That goes on the manager ossec.conf

The manager takes care of analyzing the syscheck data received from the agents and 
generates the alerts.

I hope it helps

Santiago Bassett
@santiagobassett

> On Feb 23, 2018, at 9:59 AM, temp.email....@gmail.com wrote:
> 
> Hi Santiago, I just came across your post. Are you saying that the 
> auto_ignore and alert_new_files goes in /var/ossec/etc/ossec.conf on the 
> manager OR in /var/ossec/etc/shared/agent.conf on the manager? Obviously, the 
> latter will eventually be placed on the Agent. I thought that 
> /var/ossec/etc/ossec.conf (on the manager) only applied to syscheck settings 
> locally (in this case, the manager) and that agent.conf would control what 
> happens on the Agents. This is a little confusing.
> 
> 
> 
>> On Thursday, November 12, 2015 at 5:44:56 PM UTC-8, Santiago Bassett wrote:
>> Are you using scan_on_start option? Remember realtime won't work until first 
>> syscheck is done.
>> 
>> I also recommend using alert_new_files and setting auto_ignore to "no" (this 
>> goes on the manager).
>> 
>> A useful troubleshooting tip is to enable debug for syscheck on the agent 
>> (internal_options.conf file).
>> 
>> Best
>> 
>>> On Wed, Nov 11, 2015 at 12:59 PM, Jenia Jenia <jen...@gmail.com> wrote:
>>> I've checked, I have the /usr/include/linux/inotify.h and I have 
>>> -DUSEINOTIFY.
>>> 
>>> I do have the "Real time file monitoring started.", which I simply didn't 
>>> notice.
>>> 
>>> However, the problem is that it looks like real time notifications are 
>>> working inconsistently, i.e. if I, let's say, "apt-get install ...some 
>>> package", I get the notification right away; also when I restart OSSEC I get 
>>> the email immediately, BUT when I modify /etc/hosts or some other file that is 
>>> under a "directories" entry with the "realtime" parameter, then I only get a 
>>> notification when ossec-syscheckd runs as scheduled.
>>> 
>>> Any ideas?
>>> 
>>> 
>>> 
>>> 
>>>> On Wednesday, November 11, 2015 at 9:09:45 PM UTC+2, Jb Cheng wrote:
>>>> Realtime syscheck uses the INOTIFY feature on Linux systems. The Makeall file 
>>>> checks for the existence of a header file. Please see if your Ubuntu system has 
>>>> one of the following:
>>>> 
>>>>     # Checking for inotify
>>>>     if [ "X$OS" = "XLinux" ]; then
>>>>         if [ -e /usr/include/sys/inotify.h ]; then
>>>>             echo "EEXTRA=-DUSEINOTIFY" >> Config.OS
>>>>         elif [ -e /usr/include/linux/inotify.h ]; then
>>>>             echo "EEXTRA=-DUSEINOTIFY" >> Config.OS
>>>>         fi
>>>>         LUA_PLAT="posix"
>>>>     fi
>>>> 
>>>> If it works, the Config.OS file will contain the '-DUSEINOTIFY' compilation 
>>>> directive. Please check it.
>>>> 
>>>> 
>>>> Documentation is available at: 
>>>> http://ossec-docs.readthedocs.org/en/latest/manual/syscheck/#real-time-monitoring
>>>>  
>>>> Good luck!
>>>> 
>>>>> On Wednesday, November 11, 2015 at 4:48:09 AM UTC-8, Jenia Jenia wrote:
>>>>> 
>>>>> Hi Guys!
>>>>> I've installed and configured OSSEC to get real time notifications, but 
>>>>> when I modify for instance /etc/passwd or /etc/hosts I don't get a real 
>>>>> time notification.
>>>>> Scheduled notifications are working I receive events to my email.
>>>>> 
>>>>> In addition documentation tells that in ossec.log there should be a line 
>>>>> "Real time file monitoring started." which I never get.
>>>>> 
>>>>> Please advise
>>>>> 
>>>>>   <global>
>>>>>     <email_notification>yes</email_notification>
>>>>>     <email_to>jen...@gmail.com</email_to>
>>>>>     <smtp_server>mx.yandex.net.</smtp_server>
>>>>>     <email_from>ossecm@myserver</email_from>
>>>>>   </global>
>>>>>   <!-- 550 changed, 553 deleted, 554 added -->
>>>>>   <email_alerts>
>>>>>     <email_to>jen...@gmail.com</email_to>
>>>>>     <rule_id>550, 553, 554</rule_id>
>>>>>     <do_not_delay />
>>>>>   </email_alerts>
>>>>> 
>>>>>   <syscheck>
>>>>>     <!-- Directories to check  (perform all possible verifications) -->
>>>>>     <directories realtime="yes" check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
>>>>> 
>>>>>     <alert_new_files>yes</alert_new_files>
>>>>>     <scan_on_start>no</scan_on_start>
>>>>>     <auto_ignore>no</auto_ignore>
>>>>>   </syscheck>
>>>>> 
>>> 
>>> -- 
>>> 
>>> --- 
>>> You received this message because you are subscribed to the Google Groups 
>>> "ossec-list" group.
>>> To unsubscribe from this group and stop receiving emails from it, send an 
>>> email to ossec-list+...@googlegroups.com.
>>> For more options, visit https://groups.google.com/d/optout.
>> 
> 

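Added example for the two points the thread settles: with realtime="yes" nothing is delivered in real time until the first full syscheck scan has run (so scan_on_start=no delays it until the scheduled scan), and alert_new_files / auto_ignore are read on the manager, not the agent. This linter is not OSSEC code and was not posted by anyone in the thread; the sample config below is the original poster's fragment with placeholder addresses, wrapped in the `<ossec_config>` and `<syscheck>` elements an ossec.conf uses, and the `role` argument ("agent" or "manager") is an assumption of this script, not an OSSEC option.

```python
"""Lint an OSSEC syscheck configuration for the realtime pitfalls raised in this thread.

Added example; not OSSEC code. The sample config and the 'role' argument are
constructed for illustration.
"""
import xml.etree.ElementTree as ET

# Constructed sample: the poster's fragment with placeholder addresses, wrapped in
# the <ossec_config> and <syscheck> elements an ossec.conf uses.
SAMPLE_CONF = """<ossec_config>
  <global>
    <email_notification>yes</email_notification>
    <email_to>ops@example.com</email_to>
    <smtp_server>mx.example.net.</smtp_server>
    <email_from>ossecm@myserver</email_from>
  </global>
  <email_alerts>
    <email_to>ops@example.com</email_to>
    <rule_id>550, 553, 554</rule_id>
    <do_not_delay />
  </email_alerts>
  <syscheck>
    <directories realtime="yes" check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
    <alert_new_files>yes</alert_new_files>
    <scan_on_start>no</scan_on_start>
    <auto_ignore>no</auto_ignore>
  </syscheck>
</ossec_config>
"""

# 550 = checksum changed, 553 = file deleted, 554 = file added (as in the poster's comment).
SYSCHECK_RULES = {"550", "553", "554"}
# Options evaluated by the manager's analysis daemon; they do nothing in an agent's config.
MANAGER_ONLY = ("alert_new_files", "auto_ignore")


def parse_ossec_conf(text):
    """ossec.conf may hold several top-level <ossec_config> blocks, which is not
    well-formed XML on its own, so wrap the file in a dummy root before parsing."""
    return ET.fromstring("<root>" + text + "</root>")


def lint_syscheck(text, role="agent"):
    """Return a list of findings for a config deployed with the given role
    ('agent' or 'manager'). An empty list means none of the checked pitfalls apply."""
    root = parse_ossec_conf(text)
    findings = []
    blocks = root.findall(".//syscheck")
    if not blocks:
        return ["no <syscheck> block found"]
    for sc in blocks:
        realtime = [d for d in sc.findall("directories") if d.get("realtime") == "yes"]
        # OSSEC defaults scan_on_start to yes when the option is absent.
        scan_on_start = (sc.findtext("scan_on_start") or "yes").strip().lower()
        if realtime and scan_on_start == "no":
            paths = ",".join((d.text or "").strip() for d in realtime)
            findings.append(
                f"realtime=\"yes\" on {paths} with scan_on_start=no: realtime events start "
                "only after the first full scan, so nothing is realtime until the "
                "scheduled scan has run (set scan_on_start to yes)")
        if role == "agent":
            for tag in MANAGER_ONLY:
                if sc.find(tag) is not None:
                    findings.append(
                        f"<{tag}> is evaluated by the manager; move it to the manager's "
                        "ossec.conf, it has no effect in an agent's syscheck block")
        if role == "manager" and sc.findtext("alert_new_files", "").strip().lower() != "yes":
            findings.append("alert_new_files is not yes: rule 554 (file added) will never fire")
    # Email routing: every syscheck rule the poster expects must be listed in <email_alerts>.
    for ea in root.findall(".//email_alerts"):
        listed = {x.strip() for x in (ea.findtext("rule_id") or "").split(",") if x.strip()}
        missing = sorted(SYSCHECK_RULES - listed)
        if missing:
            findings.append(f"<email_alerts> does not route rule(s) {', '.join(missing)}")
    return findings


if __name__ == "__main__":
    for role in ("agent", "manager"):
        print(f"--- {role} ---")
        for finding in lint_syscheck(SAMPLE_CONF, role) or ["no findings"]:
            print(" *", finding)
```

Run against the sample as an agent config it reports the scan_on_start delay and the two manager-only options; the same text with scan_on_start set to yes, treated as the manager's ossec.conf, comes back clean. Wrapping the file in a dummy root is needed because a real ossec.conf is allowed to contain more than one `<ossec_config>` element, which a strict XML parser rejects.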
