Hi Daniel. I had never used <scan_time> before, but I think it works for weekly scans, since OSSEC prints this log (even when setting frequency=84800):

2016/08/01 14:27:33 ossec-syscheckd: INFO: Syscheck scan frequency: 604800 seconds

This amount of time is one week, so I think that <scan_time> works only for weekly scans, and then you should also introduce the <scan_day> parameter, since it appears to have no default value. For example:

<scan_time>1am</scan_time>
<scan_day>monday</scan_day>

I tested that configuration and Syscheck appears to work properly.

Hope it helps.
Best regards.

On Monday, August 1, 2016 at 7:32:13 AM UTC-7, Daniel Bray wrote:
>
> Can someone verify that all the proper settings are in place to allow for
> realtime scans on some directories? We are running CentOS 6 servers
> (manager and agents/clients), and we use the Atomic install method.
>
> Here is the latest available Atomic version installed (also noted inotify
> is installed):
> $ rpm -qa | egrep "inotify|ossec"
> ossec-hids-2.8.3-53.el6.art.x86_64
> inotify-tools-3.14-1.el6.x86_64
> ossec-hids-client-2.8.3-53.el6.art.x86_64
>
> Here is the important part of /var/ossec/etc/shared/agent.conf:
> <agent_config os="Linux">
>   <syscheck>
>     <scan_time>1am</scan_time>
>     <frequency>82800</frequency>
>     <auto_ignore>no</auto_ignore>
>     <alert_new_files>yes</alert_new_files>
>     <scan_on_start>no</scan_on_start>
>
>     <!-- Directories to check (perform all possible verifications) -->
>     <directories check_all="yes">/bin,/sbin,/usr,/opt</directories>
>     <directories check_all="yes" report_changes="yes" realtime="yes">/etc,/root,/var/named,/var/www</directories>
>     ...
>
> Here is the agent /var/ossec/etc/ossec.conf file:
> <ossec_config>
>   <client>
>     <server-ip>10.10.10.10</server-ip>
>   </client>
> </ossec_config>
>
> The above exists on all our agents/clients.
>
> On the manager, it pretty much matches up exactly, with the exception that
> the server is installed, and not the client:
> $ rpm -qa | egrep "inotify|ossec"
> inotify-tools-3.14-1.el6.x86_64
> ossec-hids-server-2.8.3-53.el6.art.x86_64
> ossec-hids-2.8.3-53.el6.art.x86_64
>
> I have gone in and updated all servers (yum -y update) and rebooted to the
> latest kernel available on CentOS 6. I've waited a few days for the normal
> scans to complete, and I am seeing alerts for nightly changed files.
> However, when I run a test on a file that exists in /root or /etc, I never
> get alerted. The test is simply
> $ sudo vim /etc/hosts.allow
> ...and I add/remove some entries, and :wq out for the update.
>
> After a clean update and reboot, here are the relevant log entries:
> 2016/08/01 14:25:13 ossec-syscheckd: DEBUG: Starting ...
> 2016/08/01 14:25:13 ossec-rootcheck: DEBUG: Starting ...
> 2016/08/01 14:25:13 ossec-rootcheck: Starting queue ...
> 2016/08/01 14:25:13 ossec-syscheckd: INFO: (unix_domain) Maximum send buffer set to: '124928'.
> 2016/08/01 10:25:14 ossec-agentd(4102): INFO: Connected to the server (10.10.10.10:1514).
> 2016/08/01 14:25:19 ossec-logcollector(1950): INFO: Analyzing file: '/var/log/messages'.
> 2016/08/01 14:25:19 ossec-logcollector(1950): INFO: Analyzing file: '/var/log/secure'.
> 2016/08/01 14:25:19 ossec-logcollector(1950): INFO: Analyzing file: '/var/log/maillog'.
> 2016/08/01 14:25:19 ossec-logcollector: INFO: Started (pid: 2120).
> 2016/08/01 14:25:19 ossec-syscheckd: INFO: (unix_domain) Maximum send buffer set to: '124928'.
> 2016/08/01 14:25:19 ossec-syscheckd: INFO: Started (pid: 2124).
> 2016/08/01 14:25:19 ossec-rootcheck: INFO: Started (pid: 2124).
> 2016/08/01 14:25:19 ossec-syscheckd: INFO: Monitoring directory: '/bin'.
> 2016/08/01 14:25:19 ossec-syscheckd: INFO: Monitoring directory: '/sbin'.
> 2016/08/01 14:25:19 ossec-syscheckd: INFO: Monitoring directory: '/usr'.
> 2016/08/01 14:25:19 ossec-syscheckd: INFO: Monitoring directory: '/opt'.
> 2016/08/01 14:25:19 ossec-syscheckd: INFO: Monitoring directory: '/etc'.
> 2016/08/01 14:25:19 ossec-syscheckd: INFO: Monitoring directory: '/root'.
> 2016/08/01 14:25:19 ossec-syscheckd: INFO: Monitoring directory: '/var/named'.
> 2016/08/01 14:25:19 ossec-syscheckd: INFO: Monitoring directory: '/var/www'.
> 2016/08/01 14:25:19 ossec-syscheckd: INFO: Directory set for real time monitoring: '/etc'.
> 2016/08/01 14:25:19 ossec-syscheckd: INFO: Directory set for real time monitoring: '/root'.
> 2016/08/01 14:25:19 ossec-syscheckd: INFO: Directory set for real time monitoring: '/var/named'.
> 2016/08/01 14:25:19 ossec-syscheckd: INFO: Directory set for real time monitoring: '/var/www'.
> 2016/08/01 14:25:33 ossec-syscheckd: Setting SCHED_BATCH returned: 0
>
> Is there anything obvious that I'm missing in the configs?
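As an added example, not part of the thread or of OSSEC itself, here is a small Python checker for the situation Daniel describes: it parses the <syscheck> block of an agent.conf, collects the directories flagged realtime="yes", and compares them with the "Directory set for real time monitoring" lines syscheckd writes at startup, also reporting the effective scan frequency and whether scan_time is set without scan_day, as the reply suggests checking. The config and log lines embedded in it are constructed samples modelled on the ones quoted above.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample agent.conf syscheck block, modelled on the one quoted in the thread.
AGENT_CONF = """
<agent_config os="Linux">
  <syscheck>
    <scan_time>1am</scan_time>
    <frequency>82800</frequency>
    <directories check_all="yes">/bin,/sbin,/usr,/opt</directories>
    <directories check_all="yes" report_changes="yes" realtime="yes">/etc,/root,/var/named,/var/www</directories>
  </syscheck>
</agent_config>
"""

# Constructed sample ossec.log lines; /var/www is deliberately left out so the check has something to report.
OSSEC_LOG = """\
2016/08/01 14:25:19 ossec-syscheckd: INFO: Directory set for real time monitoring: '/etc'.
2016/08/01 14:25:19 ossec-syscheckd: INFO: Directory set for real time monitoring: '/root'.
2016/08/01 14:25:19 ossec-syscheckd: INFO: Directory set for real time monitoring: '/var/named'.
2016/08/01 14:27:33 ossec-syscheckd: INFO: Syscheck scan frequency: 604800 seconds
"""

REALTIME_RE = re.compile(r"Directory set for real time monitoring: '([^']+)'")
FREQ_RE = re.compile(r"Syscheck scan frequency: (\d+) seconds")

def parse_syscheck(conf_text):
    """Return (schedule settings, realtime dirs) from every <syscheck> block; a dummy root is added
    because OSSEC config files may contain several top-level elements."""
    root = ET.fromstring("<root>" + conf_text + "</root>")
    sched, realtime = {}, set()
    for sc in root.iter("syscheck"):
        for tag in ("scan_time", "scan_day", "frequency"):
            el = sc.find(tag)
            if el is not None and el.text:
                sched[tag] = el.text.strip()
        for d in sc.findall("directories"):
            if d.get("realtime") == "yes" and d.text:
                realtime.update(p.strip() for p in d.text.split(","))
    return sched, realtime

def check_realtime(conf_text, log_text):
    """Cross-check configured realtime dirs against what syscheckd confirmed at startup."""
    sched, wanted = parse_syscheck(conf_text)
    confirmed = set(REALTIME_RE.findall(log_text))
    freqs = FREQ_RE.findall(log_text)
    return {
        "missing_realtime": sorted(wanted - confirmed),           # configured but never armed
        "effective_frequency": int(freqs[-1]) if freqs else None,  # what syscheckd actually uses
        "scan_time_without_scan_day": "scan_time" in sched and "scan_day" not in sched,
    }
```

Run it against the real /var/ossec/etc/shared/agent.conf and /var/ossec/logs/ossec.log on an agent; a directory listed under missing_realtime is one where inotify monitoring was never armed and a manual edit test like the one above will not alert.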