Works great now. Thank you for the work on this. No worries about the
time. It's developmental :) Plus, I have a little firmer grasp on OSSEC
now.
On Thursday, January 28, 2016 at 4:58:11 PM UTC-8, Daniel Cid wrote:
>
> The issue was in my branch there. Mind getting the latest again? Should be
> working now:
>
> https://bitbucket.org/dcid/ossec-hids/get/tip.tar.gz
>
> Sorry for the waste of time :/
>
> thanks,
>
> On Thu, Jan 28, 2016 at 1:34 PM, Luke Hansey > wrote:
>
>> Thanks for the reply, Santiago.
>>
>> Here is what I am seeing. On agent:
>>
>> 2016/01/28 11:42:06 ossec-syscheckd: INFO: Monitoring directory:
>> '/var/www/vhosts/'.
>> 2016/01/28 11:42:06 ossec-syscheckd: INFO: Directory set for real time
>> monitoring: '/var/www/vhosts/'.
>> 2016/01/28 11:43:08 ossec-syscheckd: INFO: Starting syscheck scan
>> (forwarding database).
>> 2016/01/28 11:43:08 ossec-syscheckd: INFO: Starting syscheck database
>> (pre-scan).
>> 2016/01/28 11:48:59 ossec-syscheckd: INFO: Initializing real time file
>> monitoring (not started).
>> 2016/01/28 11:49:00 ossec-syscheckd: INFO: Finished creating syscheck
>> database (pre-scan completed).
>> 2016/01/28 11:49:12 ossec-syscheckd: INFO: Ending syscheck scan
>> (forwarding database).
>> 2016/01/28 11:49:32 ossec-syscheckd: INFO: Starting real time file
>> monitoring.
>> 2016/01/28 11:49:32 ossec-rootcheck: INFO: Starting rootcheck scan.
>> 2016/01/28 11:55:02 ossec-rootcheck: INFO: Ending rootcheck scan.
>>
>> On my server I'm watching this agent's syscheck queue:
>>
>> Every 1.0s: cat '(blah.blah.com) 10.0.1.2->syscheck' | grep '.php$'
>>
>> +++3232368:33261:0:0:41591364ec9f9f74e6180f91ede53f24:f3f7f713f0b6fffcb582cce39ad2b433c2f12ef0
>>
>> !1454017663 /usr/bin/php
>>
>> I've created a test.php file in /var/www/vhosts/
>> test.com/httpdocs/test.php as well as edited an existing PHP file in the
>> same directory.
>>
>> Nothing changes, so I run from server:
>>
>> /var/ossec/bin/agent_control -r -u 001
>>
>> OSSEC HIDS agent_control: Restarting Syscheck/Rootcheck on agent: 001
>>
>> Still the queue/syscheck file for this agent does not change. File size
>> is the same as well. Before this process I also ran:
>>
>> /var/ossec/bin/syscheck_control -u 001 and it emptied the file. But once
>> syscheck ran again, it was exactly the same size as it was before (334K),
>> which seems small.
>>
>> I'm running v2015-12 latest dev that Dan pushed a few days ago. I feel
>> like I'm missing something obvious...
>>
>> On Wednesday, January 27, 2016 at 2:54:09 PM UTC-8, Santiago Bassett
>> wrote:
>>>
>>> Are you sure your config is not working?
>>>
>>> I just tested this and it works for me:
>>>
>>> >> restrict=".txt1|.txt2">/root
>>>
>>> I created three test files:
>>>
>>> root@vpc-ossec-manager:~# ls test.txt*
>>>
>>> test.txt1 test.txt2 test.txt3
>>>
>>> And this is what I get in my syscheck file:
>>>
>>> root@vpc-ossec-manager:~# cat /var/ossec/queue/syscheck/syscheck | grep
>>> test.txt
>>>
>>> +++3:33188:0:0:764efa883dda1e11db47671c4a3bbd9e:55ca6286e3e4f4fba5d0448333fa99fc5a404a73
>>>
>>> !1453933436 /root/test.txt1
>>>
>>> +++5:33188:0:0:d8e8fca2dc0f896fd7cb4cb0031ba249:4e1243bd22c66e76c2ba9eddc1f91394e57f9f83
>>>
>>> !1453933436 /root/test.txt2
>>>
>>> There is nothing for test.txt3
>>>
>>> I am using 2.9 version (development branch)
>>>
>>> Best
>>>
>>> On Tue, Jan 26, 2016 at 4:34 PM, Luke Hansey
>>> wrote:
>>>
>>>> If I use:
>>>>
>>>> >>> restrict=".php|.js">/var/www/vhosts/
>>>>
>>>> syscheck logs no changes to any file.
>>>>
>>>> If I use:
>>>>
>>>> /var/www/vhosts/
>>>>
>>>> Works fine and logs changes to any file.
>>>>
>>>> Am I missing something when using the *restrict *option?
>>>>
>>>> --
>>>>
>>>> ---
>>>> You received this message because you are subscribed to the Google
>>>> Groups "ossec-list" group.
>>>> To unsubscribe from this group and stop receiving emails from it, send
>>>> an email to ossec-list+...@googlegroups.com.
>>>> For more options, visit https://groups.google.com/d/optout.
>>>>
>>>
>>> --
>>
>> ---
>> You received this message because you are subscribed to the Google Groups
>> "ossec-list" group.
>> To unsubscribe from this group and stop receiving emails from it, send an
>> email to ossec-list+...@googlegroups.com .
>> For more options, visit https://groups.google.com/d/optout.
>>
>
>
--
---
You received this message because you are subscribed to the Google Groups
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to ossec-list+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.