Re: [ossec-list] Problem with alerting file changes and checksum integrity

2020-06-13 Thread dan (ddp)
On Sat, Jun 13, 2020 at 7:41 AM John Goh  wrote:
>
> Hi all, I'm new to the whole idea of using IDS and OSSEC. I've been trying to 
> detect certain file creation or changes in realtime but I do not see it being 
> reflected in the OSSEC web interface. OSSEC is being deployed in a local 
> environment on Ubuntu 18.4.04 LTS. The rule I have for code creation is:
>   
> ossec
> syscheck_new_entry
> File added to the system.
> syscheck,
>   
>
> The rule works, as random file creation has been logged, but it does not work 
> for the specific directories that I have specified. The code below is the 
> specified directories that I want to monitor. Even when I gave the attribute 
> "realtime" it does not reflect on the logs when I changed it.
> 
> no
> 180
> yes
>
> 
> /etc,/usr/bin,/usr/sbin
> /bin,/sbin,/boot
>  check_all="yes">/home/ubuntu/Downloads
>  check_all="yes">/home/ubuntu/Desktop,/home/ubuntu
>  check_all="yes">/home/ubuntu/Downloads/active.txt
> Even when I force a scan by using the following command:
> /var/ossec/bin/agent_control -r -u 000
> it does not work; for some reason, it keeps on stating: "INFO: 
> Initializing real-time file monitoring (not started)."
>

This message is normal, realtime should be started sometime after this.

> I'm lost and I do not know what is wrong, can anybody help me with this issue?
>

I can't remember if realtime was changed to alert on new files or not.
At one point it did not.
Do changes to the files in those directories get alerted on automatically?

> --
>
> ---
> You received this message because you are subscribed to the Google Groups 
> "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an 
> email to ossec-list+unsubscr...@googlegroups.com.
> To view this discussion on the web visit 
> https://groups.google.com/d/msgid/ossec-list/b8a2c8b8-ec38-4310-bba9-40265da62c4fo%40googlegroups.com.

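One way to answer dan's question ("do changes in those directories get alerted on?") is to read the syscheck alerts OSSEC already wrote to alerts.log and map each alerted path back to the configured directories. This is an added example, not code from the thread or from the OSSEC project; the alert records below are constructed in the standard alerts.log layout, and the WATCHED list is the poster's directory list as an assumed ossec.conf excerpt.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample in OSSEC alerts.log format (not a real capture).
SAMPLE_ALERTS = """\
** Alert 1592034060.1024: - ossec,syscheck,
2020 Jun 13 07:41:00 ubuntu->syscheck
Rule: 554 (level 5) -> 'File added to the system.'
New file '/home/ubuntu/Downloads/active.txt' added to the file system.

** Alert 1592034120.2048: - ossec,syscheck,
2020 Jun 13 07:42:00 ubuntu->syscheck
Rule: 550 (level 7) -> 'Integrity checksum changed.'
Integrity checksum changed for: '/etc/passwd'

** Alert 1592034180.3072: - ossec,syscheck,
2020 Jun 13 07:43:00 ubuntu->syscheck
Rule: 554 (level 5) -> 'File added to the system.'
New file '/tmp/random.txt' added to the file system.
"""

# Directories from the poster's syscheck config (assumed ossec.conf excerpt).
WATCHED = ["/etc", "/usr/bin", "/usr/sbin", "/bin", "/sbin", "/boot",
           "/home/ubuntu/Downloads", "/home/ubuntu/Desktop", "/home/ubuntu"]

RULE_RE = re.compile(r"^Rule: (\d+) \(level (\d+)\) -> '(.*)'$", re.M)
PATH_RE = re.compile(r"'(/[^']*)'")

@dataclass
class SyscheckAlert:
    rule_id: int
    level: int
    description: str
    path: str

def parse_syscheck_alerts(text: str) -> List[SyscheckAlert]:
    """Parse syscheck alerts out of alerts.log text; skip non-syscheck records."""
    alerts = []
    for record in text.split("** Alert ")[1:]:
        if "syscheck" not in record.splitlines()[0]:   # group list on the header line
            continue
        m = RULE_RE.search(record)
        p = PATH_RE.search(record, m.end()) if m else None  # first quoted path after rule line
        if m and p:
            alerts.append(SyscheckAlert(int(m.group(1)), int(m.group(2)), m.group(3), p.group(1)))
    return alerts

def coverage(alerts: List[SyscheckAlert], watched: List[str]) -> Dict[str, List[str]]:
    """Map each watched directory to alerted paths beneath it (most specific dir wins);
    paths outside every watched directory are collected under '(unwatched)'."""
    result: Dict[str, List[str]] = {d: [] for d in watched}
    result["(unwatched)"] = []
    for a in alerts:
        hits = [d for d in watched if a.path == d or a.path.startswith(d.rstrip("/") + "/")]
        result[max(hits, key=len) if hits else "(unwatched)"].append(a.path)
    return result
```

Running `coverage(parse_syscheck_alerts(open("/var/ossec/logs/alerts/alerts.log").read()), WATCHED)` on the real file shows which configured directories have ever produced an alert and which never have, which is the first thing to check before suspecting realtime itself.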


[ossec-list] ignore test

2020-06-13 Thread John Goh
test



[ossec-list] Problem with alerting file changes and checksum integrity

2020-06-13 Thread John Goh


Hi all, I'm new to the whole idea of using IDS and OSSEC. I've been trying 
to detect certain file creation or changes in realtime but I do not see it 
being reflected in the OSSEC web interface. OSSEC is being deployed in 
a local environment on Ubuntu 18.4.04 LTS. The rule I have for code 
creation is:
  
ossec
syscheck_new_entry
File added to the system.
syscheck,
  

The rule works, as random file creation has been logged, but it does not 
work for the specific directories that I have specified. The code below is 
the specified directories that I want to monitor. Even when I gave the 
attribute "realtime" it does not reflect on the logs when I changed it.

no
180
yes


/etc,/usr/bin,/usr/sbin
/bin,/sbin,/boot
/home/ubuntu/Downloads
/home/ubuntu/Desktop,/home/ubuntu
/home/ubuntu/Downloads/active.txt
Even when I force a scan by using the following command: 
/var/ossec/bin/agent_control -r -u 000
it does not work; for some reason, it keeps on stating: "INFO: 
Initializing real-time file monitoring (not started)."

I'm lost and I do not know what is wrong, can anybody help me with this 
issue?
