On Fri, Apr 17, 2015 at 10:23 AM, srikanth kalangi <srikanthkala...@gmail.com> wrote:
> Sure Dan, thank you for clarification.
>
> Can you please confirm if the below settings are correct? As we have
> already enabled this before.
>
> <!-- Directories to check (perform all possible verifications) -->
> <directories report_changes="yes" realtime="yes" check_all="yes">/usr/bin,/usr/sbin</directories>
> <directories report_changes="yes" realtime="yes" check_all="yes">/bin,/sbin,/etc</directories>
>

These look correct. Does `/var/ossec/queue/diff` exist on the agent
and/or manager? What subdirectories does it contain (I only have a local
install at the moment, and /var/ossec/queue/diff/local is the directory
I'm seeing)?

> Thanks
> Srikanth
>
> On Friday, April 17, 2015 at 7:15:09 AM UTC-7, dan (ddpbsd) wrote:
>>
>> On Fri, Apr 17, 2015 at 10:09 AM, srikanth kalangi
>> <srikant...@gmail.com> wrote:
>> > Hi Dan,
>> >
>> > I have tried to enable check_diff for rules 550, 551, 552 and 553.
>> > Tested but somehow still not working.
>> >
>>
>> Ok, I think I got this one wrong. You need the report_changes option
>> in the <directories> setting.
>>
>> http://ossec-docs.readthedocs.org/en/latest/syntax/head_ossec_config.syscheck.html?highlight=report_changes
>>
>> check_diff is more for commands. Sorry about the confusion.
>>
>> > Here are the rules info.
>> > <rule id="550" level="8">
>> >   <category>ossec</category>
>> >   <decoded_as>syscheck_integrity_changed</decoded_as>
>> >   <check_diff />
>> >   <options>alert_by_email</options>
>> >   <description>Integrity checksum changed.</description>
>> >   <group>syscheck,</group>
>> > </rule>
>> >
>> > <rule id="551" level="8">
>> >   <category>ossec</category>
>> >   <check_diff />
>> >   <options>alert_by_email</options>
>> >   <decoded_as>syscheck_integrity_changed_2nd</decoded_as>
>> >   <description>Integrity checksum changed again (2nd time).</description>
>> >   <group>syscheck,</group>
>> > </rule>
>> >
>> > <rule id="552" level="8">
>> >   <category>ossec</category>
>> >   <decoded_as>syscheck_integrity_changed_3rd</decoded_as>
>> >   <check_diff />
>> >   <options>alert_by_email</options>
>> >   <description>Integrity checksum changed again (3rd time).</description>
>> >   <group>syscheck,</group>
>> > </rule>
>> >
>> > <rule id="553" level="7">
>> >   <category>ossec</category>
>> >   <decoded_as>syscheck_deleted</decoded_as>
>> >   <check_diff />
>> >   <options>alert_by_email</options>
>> >   <description>File deleted. Unable to retrieve checksum.</description>
>> >   <group>syscheck,</group>
>> > </rule>
>> >
>> >
>> > Here is the output from email alert
>> > Rule: 550 fired (level 8) -> "Integrity checksum changed."
>> > Portion of the log(s):
>> >
>> > Integrity checksum changed for: '/etc/rsyslog.conf'
>> > Size changed from '4334' to '4335'
>> > Old md5sum was: 'a2862b03a2184b133a677a3cf68c8642'
>> > New md5sum is : '1f44062e85aca68133c0204f319feb25'
>> > Old sha1sum was: '3dff8cf28193d4feb03df7e136f968d27e00bd00'
>> > New sha1sum is : '34472e2b29694e9233f5bf6ef2c178af7fe9764c'
>> >
>> > Thanks
>> > Srikanth
>> >
>> > On Friday, April 17, 2015 at 6:26:49 AM UTC-7, dan (ddpbsd) wrote:
>> >>
>> >> On Fri, Apr 17, 2015 at 9:17 AM, srikanth kalangi
>> >> <srikant...@gmail.com> wrote:
>> >> > Hi Dan,
>> >> > yes tried all possibilities but still not working.
>> >> >
>> >> > Can you please confirm if the rule is correct for check_diff?
>> >> >
>> >>
>> >> Without testing, no. But it looks correct.
>> >>
>> >> > Rule: 551 fired (level 8) -> "Integrity checksum changed again (2nd
>> >> > time)."
>> >>
>> >> However, this alert is for rule 551, not 550. You'll probably have to
>> >> adjust 550, 551, 552, and 553 to ensure coverage.
>> >>
>> >> > Portion of the log(s):
>> >> >
>> >> > Integrity checksum changed for: '/etc/sysctl.conf'
>> >> > Size changed from '1178' to '1180'
>> >> > Old md5sum was: '6c9e37b11ad582d5abcf48f960522052'
>> >> > New md5sum is : 'c97d89abe2e63aa32e0d2d124bd87679'
>> >> > Old sha1sum was: '98d2f9f67648002930280381042d09d7cad0f55b'
>> >> > New sha1sum is : '6afc9406dab588f2e160b3d51596c3f1e2a93ad7'
>> >> >
>> >> > Thanks
>> >> > Srikanth
>> >> >
>> >> > On Friday, April 17, 2015 at 4:33:04 AM UTC-7, dan (ddpbsd) wrote:
>> >> >>
>> >> >> On Fri, Apr 17, 2015 at 2:57 AM, srikanth kalangi
>> >> >> <srikant...@gmail.com> wrote:
>> >> >> > Hi Dan,
>> >> >> > This is what I have done so far.
>> >> >> >
>> >> >> > <rule id="550" level="8">
>> >> >> >   <category>ossec</category>
>> >> >> >   <decoded_as>syscheck_integrity_changed</decoded_as>
>> >> >> >   <check_diff />
>> >> >> >   <options>alert_by_email</options>
>> >> >> >   <description>Integrity checksum changed.</description>
>> >> >> >   <group>syscheck,</group>
>> >> >> > </rule>
>> >> >> >
>> >> >> > But still in the email alert, output diff is not showing up.
>> >> >> > Please let me know if you are looking for more info on this.
>> >> >> >
>> >> >>
>> >> >> Did you restart the OSSEC processes on the manager after changing the
>> >> >> rule? If so, try it again, but stop the processes, make sure they've
>> >> >> stopped, and start them again.
>> >> >> Other things to check are to make sure the disk isn't full on the
>> >> >> agent (df and df -i for inodes), and make sure permissions are correct
>> >> >> in /var/ossec/queue
>> >> >>
>> >> >> > Thanks
>> >> >> > Srikanth
>> >> >> >
>> >> >> > On Thursday, April 16, 2015 at 7:56:04 PM UTC-7, dan (ddpbsd) wrote:
>> >> >> >>
>> >> >> >> On Apr 16, 2015 10:54 PM, "srikanth kalangi" <srikant...@gmail.com> wrote:
>> >> >> >> >
>> >> >> >> > Hi Dan,
>> >> >> >> >
>> >> >> >> > Thank you very much for your reply.
>> >> >> >> > Is it possible for you to provide the sample rule as I was unable
>> >> >> >> > to find it from
>> >> >> >> >
>> >> >> >> > http://dcid.me/2010/03/alerting-when-a-log-or-output-of-a-command-changes/
>> >> >> >> > which gets me a 404 error.
>> >> >> >> >
>> >> >> >>
>> >> >> >> What have you tried so far?
>> >> >> >>
>> >> >> >> > Thanks
>> >> >> >> > Srikanth
>> >> >> >> >
>> >> >> >> > On Thursday, April 16, 2015 at 11:20:56 AM UTC-7, dan (ddpbsd) wrote:
>> >> >> >> >>
>> >> >> >> >> On Thu, Apr 16, 2015 at 2:08 PM, srikanth kalangi
>> >> >> >> >> <srikant...@gmail.com> wrote:
>> >> >> >> >> > Hi Team,
>> >> >> >> >> >
>> >> >> >> >> > Is there a way to show the difference in the email alert, like
>> >> >> >> >> > what has changed between old & new file?
>> >> >> >> >> >
>> >> >> >> >> > Please help.
>> >> >> >> >> >
>> >> >> >> >> > It is showing the md5sum but not the difference output.
>> >> >> >> >> >
>> >> >> >> >> > Integrity checksum changed for: '/var/ossec/etc/ossec.conf'
>> >> >> >> >> > Size changed from '2777' to '2817'
>> >> >> >> >> > Old md5sum was: 'a69f4ab990235e4eeb61b5d2d839dcc8'
>> >> >> >> >> > New md5sum is : '72ce6db1b1983a4a07de78abfdf0724e'
>> >> >> >> >> > Old sha1sum was: 'c9f86b33392f7f2e87ac5e1e38344c0bd1be5cb9'
>> >> >> >> >> > New sha1sum is : '8fe3613d520900260e1c3fceada8fdad8e2b00bb'
>> >> >> >> >> >
>> >> >> >> >>
>> >> >> >> >> The check_diff rule option can help with that:
>> >> >> >> >>
>> >> >> >> >> http://ossec-docs.readthedocs.org/en/latest/syntax/head_rules.html?highlight=check_diff#element-check_diff
>> >> >> >> >>
>> >> >> >> >> > Thanks
>> >> >> >> >> >
>> >> >> >> >> > Srikanth

--
---
You received this message because you are subscribed to the Google Groups "ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to ossec-list+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
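A small check for the point the thread settles on (report_changes belongs on the <directories> entry, not on the rule): given an ossec.conf syscheck block and the path from an alert, does a <directories> entry with report_changes="yes" cover it? This is an added example, not code from the thread or from OSSEC; it assumes OSSEC maps a file to the most specific <directories> path prefix, and the ossec.conf fragment is constructed from the settings quoted above plus one entry without report_changes.

```python
"""Added example (not OSSEC code): does a file that raised a syscheck alert fall
under a <directories> entry with report_changes="yes"?  Prefix matching is an
assumption about how OSSEC maps files to <directories> entries."""
import xml.etree.ElementTree as ET

# Constructed ossec.conf fragment reusing the two <directories> lines from the thread,
# plus one entry without report_changes to show the negative case.
OSSEC_CONF = """<ossec_config>
  <syscheck>
    <!-- Directories to check (perform all possible verifications) -->
    <directories report_changes="yes" realtime="yes" check_all="yes">/usr/bin,/usr/sbin</directories>
    <directories report_changes="yes" realtime="yes" check_all="yes">/bin,/sbin,/etc</directories>
    <directories check_all="yes">/var/ossec/etc</directories>
  </syscheck>
</ossec_config>"""


def load_directories(conf_xml):
    """Return (directory, attributes) pairs, one per comma-separated path."""
    entries = []
    for elem in ET.fromstring(conf_xml).iter("directories"):
        for raw in (elem.text or "").split(","):
            raw = raw.strip()
            if raw:
                entries.append((raw.rstrip("/") or "/", dict(elem.attrib)))
    return entries


def matching_entry(path, entries):
    """Most specific (longest) configured directory that contains path, or None."""
    best = None
    for d, attrs in entries:
        covered = d == "/" or path == d or path.startswith(d + "/")
        if covered and (best is None or len(d) > len(best[0])):
            best = (d, attrs)
    return best


def report_changes_enabled(path, conf_xml=OSSEC_CONF):
    """True/False when a <directories> entry covers path; None when nothing does."""
    match = matching_entry(path, load_directories(conf_xml))
    if match is None:
        return None
    return match[1].get("report_changes", "no").lower() == "yes"


if __name__ == "__main__":
    for f in ("/etc/rsyslog.conf", "/var/ossec/etc/ossec.conf", "/opt/app/x"):
        print(f, "->", report_changes_enabled(f))
```

Run it against your real ossec.conf (and agent.conf, if you use centralized configuration) to confirm the alerting file is actually under a report_changes="yes" entry before looking at queue/diff permissions or disk space.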