We're using OSSEC 2.8.3 in standalone mode and failing to get syscheck to 
be useful. We *are* getting other alerts via both the log file and email.

We're stumped. Any insight would be appreciated.

The relevant ossec.conf configuration. There is no fine-grained 
"email_alerts" section defined.

  <global>
    <email_notification>yes</email_notification>
    <email_to>ossec-repo...@ourhost.com</email_to>
    <smtp_server>mail.ourhost.com.</smtp_server>
    <email_from>oss...@ourhost.com</email_from>
  </global>

  <syscheck>
    <frequency>300</frequency>
    <alert_new_files>yes</alert_new_files>
    <directories check_all="yes" realtime="yes">/home/jblaine/test-checksum-area</directories>
  </syscheck>

  <alerts>
    <log_alert_level>1</log_alert_level>
    <email_alert_level>7</email_alert_level>
  </alerts>

The trigger test case: I modify two files monitored by syscheck.

  [jblaine@ourhost ~]$ date
  Tue Jun 14 12:23:19 EDT 2016
  [jblaine@ourhost ~]$ pwd
  /home/jblaine
  [jblaine@ourhost ~]$ cd test-checksum-area/
  [jblaine@ourhost test-checksum-area]$ ls
  a-file  b-file
  [jblaine@ourhost test-checksum-area]$ echo 32eh23oeh23oe2o23o > a-file
  [jblaine@ourhost test-checksum-area]$ echo dfiosdafo > b-file
  [jblaine@ourhost test-checksum-area]$

And the local_rules.xml where I do the common thing of increasing the level 
for file additions for syscheck. This isn't relevant to this test case, as 
we're not creating any new files, but I thought I would mention it for 
completeness:

  <rule id="554" level="10" overwrite="yes">
    <category>ossec</category>
    <decoded_as>syscheck_new_entry</decoded_as>
    <description>File added to the system.</description>
    <group>syscheck,</group>
  </rule>

We have not touched any syscheck rules in ossec_rules.xml. They all remain 
at level 7 per default.

Yes, I've restarted ossec after the configurations above.

I wait over 5 minutes, per the 300-second syscheck interval, and see that 
syscheck ran at 12:27:

  2016/06/14 12:27:16 ossec-syscheckd: INFO: Starting syscheck scan.
  2016/06/14 12:27:38 ossec-syscheckd: INFO: Ending syscheck scan.

I see no alert matching /home:

  [jblaine@ourhost test-checksum-area]$ sudo grep /home /var/ossec/logs/alerts/alerts.log
  [jblaine@ourhost test-checksum-area]$

Likewise, I get no alert email.

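Added example for this thread (not part of the original post and not OSSEC's own code): a small parser for the record format ossec-analysisd 2.x writes to /var/ossec/logs/alerts/alerts.log, run over a constructed sample. It separates the two questions the post is actually testing: whether a syscheck alert (rule 550 here) was written to alerts.log at all, and whether that record carries the "mail" token analysisd sets when the rule level reaches email_alert_level. A grep for /home only answers the first. The hostname, paths, checksums and the sshd record are made up; the body formats for rules 550 and 554 are the ones syscheck emits in OSSEC 2.x.

```python
"""Parse OSSEC 2.x alerts.log records and single out syscheck alerts."""
import re
from dataclasses import dataclass, field

# Constructed sample in the format ossec-analysisd 2.x writes to alerts.log
# (host, paths and checksums are made up). The "mail" token after the alert
# id marks a record analysisd also handed to ossec-maild.
SAMPLE_ALERTS = """\
** Alert 1465920001.12345: - syslog,sshd,authentication_failed,
2016 Jun 14 12:20:01 ourhost->/var/log/secure
Rule: 5716 (level 5) -> 'SSHD authentication failed.'
Jun 14 12:20:01 ourhost sshd[1234]: Failed password for invalid user admin from 203.0.113.7 port 4321 ssh2

** Alert 1465920436.12399: mail  - ossec,syscheck,
2016 Jun 14 12:27:16 ourhost->syscheck
Rule: 550 (level 7) -> 'Integrity checksum changed.'
Integrity checksum changed for: '/home/jblaine/test-checksum-area/a-file'
Old md5sum was: 'd41d8cd98f00b204e9800998ecf8427e'
New md5sum is : '0cc175b9c0f1b6a831c399e269772661'
Old sha1sum was: 'da39a3ee5e6b4b0d3255bfef95601890afd80709'
New sha1sum is : '86f7e437faa5a7fce15d1ddcb9eaeaea377667b8'
"""

HEADER_RE = re.compile(r"^\*\* Alert (?P<id>\d+\.\d+):(?P<mail> mail )? - (?P<groups>.*)$")
ORIGIN_RE = re.compile(r"^(?P<ts>\d{4} \w{3} \d{2} \d{2}:\d{2}:\d{2}) (?P<src>.*?)->(?P<location>.*)$")
RULE_RE = re.compile(r"^Rule: (?P<rule>\d+) \(level (?P<level>\d+)\) -> '(?P<desc>.*)'$")
# Body formats syscheck uses for a changed file (rule 550) and a new file (rule 554).
PATH_RES = (
    re.compile(r"^Integrity checksum changed for: '(?P<path>.*)'$"),
    re.compile(r"^New file '(?P<path>.*)' added to the file system\.$"),
)


@dataclass
class Alert:
    alert_id: str
    mailed: bool          # header carried the "mail" token
    groups: list
    timestamp: str
    source: str           # hostname, or "(agent) ip" for a remote agent
    location: str         # log file, or "syscheck" / "rootcheck"
    rule_id: int
    level: int
    description: str
    body: list = field(default_factory=list)


def parse_alerts(text: str) -> list:
    """Split alerts.log text into Alert records: header, origin, Rule line, body."""
    alerts, lines, i = [], text.splitlines(), 0
    while i < len(lines):
        m = HEADER_RE.match(lines[i])
        if not m:
            i += 1                      # blank separator between records
            continue
        if i + 2 >= len(lines):
            raise ValueError(f"truncated record at line {i + 1}")
        origin, rule = ORIGIN_RE.match(lines[i + 1]), RULE_RE.match(lines[i + 2])
        if not origin or not rule:
            raise ValueError(f"malformed record at line {i + 1}")
        body, i = [], i + 3
        while i < len(lines) and not HEADER_RE.match(lines[i]):
            if lines[i]:
                body.append(lines[i])
            i += 1
        alerts.append(Alert(m["id"], m["mail"] is not None,
                            [g for g in m["groups"].split(",") if g],
                            origin["ts"], origin["src"], origin["location"],
                            int(rule["rule"]), int(rule["level"]), rule["desc"], body))
    return alerts


def syscheck_alerts(alerts: list) -> list:
    """Alerts from the syscheck rule group (rules 550-559 in ossec_rules.xml)."""
    return [a for a in alerts if "syscheck" in a.groups]


def changed_paths(alerts: list) -> list:
    """Paths named in syscheck alert bodies, wherever the monitored directory lives."""
    return [pm["path"] for a in syscheck_alerts(alerts) for line in a.body
            for pm in (rx.match(line) for rx in PATH_RES) if pm]


def would_email(alert: Alert, email_alert_level: int = 7) -> bool:
    """Does the rule level reach <alerts><email_alert_level>? (7 in the post.)"""
    return alert.level >= email_alert_level


def diagnose(alerts: list, email_alert_level: int = 7) -> str:
    """Separate 'syscheck never alerted' from 'alert logged but not mailed'."""
    sc = syscheck_alerts(alerts)
    if not sc:
        return "no syscheck alert logged: the problem is upstream of the mailer"
    unmailed = [a for a in sc if would_email(a, email_alert_level) and not a.mailed]
    if unmailed:
        return f"{len(unmailed)} syscheck alert(s) reached level {email_alert_level} but lack the mail flag"
    return f"{len(sc)} syscheck alert(s) logged and flagged for mail; if none arrived, look at ossec-maild/SMTP"
```

Run diagnose() over the real alerts.log after a scan in which monitored files were changed: "no syscheck alert logged" points at ossec-syscheckd and its database rather than at the mail settings, while a record that is present but lacks the mail flag points at the level threshold in <alerts>.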