Hi all, I'm new to the whole idea of using IDS and OSSEC. I've been trying 
to detect certain file creation or changes in realtime but I do not see it 
being reflected in the OSSEC web interface. The OSSEC is being deployed in 
a local environment on Ubuntu 18.4.04 LTS. The rule I have for code 
creation is:
  <rule id="554" level="10" overwrite="yes">
    <category>ossec</category>
    <decoded_as>syscheck_new_entry</decoded_as>
    <description>File added to the system.</description>
    <group>syscheck,</group>
  </rule>

The rule works, as random file creation has been logged, but it does not 
work for the specific directories that I have specified. The code below is 
the specified directories that I want to monitor. Even when I gave the 
attribute "realtime", it does not reflect in the logs when I change it.
    <!-- Frequency that syscheck is executed - default to every 22 hours -->
    <auto_ignore>no</auto_ignore>
    <frequency>180</frequency>
    <alert_new_files>yes</alert_new_files>

    <!-- Directories to check  (perform all possible verifications) -->
    <directories check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
    <directories check_all="yes">/bin,/sbin,/boot</directories>
    <directories report_changes="yes" realtime="yes" check_all="yes">/home/ubuntu/Downloads</directories>
    <directories report_changes="yes" realtime="yes" check_all="yes">/home/ubuntu/Desktop,/home/ubuntu</directories>
    <directories report_changes="yes" realtime="yes" check_all="yes">/home/ubuntu/Downloads/active.txt</directories>
Even when I force a scan by using the following command: 
/var/ossec/bin/agent_control -r -u 000
it does not work; for some reason, it keeps on stating: "INFO: 
Initializing real-time file monitoring (not started)."

I'm lost and I do not know what is wrong, can anybody help me with this 
issue?
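A small review helper, added here as an example and not part of the original post or of OSSEC itself: it parses a constructed copy of the posted syscheck fragment, lists every configured path, and reports which entries are nested inside another monitored path (the Desktop, Downloads and active.txt entries all sit under /home/ubuntu, which is monitored on its own). It assumes the fragment is wrapped in a single root element; to check a live file, pass the contents of /var/ossec/etc/ossec.conf instead.

```python
import xml.etree.ElementTree as ET
from posixpath import normpath

# Constructed copy of the <syscheck> fragment from the post, wrapped in a root
# element so it parses as a document. This is sample input, not the live config.
SYSCHECK_XML = """<syscheck>
  <frequency>180</frequency>
  <alert_new_files>yes</alert_new_files>
  <directories check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
  <directories report_changes="yes" realtime="yes" check_all="yes">/home/ubuntu/Downloads</directories>
  <directories report_changes="yes" realtime="yes" check_all="yes">/home/ubuntu/Desktop,/home/ubuntu</directories>
  <directories report_changes="yes" realtime="yes" check_all="yes">/home/ubuntu/Downloads/active.txt</directories>
</syscheck>"""


def parse_directories(xml_text):
    """Return (path, attributes) for every comma-separated path in <directories>."""
    root = ET.fromstring(xml_text)
    entries = []
    for node in root.iter("directories"):
        for raw in (node.text or "").split(","):
            path = raw.strip()
            if path:
                entries.append((normpath(path), dict(node.attrib)))
    return entries


def realtime_paths(entries):
    """Paths whose <directories> element carries realtime="yes"."""
    return [path for path, attrs in entries if attrs.get("realtime") == "yes"]


def find_overlaps(entries):
    """Return (child, parent) pairs where child lies inside another monitored path."""
    paths = [path for path, _ in entries]
    overlaps = []
    for child in paths:
        for parent in paths:
            if child != parent and child.startswith(parent.rstrip("/") + "/"):
                overlaps.append((child, parent))
    return overlaps


if __name__ == "__main__":
    entries = parse_directories(SYSCHECK_XML)
    print("monitored paths:", [p for p, _ in entries])
    print("realtime paths: ", realtime_paths(entries))
    for child, parent in find_overlaps(entries):
        print(f"nested: {child} is already covered by {parent}")
```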

You received this message because you are subscribed to the Google Groups 
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to ossec-list+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/ossec-list/b8a2c8b8-ec38-4310-bba9-40265da62c4fo%40googlegroups.com.