I have done a server installation on RHEL5. There are no agents yet.
I am carrying out some basic testing and not seeing any file integrity
checking.
I have changed frequency to 90 seconds
I have tried using both one of the standard directories (/usr/sbin)
and a custom one (/var/ossec-test).
The l
Nobody can help me?
On 6 Lug, 15:51, Stefano Pedretti wrote:
> Dears,
> I have still not solved my problem.
>
> I need to monitor audits of only a set of users. I build a compiled
> rule to check if the dstuser of
> These are the facts: I
>
> - create a logman.c file (that's reported on bottom)
Hi Stefano,
Did you restart OSSEC after making all those changes? The steps you
took look correct
to me, so if it is working inside logtest it should work as well
inside analysisd.
Thanks,
--
Daniel B. Cid
dcid ( at ) ossec.net
On Tue, Jul 6, 2010 at 10:51 AM, Stefano Pedretti
wrote:
> Dear
OSSEC has now identified the file changes, but not on the first run of
syscheck.
Could there be some kind of initial processing, like the setting up of
a database of files to be monitored, that has to complete before the
checks can run?
In the default ossec.conf (Unix/Linux 2.4) the directory /etc is
monitored with all checks, then some files (such as /etc/mtab and /etc/
hosts.deny) are excluded by using the tag.
Can I modify this so that although most of /etc has all checks, there
are specified files that can be monitored for c
Hi,
You probably have to wait a little more until the changes are sent
over. The scan
itself takes more than 20 minutes to start, so if you are making these
changes as
soon as you start OSSEC, they will not be picked up.
If you want realtime detection, use the "realtime" option:
http://www.osse
The CDB lists feature in the newest snapshot will allow for this without
writing a compiled_rule.
See the wiki page: http://www.ossec.net/wiki/ORFC_-_CDB_Database_lookups
for how to use this feature. It should also be very fast, and updates to
the CDB do not require a reload of OSSEC.
--
Jere
The first time the syscheck process runs it creates a baseline database. On
subsequent runs it should compare the new info to the older db. I do not know if
these checks are done after it has finished its run, or if it checks for
changes as it goes through the fs.
If you're using a realtime capabl
Thanks for your response.
I don't think realtime will be necessary, I just needed to understand
what was going on.
Hi...
Sorry for the delay...
First of all, thank you for your help. But there must be something I don't
understand: I've added a rule that works with ossec-logtest, but I
can't see any alerts in the ossec logs. What's wrong?
For information, when using ossec-logtest, I got the message:
**Phase 3:
Hi all,
I'm attempting to replace my homebrew HIDS scripts with OSSEC for the sleek
central management and alerting. So far the log monitoring and
syscheck/rootcheck are working beautifully, but I can't figure how to do
baselining and anomaly detection for certain key intrusion areas, such as
Hi all,
I have some questions about central agent configs. I've read over the
available documentation and I'm a little confused. I'm also new to OSSEC, so
be gentle...
First, is agent.conf the only central file available? ie, all