> 
> >> I changed the ossec.conf on the agents with the following; 
> >> 
> >> <ossec_config> 
> >>   <client> 
> >>     <server-ip>10.10.138.69</server-ip> 
> >>   </client> 
> >> 
> >>   <syscheck> 
> >>     <!-- Frequency that syscheck is executed - default to every 22 hours 
> >>          in seconds  --> 
> >>     <frequency>7200</frequency> 
> >> 
> >>     <!-- Directories to check  (perform all possible verifications) --> 
> >>     <directories realtime="yes" 
> >> check_all="yes">/var/ossec/etc,/etc,/usr/bin,/usr/sbin</directories> 
> >>     <directories check_all="yes">/bin,/sbin</directories> 
> >> 
> >>     <!-- Files/directories to ignore --> 
> >>     <ignore>/etc/mtab</ignore> 
> >>     <ignore>/etc/mnttab</ignore> 
> >>     <ignore>/etc/hosts.deny</ignore> 
> >>     <ignore>/etc/mail/statistics</ignore> 
> >>     <ignore>/etc/random-seed</ignore> 
> >>     <ignore>/etc/adjtime</ignore> 
> >>     <ignore>/etc/httpd/logs</ignore> 
> >>     <ignore>/etc/utmpx</ignore> 
> >>     <ignore>/etc/wtmpx</ignore> 
> >>     <ignore>/etc/cups/certs</ignore> 
> >>     <ignore>/etc/dumpdates</ignore> 
> >>     <ignore>/etc/svc/volatile</ignore> 
> >> 
> >>     <!-- Windows files to ignore --> 
> >>     <ignore>C:\WINDOWS/System32/LogFiles</ignore> 
> >>     <ignore>C:\WINDOWS/Debug</ignore> 
> >>     <ignore>C:\WINDOWS/WindowsUpdate.log</ignore> 
> >>     <ignore>C:\WINDOWS/iis6.log</ignore> 
> >>     <ignore>C:\WINDOWS/system32/wbem/Logs</ignore> 
> >>     <ignore>C:\WINDOWS/system32/wbem/Repository</ignore> 
> >>     <ignore>C:\WINDOWS/Prefetch</ignore> 
> >>     <ignore>C:\WINDOWS/PCHEALTH/HELPCTR/DataColl</ignore> 
> >>     <ignore>C:\WINDOWS/SoftwareDistribution</ignore> 
> >>     <ignore>C:\WINDOWS/Temp</ignore> 
> >>     <ignore>C:\WINDOWS/system32/config</ignore> 
> >>     <ignore>C:\WINDOWS/system32/spool</ignore> 
> >>     <ignore>C:\WINDOWS/system32/CatRoot</ignore> 
> >>   </syscheck> 
> >> 
> >> </ossec_config> 
> >> 
> >> and restarted the ossec service on the agents, let system-check rebuild 
> >> its database on both agents: 
> >> 2013/09/27 14:16:33 ossec-syscheckd: INFO: Monitoring directory: '/etc'. 
> >> 2013/09/27 14:16:33 ossec-syscheckd: INFO: Monitoring directory: '/usr/bin'. 
> >> 2013/09/27 14:16:33 ossec-syscheckd: INFO: Monitoring directory: '/usr/sbin'. 
> >> 2013/09/27 14:16:33 ossec-syscheckd: INFO: Monitoring directory: '/bin'. 
> >> 2013/09/27 14:16:33 ossec-syscheckd: INFO: Monitoring directory: '/sbin'. 
> >> 2013/09/27 14:16:33 ossec-syscheckd: INFO: Directory set for real time 
> >> monitoring: '/var/ossec/etc'. 
> >> 2013/09/27 14:16:33 ossec-syscheckd: INFO: Directory set for real time 
> >> monitoring: '/etc'. 
> >> 2013/09/27 14:16:33 ossec-syscheckd: INFO: Directory set for real time 
> >> monitoring: '/usr/bin'. 
> >> 2013/09/27 14:16:33 ossec-syscheckd: INFO: Directory set for real time 
> >> monitoring: '/usr/sbin'. 
> >> 2013/09/27 14:18:27 ossec-syscheckd: INFO: Starting syscheck scan 
> >> (forwarding database). 
> >> 2013/09/27 14:18:27 ossec-syscheckd: INFO: Starting syscheck database 
> >> (pre-scan). 
> >> 2013/09/27 14:18:27 ossec-syscheckd: INFO: Initializing real time file 
> >> monitoring (not started). 
> >> 2013/09/27 14:43:12 ossec-syscheckd: INFO: Real time file monitoring 
> >> started. 
> >> 2013/09/27 14:43:12 ossec-syscheckd: INFO: Finished creating syscheck 
> >> database (pre-scan completed). 
> >> 2013/09/27 14:43:26 ossec-syscheckd: INFO: Ending syscheck scan 
> >> (forwarding database) 
> >> 
> >> I change the /etc/hosts file again and add multiple new lines to make sure it 
> >> won't match the MD5 sum. 
> >> Still nothing happening on the agents, no alert triggered (as on the 
> >> manager it was instant) 
> >> 
> >> Am I correct that the realtime configuration should be in the ossec.conf 
> >> on the agents? 
> >> I have seen one error on 1 of the servers alerting: 
> >> 
> >> Rule: 553 (level 7) -> 'File deleted. Unable to retrieve checksum.' 
> >> File '/etc/hosts' was deleted. Unable to retrieve checksum. 
> >> 
> >> 
> >> How can I recreate the database? 
> >> 
> >> Regards and sorry if I ask the obvious questions here. 
> >> 
> >> Michiel 
> > 
>

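As an added illustration (not code from this thread or from OSSEC itself), the script below parses a <syscheck> block the way the two agent configs above are written and reports whether a path such as /etc/hosts would be realtime-monitored, scanned only on the <frequency> schedule, ignored, or not watched at all; the sample configs are constructed and condensed from the thread, and treating <directories> and <ignore> entries as path prefixes is an assumption about OSSEC's matching.

```python
import xml.etree.ElementTree as ET

# Constructed samples, condensed from the two agent configs in the thread:
# the first has only <client>, the second adds the <syscheck> block.
AGENT_CONF_CLIENT_ONLY = """
<ossec_config>
  <client><server-ip>10.10.138.69</server-ip></client>
</ossec_config>
"""

AGENT_CONF_WITH_SYSCHECK = """
<ossec_config>
  <client><server-ip>10.10.138.69</server-ip></client>
  <syscheck>
    <frequency>7200</frequency>
    <directories realtime="yes" check_all="yes">/var/ossec/etc,/etc,/usr/bin,/usr/sbin</directories>
    <directories check_all="yes">/bin,/sbin</directories>
    <ignore>/etc/mtab</ignore>
    <ignore>/etc/hosts.deny</ignore>
  </syscheck>
</ossec_config>
"""

def load_syscheck(conf_text):
    """Collect (directory, realtime) pairs and ignore prefixes from a config."""
    # ossec.conf may hold several top-level <ossec_config> blocks, so wrap it
    # in a throwaway root to make it well-formed XML.
    root = ET.fromstring("<root>" + conf_text + "</root>")
    dirs, ignores = [], []
    for sc in root.iter("syscheck"):
        for d in sc.findall("directories"):
            realtime = (d.get("realtime") or "no").lower() == "yes"
            for p in (d.text or "").split(","):
                if p.strip():
                    dirs.append((p.strip().rstrip("/") or "/", realtime))
        ignores += [ig.text.strip() for ig in sc.findall("ignore") if ig.text]
    return dirs, ignores

def coverage(conf_text, path):
    """Return 'ignored', 'realtime', 'scheduled' or 'unmonitored' for path."""
    dirs, ignores = load_syscheck(conf_text)
    # Assumption: <ignore> entries match as path prefixes.
    if any(path.startswith(ig) for ig in ignores):
        return "ignored"
    # The longest <directories> entry containing the path decides the mode.
    hits = [(d, rt) for d, rt in dirs if d == "/" or path == d or path.startswith(d + "/")]
    if not hits:
        return "unmonitored"
    return "realtime" if max(hits, key=lambda h: len(h[0]))[1] else "scheduled"
```

Run against the client-only config, /etc/hosts comes back "unmonitored", which matches the thread's point that an agent only watches what its own ossec.conf (or a pushed agent.conf) tells it to.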