Re: [ossec-list] Re: Syscheck not alerting on realtime scans

2016-08-02 Thread Daniel Bray
Victor,

The nightly scans are working just fine. That's not the problem. The problem
is the real-time scans are not working. Each night around 1am, I get
various reports of changed or added files... all good there. However,
during the day, or really any time, if I edit/add/delete files in /etc or
/root, I am not instantly getting alerted. In other words, the realtime
scan is not monitoring those directories, even though it states:

2016/08/01 14:25:19 ossec-syscheckd: INFO: Directory set for real time
monitoring: '/etc'.
2016/08/01 14:25:19 ossec-syscheckd: INFO: Directory set for real time
monitoring: '/root'.


On Mon, Aug 1, 2016 at 6:25 PM, Victor Fernandez  wrote:

> Hi Daniel.
>
> I had never used  before, but I think it works for weekly
> scans since OSSEC prints this log (even when setting frequency=84800):
>
> 2016/08/01 14:27:33 ossec-syscheckd: INFO: Syscheck scan frequency: 604800
> seconds
>
> This amount of time is one week, so I think that  works only
> for weekly scans, and then you should also introduce the 
> parameter, since it appears to have no default value. For example:
>
> 1am
> monday
>
> I tested that configuration and Syscheck appears to work properly.
>
> Hope it helps.
>
> Best regards.
>
>
> On Monday, August 1, 2016 at 7:32:13 AM UTC-7, Daniel Bray wrote:
>>
>> Can someone verify that all the proper settings are in place to allow for
>> realtime scans on some directories? We are running CentOS 6 servers
>> (manager and agents/clients), and we use the Atomic install method.
>>
>> Here is the latest available Atomic version installed (also noted inotify
>> is installed)
>> $ rpm -qa | egrep "inotify|ossec"
>> ossec-hids-2.8.3-53.el6.art.x86_64
>> inotify-tools-3.14-1.el6.x86_64
>> ossec-hids-client-2.8.3-53.el6.art.x86_64
>>
>>
>> Here is the important part of /var/ossec/etc/shared/agent.conf
>> 
>>   
>> 1am
>> 82800
>> no
>> yes
>> no
>>
>> 
>> /bin,/sbin,/usr,/opt
>> > report_changes="yes" 
>> realtime="yes">/etc,/root,/var/named,/var/www
>> ...
>>
>> Here is the agent /var/ossec/etc/ossec.conf file
>> 
>>   
>> 10.10.10.10
>>   
>> 
>>
>> The above exists on all our agents/clients.
>>
>> On the manager, it pretty much matches up exactly, with the exception
>> that the server is installed, and not the client:
>> $  rpm -qa | egrep "inotify|ossec"
>> inotify-tools-3.14-1.el6.x86_64
>> ossec-hids-server-2.8.3-53.el6.art.x86_64
>> ossec-hids-2.8.3-53.el6.art.x86_64
>>
>>
>> I have gone in and updated all servers (yum -y update) and rebooted to the
>> latest kernel available on CentOS 6. I've waited a few days for the normal
>> scans to complete, and I am seeing alerts for nightly changed files.
>> However, when I run a test on a file that exists in /root or /etc, I never
>> get alerted. The test is simply
>> $ sudo vim /etc/hosts.allow
>> ...and I add/remove some entries, and :wq out for the update.
>>
>> After a clean update and reboot, here are the relevant log entries:
>> 2016/08/01 14:25:13 ossec-syscheckd: DEBUG: Starting ...
>> 2016/08/01 14:25:13 ossec-rootcheck: DEBUG: Starting ...
>> 2016/08/01 14:25:13 ossec-rootcheck: Starting queue ...
>> 2016/08/01 14:25:13 ossec-syscheckd: INFO: (unix_domain) Maximum send
>> buffer set to: '124928'.
>> 2016/08/01 10:25:14 ossec-agentd(4102): INFO: Connected to the server (
>> 10.10.10.10:1514).
>> 2016/08/01 14:25:19 ossec-logcollector(1950): INFO: Analyzing file:
>> '/var/log/messages'.
>> 2016/08/01 14:25:19 ossec-logcollector(1950): INFO: Analyzing file:
>> '/var/log/secure'.
>> 2016/08/01 14:25:19 ossec-logcollector(1950): INFO: Analyzing file:
>> '/var/log/maillog'.
>> 2016/08/01 14:25:19 ossec-logcollector: INFO: Started (pid: 2120).
>> 2016/08/01 14:25:19 ossec-syscheckd: INFO: (unix_domain) Maximum send
>> buffer set to: '124928'.
>> 2016/08/01 14:25:19 ossec-syscheckd: INFO: Started (pid: 2124).
>> 2016/08/01 14:25:19 ossec-rootcheck: INFO: Started (pid: 2124).
>> 2016/08/01 14:25:19 ossec-syscheckd: INFO: Monitoring directory: '/bin'.
>> 2016/08/01 14:25:19 ossec-syscheckd: INFO: Monitoring directory: '/sbin'.
>> 2016/08/01 14:25:19 ossec-syscheckd: INFO: Monitoring directory: '/usr'.
>> 2016/08/01 14:25:19 ossec-syscheckd: INFO: Monitoring directory: '/opt'.
>> 2016/08/01 14:25:19 ossec-syscheckd: INFO: Monitoring directory: '/etc'.
>> 2016/08/01 14:25:19 ossec-syscheckd: INFO: Monitoring directory: '/root'.
>> 2016/08/01 14:25:19 ossec-syscheckd: INFO: Monitoring directory:
>> '/var/named'.
>> 2016/08/01 14:25:19 ossec-syscheckd: INFO: Monitoring directory:
>> '/var/www'.
>> 2016/08/01 14:25:19 ossec-syscheckd: INFO: Directory set for real time
>> monitoring: '/etc'.
>> 2016/08/01 14:25:19 ossec-syscheckd: INFO: Directory set for real time
>> monitoring: '/root'.
>> 2016/08/01 14:25:19 ossec-syscheckd: INFO: Directory set for real time
>> monitoring: '/var/named'.
>> 2016/08/01 14:25:19 ossec-syscheckd: INFO: Directory set for real time
>> monitoring: '/var/www'.
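
An added example, not from the thread or from the OSSEC project: a small POSIX shell script with the checks Daniel's `vim /etc/hosts.allow` test leaves out. OSSEC's realtime mode talks to the kernel inotify API directly and registers one watch per directory, so the first check compares the number of directories under the realtime paths with `fs.inotify.max_user_watches`; the `inotify-tools` package mentioned in the thread is not something OSSEC uses, but its `inotifywait` is a convenient independent probe of the same kernel facility. The second check counts syscheck alerts for a given path in the manager's `alerts.log` (rules 550, 553 and 554), which is more reliable than waiting for an e-mail. One caveat worth knowing when reading the log above: in OSSEC 2.8 the "Directory set for real time monitoring" line is printed when the configuration is parsed, before any inotify watch exists; the watches are registered while syscheck walks those directories during a scan, so no realtime alert can be raised until that first pass over them has completed. Assumptions: `ALERTS_LOG` is the default manager path, `REALTIME_DIRS` is the realtime list from the posted agent.conf, and the sample alerts written by `write_sample_alerts` are constructed for this example.

```shell
#!/bin/sh
# Added example, not from the thread or the OSSEC project: sanity checks for
# syscheck realtime monitoring on a Linux agent/manager. OSSEC's realtime mode
# uses the kernel inotify API directly (one watch per directory); the
# inotify-tools package is only useful here as an independent probe.
# Assumptions: ALERTS_LOG is the manager's alerts.log (OSSEC default path) and
# REALTIME_DIRS is the realtime list from the thread's agent.conf.

ALERTS_LOG="${ALERTS_LOG:-/var/ossec/logs/alerts/alerts.log}"
REALTIME_DIRS="${REALTIME_DIRS:-/etc /root /var/named /var/www}"

# Number of directories under the given paths (each one needs an inotify watch).
count_dirs() {
    n=0
    for d in "$@"; do
        [ -d "$d" ] || continue
        c=$(find "$d" -type d 2>/dev/null | wc -l)
        n=$((n + c))
    done
    echo "$n"
}

# Kernel per-user watch limit (syscheckd runs as root); 0 if inotify is absent.
inotify_limit() {
    if [ -r /proc/sys/fs/inotify/max_user_watches ]; then
        cat /proc/sys/fs/inotify/max_user_watches
    else
        echo 0
    fi
}

# watches_fit NEEDED LIMIT: true when the watches fit under the limit.
watches_fit() {
    [ "$1" -lt "$2" ]
}

# Count syscheck alerts for one path in an alerts.log. These are the message
# lines analysisd writes for rules 550 (changed), 553 (deleted), 554 (added).
syscheck_alerts_for() {
    log=$1; p=$2; n=0
    for pat in "Integrity checksum changed for: '$p'" \
               "File '$p' was deleted." \
               "New file '$p' added to the file system."; do
        c=$(grep -c -F -- "$pat" "$log" || true)
        n=$((n + c))
    done
    echo "$n"
}

# Constructed sample alerts.log (two alerts made up for this example).
write_sample_alerts() {
    cat > "$1" <<'EOF'
** Alert 1470061800.1234: mail  - ossec,syscheck,
2016 Aug 01 14:30:00 (web01) 10.10.10.20->syscheck
Rule: 550 (level 7) -> 'Integrity checksum changed.'
Integrity checksum changed for: '/etc/hosts.allow'
Size changed from '370' to '392'

** Alert 1470061900.1300: mail  - ossec,syscheck,
2016 Aug 01 14:31:40 (web01) 10.10.10.20->syscheck
Rule: 554 (level 5) -> 'File added to the system.'
New file '/root/.probe' added to the file system.
EOF
}

# Append a dated comment to FILE (run as root on the agent under test); with
# realtime working, rule 550 for FILE shows up on the manager within seconds.
probe_modify() {
    printf '# ossec realtime probe %s\n' "$(date +%s)" >> "$1"
    echo "modified $1; on the manager run: $0 alerts $1"
}

case "${1:-}" in
    check)
        # REALTIME_DIRS is deliberately unquoted so it splits into paths.
        need=$(count_dirs $REALTIME_DIRS); lim=$(inotify_limit)
        echo "directories needing watches: $need, fs.inotify.max_user_watches: $lim"
        watches_fit "$need" "$lim" || echo "WARN: raise fs.inotify.max_user_watches"
        if command -v inotifywait >/dev/null 2>&1; then
            echo "independent probe: inotifywait -m -r -e modify,create,delete ${REALTIME_DIRS%% *}"
        fi
        ;;
    probe)  probe_modify "${2:?file}" ;;
    alerts) syscheck_alerts_for "$ALERTS_LOG" "${2:?path}" ;;
    *)      echo "usage: $0 check | probe FILE | alerts PATH" >&2 ;;
esac
```

Run `check` on the agent to see whether the watch budget is adequate and, if `inotifywait` is present, whether the kernel delivers events for `/etc` at all; then `probe /etc/hosts.allow` on the agent and `alerts /etc/hosts.allow` on the manager. A count that stays at zero while `inotifywait` does report the write points at syscheck rather than at the kernel or the package install.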

[ossec-list] Re: Syscheck not alerting on realtime scans

2016-08-01 Thread Victor Fernandez
Hi Daniel.

I had never used  before, but I think it works for weekly scans 
since OSSEC prints this log (even when setting frequency=84800):

2016/08/01 14:27:33 ossec-syscheckd: INFO: Syscheck scan frequency: 604800 
seconds

This amount of time is one week, so I think that  works only for 
weekly scans, and then you should also introduce the  
parameter, since it appears to have no default value. For example:

1am
monday

I tested that configuration and Syscheck appears to work properly. 

Hope it helps.

Best regards.


On Monday, August 1, 2016 at 7:32:13 AM UTC-7, Daniel Bray wrote:
>
> Can someone verify that all the proper settings are in place to allow for 
> realtime scans on some directories? We are running CentOS 6 servers 
> (manager and agents/clients), and we use the Atomic install method.
>
> Here is the latest available Atomic version installed (also noted inotify 
> is installed)
> $ rpm -qa | egrep "inotify|ossec"
> ossec-hids-2.8.3-53.el6.art.x86_64
> inotify-tools-3.14-1.el6.x86_64
> ossec-hids-client-2.8.3-53.el6.art.x86_64
>
>
> Here is the important part of /var/ossec/etc/shared/agent.conf
> 
>   
> 1am
> 82800
> no
> yes
> no
>
> 
> /bin,/sbin,/usr,/opt
>  report_changes="yes" 
> realtime="yes">/etc,/root,/var/named,/var/www
> ...
>
> Here is the agent /var/ossec/etc/ossec.conf file
> 
>   
> 10.10.10.10
>   
> 
>
> The above exists on all our agents/clients. 
>
> On the manager, it pretty much matches up exactly, with the exception that 
> the server is installed, and not the client:
> $  rpm -qa | egrep "inotify|ossec"
> inotify-tools-3.14-1.el6.x86_64
> ossec-hids-server-2.8.3-53.el6.art.x86_64
> ossec-hids-2.8.3-53.el6.art.x86_64
>
>
> I have gone in and updated all servers (yum -y update) and rebooted to the 
> latest kernel available on CentOS 6. I've waited a few days for the normal 
> scans to complete, and I am seeing alerts for nightly changed files. 
> However, when I run a test on a file that exists in /root or /etc, I never 
> get alerted. The test is simply
> $ sudo vim /etc/hosts.allow
> ...and I add/remove some entries, and :wq out for the update.
>
> After a clean update and reboot, here are the relevant log entries:
> 2016/08/01 14:25:13 ossec-syscheckd: DEBUG: Starting ...
> 2016/08/01 14:25:13 ossec-rootcheck: DEBUG: Starting ...
> 2016/08/01 14:25:13 ossec-rootcheck: Starting queue ...
> 2016/08/01 14:25:13 ossec-syscheckd: INFO: (unix_domain) Maximum send 
> buffer set to: '124928'.
> 2016/08/01 10:25:14 ossec-agentd(4102): INFO: Connected to the server (
> 10.10.10.10:1514).
> 2016/08/01 14:25:19 ossec-logcollector(1950): INFO: Analyzing file: 
> '/var/log/messages'.
> 2016/08/01 14:25:19 ossec-logcollector(1950): INFO: Analyzing file: 
> '/var/log/secure'.
> 2016/08/01 14:25:19 ossec-logcollector(1950): INFO: Analyzing file: 
> '/var/log/maillog'.
> 2016/08/01 14:25:19 ossec-logcollector: INFO: Started (pid: 2120).
> 2016/08/01 14:25:19 ossec-syscheckd: INFO: (unix_domain) Maximum send 
> buffer set to: '124928'.
> 2016/08/01 14:25:19 ossec-syscheckd: INFO: Started (pid: 2124).
> 2016/08/01 14:25:19 ossec-rootcheck: INFO: Started (pid: 2124).
> 2016/08/01 14:25:19 ossec-syscheckd: INFO: Monitoring directory: '/bin'.
> 2016/08/01 14:25:19 ossec-syscheckd: INFO: Monitoring directory: '/sbin'.
> 2016/08/01 14:25:19 ossec-syscheckd: INFO: Monitoring directory: '/usr'.
> 2016/08/01 14:25:19 ossec-syscheckd: INFO: Monitoring directory: '/opt'.
> 2016/08/01 14:25:19 ossec-syscheckd: INFO: Monitoring directory: '/etc'.
> 2016/08/01 14:25:19 ossec-syscheckd: INFO: Monitoring directory: '/root'.
> 2016/08/01 14:25:19 ossec-syscheckd: INFO: Monitoring directory: 
> '/var/named'.
> 2016/08/01 14:25:19 ossec-syscheckd: INFO: Monitoring directory: 
> '/var/www'.
> 2016/08/01 14:25:19 ossec-syscheckd: INFO: Directory set for real time 
> monitoring: '/etc'.
> 2016/08/01 14:25:19 ossec-syscheckd: INFO: Directory set for real time 
> monitoring: '/root'.
> 2016/08/01 14:25:19 ossec-syscheckd: INFO: Directory set for real time 
> monitoring: '/var/named'.
> 2016/08/01 14:25:19 ossec-syscheckd: INFO: Directory set for real time 
> monitoring: '/var/www'.
> 2016/08/01 14:25:33 ossec-syscheckd: Setting SCHED_BATCH returned: 0
>
>
>
> Is there anything obvious that I'm missing in the configs?
>
>
>
