Ok, clear for me. I want this to be on the agents, so I have to create a template for all agents with these settings.
Thanks!

2013/10/3 dan (ddp) <ddp...@gmail.com>

> On Thu, Oct 3, 2013 at 9:50 AM, Michiel van Es <vanesmich...@gmail.com> wrote:
> > But it is correct that I add the syscheck and realtime options to the agent's own ossec.conf and NOT on the server, right?
> >
>
> That depends on where you want that setting to be applied. If you want the agent to attempt these detections in real time, then you have to define it on the agent. If you want the server to do realtime detection, you must define it on the server. I will try to make the documentation more clear on this.
>
> > 2013/10/3 dan (ddp) <ddp...@gmail.com>
> >>
> >> On Thu, Oct 3, 2013 at 9:13 AM, Michiel van Es <vanesmich...@gmail.com> wrote:
> >> >
> >> > On Thursday, 3 October 2013 14:57:28 UTC+2, dan (ddpbsd) wrote:
> >> >>
> >> >> On Thu, Oct 3, 2013 at 4:26 AM, Michiel van Es <vanesm...@gmail.com> wrote:
> >> >> > Is my ossec.conf on the agents correct?
> >> >> > Tested again today after some days:
> >> >>
> >> >> As far as I can tell it seems ok.
> >> >>
> >> >> > Added an entry to /etc/hosts; nothing is detected and alerted directly..
> >> >>
> >> >> What do you mean by "alerted directly?"
> >> >
> >> > The realtime=yes should trigger an alert for OSSEC directly when I alter the file, right? (I open the file with vim, add a new line with bogus, write+quit.)
> >> > It does nothing after that, only after the first syscheck run that is scheduled to run every X hours/minutes.
> >>
> >> It should trigger an alert very quickly, yes.
> >> I don't really have a way to troubleshoot this. Every time I test realtime it works just fine.
> >>
> >> >> > On Friday, 27 September 2013 15:50:18 UTC+2, Michiel van Es wrote:
> >> >> >>
> >> >> >> Hello, I have the following setup:
> >> >> >>
> >> >> >> 1 manager - OSSEC 2.7 64 bit tar.gz manager install via script
> >> >> >> 2 agents - OSSEC 2.7 64 bit Atomic repo install
> >> >> >>
> >> >> >> I have changed the <syscheck> in /var/ossec/etc/ossec.conf to the following on the manager:
> >> >> >>
> >> >> >>   <syscheck>
> >> >> >>     <!-- Frequency that syscheck is executed - default to every 22 hours in seconds -->
> >> >> >>     <frequency>7200</frequency>
> >> >> >>
> >> >> >>     <!-- Directories to check (perform all possible verifications) -->
> >> >> >>     <directories realtime="yes" check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
> >> >> >>     <directories check_all="yes">/bin,/sbin</directories>
> >> >> >>
> >> >> >>     <!-- Files/directories to ignore -->
> >> >> >>     <ignore>/etc/mtab</ignore>
> >> >> >>     <ignore>/etc/mnttab</ignore>
> >> >> >>     <ignore>/etc/hosts.deny</ignore>
> >> >> >>     <ignore>/etc/mail/statistics</ignore>
> >> >> >>     <ignore>/etc/random-seed</ignore>
> >> >> >>     <ignore>/etc/adjtime</ignore>
> >> >> >>     <ignore>/etc/httpd/logs</ignore>
> >> >> >>     <ignore>/etc/utmpx</ignore>
> >> >> >>     <ignore>/etc/wtmpx</ignore>
> >> >> >>     <ignore>/etc/cups/certs</ignore>
> >> >> >>     <ignore>/etc/dumpdates</ignore>
> >> >> >>     <ignore>/etc/svc/volatile</ignore>
> >> >> >>
> >> >> >>     <!-- Windows files to ignore -->
> >> >> >>     <ignore>C:\WINDOWS/System32/LogFiles</ignore>
> >> >> >>     <ignore>C:\WINDOWS/Debug</ignore>
> >> >> >>     <ignore>C:\WINDOWS/WindowsUpdate.log</ignore>
> >> >> >>     <ignore>C:\WINDOWS/iis6.log</ignore>
> >> >> >>     <ignore>C:\WINDOWS/system32/wbem/Logs</ignore>
> >> >> >>     <ignore>C:\WINDOWS/system32/wbem/Repository</ignore>
> >> >> >>     <ignore>C:\WINDOWS/Prefetch</ignore>
> >> >> >>     <ignore>C:\WINDOWS/PCHEALTH/HELPCTR/DataColl</ignore>
> >> >> >>     <ignore>C:\WINDOWS/SoftwareDistribution</ignore>
> >> >> >>     <ignore>C:\WINDOWS/Temp</ignore>
> >> >> >>     <ignore>C:\WINDOWS/system32/config</ignore>
> >> >> >>     <ignore>C:\WINDOWS/system32/spool</ignore>
> >> >> >>     <ignore>C:\WINDOWS/system32/CatRoot</ignore>
> >> >> >>   </syscheck>
> >> >> >>
> >> >> >> I want realtime monitoring of the /etc/ directories on the agents.
> >> >> >> I tested the active restarts and link with the agents via agent_control -lc.
> >> >> >>
> >> >> >> The agents have the following ossec.conf:
> >> >> >>
> >> >> >>   <ossec_config>
> >> >> >>     <client>
> >> >> >>       <server-ip>10.10.138.69</server-ip>
> >> >> >>     </client>
> >> >> >>   </ossec_config>
> >> >> >>
> >> >> >> Nothing happens when I alter /etc/hosts on 1 of the agents.
> >> >> >>
> >> >> >> When I change the /etc/hosts on the manager it is instant (exactly what I want).
> >> >> >>
> >> >> >> I changed the ossec.conf on the agents with the following:
> >> >> >>
> >> >> >>   <ossec_config>
> >> >> >>     <client>
> >> >> >>       <server-ip>10.10.138.69</server-ip>
> >> >> >>     </client>
> >> >> >>
> >> >> >>     <syscheck>
> >> >> >>       <!-- Frequency that syscheck is executed - default to every 22 hours in seconds -->
> >> >> >>       <frequency>7200</frequency>
> >> >> >>
> >> >> >>       <!-- Directories to check (perform all possible verifications) -->
> >> >> >>       <directories realtime="yes" check_all="yes">/var/ossec/etc,/etc,/usr/bin,/usr/sbin</directories>
> >> >> >>       <directories check_all="yes">/bin,/sbin</directories>
> >> >> >>
> >> >> >>       <!-- Files/directories to ignore -->
> >> >> >>       <ignore>/etc/mtab</ignore>
> >> >> >>       <ignore>/etc/mnttab</ignore>
> >> >> >>       <ignore>/etc/hosts.deny</ignore>
> >> >> >>       <ignore>/etc/mail/statistics</ignore>
> >> >> >>       <ignore>/etc/random-seed</ignore>
> >> >> >>       <ignore>/etc/adjtime</ignore>
> >> >> >>       <ignore>/etc/httpd/logs</ignore>
> >> >> >>       <ignore>/etc/utmpx</ignore>
> >> >> >>       <ignore>/etc/wtmpx</ignore>
> >> >> >>       <ignore>/etc/cups/certs</ignore>
> >> >> >>       <ignore>/etc/dumpdates</ignore>
> >> >> >>       <ignore>/etc/svc/volatile</ignore>
> >> >> >>
> >> >> >>       <!-- Windows files to ignore -->
> >> >> >>       <ignore>C:\WINDOWS/System32/LogFiles</ignore>
> >> >> >>       <ignore>C:\WINDOWS/Debug</ignore>
> >> >> >>       <ignore>C:\WINDOWS/WindowsUpdate.log</ignore>
> >> >> >>       <ignore>C:\WINDOWS/iis6.log</ignore>
> >> >> >>       <ignore>C:\WINDOWS/system32/wbem/Logs</ignore>
> >> >> >>       <ignore>C:\WINDOWS/system32/wbem/Repository</ignore>
> >> >> >>       <ignore>C:\WINDOWS/Prefetch</ignore>
> >> >> >>       <ignore>C:\WINDOWS/PCHEALTH/HELPCTR/DataColl</ignore>
> >> >> >>       <ignore>C:\WINDOWS/SoftwareDistribution</ignore>
> >> >> >>       <ignore>C:\WINDOWS/Temp</ignore>
> >> >> >>       <ignore>C:\WINDOWS/system32/config</ignore>
> >> >> >>       <ignore>C:\WINDOWS/system32/spool</ignore>
> >> >> >>       <ignore>C:\WINDOWS/system32/CatRoot</ignore>
> >> >> >>     </syscheck>
> >> >> >>   </ossec_config>
> >> >> >>
> >> >> >> and restarted the ossec service on the agents, let system-check rebuild its database on both agents:
> >> >> >>
> >> >> >>   2013/09/27 14:16:33 ossec-syscheckd: INFO: Monitoring directory: '/etc'.
> >> >> >>   2013/09/27 14:16:33 ossec-syscheckd: INFO: Monitoring directory: '/usr/bin'.
> >> >> >>   2013/09/27 14:16:33 ossec-syscheckd: INFO: Monitoring directory: '/usr/sbin'.
> >> >> >>   2013/09/27 14:16:33 ossec-syscheckd: INFO: Monitoring directory: '/bin'.
> >> >> >>   2013/09/27 14:16:33 ossec-syscheckd: INFO: Monitoring directory: '/sbin'.
> >> >> >>   2013/09/27 14:16:33 ossec-syscheckd: INFO: Directory set for real time monitoring: '/var/ossec/etc'.
> >> >> >>   2013/09/27 14:16:33 ossec-syscheckd: INFO: Directory set for real time monitoring: '/etc'.
> >> >> >>   2013/09/27 14:16:33 ossec-syscheckd: INFO: Directory set for real time monitoring: '/usr/bin'.
> >> >> >>   2013/09/27 14:16:33 ossec-syscheckd: INFO: Directory set for real time monitoring: '/usr/sbin'.
> >> >> >>   2013/09/27 14:18:27 ossec-syscheckd: INFO: Starting syscheck scan (forwarding database).
> >> >> >>   2013/09/27 14:18:27 ossec-syscheckd: INFO: Starting syscheck database (pre-scan).
> >> >> >>   2013/09/27 14:18:27 ossec-syscheckd: INFO: Initializing real time file monitoring (not started).
> >> >> >>   2013/09/27 14:43:12 ossec-syscheckd: INFO: Real time file monitoring started.
> >> >> >>   2013/09/27 14:43:12 ossec-syscheckd: INFO: Finished creating syscheck database (pre-scan completed).
> >> >> >>   2013/09/27 14:43:26 ossec-syscheckd: INFO: Ending syscheck scan (forwarding database)
> >> >> >>
> >> >> >> I changed the /etc/hosts file again and added multiple new lines to make sure it won't match the MD5 sum.
> >> >> >> Still nothing happening on the agents, no alert triggered (as on the manager it was instant).
> >> >> >>
> >> >> >> Am I correct that the realtime configuration should be in the ossec.conf on the agents?
> >> >> >> I have seen one error on 1 of the servers alerting:
> >> >> >>
> >> >> >>   Rule: 553 (level 7) -> 'File deleted. Unable to retrieve checksum.'
> >> >> >>   File '/etc/hosts' was deleted. Unable to retrieve checksum.
> >> >> >>
> >> >> >> How can I recreate the database?
> >> >> >>
> >> >> >> Regards and sorry if I ask the obvious questions here.
> >> >> >>
> >> >> >> Michiel
> >> >> >
> >> >> > --
> >> >> >
> >> >> > ---
> >> >> > You received this message because you are subscribed to the Google Groups "ossec-list" group.
> >> >> > To unsubscribe from this group and stop receiving emails from it, send an email to ossec-list+...@googlegroups.com.
> >> >> > For more options, visit https://groups.google.com/groups/opt_out.
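The thread turns on two checks that are easy to get wrong when troubleshooting realtime syscheck: whether the agent's own ossec.conf (not the manager's) carries `realtime="yes"` for the path in question, and whether ossec-syscheckd had already logged "Real time file monitoring started" by the time the file was changed (in the log quoted above that line only appears at 14:43:12, together with "pre-scan completed", although the daemon restarted at 14:16:33, so an edit made in between could only be picked up by the scheduled scan). The script below is an added example, not code from the thread or from OSSEC: it parses a constructed agent config and a constructed ossec.log excerpt modelled on the ones quoted above, and reports for a given path and change time why a realtime alert could or could not have fired. The function names and the returned dictionary are my own; only plain-path `<ignore>` entries are modelled.

```python
import re
import xml.etree.ElementTree as ET
from datetime import datetime

# Constructed sample agent ossec.conf, modelled on the one quoted in the thread.
AGENT_CONF = """<ossec_config>
  <client>
    <server-ip>10.10.138.69</server-ip>
  </client>
  <syscheck>
    <frequency>7200</frequency>
    <directories realtime="yes" check_all="yes">/var/ossec/etc,/etc,/usr/bin,/usr/sbin</directories>
    <directories check_all="yes">/bin,/sbin</directories>
    <ignore>/etc/mtab</ignore>
  </syscheck>
</ossec_config>
"""

# Constructed ossec.log excerpt, in the ossec-syscheckd format quoted in the thread.
LOG_LINES = [
    "2013/09/27 14:16:33 ossec-syscheckd: INFO: Directory set for real time monitoring: '/etc'.",
    "2013/09/27 14:18:27 ossec-syscheckd: INFO: Starting syscheck database (pre-scan).",
    "2013/09/27 14:18:27 ossec-syscheckd: INFO: Initializing real time file monitoring (not started).",
    "2013/09/27 14:43:12 ossec-syscheckd: INFO: Real time file monitoring started.",
    "2013/09/27 14:43:12 ossec-syscheckd: INFO: Finished creating syscheck database (pre-scan completed).",
]

LOG_RE = re.compile(r"^(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) (\S+): (\w+): (.*)$")
TS_FMT = "%Y/%m/%d %H:%M:%S"

def _syscheck_blocks(conf_text):
    # ossec.conf may hold several top-level <ossec_config> blocks; wrapping them in one root accepts either layout.
    return ET.fromstring("<all>" + conf_text + "</all>").iter("syscheck")

def _norm(path):
    return path.strip().rstrip("/") or "/"

def _under(path, directory):
    # True when path is the directory itself or lies beneath it (prefix match on a path boundary).
    return path == directory or path.startswith(directory.rstrip("/") + "/")

def realtime_dirs(conf_text):
    """Directories configured with <directories realtime="yes"> (comma-separated lists)."""
    dirs = set()
    for block in _syscheck_blocks(conf_text):
        for d in block.findall("directories"):
            if d.get("realtime", "no").lower() == "yes" and d.text:
                dirs.update(_norm(p) for p in d.text.split(","))
    return dirs

def ignored_paths(conf_text):
    """Plain-path <ignore> entries; type="sregex" ignores are not modelled here."""
    return {_norm(i.text) for block in _syscheck_blocks(conf_text)
            for i in block.findall("ignore") if i.get("type") is None and i.text}

def parse_log(lines):
    """(timestamp, daemon, level, message) for every line in ossec.log format; others are skipped."""
    parsed = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if m:
            parsed.append((datetime.strptime(m.group(1), TS_FMT), m.group(2), m.group(3), m.group(4)))
    return parsed

def realtime_started_at(lines):
    """Time of the last 'Real time file monitoring started.' line, or None if it never appeared."""
    # In the thread's log this line shows up only with 'pre-scan completed'; before it, only the scheduled scan runs.
    starts = [ts for ts, daemon, _, msg in parse_log(lines)
              if daemon == "ossec-syscheckd" and msg.startswith("Real time file monitoring started")]
    return max(starts) if starts else None

def check_realtime(conf_text, log_lines, path, changed_at):
    """Could a change to `path` at `changed_at` (datetime or log-format string) raise a realtime alert here?"""
    if not isinstance(changed_at, datetime):
        changed_at = datetime.strptime(changed_at, TS_FMT)
    path = _norm(path)
    matched = [d for d in realtime_dirs(conf_text) if _under(path, d)]
    ignored = any(_under(path, i) for i in ignored_paths(conf_text))
    started = realtime_started_at(log_lines)
    r = {
        "covered": bool(matched) and not ignored,
        "realtime_dir": max(matched, key=len) if matched else None,
        "ignored": ignored,
        "started_before_change": started is not None and started <= changed_at,
        "reasons": [],
    }
    r["ok"] = r["covered"] and r["started_before_change"]
    if not matched:
        r["reasons"].append('not under any <directories realtime="yes"> entry on this agent')
    if ignored:
        r["reasons"].append("matches an <ignore> entry")
    if started is None:
        r["reasons"].append("log shows no 'Real time file monitoring started' line yet")
    elif started > changed_at:
        r["reasons"].append("change predates realtime start at %s; only the scheduled scan sees it" % started)
    return r

if __name__ == "__main__":
    res = check_realtime(AGENT_CONF, LOG_LINES, "/etc/hosts", "2013/09/27 14:30:00")
    print("detectable in realtime" if res["ok"] else "; ".join(res["reasons"]))
```

Run against the agent's real `/var/ossec/etc/ossec.conf` and `/var/ossec/logs/ossec.log` after a test edit, the "reasons" list separates a configuration gap (the directory is only realtime on the manager, or the file is ignored) from a timing problem (the edit landed before inotify monitoring was armed), which are the two situations the thread leaves undistinguished.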