Once I turned on "alert_new_files" I started getting alerts - things appear 
to be working now.

Is there any way to completely disable the logcollector daemon? We have 
another process that does that job so no need to have that bit running - 
removing the "<localfiles>" section doesn't seem to do the trick.

On Saturday, March 4, 2017 at 12:12:49 PM UTC-6, dan (ddpbsd) wrote:
>
> On Fri, Mar 3, 2017 at 5:29 PM, Sam Gardner <lwne...@gmail.com> wrote: 
> > Thanks for the info - I'd like to explore what I can actually do with OSSEC 
> > and do my due diligence before exploring other options. 
> > 
> > I've spun up the following conf file and am running ossec-analysisd and 
> > ossec-syscheckd only - they seem to be healthy, but I'm not getting any 
> > thing in /var/ossec/logs/alerts when I fiddle with stuff in /usr/bin. 
> > 
> > Any idea what might be going on? As far as I can tell syscheckd is 
> > configured to realtime monitor /usr/bin (and inotify works on this system), 
> > so my understanding is that I should be getting _something_ logged somewhere 
> > - am I fundamentally misunderstanding something? 
> > 
> > <ossec_config> 
> >   <global> 
> >     <email_notification>no</email_notification> 
> >   </global> 
> > 
> >   <rules> 
> >     <include>rules_config.xml</include> 
> >     <include>ossec_rules.xml</include> 
> >   </rules> 
> > 
> >   <syscheck> 
> >     <frequency>72000</frequency> 
> > 
> >     <directories realtime="yes" 
> > check_all="yes">/usr/bin,/usr/sbin</directories> 
> > 
> >     <!-- Files/directories to ignore --> 
> >     <ignore>/etc/mtab</ignore> 
> >     <ignore>/etc/hosts.deny</ignore> 
> >     <ignore>/etc/mail/statistics</ignore> 
> >     <ignore>/etc/random-seed</ignore> 
> >     <ignore>/etc/adjtime</ignore> 
> >     <ignore>/etc/httpd/logs</ignore> 
> > 
> >     <!-- Check the file, but never compute the diff --> 
> >     <nodiff>/etc/ssl/private.key</nodiff> 
> >   </syscheck> 
> > 
> >   <rootcheck> 
> >     <disabled>yes</disabled> 
> >   </rootcheck> 
> > 
> >   <remote> 
> >     <disabled>yes</disabled> 
> >   </remote> 
> > 
> >   <alerts> 
> >     <log_alert_level>1</log_alert_level> 
> >     <email_alert_level>7</email_alert_level> 
> >   </alerts> 
> > 
> >   <!-- Active Response Config --> 
> >   <active-response> 
> >     <disabled>yes</disabled> 
> >   </active-response> 
> > </ossec_config> 
> > 
> > Analysisd and syscheckd appear to start up just fine: 
> > 2017/03/03 22:06:26 ossec-analysisd: DEBUG: Starting ... 
> > 2017/03/03 22:06:26 ossec-analysisd: DEBUG: Found user/group ... 
> > 2017/03/03 22:06:26 ossec-analysisd: DEBUG: Active response initialized ... 
> > 2017/03/03 22:06:26 adding rule: rules_config.xml 
> > 2017/03/03 22:06:26 adding rule: ossec_rules.xml 
> > 2017/03/03 22:06:26 ossec-analysisd: DEBUG: Read configuration ... 
> > 2017/03/03 22:06:26 ossec-analysisd: Initializing PF decoder.. 
> > 2017/03/03 22:06:26 ossec-analysisd: Initializing SonicWall decoder.. 
> > 2017/03/03 22:06:26 ossec-analysisd: Initializing SymantecWS decoder.. 
> > 2017/03/03 22:06:26 ossec-analysisd: Initializing OSSECAlert decoder. 
> > 2017/03/03 22:06:26 ossec-analysisd: Initializing OSSECAlert decoder. 
> > 2017/03/03 22:06:26 ossec-analysisd: INFO: Reading local decoder file. 
> > 2017/03/03 22:06:26 ossec-analysisd: INFO: Reading rules file: 
> > 'rules_config.xml' 
> > 2017/03/03 22:06:26 ossec-analysisd: DEBUG: read xml for rule. 
> > 2017/03/03 22:06:26 ossec-analysisd: DEBUG: XML Variables applied. 
> > 2017/03/03 22:06:26 ossec-analysisd: INFO: Reading rules file: 
> > 'ossec_rules.xml' 
> > 2017/03/03 22:06:26 ossec-analysisd: DEBUG: read xml for rule. 
> > 2017/03/03 22:06:26 ossec-analysisd: DEBUG: XML Variables applied. 
> > 2017/03/03 22:06:26 0 : rule:1, level 0, timeout: 0 
> > 2017/03/03 22:06:26 1 : rule:600, level 0, timeout: 0 
> > 2017/03/03 22:06:26 2 : rule:601, level 3, timeout: 0 
> > 2017/03/03 22:06:26 2 : rule:602, level 3, timeout: 0 
> > 2017/03/03 22:06:26 2 : rule:603, level 3, timeout: 0 
> > 2017/03/03 22:06:26 2 : rule:604, level 3, timeout: 0 
> > 2017/03/03 22:06:26 2 : rule:605, level 3, timeout: 0 
> > 2017/03/03 22:06:26 2 : rule:606, level 3, timeout: 0 
> > 2017/03/03 22:06:26 0 : rule:2, level 0, timeout: 0 
> > 2017/03/03 22:06:26 0 : rule:3, level 0, timeout: 0 
> > 2017/03/03 22:06:26 0 : rule:4, level 0, timeout: 0 
> > 2017/03/03 22:06:26 0 : rule:5, level 0, timeout: 0 
> > 2017/03/03 22:06:26 0 : rule:6, level 0, timeout: 0 
> > 2017/03/03 22:06:26 0 : rule:7, level 0, timeout: 0 
> > 2017/03/03 22:06:26 1 : rule:500, level 0, timeout: 0 
> > 2017/03/03 22:06:26 2 : rule:530, level 0, timeout: 0 
> > 2017/03/03 22:06:26 3 : rule:531, level 7, timeout: 7200 
> > 2017/03/03 22:06:26 4 : rule:532, level 0, timeout: 0 
> > 2017/03/03 22:06:26 3 : rule:533, level 7, timeout: 0 
> > 2017/03/03 22:06:26 3 : rule:534, level 1, timeout: 0 
> > 2017/03/03 22:06:26 3 : rule:535, level 1, timeout: 0 
> > 2017/03/03 22:06:26 2 : rule:593, level 9, timeout: 0 
> > 2017/03/03 22:06:26 2 : rule:592, level 8, timeout: 0 
> > 2017/03/03 22:06:26 2 : rule:555, level 7, timeout: 0 
> > 2017/03/03 22:06:26 2 : rule:501, level 3, timeout: 0 
> > 2017/03/03 22:06:26 2 : rule:502, level 3, timeout: 0 
> > 2017/03/03 22:06:26 2 : rule:503, level 3, timeout: 0 
> > 2017/03/03 22:06:26 2 : rule:504, level 3, timeout: 0 
> > 2017/03/03 22:06:26 2 : rule:591, level 3, timeout: 0 
> > 2017/03/03 22:06:26 1 : rule:509, level 0, timeout: 0 
> > 2017/03/03 22:06:26 2 : rule:510, level 7, timeout: 0 
> > 2017/03/03 22:06:26 3 : rule:511, level 0, timeout: 0 
> > 2017/03/03 22:06:26 3 : rule:515, level 0, timeout: 0 
> > 2017/03/03 22:06:26 3 : rule:513, level 9, timeout: 0 
> > 2017/03/03 22:06:26 3 : rule:512, level 3, timeout: 0 
> > 2017/03/03 22:06:26 3 : rule:516, level 3, timeout: 0 
> > 2017/03/03 22:06:26 4 : rule:519, level 7, timeout: 0 
> > 2017/03/03 22:06:26 3 : rule:514, level 2, timeout: 0 
> > 2017/03/03 22:06:26 4 : rule:518, level 9, timeout: 0 
> > 2017/03/03 22:06:26 1 : rule:554, level 0, timeout: 0 
> > 2017/03/03 22:06:26 2 : rule:598, level 5, timeout: 0 
> > 2017/03/03 22:06:26 1 : rule:700, level 0, timeout: 0 
> > 2017/03/03 22:06:26 2 : rule:701, level 0, timeout: 0 
> > 2017/03/03 22:06:26 1 : rule:580, level 8, timeout: 0 
> > 2017/03/03 22:06:26 1 : rule:581, level 8, timeout: 0 
> > 2017/03/03 22:06:26 1 : rule:550, level 7, timeout: 0 
> > 2017/03/03 22:06:26 2 : rule:594, level 5, timeout: 0 
> > 2017/03/03 22:06:26 1 : rule:551, level 7, timeout: 0 
> > 2017/03/03 22:06:26 2 : rule:595, level 5, timeout: 0 
> > 2017/03/03 22:06:26 1 : rule:552, level 7, timeout: 0 
> > 2017/03/03 22:06:26 2 : rule:596, level 5, timeout: 0 
> > 2017/03/03 22:06:26 1 : rule:553, level 7, timeout: 0 
> > 2017/03/03 22:06:26 2 : rule:597, level 5, timeout: 0 
> > 2017/03/03 22:06:26 ossec-analysisd: INFO: Total rules enabled: '53' 
> > 2017/03/03 22:06:26 ossec-analysisd: INFO: Ignoring file: '/etc/mtab' 
> > 2017/03/03 22:06:26 ossec-analysisd: INFO: Ignoring file: '/etc/hosts.deny' 
> > 2017/03/03 22:06:26 ossec-analysisd: INFO: Ignoring file: '/etc/mail/statistics' 
> > 2017/03/03 22:06:26 ossec-analysisd: INFO: Ignoring file: '/etc/random-seed' 
> > 2017/03/03 22:06:26 ossec-analysisd: INFO: Ignoring file: '/etc/adjtime' 
> > 2017/03/03 22:06:26 ossec-analysisd: INFO: Ignoring file: '/etc/httpd/logs' 
> > 2017/03/03 22:06:26 ossec-analysisd: INFO: Chrooted to directory: /var/ossec 
> > 2017/03/03 22:06:26 ossec-analysisd: INFO: Using user: ossec 
> > 2017/03/03 22:06:26 ossec-analysisd: INFO: Started (pid: 1761). 
> > 2017/03/03 22:06:26 ossec-analysisd: SyscheckInit completed. 
> > 2017/03/03 22:06:26 ossec-analysisd: RootcheckInit completed. 
> > 2017/03/03 22:06:26 ossec-analysisd: OS_CreateEventList completed. 
> > 2017/03/03 22:06:26 ossec-analysisd: DEBUG: FTSInit completed. 
> > 2017/03/03 22:06:26 ossec-analysisd: DEBUG: Accumulator Init completed. 
> > 2017/03/03 22:06:26 ossec-analysisd: DEBUG: Active response Init completed. 
> > 2017/03/03 22:06:26 ossec-analysisd: DEBUG: Startup completed. Waiting for new messages.. 
> > 2017/03/03 22:06:55 ossec-syscheckd: DEBUG: Starting ... 
> > 2017/03/03 22:06:55 syscheckd: Reading Configuration 
> > [/var/ossec/etc/ossec.conf] 
> > 2017/03/03 22:06:55 rootcheck: DEBUG: Starting ... 
> > 2017/03/03 22:06:55 rootcheck: Rootcheck disabled. Exiting. 
> > 2017/03/03 22:06:55 ossec-syscheckd: WARN: Rootcheck module disabled. 
> > 2017/03/03 22:06:59 ossec-syscheckd: INFO: (unix_domain) Maximum send buffer set to: '8388608'. 
> > 2017/03/03 22:06:59 ossec-syscheckd: INFO: Started (pid: 1792). 
> > 2017/03/03 22:06:59 ossec-syscheckd: INFO: Monitoring directory: '/usr/bin', with options perm | size | owner | group | md5sum | sha1sum | realtime. 
> > 2017/03/03 22:06:59 ossec-syscheckd: INFO: Monitoring directory: '/usr/sbin', with options perm | size | owner | group | md5sum | sha1sum | realtime. 
> > 2017/03/03 22:06:59 ossec-syscheckd: INFO: ignoring: '/etc/mtab' 
> > 2017/03/03 22:06:59 ossec-syscheckd: INFO: ignoring: '/etc/hosts.deny' 
> > 2017/03/03 22:06:59 ossec-syscheckd: INFO: ignoring: '/etc/mail/statistics' 
> > 2017/03/03 22:06:59 ossec-syscheckd: INFO: ignoring: '/etc/random-seed' 
> > 2017/03/03 22:06:59 ossec-syscheckd: INFO: ignoring: '/etc/adjtime' 
> > 2017/03/03 22:06:59 ossec-syscheckd: INFO: ignoring: '/etc/httpd/logs' 
> > 2017/03/03 22:06:59 ossec-syscheckd: INFO: No diff for file: 
> > '/etc/ssl/private.key' 
> > 2017/03/03 22:06:59 ossec-syscheckd: INFO: Directory set for real time 
> > monitoring: '/usr/bin'. 
> > 2017/03/03 22:06:59 ossec-syscheckd: INFO: Directory set for real time 
> > monitoring: '/usr/sbin'. 
> > 2017/03/03 22:07:11 ossec-syscheckd: Setting SCHED_BATCH returned: 0 
> > 2017/03/03 22:08:01 ossec-syscheckd: INFO: Starting syscheck scan 
> > (forwarding database). 
> > 2017/03/03 22:08:01 ossec-syscheckd: INFO: Starting syscheck database 
> > (pre-scan). 
> > 2017/03/03 22:08:01 ossec-syscheckd: INFO: Initializing real time file 
> > monitoring (not started). 
> > 2017/03/03 22:08:01 ossec-syscheckd: DEBUG: Directory added for real time monitoring: '/usr/bin'. 
> > 2017/03/03 22:09:28 ossec-syscheckd: DEBUG: Directory added for real time monitoring: '/usr/sbin'. 
> > 2017/03/03 22:10:19 ossec-syscheckd: INFO: Real time file monitoring 
> > started. 
> > 2017/03/03 22:10:19 ossec-syscheckd: INFO: Finished creating syscheck 
> > database (pre-scan completed). 
> > 2017/03/03 22:10:31 ossec-syscheckd: INFO: Ending syscheck scan (forwarding database). 
> > 
> > If I shuffle stuff around in /usr/bin, I don't see any logs anywhere. How 
> > can I verify that the FIM monitoring is actually working? I see there are 
> > various entries in the syscheck queue for the existing files, but nothing 
> > else. 
> > 
>
> After a second full scan runs, do you get alerts? 
>
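As an added example (not part of the thread), a small Python check that reads an ossec.conf and ossec.log excerpt and reports why realtime syscheck alerts may be missing: the alert_new_files option the poster enabled, whether each realtime directory actually got its watch, and whether the new-file rule 554 (shown at level 0 in the startup log above) sits below log_alert_level. The config and log excerpts are constructed, modelled on the ones quoted in this thread.

```python
import re
import xml.etree.ElementTree as ET

# Constructed ossec.conf fragment, modelled on the quoted one, with the
# syscheck option the poster later turned on.
OSSEC_CONF = """<ossec_config>
  <syscheck>
    <frequency>72000</frequency>
    <alert_new_files>yes</alert_new_files>
    <directories realtime="yes" check_all="yes">/usr/bin,/usr/sbin</directories>
  </syscheck>
  <alerts>
    <log_alert_level>1</log_alert_level>
  </alerts>
</ossec_config>"""

# Constructed ossec.log excerpt in the format quoted above; the /usr/sbin
# watch is deliberately missing so the check has something to report.
OSSEC_LOG = """2017/03/03 22:06:26 1 : rule:554, level 0, timeout: 0
2017/03/03 22:06:26 1 : rule:550, level 7, timeout: 0
2017/03/03 22:06:59 ossec-syscheckd: INFO: Directory set for real time monitoring: '/usr/bin'.
2017/03/03 22:06:59 ossec-syscheckd: INFO: Directory set for real time monitoring: '/usr/sbin'.
2017/03/03 22:08:01 ossec-syscheckd: DEBUG: Directory added for real time monitoring: '/usr/bin'.
2017/03/03 22:10:19 ossec-syscheckd: INFO: Real time file monitoring started."""

ADDED_RE = re.compile(r"Directory added for real time monitoring: '([^']+)'")
RULE_RE = re.compile(r"rule:(\d+), level (\d+)")


def check_fim(conf_text, log_text):
    """Return findings explaining why syscheck alerts for new files may be absent."""
    root = ET.fromstring(conf_text)
    sc = root.find("syscheck")
    findings = []
    # Without alert_new_files, syscheck does not report added files at all.
    if (sc.findtext("alert_new_files") or "no").strip().lower() != "yes":
        findings.append("alert_new_files is off: added files are not reported")
    # Every realtime directory should get a 'Directory added' line once inotify is set up.
    wanted = set()
    for d in sc.findall("directories"):
        if d.get("realtime") == "yes":
            wanted.update(p.strip() for p in d.text.split(","))
    added = set(ADDED_RE.findall(log_text))
    for path in sorted(wanted - added):
        findings.append(f"{path}: realtime watch never added (inotify?)")
    if "Real time file monitoring started" not in log_text:
        findings.append("realtime monitoring never started")
    # Rule 554 ('File added to the system') is level 0 by default, so new-file
    # events stay below log_alert_level unless the rule is overridden.
    log_level = int(root.findtext("alerts/log_alert_level") or 1)
    levels = {int(r): int(l) for r, l in RULE_RE.findall(log_text)}
    if levels.get(554, 0) < log_level:
        findings.append("rule 554 (file added) is below log_alert_level; override it in local_rules.xml")
    return findings
```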
