Re: [ossec-list] syscheck not working with restrict option

2016-01-29 Thread Luke Hansey
Works great now.  Thank you for the work on this.  No worries about the 
time.  It's developmental :)  Plus, I have a little firmer grasp on OSSEC 
now.

On Thursday, January 28, 2016 at 4:58:11 PM UTC-8, Daniel Cid wrote:
>
> The issue was in my branch there. Mind getting the latest again? Should be 
> working now:
>
> https://bitbucket.org/dcid/ossec-hids/get/tip.tar.gz
>
> Sorry for the waste of time :/
>
> thanks,
>
> On Thu, Jan 28, 2016 at 1:34 PM, Luke Hansey wrote:
>

-- 

--- 
You received this message because you are subscribed to the Google Groups 
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to ossec-list+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.


Re: [ossec-list] syscheck not working with restrict option

2016-01-28 Thread Luke Hansey
Thanks for the reply, Santiago.

Here is what I am seeing.  On agent:

2016/01/28 11:42:06 ossec-syscheckd: INFO: Monitoring directory: '/var/www/vhosts/'.
2016/01/28 11:42:06 ossec-syscheckd: INFO: Directory set for real time monitoring: '/var/www/vhosts/'.
2016/01/28 11:43:08 ossec-syscheckd: INFO: Starting syscheck scan (forwarding database).
2016/01/28 11:43:08 ossec-syscheckd: INFO: Starting syscheck database (pre-scan).
2016/01/28 11:48:59 ossec-syscheckd: INFO: Initializing real time file monitoring (not started).
2016/01/28 11:49:00 ossec-syscheckd: INFO: Finished creating syscheck database (pre-scan completed).
2016/01/28 11:49:12 ossec-syscheckd: INFO: Ending syscheck scan (forwarding database).
2016/01/28 11:49:32 ossec-syscheckd: INFO: Starting real time file monitoring.
2016/01/28 11:49:32 ossec-rootcheck: INFO: Starting rootcheck scan.
2016/01/28 11:55:02 ossec-rootcheck: INFO: Ending rootcheck scan.

On my server I'm watching this agent's syscheck queue:

Every 1.0s: cat '(blah.blah.com) 10.0.1.2->syscheck' | grep '.php$' 

+++3232368:33261:0:0:41591364ec9f9f74e6180f91ede53f24:f3f7f713f0b6fffcb582cce39ad2b433c2f12ef0 !1454017663 /usr/bin/php

I've created a test.php file in /var/www/vhosts/test.com/httpdocs/test.php 
as well as edited an existing PHP file in the same directory.

Nothing changes, so I run from server:

/var/ossec/bin/agent_control -r -u 001

OSSEC HIDS agent_control: Restarting Syscheck/Rootcheck on agent: 001

Still the queue/syscheck file for this agent does not change.  File size is 
the same as well.  Before this process I also ran:

/var/ossec/bin/syscheck_control -u 001 and it emptied the file.  But once 
syscheck ran again, it was exactly the same size as it was before (334K), 
which seems small.

I'm running v2015-12 latest dev that Dan pushed a few days ago.  I feel 
like I'm missing something obvious...

On Wednesday, January 27, 2016 at 2:54:09 PM UTC-8, Santiago Bassett wrote:
>
> Are you sure your config is not working?
>
> I just tested this and it works for me:
>
> <directories restrict=".txt1|.txt2">/root</directories>
>
> I created three test files:
>
> root@vpc-ossec-manager:~# ls test.txt*
>
> test.txt1  test.txt2  test.txt3
>
> And this is what I get in my syscheck file:
>
> root@vpc-ossec-manager:~# cat /var/ossec/queue/syscheck/syscheck | grep test.txt
>
> +++3:33188:0:0:764efa883dda1e11db47671c4a3bbd9e:55ca6286e3e4f4fba5d0448333fa99fc5a404a73 !1453933436 /root/test.txt1
>
> +++5:33188:0:0:d8e8fca2dc0f896fd7cb4cb0031ba249:4e1243bd22c66e76c2ba9eddc1f91394e57f9f83 !1453933436 /root/test.txt2
>
> There is nothing for test.txt3
>
> I am using 2.9 version (development branch)
>
> Best
>
> On Tue, Jan 26, 2016 at 4:34 PM, Luke Hansey wrote:
>

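A small diagnostic for the situation in this post, added here as an example and not code from OSSEC or from anyone in the thread. It parses the manager-side syscheck database in the line layout the posts show (`+++size:mode:uid:gid:md5:sha1 !mtime path`), decodes the decimal mode field (33188 and 33261 above are 0644 and 0755 regular files), lists what the database holds under a monitored directory after applying a `restrict` pattern, and diffs two snapshots so you can confirm that a touched file actually changed its recorded checksum. The sample database is constructed from the lines quoted in the thread plus made-up entries (obviously fake digests) under /var/www/vhosts/; the treatment of `restrict` (each `|`-separated alternative searched in the path as a regular expression) is an assumption made for the filter, not a statement about OSSEC's own matcher, and the three leading flag characters are kept but not interpreted.

```python
"""Parse an OSSEC manager-side syscheck database and inspect what it holds.

Added example; not code from OSSEC or from any poster in the thread.
Assumed line layout (the one the posts show; leading flags kept as-is):

    +++<size>:<mode>:<uid>:<gid>:<md5>:<sha1> !<mtime> <path>
"""
import re
import stat
from dataclasses import dataclass
from typing import List, Optional, Tuple

LINE_RE = re.compile(
    r"^(?P<flags>[+!#]{3})"
    r"(?P<size>\d+):(?P<mode>\d+):(?P<uid>\d+):(?P<gid>\d+):"
    r"(?P<md5>[0-9a-f]{32}):(?P<sha1>[0-9a-f]{40})"
    r" !(?P<mtime>\d+) (?P<path>.+)$"
)


@dataclass(frozen=True)
class Entry:
    flags: str
    size: int
    mode: int
    uid: int
    gid: int
    md5: str
    sha1: str
    mtime: int
    path: str

    @property
    def perms(self) -> str:
        """Decimal st_mode as ls-style text: 33188 -> -rw-r--r--, 33261 -> -rwxr-xr-x."""
        return stat.filemode(self.mode)


def parse_db(text: str) -> List[Entry]:
    """Parse a syscheck database; lines that do not fit the layout are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m is None:
            continue
        g = m.groupdict()
        entries.append(Entry(g["flags"], int(g["size"]), int(g["mode"]), int(g["uid"]),
                             int(g["gid"]), g["md5"], g["sha1"], int(g["mtime"]), g["path"]))
    return entries


def restrict_matches(path: str, restrict: Optional[str]) -> bool:
    """Assumed restrict semantics: any |-separated alternative, as a regex, found in the path."""
    if not restrict:
        return True
    return any(re.search(alt, path) for alt in restrict.split("|") if alt)


def entries_under(entries: List[Entry], directory: str,
                  restrict: Optional[str] = None) -> List[Entry]:
    """Entries recorded below `directory` that pass the restrict filter."""
    prefix = directory.rstrip("/") + "/"
    return [e for e in entries
            if e.path.startswith(prefix) and restrict_matches(e.path, restrict)]


def diff_db(old: List[Entry], new: List[Entry]) -> Tuple[List[str], List[str], List[str]]:
    """Paths added, removed, or changed in size/mode/md5/sha1 between two snapshots."""
    def key(e: Entry):
        return (e.size, e.mode, e.md5, e.sha1)
    a = {e.path: e for e in old}
    b = {e.path: e for e in new}
    added = sorted(set(b) - set(a))
    removed = sorted(set(a) - set(b))
    changed = sorted(p for p in a.keys() & b.keys() if key(a[p]) != key(b[p]))
    return added, removed, changed


# Constructed sample: the three lines quoted in the thread plus made-up
# entries (fake digests) under /var/www/vhosts/.
def _line(size, mode, uid, gid, md5, sha1, mtime, path):
    return f"+++{size}:{mode}:{uid}:{gid}:{md5}:{sha1} !{mtime} {path}\n"


SAMPLE_DB = (
    _line(3232368, 33261, 0, 0, "41591364ec9f9f74e6180f91ede53f24",
          "f3f7f713f0b6fffcb582cce39ad2b433c2f12ef0", 1454017663, "/usr/bin/php")
    + _line(3, 33188, 0, 0, "764efa883dda1e11db47671c4a3bbd9e",
            "55ca6286e3e4f4fba5d0448333fa99fc5a404a73", 1453933436, "/root/test.txt1")
    + _line(5, 33188, 0, 0, "d8e8fca2dc0f896fd7cb4cb0031ba249",
            "4e1243bd22c66e76c2ba9eddc1f91394e57f9f83", 1453933436, "/root/test.txt2")
    + _line(42, 33188, 48, 48, "0" * 32, "0" * 40, 1454020000,
            "/var/www/vhosts/test.com/httpdocs/test.php")
    + _line(7, 33188, 48, 48, "1" * 32, "1" * 40, 1454020000,
            "/var/www/vhosts/test.com/httpdocs/README")
)

# Same database after test.php was edited and a new .js file appeared.
SAMPLE_DB_AFTER = (
    SAMPLE_DB.replace(_line(42, 33188, 48, 48, "0" * 32, "0" * 40, 1454020000,
                            "/var/www/vhosts/test.com/httpdocs/test.php"),
                      _line(45, 33188, 48, 48, "f" * 32, "f" * 40, 1454021000,
                            "/var/www/vhosts/test.com/httpdocs/test.php"))
    + _line(12, 33188, 48, 48, "2" * 32, "2" * 40, 1454021000,
            "/var/www/vhosts/test.com/httpdocs/new.js")
)

if __name__ == "__main__":
    before, after = parse_db(SAMPLE_DB), parse_db(SAMPLE_DB_AFTER)
    for e in entries_under(before, "/var/www/vhosts/", ".php|.js"):
        print(f"{e.perms} {e.uid}:{e.gid} {e.size:>8} {e.path}")
    print("added/removed/changed:", diff_db(before, after))
```

Against a live manager, feed `parse_db` the contents of the per-agent file the post greps (`/var/ossec/queue/syscheck/(name) ip->syscheck`). If `entries_under` comes back empty for the monitored directory even with `restrict=None`, the agent never forwarded entries for that directory at all, which is a different failure from a restrict pattern that is present but does not match the filenames (entries present, filtered out).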


[ossec-list] syscheck not working with restrict option

2016-01-26 Thread Luke Hansey
If I use:

<directories restrict=".php|.js">/var/www/vhosts/</directories>

syscheck logs no changes to any file.

If I use:

<directories>/var/www/vhosts/</directories>

Works fine and logs changes to any file.

Am I missing something when using the *restrict* option?
