On Thu, Jun 21, 2018 at 2:45 PM, Vinay Vanama <[email protected]> wrote:
> So now how can we ensure that this <config_profile> is working ?
>
Ok, I created an agent.conf:
ix# more /var/ossec/etc/shared/agent.conf
<agent_config profile="tester">
  <syscheck>
    <directories check_all="yes">/var/test</directories>
  </syscheck>
</agent_config>
It got pushed to an agent. I configured that agent to use the profile:
junction# more /var/ossec/etc/ossec.conf
<ossec_config>
  <client>
    <server-hostname>ix.example.com</server-hostname>
    <config-profile>tester</config-profile>
  </client>
I restarted the agent and checked the log:
junction# grep 'var/test' /var/ossec/logs/ossec.log
2018/06/21 14:58:52 ossec-syscheckd(1701): WARN: No option provided for directories: '/var/test', ignoring it.
2018/06/21 14:59:24 ossec-syscheckd(1701): WARN: No option provided for directories: '/var/test', ignoring it.
2018/06/21 14:59:59 ossec-syscheckd: INFO: Monitoring directory: '/var/test', with options perm | size | owner | group | md5sum | sha256sum.
You can see my failed attempts at setting this up the first couple of
times. I got it right on the third try.
Now this agent already has some <directories> entries, so I'll have to
try it again without them to see if it still works.
After removing the <directories> entries from the agent's ossec.conf and
restarting, I still see the message about '/var/test':
2018/06/21 15:03:59 ossec-syscheckd: INFO: Monitoring directory: '/var/test', with options perm | size | owner | group | md5sum | sha256sum.
The agent.conf was updated on the agent, the agent was restarted, and I see:
2018/06/21 15:05:32 ossec-syscheckd: INFO: Monitoring directory: '/var/test', with options perm | size | owner | group | md5sum | sha256sum.
2018/06/21 15:05:32 ossec-syscheckd: INFO: Monitoring directory: '/etc', with options perm | size | owner | group | md5sum | sha256sum.
2018/06/21 15:05:32 ossec-syscheckd: INFO: Monitoring directory: '/usr/bin', with options perm | size | owner | group | md5sum | sha256sum.
2018/06/21 15:05:32 ossec-syscheckd: INFO: Monitoring directory: '/usr/sbin', with options perm | size | owner | group | md5sum | sha256sum.
2018/06/21 15:05:32 ossec-syscheckd: INFO: Monitoring directory: '/bin', with options perm | size | owner | group | md5sum | sha256sum.
2018/06/21 15:05:32 ossec-syscheckd: INFO: Monitoring directory: '/sbin', with options perm | size | owner | group | md5sum | sha256sum.
2018/06/21 15:05:32 ossec-syscheckd: INFO: Monitoring directory: '/boot', with options perm | size | owner | group | md5sum | sha256sum.
2018/06/21 15:05:32 ossec-syscheckd: INFO: Monitoring directory: '/var/ossec/etc/ossec.conf', with options perm | size | owner | group | md5sum | report_changes | sha256sum.
So, it's definitely working.
--
---
You received this message because you are subscribed to the Google Groups
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to [email protected].
For more options, visit https://groups.google.com/d/optout.
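As an added example (not part of the thread above or of OSSEC itself), the following Python checker parses ossec-syscheckd log lines of the kind quoted in the reply and confirms that a directory pushed through an agent.conf profile is actually being monitored with the expected options, treating the "No option provided for directories ... ignoring it" warning as a failed push unless a later "Monitoring directory" line supersedes it. The sample log text and the expected-options map are constructed for the example.

```python
import re
from typing import Dict, List, Optional

# Constructed sample, modelled on the ossec.log lines quoted in the thread:
# two failed attempts (ignored), then the profile takes effect.
SAMPLE_LOG = """\
2018/06/21 14:58:52 ossec-syscheckd(1701): WARN: No option provided for directories: '/var/test', ignoring it.
2018/06/21 14:59:24 ossec-syscheckd(1701): WARN: No option provided for directories: '/var/test', ignoring it.
2018/06/21 14:59:59 ossec-syscheckd: INFO: Monitoring directory: '/var/test', with options perm | size | owner | group | md5sum | sha256sum.
2018/06/21 15:05:32 ossec-syscheckd: INFO: Monitoring directory: '/etc', with options perm | size | owner | group | md5sum | sha256sum.
2018/06/21 15:05:32 ossec-syscheckd: INFO: Monitoring directory: '/var/ossec/etc/ossec.conf', with options perm | size | owner | group | md5sum | report_changes | sha256sum.
"""

# Constructed sample where only the failed attempts are present.
FAILED_LOG = """\
2018/06/21 14:58:52 ossec-syscheckd(1701): WARN: No option provided for directories: '/var/test', ignoring it.
"""

SYSCHECKD = r"^\S+ \S+ ossec-syscheckd(?:\(\d+\))?: "
MONITOR_RE = re.compile(SYSCHECKD + r"INFO: Monitoring directory: '(?P<path>[^']+)', with options (?P<opts>.+?)\.?$")
IGNORE_RE = re.compile(SYSCHECKD + r"WARN: No option provided for directories: '(?P<path>[^']+)', ignoring it\.$")


def parse_syscheck_log(text: str) -> Dict[str, Optional[List[str]]]:
    """Map each directory to its option list, or None if syscheckd last refused it.
    Later lines override earlier ones, so a successful restart wins over old warnings."""
    state: Dict[str, Optional[List[str]]] = {}
    for line in text.splitlines():
        m = MONITOR_RE.match(line)
        if m:
            state[m.group("path")] = [o.strip() for o in m.group("opts").rstrip(".").split("|")]
            continue
        m = IGNORE_RE.match(line)
        if m:
            state[m.group("path")] = None  # no valid check_* attribute on <directories>
    return state


def verify_profile(text: str, expected: Dict[str, List[str]]) -> List[str]:
    """Return a list of problems; empty means every expected path is monitored with the wanted options."""
    state = parse_syscheck_log(text)
    problems: List[str] = []
    for path, wanted in expected.items():
        if path not in state:
            problems.append(f"{path}: never reported as monitored")
        elif state[path] is None:
            problems.append(f"{path}: ignored by syscheckd (no valid check_* option)")
        else:
            missing = sorted(set(wanted) - set(state[path]))
            if missing:
                problems.append(f"{path}: missing options {missing}")
    return problems
```

Run it against a real /var/ossec/logs/ossec.log after restarting the agent; an empty list from verify_profile is the "definitely working" confirmation the reply reaches by eye.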