Bah, it must not have pushed out the agent.conf on the server. Thanks.
On Wed, Nov 28, 2012 at 9:35 AM, dan (ddp) <ddp...@gmail.com> wrote:
> On Wed, Nov 28, 2012 at 10:01 AM, mcrane0 <mathew.cr...@gmail.com> wrote:
> > ossec.conf on server, relevant portion:
> >
> > <directories report_changes="yes" check_all="yes">/etc,/var/ossec/etc</directories>
> > <directories check_all="yes">/usr/bin,/usr/sbin</directories>
> > <directories check_all="yes">/bin,/sbin</directories>
> > <directories report_changes="yes" check_all="yes">/home/*/.ssh</directories>
> >
> > ###############################
> >
> > agent.conf on remote client, AIX:
> >
> > <agent_config os="AIX">
> >
> > <syscheck>
> > <frequency>86400</frequency>
> > <scan_on_start>no</scan_on_start>
> > <scan_time>03:30</scan_time>
> > <auto_ignore>false</auto_ignore>
> >
> > <!-- Directories to check (perform all possible verifications) -->
> > <directories check_all="yes">/usr/bin,/usr/sbin</directories>
> > <directories check_all="yes">/bin,/sbin</directories>
> >
> > <directories report_changes="yes" check_all="yes">/etc</directories>
> > <ignore type="sregex">^/etc/objrepos/</ignore>
> > <ignore>/etc/mtab</ignore>
> > <ignore>/etc/perf</ignore>
> > <ignore>/etc/es/objrepos</ignore>
> > <ignore>/etc/lp/diagnostics</ignore>
> > <ignore>/etc/lpp/diagnostics</ignore>
> > <ignore>/etc/mnttab</ignore>
> > <ignore>/etc/hosts.deny</ignore>
> > <ignore>/etc/mail/statistics</ignore>
> > <ignore>/etc/random-seed</ignore>
> > <ignore>/etc/adjtime</ignore>
> > <ignore>/etc/httpd/logs</ignore>
> > <ignore>/etc/utmp</ignore>
> > <ignore>/etc/wtmp</ignore>
> > <ignore>/etc/utmpx</ignore>
> > <ignore>/etc/wtmpx</ignore>
> > <ignore>/etc/cups/certs</ignore>
> > <ignore>/etc/dumpdates</ignore>
> > <ignore>/etc/svc/volatile</ignore>
> > <ignore>/etc/prelink.cache</ignore>
> > <ignore>/etc/security/failedlogin</ignore>
> >
> > <directories check_all="yes">/opt</directories>
> > <ignore>/opt/splunkforwarder</ignore>
> > <ignore>/opt/recon</ignore>
> > <ignore>/opt/IBM</ignore>
> >
> > <directories check_all="yes">/var/ossec</directories>
> > <ignore type="sregex">^/var/ossec/queue/</ignore>
> > <ignore type="sregex">^/var/ossec/logs/</ignore>
> > <ignore type="sregex">^/var/ossec/stats/</ignore>
> >
> > </syscheck>
> >
> > <localfile>
> > <log_format>syslog</log_format>
> > <location>/var/adm/secure/secure.out</location>
> > </localfile>
> >
> > <localfile>
> > <log_format>syslog</log_format>
> > <location>/var/adm/syslog/kern.out</location>
> > </localfile>
> >
> > </agent_config>
> >
> > #################
> >
> > agent.conf, linux:
> >
> > <agent_config os="Linux">
> > <syscheck>
> > <frequency>86400</frequency>
> > <scan_on_start>yes</scan_on_start>
> > <scan_time>03:00</scan_time>
> > <auto_ignore>false</auto_ignore>
> >
> > <!-- Directories to check (perform all possible verifications) -->
> > <directories check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
> > <directories check_all="yes">/bin,/sbin</directories>
> >
> > <directories check_all="yes">/var/ossec</directories>
>
> You don't have report_changes set.
>
> > <ignore type="sregex">^/var/ossec/queue/</ignore>
> > <ignore type="sregex">^/var/ossec/logs/</ignore>
> > <ignore type="sregex">^/var/ossec/stats/</ignore>
> >
> > <!-- Files/directories to ignore -->
> > <ignore type="sregex">^/var/spool/mail/</ignore>
> > <ignore type="sregex">^/var/spool/mqueue/</ignore>
> > <ignore>/etc/mtab</ignore>
> > <ignore>/etc/mnttab</ignore>
> > <ignore>/etc/hosts.deny</ignore>
> > <ignore>/etc/mail/statistics</ignore>
> > <ignore>/etc/random-seed</ignore>
> > <ignore>/etc/adjtime</ignore>
> > <ignore>/etc/httpd/logs</ignore>
> > <ignore>/etc/utmpx</ignore>
> > <ignore>/etc/wtmpx</ignore>
> > <ignore>/etc/cups/certs</ignore>
> > <ignore>/etc/dumpdates</ignore>
> > <ignore>/etc/svc/volatile</ignore>
> >
> > </syscheck>
> >
> > <!-- Files to monitor (localfiles) -->
> > <localfile>
> > <log_format>syslog</log_format>
> > <location>/var/log/messages</location>
> > </localfile>
> >
> > <localfile>
> > <log_format>syslog</log_format>
> > <location>/var/log/secure</location>
> > </localfile>
> >
> > <localfile>
> > <log_format>syslog</log_format>
> > <location>/var/log/maillog</location>
> > </localfile>
> >
> > </agent_config>
> >
> > On Thursday, November 15, 2012 2:20:11 PM UTC-6, Jb Cheng wrote:
> > > This is strange --- AIX works OK, but Linux does not.
> > > I would like to reproduce the issue on Linux. Could you post the relevant ossec.conf section here?
> > >
> > > On Thursday, November 15, 2012 7:36:48 AM UTC-8, mcrane0 wrote:
> > > > It's worth noting that this is only occurring in our Linux environment. The AIX agents are correctly reporting diffs with file integrity alerts. Both AIX and Linux syscheck directives have the same contents on client/server.
> > > >
> > > > Is there any way to debug this? I've set syscheck debug level to 2 on client and see no change in logging. It's very frustrating as a.) the alert is triggering and, b.) the diff is appearing in /var/ossec/queue/diff/local/etc/<file>, but it's not being reported with the alert.
> > > >
> > > > On Tuesday, November 13, 2012 11:33:12 AM UTC-6, mcrane0 wrote:
> > > > > Trying to include filesystem integrity alert diffs.
> > > > >
> > > > > Testing with /etc
> > > > >
> > > > > I have verified that both ossec.conf on server and /var/ossec/etc/shared/agent.conf have 'report_changes=yes' for /etc. /var/ossec/queue/diff/local/etc/fstab folder includes the diff file on the client.
> > > > >
> > > > > The alert triggers, but the diff is not included with the alert. Is there some other hidden setting I need to look for? Does ossec.conf on the server need to match agent.conf on the client?
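An added example, not part of this thread and not OSSEC's own code, that mechanises the comparison dan made by eye: it parses a server ossec.conf and a shared agent.conf, and for one agent_config OS block reports which server-side report_changes="yes" paths the agent will monitor without ever producing a diff (the Linux /etc case above), and which it does not monitor at all. The two configuration strings are constructed to mirror the thread. The coverage rule assumed here (the longest <directories> entry that equals the path or is one of its parents decides, and <ignore> rules are not considered) is a simplification of syscheck's recursive monitoring, not its exact matching logic.

```python
import xml.etree.ElementTree as ET

# Constructed sample configs modelled on the thread (not copied from any host).
SERVER_OSSEC_CONF = """
<ossec_config>
  <syscheck>
    <directories report_changes="yes" check_all="yes">/etc,/var/ossec/etc</directories>
    <directories check_all="yes">/usr/bin,/usr/sbin</directories>
    <directories report_changes="yes" check_all="yes">/home/*/.ssh</directories>
  </syscheck>
</ossec_config>
"""

AGENT_CONF = """
<agent_config os="AIX">
  <syscheck>
    <directories check_all="yes">/usr/bin,/usr/sbin</directories>
    <directories report_changes="yes" check_all="yes">/etc</directories>
    <directories check_all="yes">/var/ossec</directories>
  </syscheck>
</agent_config>
<agent_config os="Linux">
  <syscheck>
    <!-- report_changes is missing here: alerts fire but carry no diff -->
    <directories check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
    <directories check_all="yes">/var/ossec</directories>
    <ignore type="sregex">^/var/ossec/queue/</ignore>
  </syscheck>
</agent_config>
"""


def _wrap(text):
    # OSSEC config files may hold several top-level elements (one
    # <agent_config> per OS), which is not well-formed XML on its own,
    # so parse them under a synthetic root.
    return ET.fromstring("<root>" + text + "</root>")


def _directories(node):
    """Yield (path, report_changes) for every <directories> element below node.
    One element may list several comma-separated paths."""
    for dirs in node.iter("directories"):
        report = dirs.get("report_changes", "no").strip().lower() == "yes"
        for path in (dirs.text or "").split(","):
            path = path.strip()
            if path:
                yield path, report


def server_report_changes(ossec_conf):
    """Paths the server's own ossec.conf marks report_changes="yes"."""
    return {p for p, rc in _directories(_wrap(ossec_conf)) if rc}


def agent_directories(agent_conf):
    """{os_name: {path: report_changes}} from the shared agent.conf."""
    out = {}
    for block in _wrap(agent_conf).iter("agent_config"):
        entries = out.setdefault(block.get("os", "*"), {})
        for p, rc in _directories(block):
            entries[p] = rc
    return out


def _covering_entry(path, entries):
    """The agent <directories> entry that monitors `path`: the longest entry
    equal to it or one of its parent directories (assumed simplification of
    syscheck's recursive matching; <ignore> rules are not applied)."""
    best = None
    for p in entries:
        if path == p or path.startswith(p.rstrip("/") + "/"):
            if best is None or len(p) > len(best):
                best = p
    return best


def diff_gaps(ossec_conf, agent_conf, os_name):
    """For one OS block, return (no_diff, not_monitored): server paths that
    expect diffs but whose agent-side entry lacks report_changes, and server
    paths no agent-side entry covers at all."""
    entries = agent_directories(agent_conf).get(os_name, {})
    no_diff, not_monitored = [], []
    for path in sorted(server_report_changes(ossec_conf)):
        covering = _covering_entry(path, entries)
        if covering is None:
            not_monitored.append(path)
        elif not entries[covering]:
            no_diff.append(path)
    return no_diff, not_monitored


if __name__ == "__main__":
    for os_name in ("Linux", "AIX"):
        no_diff, absent = diff_gaps(SERVER_OSSEC_CONF, AGENT_CONF, os_name)
        print(f"{os_name}: diffs never produced for {no_diff}; not monitored {absent}")
```

Run against real files with `diff_gaps(open("/var/ossec/etc/ossec.conf").read(), open("/var/ossec/etc/shared/agent.conf").read(), "Linux")`; a path in the first list is exactly the symptom in the thread, an alert that fires from the server's view of the config while the agent, running the pushed agent.conf, never writes a diff for it.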